
Pozavarovalnica Sava

Audit Report / Information Apr 11, 2024

1987_rns_2024-04-11_fcf35f82-891d-4168-bff4-c7ac7895480f.pdf


ANNUAL REPORT OF THE INTERNAL AUDIT DEPARTMENT ON INTERNAL AUDITING FOR 2023

Prepared by: Polonca Jug Mauko
Adopted by: Company's management board
Consent by: supervisory board
Type of document: report
Department: internal audit
Confidentiality level: confidential
Report number: 6-2024/POR/PJM
Distribution list: Company's management board; Company's supervisory board members; Company's members of the supervisory board's audit committee; Company's general meeting; key function holders and DPO
Language versions: Slovenian, English
Prepared on: 25/3/2024
Date of submission to the management board, AC and SB: 25/3/2024
Date of adoption at the management board session: 26/3/2024
Date of adoption at the AC and SB sessions: 2/4/2024 at the AC session and 4/4/2024 at the SB session

Ljubljana, March 2024

CONTENTS

1 INTRODUCTION
1.1 Organisational independence of the internal audit
2 ASSESSMENT OF THE EFFECTIVENESS AND EFFICIENCY OF SAVA RE'S INTERNAL CONTROLS, RISK MANAGEMENT AND CORPORATE GOVERNANCE
3 OVERVIEW OF THE IMPLEMENTATION OF THE 2023 ANNUAL WORK PLAN
4 SUMMARY OF THE MAJOR CONCLUSIONS OF THE AUDIT ENGAGEMENTS PERFORMED
5 OVERVIEW OF THE IMPLEMENTATION OF RECOMMENDATIONS TO REMEDY DEFICIENCIES AND IRREGULARITIES
6 STAFF, TRAINING AND OTHER ACTIVITIES
7 IAD QUALITY ASSURANCE AND IMPROVEMENT PROGRAMME

1 INTRODUCTION

The internal audit department has prepared the Annual Report on Internal Auditing for 2023 pursuant to Article 165 of the Slovenian Insurance Act (ZZavar-1), the Internal Audit Policy of Sava Re d.d. (Sava Re), the Strategy of the Internal Audit Department (IAD) for 2023–2027 and the Annual Work Plan of the IAD for 2023.

This report includes:

  • a report on the organisational independence of the internal audit department;
  • an assessment of the effectiveness and efficiency of Sava Re's internal controls, risk management and corporate governance;
  • an overview of the implementation of the 2023 annual work plan;
  • a summary of the main conclusions of the internal audit engagements;
  • an overview of the implementation of recommendations to remedy deficiencies and irregularities;
  • an overview of the implementation of other IAD activities (employees, education and training);
  • a summary of the internal audit quality assurance and improvement programme.

1.1 Organisational independence of the internal audit

The IAD is an independent organisational unit, functionally and organisationally separate from other units of Sava Re. Administratively, it reports to Sava Re's management board, whereas functionally it reports to Sava Re's supervisory board and its audit committee. This ensures the autonomy and organisational independence of the IAD's activity.

In accordance with the Slovenian Insurance Act and on the basis of outsourcing agreements, Sava Re d.d. has performed the key functions of internal audit for the following companies for an indefinite period: Zavarovalnica Sava d.d., Vita Življenjska Zavarovalnica d.d., Sava Pokojninska Družba d.d. and Sava Infond d.o.o.

The director of the IAD Polonca Jug Mauko was appointed as the internal audit key function holder of Sava Re d.d. and Zavarovalnica Sava d.d., as well as the internal audit key function holder at the level of the Sava Insurance Group.

2 ASSESSMENT OF THE EFFECTIVENESS AND EFFICIENCY OF SAVA RE'S INTERNAL CONTROLS, RISK MANAGEMENT AND CORPORATE GOVERNANCE

As the internal audit key function holder, I have assessed the effectiveness and efficiency of the internal control system and risk management in 2023 based on the internal audit engagements carried out. Internal audit is a risk-based, continuous and comprehensive supervision of the Company's operations with the objective of verifying and assessing whether the risk management, internal control and corporate governance processes are adequate and functioning in such a way as to ensure the achievement of the Company's key goals. The internal control system is defined as the totality of the risk management, control and governance processes of the Company and the Group that enable the achievement of the Company's significant goals. The audit engagements covered all key risks of the Company.

