Vodafone 2026 Annual Report

Audit and Risk Committee continued 95 Vodafone Group Plc Annual Report 2026

Strategic report

Governance

Financials

Other information

The scope of our material internal controls has been identified along with the level of internal attestation work that will be performed to support the Board’s declaration of effectiveness of the controls. Corporate Sustainability Reporting Directive In September 2025 and January 2026, the Committee received an update on the Group’s readiness activities to meet the requirements of the CSRD. The Group has a central team responsible for the delivery of CSRD compliance within the existing ESG finance team. Progress towards compliance continues to be closely monitored by management. Long-term viability statement and going concern assessment The Committee provides advice to the Board on the form and basis of conclusion underlying the long-term viability statement and the going concern assessment. R ead more about the long-term viability statement on page 64 R ead more about the going concern assessment on page 96 At our meeting in May 2026, the Committee challenged management on its financial risk assessment as part of its consideration of the long-term viability statement and going concern. This included scrutiny of forecast liquidity, balance sheet stress tests, the availability of cash and cash equivalents through new or existing financing facilities and a review of counter-party risk to assess the likelihood of third parties not being able to meet contractual obligations. This comprehensive assessment of the Group’s prospects made by management included consideration of: – The appropriateness of the three year review period and alignment with the Group’s internal long-term forecasts; – The assessment of the capacity of the Group to remain viable after consideration of future cash flows, including the impact of the agreement for the buyout of CK Hutchison Group Telecom

Holding Limited’s 49% interest in VodafoneThree Holdings Limited (‘VodafoneThree’) and Vodacom’s acquisition in Safaricom; – Expected debt service requirements, undrawn facilities and access to capital markets; – The modelling of the financial impact of severe but plausible risk scenarios materialising; and – The thoroughness of disclosure in relation to the Group’s liquidity provided in the consolidated financial statements. See note 22 ‘Capital and financial risk management’ in the consolidated financial statements. Internal control The Committee has primary responsibility for the oversight of the Group’s system of internal control framework, the compliance framework and the work of the Internal Audit function. Internal Audit The Internal Audit function provides independent and objective assurance over the design and operating effectiveness of the system of internal control, through a risk-based approach. The function reports into the Committee and, administratively, to the Group Chief Financial Officer. The function is composed of teams across Group functions and local markets. This enables access to specialist skills through centres of excellence and ensures local knowledge and experience. Cooperation with professional bodies and an information technology research firm has ensured access to additional specialist skills and an advanced knowledge base. Internal Audit activities are based on a robust methodology, and the internal quality assurance improvement programme ensures conformity with the International Professional Practices Framework (‘IPPF’), including the Global Internal Audit Standards TM and supports the continuous improvement and development of the internal audit methodology in line with leading professional practices. Conformity is independently assessed every three years through an external quality review. Deloitte’s

December 2024 assessment confirmed that Vodafone’s Internal Audit function fully aligns with the International Professional Practices Framework, including the IIA Standards and Code of Ethics, maintaining its highest ‘Generally Conforms’ rating. The review also concluded that the function operates at a level comparable to the most innovative Internal Audit teams in the FTSE 100, more commonly seen in the Financial Services sector. Prior to the start of each financial year, the Committee reviews and approves the annual audit plan, assesses the adequacy of the budget and resources and reviews the strategic initiatives for the continuous improvement of the function’s effectiveness. The audit plan is determined by considering Internal Audit’s rolling review framework and the outputs of a data-driven risk assessment. The Committee reviews progress against the approved audit plan and the results of Internal Audit activities, with a strong focus on unsatisfactory audit results and cross-entity audits, which are audits that are performed across multiple markets with the same scope. Audit results are analysed by process and entity to highlight both changes in the control environment and areas that require attention. During the year, Internal Audit focused its coverage around the Group’s principal risks, including Cyber threat and Data management and privacy. Through thematic reviews, assurance was also provided across key technology, regulatory and operational risk areas. This included assessments of cyber and data security controls, data protection and sovereignty obligations, commercial and Vodafone Business processes, core finance activities and critical M-Pesa system interfaces, reflecting a broad span of coverage across the Group’s principal risk areas. The activities performed by the shared service organisation continue to receive ongoing focus due to the significance across many processes.

Regulators and our financial reporting The Financial Reporting Council (‘FRC’) publishes thematic reviews and other guidance to help companies improve the quality of corporate reporting through the provision of guidance and reviews of the quality of reporting across public companies. The Group routinely reviews FRC publications and updates our external financial reporting to reflect best practice as required. In February 2026, the FRC notified the Group that it had completed a review of the Annual Report for the year-ended 31 March 2025. No questions or queries were raised which required a formal response to the FRC. The FRC’s role is to consider compliance with reporting standards and not to verify the information provided. Therefore, given the scope and inherent limitations of their review, which does not benefit from any detailed knowledge of the Group, it would not be appropriate to infer any assurance from their review that our Annual Report for the prior year-ended 31 March 2025 is correct in all material aspects. 2024 UK Corporate Governance Code In January 2024, the FRC published an updated UK Corporate Governance Code which came into effect during the year ended 31 March 2026, excluding amended Provision 29 which requires Companies to report on the effectiveness of material financial, operating, reporting and compliance controls. Provision 29 is effective for the year ending 31 March 2027. The Group believes it is well placed to meet this new requirement given its existing risk, compliance and assurance frameworks including its controls over financial reporting arising from the US Sarbanes-Oxley Act. The Committee met with the Group Risk and Assurance Director several times during the year on the approach and progress with Provision 29.