Universal Registration Document 2022

Operating procedures

The Group’s audit unit conducts audits of the entities and controlled subsidiaries, Business Units, projects and cross-functional functions. These audits include a review of the robustness of internal control and are carried out every three to five years depending on their level of significance. The IAD is the sole entity with powers to conduct corporate cross-functional BU/project audits, whereas the Audit Departments of the subsidiaries only conduct audits within their scope.

The audit programme is developed on the basis of the Group risks.

All audits give rise to recommendations which, once validated by the audited parties and their management, become the subject of action plans drafted by the aforementioned management and audited parties. These action plans are sent to the IAD for its opinion; the IAD subsequently monitors them, starting no later than six months after the audit report is circulated. A half-yearly summary report recaps the main findings of the corporate audit and the follow-up of action plans. This half-yearly report also presents the results of the audit programme, the level of satisfaction of the audited parties, the activity of the entity, an assessment of skills and the budget. Furthermore, it identifies any recurring or generic problems observed in several audits and deserving special attention. Finally, it provides an audit-based view of the Group’s level of risk control. This report is presented to the Chairman and Chief Executive Officer, the Executive Committee, and then to the Audit Committee and the Board of Directors.

External controls

Like all listed companies, the EDF group is subject to review by the AMF. As a company majority-owned by the French State, EDF is also subject to control by the Cour des Comptes (French Court of Auditors), the economic and financial controllers of the Inspectorate of Finance, the Economic Affairs Committees or ad hoc Committees of Enquiry of the French National Assembly and Senate.

In accordance with the law, the Statutory Auditors certify the annual financial statements (parent company and consolidated financial statements) and perform a limited review of the Group’s half-yearly condensed consolidated financial statements. Their report on the annual financial statements includes checks on the corporate governance information required by the Articles L. 225-37-6 of the French Commercial Code.

In view of its business activities, EDF is also subject to control, in France, by the Energy Regulation Commission (CRE) and the French Nuclear Safety Authority (ASN).

2.1.3 The main programmes for controlling activities

The activity control programmes are implemented to ensure that the requirements set out in the Group’s policies, validated by the Executive Committee (see box in section 2.1.2), are met and are selected according to the major risks.

2.1.3.1 The Group Ethics and Compliance programme

The Group Ethics and Compliance Department implements the Group Ethics and Compliance programme on the basis of the following reference frameworks (see section 3.1 “Carbon neutrality and the climate”):

  • the Group Ethics and Compliance Policy (PECG) lays down the main rules of which Managers must be aware, with which they must comply and for which they must ensure compliance within their entities, in strict accordance with the risks of their respective entities. The PECG is backed up by instruction memoranda and support guides designed to assist its deployment, including in particular monitoring the integrity of business relations, financial ethics, protection of personal data, the combating of fraud, the management of gifts and invitations, the prevention of conflicts of interest and the duty of vigilance. The PECG is the supra-reference to the Group Ethics Charter and the Ethics and Compliance code of conduct, which can be updated according to new applicable regulations, and which is subject to audit;
  • the Group Ethics Charter, built around the Group’s three values (Respect, Solidarity, Responsibility), defines the requirements that should guide the actions and conduct of the Group employees on a daily basis;
  • the Ethics and Compliance code of conduct, reviewed in 2021, is set out in the internal regulations of the entities, is the reference document for the prevention of corruption, and applies to all employees (requirements of the Sapin II Act);
  • the EDF group’s ethics and compliance whistle-blowing system allows the Group’s employees and external personnel (temporary staff, employees of a service provider, etc.) or occasional employees (fixed-term contracts, apprentices, trainees, etc.) to submit a report in accordance with the “Sapin II” Act of 9 December 2016, relating to transparency, the combating of corruption and the modernisation of economic life (see section 3.3.2.4 “The EDF Group whistleblowing procedure”). The same whistle-blowing system is also made available to third parties for issues covered by the “Duty of Vigilance” Act of 27 March 2017 relating to the duty of vigilance of parent companies and companies placing orders.

2.1.3.2 The Information Systems and Assets Security programme

The Information Security and Information Systems programme is covered by both the policy for the Security of Assets against Malicious Acts and the policy for the Security of Information Systems and IS Governance of information systems and digital transformation. Both policies aim to prevent the risk of attacks and limit the impact of any such attack. These policies are supplemented by guidelines on the protection of personal data.

The main strategic orientations for controlling activities aim to:

  • legitimise and strengthen governance and management;
  • generalise the culture of safety throughout the Group;
  • secure the most critical functions in close collaboration with the business lines;
  • anticipate, strengthen and maintain the uniformity of monitoring and the ability to react in the event of an incident.

A charter governing the use of IT resources sets out IT best practices and is annexed to EDF’s internal regulations. IS security training and awareness-raising courses adapted to different profiles (users, project managers, IS security managers, etc.) are offered on a regular basis to employees. The Executive Committee and the Audit Committee of the Board of Directors receive reports on cyber security risk management. Several dozen security audits are carried out each year by external IS security audit companies qualified to the PASSI standard (IS security audit providers), and by the ANSSI (the French National Cybersecurity Agency), both on IT infrastructures and on business information systems. In addition, the EDF group SOC (Security Operational Centre) reports monthly on IS security incidents.

Lastly, IS crisis and cyber security drills are regularly carried out to test the various measures put in place.

The main actions for cyber security risk control that were implemented in 2022 are set out in section 2.2.4 “Attacks against assets, including cyber attacks” (4D).

2.1.3.3 The Health and Safety programme

The EDF group’s health and safety programme is set out in section 3.3.1.3.1 “Health and safety policy”.

2.1.3.4 Approval of capital commitments

The EDF group’s Capital Commitments policy sets the framework for decisions on commitments in terms of management, governance and control. This policy applies to all capital-commitment projects, regardless of their amount, for all EDF entities and subsidiaries, excluding regulated subsidiaries, while adhering to the governance principles applying to listed companies. Before each commitment decision, the proposed projects undergo a risk analysis according to a methodological reference framework made available to the entire Group. Capital commitment projects are reviewed, where applicable, by the Board of Directors as described in sections 4.2.2.3 “Powers and duties of the Board of Directors” and 4.2.2.9 “Activity of the Board of Directors in 2022”.