Based on all the tests carried out and methods used in the individual areas that we audited, the IAD considers that Sava Re's internal controls are adequate and that their reliability is GOOD. It also believes that Sava Re's governance was adequate and that it is being continuously improved to ensure the achievement of key business goals, and that Sava Re's risk management was efficient and aimed at ensuring effective and economical operations. According to the IAD, there is still room for improvement in the operation of the system. The internal audit engagements identified certain irregularities and deficiencies, which the IAD pointed out and for which it made appropriate recommendations, to ensure further improvement of the Company's internal controls, risk management and corporate governance. This leads to greater efficiency of internal controls and enhances the regularity of operations.

The IAD's recommendations have been actively implemented by those responsible. However, some additional time will be needed to implement the recommendations made in the last quarter of the year and those related to the improvement of information technology and documentation management.

In the standard internal audit engagements, due consideration was given to potential instances of fraud and exposure, as well as the potential vulnerability of IT support to operations and ethical and sustainable behaviour. Internal control systems were in place in the areas audited and were working to prevent the occurrence of fraud. The audits also resulted in recommendations for the improvement of the IT system.

3 OVERVIEW OF THE IMPLEMENTATION OF THE 2023 ANNUAL WORK PLAN

In 2023, the IAD carried out internal audit engagements and other activities in accordance with the Annual Work Plan of the IAD for 2023.

A total of 43 audit engagements were planned and carried out:

  • 1) 1_R_2023/SRe Audit of the system for concluding contracts with audit firms;
  • 2) 2_R_2023/SRe Audit of the ORSA process;
  • 3) 3_R_2023/SRe Audit of the process and IT support for managing SysAid requests;
  • 4) 4_R_2023/SRe Audit of capital and capital adequacy management;
  • 5) 5_R_2023/SRe Audit of the management of BI-DWH data sources;
  • 6) 6_R_2023/SRe Audit of the investment process;
  • 7) 7_R_2023/SRe Audit of the treaty reinsurance process;
  • 8) 8_R_2023/SRe Audit of compliance with sustainability requirements (cooperation with the compliance function);
  • 9) 9_R_2023/SRe Audit of the IT governance process;
  • 10) 10_R_2023/SRe Audit of salary and travel order accounting process;
  • 11) 11_R_2023/SRe Continuous auditing IT;
  • 12) 1_SV_2023/SRe Consulting engagement SimCorp software package compliance with legal and regulatory requirements;
  • 13) 2_SV_2023/SRe Consulting engagement of compliance with the Network and Information Security Directive (NIS2), Digital Operational Resilience Act (DORA) and the law (ZVOP-2);
  • 14) 3_SV_2023/SRe Review of the maturity of the IT governance process COBIT 2019 in the Sava Insurance Group;
  • 15) 4_SV_2023/SRe Informal consulting engagements;

  • 16) 1_SOD_2023/SRe Audit of the system for concluding contracts with audit firms Illyria;
  • 17) 2_SOD_2023/SRe Audit of the system for concluding contracts with audit firms Illyria Life;
  • 18) 3_SOD_2023/SRe Audit of the system for concluding contracts with audit firms SŽO;
  • 19) 4_SOD_2023/SRe Audit of the system for concluding contracts with audit firms SNO;
  • 20) 5_SOD_2023/SRe Audit of the system for concluding contracts with audit firms SO MKD;
  • 21) 6_SOD_2023/SRe Audit of the system for concluding contracts with audit firms SPD MKD;
  • 22) 7_SOD_2023/SRe Audit of the system for concluding contracts with audit firms SO MNE;
  • 23) 8_SOD_2023/SRe Audit of the IT governance process Illyria;
  • 24) 9_SOD_2023/SRe Audit of the IT governance process Illyria Life;
  • 25) 10_SOD_2023/SRe Audit of the IT governance process – SO MNE;
  • 26) 11_SOD_2023/SRe Audit of the IT governance process – SŽO;
  • 27) 12_SOD_2023/SRe Audit of the IT governance process – SNO;
  • 28) 13_SOD_2023/SRe Audit of the IT governance process – SO MKD;
  • 29) 14_SOD_2023/SRe Audit of the IT governance process – SPD MKD;
  • 30) 15_SOD_2023/SRe Audit of capital and capital adequacy management Illyria;
  • 31) 16_SOD_2023/SRe Audit of capital and capital adequacy management SO MNE;
  • 32) 17_SOD_2023/SRe Audit of capital and capital adequacy management SŽO;
  • 33) 18_SOD_2023/SRe Audit of capital and capital adequacy management SNO;
  • 34) 19_SOD_2023/SRe Audit of capital and capital adequacy management SO MKD;
  • 35) 20_SOD_2023/SRe Audit of capital and capital adequacy management SPD MKD;
  • 36) 21_SOD_2023/SRe Audit of capital and capital adequacy management Illyria Life;
  • 37) 22_SOD_2023/SRe Group Audit collaboration subsidiaries SO MKD;
  • 38) 23_SOD_2023/SRe Group Audit collaboration subsidiaries SPD MKD;
  • 39) 24_SOD_2023/SRe Group Audit collaboration subsidiaries SO MNE;
  • 40) 25_SOD_2023/SRe Group Audit collaboration subsidiaries SŽO;
  • 41) 26_SOD_2023/SRe Group Audit collaboration subsidiaries SNO;
  • 42) 27_SOD_2023/SRe Group Audit collaboration subsidiaries Illyria;
  • 43) 28_SOD_2023/SRe Group Audit collaboration subsidiaries Illyria Life.

