Report by Group Internal Audit and risk management

||

Group Internal Audit is established as a staff unit of the CEO of Telekom Austria AG with a duty to report to the entire Management Board. There are also local Internal Audit units at all material operating subsidiaries of Telekom Austria AG which report to Group Internal Audit.

All companies, divisions and processes fall within the audit purview of Group Internal Audit without restriction. The associated rights and duties, in addition to the regulations for audit activities, are set out in a Group Internal Audit Charter.

Group Internal Audit performs independent and objective audits throughout the entire Group and reports to the Management Board of Telekom Austria AG. Audit subjects are specified as part of an annual audit plan, which is prepared according to risk criteria, and supplemented by ad hoc audit orders as required. After an initial joint evaluation by Group Compliance, reports received via the ‘tell.me’ whistleblowing system are examined by Internal Audit.

In accordance with C Rule 18 of the Austrian Corporate Governance Code, the head of Group Internal Audit reports to the Audit Committee of the Supervisory Board on the annual audit plan in addition to an annual report on the audits performed and its material findings. Furthermore, significant issues as well as whistleblowing information from the ‘tell.me’ system are reported by Group Internal Audit intra-year to the Audit Committee of the Supervisory Board.

The Telekom Austria Group’s risk management system, which the auditor has reported on to the Audit Committee, enables the Group-wide, structured identification, assessment and processing of risks on the basis of a defined risk policy in addition to strategic and operational objectives. The Audit Committee monitors the functionality and suitability of risk management and the effectiveness of the internal control system.

The internal control system of the Telekom Austria Group serves to ensure the effectiveness and profitability of business activities, the integrity and reliability of financial reporting and compliance with all relevant laws and regulations. To prevent the passing on or misuse of confidential information that might affect the share price, a Group-wide capital market compliance guideline has been implemented and classified units have been defined within the company.

The Telekom Austria Group has also implemented a Group-wide information security policy that governs the use of confidential information such as customer data, traffic data, content data and business and trade secrets. This policy is supplemented by country-specific guidelines at a local level. Information security and data protection managers have been appointed at all Group subsidiaries. Regular internal and external audits in addition to staff training ensure the effective implementation of this corporate policy. Since 2005 A1 has been the only network operator in Austria to be certified according to the ISO 27001 standard. It was followed by Vipnet in 2007 and Mobiltel in 2012. The processes stipulated by this standard ensure the highest possible level of data security within the company. Furthermore, since 2014 A1 has also complied with the ISAE 3402 Type II standard, which attests to an effective internal control system for accounting and IT services.

||