The Group’s audit unit conducts audits of the entities and controlled subsidiaries, business units, projects and cross-functional functions. These audits include a review of the robustness of internal control and are carried out every three to five years depending on their level of significance. The IAD conducts corporate cross-functional audits, whereas the Audit Departments of the subsidiaries only conduct audits within their scope. The IAD is the only entity competent to carry out audits of BUs/projects involving a corporate level risk.
The audit programme is drawn up on the basis of the Group’s priority risk universe; all Group BUs, projects and processes must be audited on a regular basis.
All audits give rise to recommendations which, once validated by the audited parties and their management, become the subject of action plans drafted by the aforementioned management and audited parties. These action plans are sent to the IAD for its opinion, which subsequently monitors them starting no later than six months after the audit report is circulated. A half-yearly summary report recaps the main findings of the corporate audit and the follow-up of action plans. The half-yearly report also presents the results of the audit programme, the level of satisfaction of the audited parties, the activity of the entity as well as an assessment of skills and the budget. Furthermore, it identifies any recurring or generic problems observed in several audits and that deserve special attention. Finally, it provides an audit-based view of the Group’s level of risk control. This report is presented to the Chairman & Chief Executive Officer, the Executive Committee, and then to the Audit Committee and the Board of Directors.
Like all listed companies, the EDF group is subject to review by the AMF. As a company majority owned by the French State, EDF is also subject to control by the Cour des comptes (French court of auditors), State Controllers, the Inspectorate of Finance, Economic Affairs Committees or ad hoc Committees of inquiry of the French National Assembly and Senate.
According to law, the Statutory Auditors certify the annual financial statements (parent company and consolidated financial statements) and perform a limited review of the Group’s half-yearly condensed consolidated financial statements. Their report on the annual financial statements includes the verifications of the information on corporate governance required by Articles L. 225-237-3 et seq. of the French Commercial Code.
In the light of its business activities, EDF is also subject to control, in France, by the Energy Regulation Commission (CRE) and the French Nuclear Safety Authority (ASN).
The activity control programmes are implemented to ensure that the requirements set out in the Group’s policies, validated by the Executive Committee (see box in 2.1.2), are met and are selected according to the major risks.
The Group Ethics and Compliance Department implements the Group Ethics and Compliance programme on the basis of the following referentials (see section 3.1 “EDF, a responsible company”):
The main strategic orientations for controlling activities aim to generalise a culture of safety throughout the Group, legitimise and strengthen governance and management at entity level, in particular by making available tools for acculturation and incident monitoring. The Assets Security programme is covered by the Security of Assets against Malicious Acts policy. It aims to prevent the risks of damage to the Group’s assets and limit the impact of any such damage.
The Information Security and Information Systems programme is covered by the Security of Assets against Malicious Acts policy and the Security of Information Systems policy, which both aim to prevent the risk of attacks and limit the impact of any such attack. These policies are supplemented by guidelines on the protection of personal data.
The main strategic orientations for controlling activities aim to: legitimise and strengthen governance and management, generalise a culture of safety throughout the Group, secure the most critical functions in close collaboration with the business lines, and anticipate, strengthen and maintain the uniformity of monitoring and the ability to react in the event of an incident.
A charter regarding the use of IT resources is annexed to the Company’s internal regulations. IS security training and awareness-raising courses adapted to different profiles (users, project managers, IS security managers, etc.) are offered on a regular basis to employees. The Executive Committee and the Audit Committee of the Board of Directors receive reports on cybersecurity risk management. Several dozen security audits are carried out each year by external PASSI qualified IS security audit companies (IS security audit providers) by the ANSSI (the National Cybersecurity Agency of France), both on IT infrastructures and on business information systems. In addition, the EDF group SOC (Security Operational Center) reports on IS security incidents on a monthly basis.
Lastly, IS crisis and cybersecurity drills are regularly carried out to test the various measures put in place.
The main cybersecurity risk control actions implemented in 2021 are set out in chapter 2.2.4 “Operational performance related risks” (4D).
The EDF group’s health and safety programme is set out in chapter 3.3.1.3.1 “Health and safety policy”.
The EDF group’s Commitments policy sets the framework for decisions on commitments in terms of management, governance and control. This policy applies to all commitment projects, regardless of their amount, for all EDF entities and subsidiaries, excluding regulated subsidiaries, while respecting the governance of listed companies. Before each commitment decision, the proposed projects undergo a risk analysis according to a methodological reference framework made available to the entire Group. Strategic projects (beyond the thresholds defined in the Commitments policy) are reviewed by the Group Executive Committee Commitments Committee (CECEG).
Commitment projects are reviewed, where applicable, by the Board of Directors as described in sections 4.2.2.3 “Powers and duties of the Board of Directors” and
4.2.2.9 “Activity of the Board of Directors in 2021”.
Strategic disposal projects are examined separately and supervised by the Disposals Committee (part of the CECEG) to preserve confidentiality and responsiveness.