4 SUMMARY OF THE MAJOR CONCLUSIONS OF THE AUDIT ENGAGEMENTS PERFORMED

On the basis of risk ratings, internal audit performed ongoing and comprehensive supervision of the Company's operations to verify and assess whether the Company's risk management processes, control procedures and corporate governance are adequate and work in such a way as to ensure the achievement of the Company's following important goals:

  • effective and efficient operations, including meeting business and financial performance targets, and safeguarding assets against loss;
  • reliable, timely and transparent internal and external financial and non-financial reporting;
  • compliance with laws and other regulations, including internal rules;
  • the management of the Company's IT to support the delivery of the Company's strategy and goals;
  • the assessment of the risk of fraud and how it is managed by the Company.

The IAD provided ongoing written reports to the auditees and submitted reports for information as well as conclusions and recommendations for adoption by the Company's management board. It reported regularly on the implementation of these recommendations to the management board, audit committee and supervisory board based on feedback received from those responsible for the implementation of the recommendations.

The IAD provided a more detailed overview of the internal audit engagements, including conclusions, irregularities and recommendations, in its quarterly reports to the management board, the audit committee and the supervisory board.

The IAD assesses the adequacy, effectiveness and efficiency of the risk management and internal control system in accordance with standard 2410.A1. We use the following rating scale to assess the internal control system in accordance with the methodology of the Sava Insurance Group:

VERY GOOD – The control system of the audited organisational unit is very good in every respect; the internal controls in place are strong; all key controls are operating, and there are no deviations. Supervision is optimal. The risk is very low. There are no findings with a medium or high risk rating.

GOOD – The control system is generally good; minor weaknesses can be addressed by the head of any business function (area)/ organisational unit in the course of the business process. Management has good control of business operations and ensures that responsibilities and authority are exercised. In the event of deviations, immediate action is taken, and procedures are continuously improved. Supervision is carried out regularly. The risk is low. One to two findings with a medium risk rating and no findings with a high risk rating.

ADEQUATE – A combination of some deficiencies in the control system requires immediate corrective action by the head of the business area / organisational unit. Management is aware of the required monitoring and supervision; procedures and responsibilities are roughly defined. Supervision is occasional. The risk is medium. Most findings are rated as medium risk.

INADEQUATE – Major deficiencies in the control system undermine operations and must be immediately addressed by the head of the business area / organisational unit as a matter of priority. Supervision is not carried out according to formal written procedures and is left to individuals. The risk is high. There are findings rated as high risk.

UNSATISFACTORY – There is a high degree of major deficiencies (non-compliance, complete lack of controls), requiring a complete reorganisation of the business area / organisational unit. There is no supervision. The risk is very high.

Despite the given scale and in view of the professional and ethical standards required of the certified internal auditor, part of the assessment of the internal control system remains the discretion of the certified internal auditor.

Below is a brief summary of the key conclusions in the audited areas in Sava Re (internal audit collaborations with subsidiaries are not included, since these engagements are included in subsidiaries' annual internal audit reports).

Audit of the system for concluding contracts with audit firms (1_R_2023/SRe)

The audit included a review of the system for concluding contracts with audit firms and is carried out annually in accordance with the requirements of the Policy for Ensuring the Independence of the Auditor of the Financial Statements of Sava Re d.d. and the Sava Insurance Group.

Based on the audit procedures carried out, we assessed the adequacy, effectiveness and efficiency of the risk management and internal control system in the audited processes of the area audited as GOOD.

