The Group’s audit unit conducts audits of the entities and controlled subsidiaries, Business Units, projects and cross-functional functions. These audits include a review of the robustness of internal control and are carried out every three to five years depending on their level of significance. The IAD is the sole entity with powers to conduct corporate cross-functional BU/project audits, whereas the Audit Departments of the subsidiaries only conduct audits within their scope.
The audit programme is developed on the basis of the Group risks.
All audits give rise to recommendations which, once validated by the audited parties and their management, become the subject of action plans drafted by the aforementioned management and audited parties. These action plans are sent to the IAD for its opinion; the IAD subsequently monitors them, starting no later than six months after the audit report is circulated. A half-yearly summary report recaps the main findings of the corporate audit and the follow-up of action plans. This half-yearly report also presents the results of the audit programme, the level of satisfaction of the audited parties, the activity of the entity, an assessment of skills and the budget. Furthermore, it identifies any recurring or generic problems observed in several audits and deserving special attention. Finally, it provides an audit-based view of the Group’s level of risk control. This report is presented to the Chairman and Chief Executive Officer, the Executive Committee, and then to the Audit Committee and the Board of Directors.
Like all listed companies, the EDF group is subject to review by the AMF. As a company majority-owned by the French State, EDF is also subject to control by the Cour des Comptes (French Court of Auditors), the economic and financial controllers of the Inspectorate of Finance, the Economic Affairs Committees or ad hoc Committees of Enquiry of the French National Assembly and Senate.
In accordance with the law, the Statutory Auditors certify the annual financial statements (parent company and consolidated financial statements) and perform a limited review of the Group’s half-yearly condensed consolidated financial statements. Their report on the annual financial statements includes checks on the corporate governance information required by the Articles L. 225-37-6 of the French Commercial Code.
In view of its business activities, EDF is also subject to control, in France, by the Energy Regulation Commission (CRE) and the French Nuclear Safety Authority (ASN).
The activity control programmes are implemented to ensure that the requirements set out in the Group’s policies, validated by the Executive Committee (see box in section 2.1.2), are met and are selected according to the major risks.
The Group Ethics and Compliance Department implements the Group Ethics and Compliance programme on the basis of the following reference frameworks (see section 3.1 “Carbon neutrality and the climate”):
The Information Security and Information Systems programme is covered by both the policy for the Security of Assets against Malicious Acts and the policy for the Security of Information Systems and IS Governance of information systems and digital transformation. Both policies aim to prevent the risk of attacks and limit the impact of any such attack. These policies are supplemented by guidelines on the protection of personal data.
The main strategic orientations for controlling activities aim to:
A charter governing the use of IT resources sets out IT best practices, and is annexed to EDF's internal regulations. IS security training and awareness-raising courses adapted to different profiles (users, project managers, IS security managers, etc.) are offered on a regular basis to employees. The Executive Committee and the Audit Committee of the Board of Directors receive reports on cyber security risk management. Several dozen security audits are carried out each year by external IS security audit companies qualified to the PASSI standard (IS security audit providers), and by the ANSSI (the French National Cyber Security Agency), both on IT infrastructures and on business information systems. In addition, the EDF group SOC (Security Operational Centre) reports monthly on IS security incidents.
Lastly, IS crisis and cyber security drills are regularly carried out to test the various measures put in place.
The main actions for cyber security risk control that were implemented in 2022 are set out in section 2.2.4 “Attacks against assets, including cyber attacks” (4D).
The EDF group’s health and safety programme is set out in section 3.3.1.3.1 “Health and safety policy”.
The EDF group’s Capital Commitments policy sets the framework for decisions on commitments in terms of management, governance and control. This policy applies to all capital-commitment projects, regardless of their amount, for all EDF entities and subsidiaries, excluding regulated subsidiaries while adhering to the governance principles applying to listed companies. Before each commitment decision, the proposed projects undergo a risk analysis according to a methodological reference framework made available to the entire Group. Capital commitment projects are reviewed, where applicable, by the Board of Directors as described in sections 4.2.2.3 “Powers and duties of the Board of Directors” and 4.2.2.9 “Activity of the Board of Directors in 2022”.