Vodafone 2025 Annual Report

86 Vodafone Group Plc Annual Report 2025 Governance continued Audit and Risk Committee

Strategic report

Governance

Financials

Other information

The Committee oversees the governance of the Group’s risk management system, financial reporting, the external audit process, internal control and related assurance processes. During the year, the Committee completed a series of deep-dive reviews of principal key risks with a focus on cyber security, technology resilience and company transformation programmes. Chair and financial expert David Nish Members Michel Demaré Simon Dingemans (appointed on 1 January 2025) Deborah Kerr Christine Ramon T he attendance at Committee meetings can be found on page 76

Objective The objective of the Committee is the provision of effective governance over the appropriateness of financial reporting of the Group. This includes the adequacy of related disclosures, the performance of both the Internal Audit function and the external auditor and oversight of the Group’s systems of internal control, business risks and related compliance activities. Click or scan to watch the Chair of the Audit and Risk Committee explain his role: investors.vodafone.com/videos Committee governance Committee meetings normally take place the day before Board meetings. The Committee Chair reports to the Board, as a separate agenda item, on the activity of the Committee and matters of particular relevance. The Board has access to the Committee’s papers and receives copies of the Committee minutes. The Committee regularly meets separately with the external auditor, the Group Chief Financial Officer, the Group Audit Director, the Compliance Director and the Group Head of Risk without others being present. The Chair also meets regularly with the external lead audit partner during the year, outside of the formal Committee process. The Chair is designated as the financial expert on the Committee for the purposes of the US Sarbanes-Oxley Act and the 2018 UK Corporate Governance Code (‘Code’). The Committee continues to have competence relevant to the sector in which the Group operates. R ead more about the skills and experience of Committee members on pages 73 to 76

– Review and monitor the external auditor’s independence and objectivity and the effectiveness of the external audit; – Review the system of internal financial control and compliance with section 404 of the US Sarbanes-Oxley Act; – Monitor the activities and review the effectiveness of the Internal Audit function; – Monitor the Group’s risk management system, review of the principal risks and the management of those risks; and – Review and provide advice to the Board on the approval of the Group’s US Annual Report on Form 20-F. Click to read the Committee’s terms of reference: vodafone.com/board-committees Letter from Committee Chair I am pleased to present our report as Chair of the Audit and Risk Committee. This report provides an overview of how the Committee operates, an insight into the Committee’s activities during the year and its role in ensuring the integrity of the Group’s published financial information and the effectiveness of its risk management, controls and related processes. The Committee met six times during the year. The attendance by members at Committee meetings can be seen on page 76 . Each meeting agenda included a range of topics across the Committee’s areas of responsibility. In summary: – We undertook a programme of reviews across multiple business units, typically with a focus on the risk and control environment. Alongside key members of their teams, this included presentations by the CEO of Vodafone Business, the CEO of Vodafone Shared Operations, the CEO of Vodafone Germany, the CEO of Vodacom Group and the CEO European Markets; – We met on several occasions with the Group Chief Technology Officer and the Cyber

Security, Technology Strategy and Governance Director to review and challenge strategies and activities around external cyber threats and technology resilience which continue to be principal risks for the Group; R ead more about cyber security on pages 48 to 52 – At the September 2024 and March 2025 meetings, we considered the anticipated financial reporting matters impacting the half-year and year-end reporting; and – We reviewed Q1 trading update at our July 2024 meeting, the half-year results announcement at our November 2024 meeting, the Q3 trading update at our January 2025 meeting and this Annual Report and accompanying materials at our March 2025 and May 2025 meetings. Our work included reviews of the Strategic Report, goodwill impairment testing, taxation judgements, legal contingencies and the Company’s work on going concern and the long-term viability statement. – The Committee recognises the importance of Environmental, Social and Governance (‘ESG’) and the evolving Corporate Sustainability Reporting Directive (‘CSRD’) requirements in this area. During our joint meetings with ESG Committee members, we considered the appropriateness of disclosures included in this Annual Report. Our external auditor, Ernst & Young (‘EY’), provides robust challenge to management and its independent view to the Committee on specific financial reporting judgements and the control environment. David Nish On behalf of the Audit and Risk Committee 3 June 2025

Find out more Click or scan to watch our Non-Executive Directors explain their role: investors.vodafone.com/videos

Key responsibilities The responsibilities of the Committee are to: – Monitor the integrity of the financial statements, including the review of significant financial reporting judgements; – Provide advice to the Board on whether the Annual Report is fair, balanced and understandable, and on the appropriateness of the long-term viability statement;