We made two recommendations that were considered medium risk. The first one is related to the completion of the record of audit and non-audit activities, and the second one is related to the proposals made for updating the Policy for Ensuring the Independence of the Auditor of the Financial Statements of Sava Re d.d. and the Sava Insurance Group.

Audit of the ORSA process (2_R_2023/SRe)

The audit included a review and assessment of the effectiveness of managing the ORSA process and of the compliance of the own risk and solvency assessment content with the legislation and internal regulations.

Based on the audit procedures carried out, we assessed the adequacy, effectiveness and efficiency of the risk management and internal control system in the audited processes of the area audited as GOOD.

We made two recommendations that were considered medium risk. The first is to consider the possibility of including additional elements of the ORSA already in the preparation of the business plan, and the second is to consider the possibility of implementing the scenarios at the same time.

Audit of the process and IT support for managing SysAid requests (3_R_2023/SRe)

The audit included a review and assessment of the adequacy of the change management and incident and problem management processes, as required by COBIT 2019, for the period from the implementation of the ITSM tool SysAid to the start of the audit in 2023. Based on the audit procedures carried out, we assessed the adequacy, effectiveness and efficiency of the risk management and internal control system in the audited processes of the area audited as ADEQUATE.

Based on the audit procedures carried out, we made nine recommendations, of which four were considered medium risk and five low risk, relating to the establishment of a single platform for the management of all IT services within a single software solution (SysAid), the implementation of all SysAid activities as a project in accordance with the project management methodology, the determination of the severity of each error (incident), which will determine the prioritisation of its resolution, and the description relating to the SLA (when the request is expected to be processed according to the urgency indicated by the user).

The main finding of the audit was that there is room for process improvement, particularly in standardising IT support for all types of requests, incidents and problems, and in properly presenting the capabilities of the SysAid software solution to users.

Audit of capital and capital adequacy management (4_R_2023/SRe)

The audit included a review and assessment of the accuracy of the Company's capital adequacy and liquidity calculations in relation to legal requirements and internal regulations.

Based on the audit procedures carried out, we assessed the adequacy, effectiveness and efficiency of the risk management and internal control system in the audited processes of the area audited as GOOD.

We made seven recommendations, of which three were considered medium risk and four low risk. The recommendations relate to the review or alignment/updating of internal regulations (liquidity risk management policy, QRT reporting instructions), changes to the process or the way certain activities are carried out (organisation of the investment committee, establishment of a channel/method for reporting major outflows, preparation of the annual cash flow plan, inclusion of additional items in the annual cash flow plan) and consideration of the possibility of providing better quality data on planned reinsurance inflows/outflows for the purpose of planning and reporting on the Company's liquidity.

Audit of the management of BI-DWH data sources (5_R_2023/SRe)

The audit included a review and assessment of the adequacy of data flows, databases, dependencies between individual databases and the DWH filling process, based on the COBIT 2019 Framework for the Governance and Management of Enterprise Information and Technology (COBIT 2019 Framework), namely on the governance objectives DSS01 – Managed Operations, DSS05 – Managed Security Services and DSS06 – Managed Business Process Controls. Based on the audit procedures carried out, we assessed the adequacy, effectiveness and efficiency of the risk management and internal control system in the audited processes of the area audited as GOOD.

The data warehouse management process is adequately managed, with a large part of it being carried out within Zavarovalnica Sava, and Sava Re's activities being limited to preparing data flows for the data warehouses of both Sava Re and the Sava Insurance Group. Process improvements can be made in terms of user rights assignment where there is a lack of control over access validation by the service owner.

Based on the audit procedures performed, we made a medium-risk recommendation related to the process of assigning user rights.

Audit of the investment process (6_R_2023/SRe)

The audit included a review and assessment of the adequacy of the investment process (implementation, monitoring and reporting).

Based on the audit procedures performed, we assessed the adequacy, effectiveness and efficiency of risk management and the internal control system of the processes of the audited area as VERY GOOD. This is because (i) the investment process is adequately governed by internal regulations, (ii) the management of the finance business line is adequate and will be further strengthened in the future, (iii) an adequate framework for monitoring (the effectiveness of) the outsourced engagement is in place and properly implemented, (iv) the investment policy is planned, (v) the limit system is in place, (vi) compliance with the investment policy and the limit system is adequately monitored, (vii) investment risks are monitored and measured, and (viii) adequate internal reporting is in place. We made four recommendations that were considered low risk, namely in relation to the updating of internal regulations.

Audit of the treaty reinsurance process (7_R_2023/SRe)

The audit included a review and assessment of the adequacy of the treaty reinsurance process.

