Vodafone 2025 Annual Report

90 Vodafone Group Plc Annual Report 2025 Governance continued Audit and Risk Committee continued Assessment of the Group’s system of internal control, including the risk management framework The Group’s risk assessment process and the way in which significant business risks are managed is an area of focus for the Committee. The Committee’s activity here was led primarily, but not solely, by the Group’s assessment of its principal and emerging risks and uncertainties as set out on pages 55 to 59 and a range of mitigations as set out on page 60 . Cyber threats remain a major focus for the Committee given the continual threats in this area. The Group has an internal control environment designed to protect the business from the material risks that have been identified. Management is responsible for establishing and maintaining adequate internal controls and the Committee has responsibility for ensuring the effectiveness of those controls. The Committee reviewed the process by which Group management assessed the control environment, in accordance with the requirements of the Guidance on Risk Management, Internal Control and Related Financial and Business Reporting published by the FRC. This activity was supported by (i) reports from the Group Audit Director, (ii) a review of the Group’s principal risks with the Head of Risk, and (iii) reviews of the Group’s second line of defence with the Group General Counsel and Company Secretary, the Global Director of Compliance and Business Integrity and the Group Head of Controls, Compliance and Assurance.

Strategic report

Governance

Financials

Other information

Long-term viability statement and going concern assessment The Committee provides advice to the Board on the form and basis of conclusion underlying the long-term viability statement and the going concern assessment. R ead more about the long-term viability statement on page 59 R ead more about the going concern assessment on page 117 At our meeting in May 2025, the Committee challenged management on its financial risk assessment as part of its consideration of the long-term viability statement. This included scrutiny of forecast liquidity, balance sheet stress tests, the availability of cash and cash equivalents through new or existing financing facilities and a review of counter-party risk to assess the likelihood of third parties not being able to meet contractual obligations. This comprehensive assessment of the Group’s prospects made by management included consideration of: – The review period and alignment with the Group’s internal long-term forecasts; – The assessment of the capacity of the Group to remain viable after consideration of future cash flows, expected debt service requirements, undrawn facilities and access to capital markets; – The modelling of the financial impact of severe but plausible risk scenarios materialising; – The inclusion of clear and enhanced disclosures in the Annual Report as to why the assessment period selected was appropriate to the Group, what qualifications and assumptions were made and how the underlying analysis was performed, consistent with FRC pronouncements; and – The thoroughness of disclosure in relation to the Group’s liquidity provided in the consolidated financial statements. See note 22 ‘Capital and financial risk management’ in the consolidated financial statements.

The Group operates a ‘Speak Up’ channel that enables employees to anonymously raise concerns about possible irregularities. The Committee received an update on the operation of the channel together with the output of any resulting investigations. The Committee has completed its review of the effectiveness of the Group’s system of internal control, including risk management, during the year and up to the date of this Annual Report. The review covered all material controls including financial, operating and compliance controls. The Committee confirms that the system of internal control operated effectively for the 2025 financial year. Where specific areas for improvement were identified, mitigating alternative controls and processes were in place. This allows us to provide positive assurance to the Board to help fulfil its obligations under the Code.

Compliance with section 404 of the US Sarbanes-Oxley Act Oversight of the Group’s compliance activities in relation to section 404 of the US Sarbanes-Oxley Act and policy compliance reviews also fall within the Committee’s remit. Management is responsible for establishing and maintaining adequate internal controls over financial reporting, and we have responsibility for ensuring the effectiveness of these controls. The Committee received updates on the Group’s work in relation to section 404 compliance and the Group’s broader financial control environment during the year. We continue to challenge management on ensuring the nature and scope of control activities evolve to ensure key risks continue to be adequately mitigated. The Committee also took an active role in monitoring the Group’s compliance activities, including receiving reports from management in the year covering programme-level strategy, the scope of compliance work performed and the results of controls testing. The external auditor also reports the status of its work in relation to controls in its reports to the Committee.