Based on the audit procedures carried out, we assessed the adequacy, effectiveness and efficiency of the risk management and internal control system in the audited processes of the area audited as GOOD.

We made two recommendations that were considered low risk, namely in relation to the review of the Rules on Underwriting, Risk Acceptance and Claims Handling Outside the Sava Insurance Group, the Rules on Underwriting and Risks Acceptance in the Group, and the Group Underwriting Guidelines.

Audit of compliance with sustainability requirements (cooperation with the compliance function) (8_R_2023/SRe)

The audit included a review of the Company's compliance with regulatory requirements related to sustainability and best practice.

Based on the audit procedures carried out, we assessed the adequacy, effectiveness and efficiency of the risk management and internal control system in the audited processes of the area audited as GOOD.

We consider the area's organisation appropriate, and the Group governance and the flow of information on sustainable development adequate. The Company has adopted a sustainability strategy with associated KPIs, and activities to set targets for some KPIs are ongoing. It has also integrated sustainability risks into its risk management process. The Company complies with regulatory requirements. We made nine recommendations, of which five were considered opportunities for improvements in operations (considering the inclusion of the persons appointed by the subsidiaries to coordinate sustainability in the sustainable development executive meeting, completing the presentations for the sustainable development executive meeting with the decisions taken and the responsible business line managers, reviewing the requirements of the EU Sustainable Finance Disclosure Regulation on pre-contractual disclosures and online publications and providing guidance to Group companies in this respect, and compiling a list of the reports to be provided by the subsidiaries), and four that were considered low risk (adoption of the management board's resolution to appoint the members of the sustainable development executive meeting, review of the requirement of the Companies Act to adopt a cooperation policy, alignment of the Procurement Policy of the Sava Insurance Group with the actual situation and ensuring that the business line managers include in their communication the persons appointed by the subsidiaries to coordinate sustainable development).

Audit of the IT governance process (9_R_2023/SRe)

The audit included a review and assessment of the maturity, effectiveness and efficiency of the IT governance processes defined in COBIT 2019 and a follow-up to the previous COBIT 2019 audit. Based on the audit procedures carried out, we assessed the adequacy, effectiveness and efficiency of the risk management and internal control system in the audited processes of the area audited as ADEQUATE.

During the audit, we made three recommendations that were considered medium risk, mainly related to managing security data on endpoint devices and the service request management process.

The internal audit engagement showed progress in the adherence to controls compared to the results of the assessments from 2020, 2021 and 2022. Four recommendations from previous IT governance audits are still pending, and there are further opportunities for improvement, particularly in the management of user computing devices. Based on the internal audit engagement performed, we believe that Sava Re's IT governance process is not yet at an adequate level to fully comply with COBIT 2019 requirements and has not yet reached the level of control and process maturity in all areas that Sava Re has set for itself.

Audit of salary and travel order accounting process (10_R_2023/SRe)

The audit included a review and assessment of the adequacy of the salary and travel order accounting process within the audit time frame for 2022 and the period 1–10/2023.

Based on the audit procedures carried out, we assessed the effectiveness and efficiency of the risk management and the system of internal controls in the reviewed processes of the audited area as GOOD, which means that management generally has good control of the business operation and ensures that responsibilities, authority and control are exercised.

We made five recommendations, of which one was considered medium risk and four low risk. Recommendations relate to describing the HR process and setting up an archive, recording employee attendance and absences, and a greater commitment regarding the eligibility of tax-deductible expenses for teambuilding.

Continuous auditing – IT (11_R_2023/SRe)

The continuous auditing included the following activities throughout the year:

  • we monitored the CORE ERP steering committee (with the service provider and in-house) and reviewed the project status report;
  • we were involved in the review of the compliance of Sava Re's rules on document storage with ZVDAGA-A;
  • we participated in the review of the document management information system (M-files) requirements;
  • we reviewed and contributed to the development of a cyber incident response plan;
  • we participated in the implementation of activities of the information security committee;
  • we reviewed the materials at the time of the IT steering committee's formation;
  • we participated in the first IT conference of the Sava Insurance Group;
  • we attended a meeting about moving the local servers to a new physical location at Illyria;
  • we reviewed the state of the GDPR consultation with the DPO of Sava Re;
  • we reviewed the actions taken by IT to address the recommendations of the external audit in the IT area – reviewing the implementation of user rights controls, monitoring activities in IT systems, complying with regulators' requirements, etc;
  • we created an ISO/IEC 27001:2022 checklist for all changes;
  • we carried out a DORA gap analysis for all Slovenian Group companies;
  • we reviewed the security analyses and penetration tests carried out (review of deficiencies and follow-up of actions taken to remedy them): a comprehensive review of the IT system (2BSecure, Israel) and GO-LIX and Carbonsec security tests (all at the Group level).

Based on the audit procedures carried out, we assessed the adequacy, effectiveness and efficiency of the risk management and internal control system in the reviewed processes of the area audited as ADEQUATE.

5 OVERVIEW OF THE IMPLEMENTATION OF RECOMMENDATIONS TO REMEDY DEFICIENCIES AND IRREGULARITIES

The IAD periodically reports on the status of the implementation of recommendations or proposals made following the identification of irregularities or deficiencies. Between 1 January and 31 December 2023, 109 recommendations were monitored. Based on the internal audits carried out, we made 53 recommendations in 2023.

Of the 109 recommendations made to Sava Re, 79 have been implemented (15 of these being opportunities for improvement), 19 remain pending, and 14 had their implementation deadline extended. As at 31 December 2023, 99% of overdue recommendations were implemented.

6 STAFF, TRAINING AND OTHER ACTIVITIES

In 2023, the IAD had eleven employees. Of these, six were certified internal auditors, one was CIA-licensed, and two were certified information systems auditors. Two employees are in the process of attaining the title of certified internal auditor. The staff also hold the following licences: CISA, CRISC, CISM, CSX, lead assessor for ISO 9001, ISO 22301, ISO/IEC 27001, 27018, ISO/IEC 20000, PCI DSS ASV, PCI DSS QSA, eIDAS, NPK security manager, certified public sector accountant, certified state internal auditor, internal assessor for ISO 9001, ISO 14001, ISO 18001, ISO 45000 and IIA Quality Assessment.

I believe that the number and structure of the IAD staff will enable the proper fulfilment of planned activities, provided that there are no prolonged unplanned absences and/or increased unplanned workloads. In 2023, the internal audit function covered all key risks and was not constrained in any way (in terms of staff, technical means, material, etc.) in the performance of its duties.

In 2023, IAD employees received training in various areas. In addition to the training sessions held by the Slovenian Institute of Auditors, ISACA and the Slovenian, Croatian and Serbian institutes of internal auditors, in-house training sessions in various areas (sustainability, IT, compliance and internal audit) and international web-based seminars, we also regularly followed articles on current topics related to internal audit, (re)insurance, accounting, finance, tax and sustainability. We also successfully held a workshop for internal auditors of the Sava Insurance Group, where we presented best practices of internal audit in the Group (new internal audit application, follow-up of recommendations, quarterly reporting, PPT presentations, exploring possible improvements of reporting in the new application, etc.), the proposal of the new Global Internal Audit Standards™, artificial intelligence and its use in internal audit, the impact of DORA implementation and soft skills.

In 2023, the IAD produced the Annual Work Plan of the IAD for 2024, the Strategy of the IAD for 2023–2027, four quarterly internal audit reports for October–December 2022, January–March 2023, April–June 2023 and July–September 2023, and its 2022 annual report.

The director of IAD regularly attended the meetings of the management board, supervisory board and its audit committee, the risk management committee and the Company's executive meetings. Operations were also monitored by reviewing the documents prepared for the meetings of the management board, the risk management committee and the executive meetings. Other activities include managing the department. Employees were interviewed on an annual basis, and personal objectives were set for 2023/2024, as well as an evaluation of the work of IAD employees throughout the year.

The IAD was involved in regular quarterly risk assessments at the Sava Insurance Group and Sava Re levels, and also contributed to the SFCR and RSR reports. It was also involved in the IAD-related parts of the 2024 planning process, and in the IAD-related section of the Sava Insurance Group's annual report.

Cooperation with the external auditor included coordinating work, following up pre-audit and post-audit conclusions, and participating actively in joint meetings.

As part of the development of the IAD in 2023, we further improved the activities related to the software support for the comprehensive internal audit process (we introduced the new K10 software support) at the Group level, completed the overall opinion methodology at the Company and Group level, and prepared the overall opinion for the Company and the Group for 2023. We also updated our continuous auditing methodology, which we have been using since 2021. The Group Internal Audit process, introduced in all Sava Insurance Group companies in 2021, was further improved in 2023.

The IAD provided technical assistance to the subsidiaries' internal auditors in the areas of methodology, updating work programmes for individual internal audit engagements, providing software support for the comprehensive internal audit process and training new employees in the subsidiaries. All the Group's internal auditors met at least monthly, and there was active cooperation between the Company's and the Group's key function holders.

The Company's internal audit policy was updated in March 2023 with effect from 1 April 2023. The policy was reviewed as part of the regular annual review in December 2023, and no amendments were required. In light of the revision of the Global Internal Audit Standards™, which will come into force on 8 January 2025, we will review the internal audit policy by the end of 2024 and adapt it as necessary.

7 IAD QUALITY ASSURANCE AND IMPROVEMENT PROGRAMME

In accordance with the requirements of the standards, the IAD performed a quality assessment of its activities. These assessments are conducted on the basis of the quality assurance and improvement programme, which covers all aspects of the IAD's activities. The IAD director reports on the results of this programme to the management board and the supervisory board's audit committee.

In 2019, an external assessment of the quality of Sava Re's internal audit was performed by Deloitte Revizija d.o.o. with the following audit team: Barbara Žibert Kralj, partner, certified auditor, responsible for quality control of the tasks performed; Katarina Kadunc, certified internal auditor, certified auditor, FCC; and Urban Goršič, CIA, CFE, as external assessor. Based on the procedures carried out, the external assessment of Sava Re's internal audit activity confirmed that the internal audit complies with the International Standards for the Professional Practice of Internal Auditing, the Code of Ethics of Internal Auditors and the Code of Internal Auditing Principles. The Deloitte internal audit maturity model showed that the level of Sava Re's internal audit was in the upper part of the advanced level or a leading practice in most of the attributes. The next external assessment (by an independent external assessor) is planned for 2024 and will be carried out simultaneously in all Group companies (BDO as the selected contractor).

We continued our activities to improve and complement our working methodology, particularly in terms of further development of the internal audit process with a new internal audit application, the overall opinion and the continuous audit of key processes. We also updated the internal audit manual.

In accordance with the standards, the IAD carried out a regular annual self-assessment of its activities in 2023. The results showed the compliance of internal audit activities with the definition of internal auditing, the standards and the code of ethics. In accordance with the internal audit guidelines, we amended the IAD quality assurance and improvement programme to include statements on the compliance of the internal auditor's activities with the standards and the code of ethics, and on the disclosure and avoidance of conflicts of interest.

In early 2024, we sent a questionnaire to the members of the management board, the supervisory board and its audit committee to assess their satisfaction with the internal audit function (for the internal audit maturity model). The average score of all returned questionnaires is 3.6 out of a maximum of 4. The management board sees the internal audit as an important component of the Company's risk management framework and believes the internal audit plays an important role in the Company. The responses to the questionnaire provide important input for the design of the internal audit quality assurance and improvement programme. In December 2023, the members of the supervisory board's audit committee and the holder of the internal audit key function had a separate annual interview at the audit committee session without the management board present.

In March 2024, we prepared and submitted to the audit committee the Internal Audit Quality Improvement Programme of Sava Re d.d., together with a self-assessment of our work in 2023. We have also reviewed our independence against an established internal audit checklist and have not identified any audit in which our independence has been compromised or impaired. The IAD has also foreseen a performance assessment in its annual work plan. It also follows up on the implementation of the recommendations it makes to the management board. In 2023, all but one of the proposed recommendations were adopted by the resolution of the management board and submitted to those responsible for their implementation.

As director of internal audit, I believe that the activity of the IAD in 2023 was compliant with the standards and that the annual work plan was implemented very successfully.

Director of Internal Audit and Internal Audit Function Holder

Polonca Jug Mauko

Appendix 1: Glossary

Abbreviation        Meaning
AC                  Audit committee
ASP.ins             Application to support insurance underwriting processes in Sava Re subsidiaries
CFE                 Certified Fraud Examiner
CIA                 Certified Internal Auditor
CISA                Certified Information Systems Auditor (upgraded with the Slovenian Institute of Auditing's PRIS certificate, certified information system auditor)
CISM                Certified Information Security Manager (a qualification for information security managers, including the CISO or Chief Information Security Officer role)
COBIT 2019          Information and Technology Governance Framework
CORE ERP/systems    Software solution for a key business process
CRISC               Certified in Risk and Information Systems Control
eIDAS               Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC
EU                  European Union
IA                  Internal audit
IAD                 Internal audit department
IFRS                International Financial Reporting Standards
IIA                 Institute of Internal Auditors
ISACA Slovenia      Information Systems Audit and Control Association of Slovenia
ISO 14001           International standard for environmental management systems, covering the management of the environmental aspects of a production or service activity
ISO 22301           Business continuity management system
ISO 45000           Occupational health and safety management system
ISO 9001            Quality management system
ISO/IEC 20000       Service management system
ISO/IEC 27001       Information security management system
ISO/IEC 27018       International standard on privacy in cloud computing services (code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
IT                  Information technology
MS Teams            Microsoft Teams, Microsoft's communications application (meetings, calls, video calls, messaging, screen sharing, etc.)
P2P                 Sava Re's internal peer-to-peer coaching
PCI DSS ASV         Payment Card Industry Data Security Standard Approved Scanning Vendor
PCI DSS QSA         Payment Card Industry Data Security Standard Qualified Security Assessor
PJM                 Polonca Jug Mauko
Q4                  Fourth quarter
REP                 Report
SB                  Supervisory board
SIMCORP             SimCorp software for an integrated asset management system, improved investment decisions and an overview of the entire business operation in one system
SOC                 Security operations centre
x_F_201x/company    Audit designation: follow-up audit
x_R_201x/company    Audit designation: standard audit
x_SOD_201x/company  Audit designation: consulting/collaboration in an audit of a subsidiary
x_SV_201x/company   Audit designation: consulting engagement
ZISDU-3             Investment Funds and Management Companies Act
ZZavar-1            Slovenian Insurance Act

Companies of the Sava Insurance Group
SRe                 Sava Re
ZS                  Zavarovalnica Sava
SPD                 Sava Pokojninska Družba
SIn                 Sava Infond
SPDMKD              Sava Penzisko Društvo (North Macedonia)
SNOSr               Sava Neživotno Osiguranje (Serbia)
SŽOSr               Sava Životno Osiguranje (Serbia)
SOMKD               Sava Osiguruvanje (North Macedonia)
SOMNE               Sava Osiguranje (Montenegro)
Illy                Illyria (Kosovo)
ILife               Illyria Life (Kosovo)
TBS                 TBS TEAM 24
Vita                Vita, Življenjska Zavarovalnica

OPINION OF THE SUPERVISORY BOARD ON THE ANNUAL REPORT OF THE INTERNAL AUDIT DEPARTMENT ON INTERNAL AUDITING FOR 2023

In 2023, Sava Re's internal audit department (IAD) carried out audits in the areas set out in its annual work plan for 2023.

The audit objectives pursued by the IAD were to verify whether the risk management procedures were adequate and efficient, and whether the internal controls and governance procedures in the reinsurer's most important operating segments were effective and efficient. The IAD assessed the adequacy of internal controls to prevent fraud and the potential vulnerability of IT business support.

A total of 43 internal audit engagements were carried out in Sava Re and its subsidiaries in 2023. In addition, the IAD collaborated in audits in several Group companies, and proposed 53 recommendations based on the audit engagements carried out at Sava Re. The supervisory board finds that the IAD operated in line with the guidelines of the supervisory and management boards and, with its recommendations, made a significant contribution to the risk management of Sava Re and the Sava Insurance Group.

Based on all the tests carried out and the methods used in the individual areas that we audited, the IAD believes that Sava Re's internal controls are adequate and that their reliability is good. Furthermore, it believes that the governance of Sava Re is appropriate and is continuously improving in order to achieve major business goals, and that risks are effectively managed while striving for efficient and economical operations. Nevertheless, there are still opportunities to improve the functioning of the internal control system. The internal audit engagements revealed certain irregularities and deficiencies, and the IAD made relevant recommendations for their elimination to ensure further improvement of Sava Re's internal controls, risk management and governance. The Company's management board is aware of the potential impact that the identified violations, irregularities and deficiencies may have on the achievement of the Company's key objectives, and it is therefore taking or seeking remedial action to address them. This leads to greater efficiency of internal controls and enhances the regularity of operations.

The members of the supervisory board monitored the effectiveness and efficiency of the IAD activity through quarterly reports and the annual report of the IAD. They received summaries of the internal quality assessment of the function of the IAD. The assessment showed that the IAD's activity was compliant in all material respects with the law and International Standards for the Professional Practice of Internal Auditing.

Based on the above, the supervisory board hereby gives a positive opinion on the Annual Report of the IAD on Internal Auditing for 2023.

Ljubljana, 4 April 2024

Supervisory Board of Sava Re d.d.
Chairman
Davor Ivan Gjivoje Jr
