5 Main Characteristics of the Internal Control and Risk and Opportunity Management System

General risk management and internal control system*

Governance Structure

Overall responsibility for the internal control (ICS) and risk and opportunity management system (RMS) at the Group level lies with the Executive Board of Nemetschek SE. The RMS and the ICS cover Nemetschek SE and all consolidated subsidiaries and apply the three-lines-of-defense model approach.

The first "line of defense" entails the management of operating business in conjunction with the central Group functions. They are responsible for identifying, evaluating and managing any risks that may occur. To this end, measures are defined and implemented to address the risks identified. In organizational terms, the second "line of defense" is the central risk management function, which reports to Corporate Controlling. The risk management function, which has been operating as a separate department within the Corporate Controlling organization since 2023, is responsible for the Group-wide risk and opportunity management system (RMS). The RMS undergoes continuous further development and is anchored in the Group by means of appropriate information. The Risk Committee also forms part of this second "line of defense". This body, which is composed of the segment managers and the risk category owners, discusses the combined Group-wide risks and opportunities as well as the measures taken and their impact with the Executive Board on a quarterly basis. In addition, the central risk management function prepares the reports for internal as well as external stakeholders. Internal Audit is the third "line of defense" and acts as an independent control unit of the Executive Board. It regularly reviews the effectiveness of the RMS and ICS on behalf of the Supervisory Board and also submits suggestions that contribute to its continuous improvement.

THREE LINES OF DEFENSE MODEL

[Figure: Supervisory Board / Audit Committee; Executive Board. 1st Line of Defense (Operational Risk Management): risk management on operational level (brand and group level). 2nd Line of Defense (Control and Monitoring): Risk Management System (RMS) and Internal Control System (ICS); Risk Committee. 3rd Line of Defense (Independent Audit): Internal Audit. Compliance.]

In summary, this means that the two systems are implemented in the operating units, i.e. on the level of the local process owners of the Group companies ("1st line of defense"). The Corporate Controlling (RMS/ICS) and Corporate Finance (accounting-related ICS) functions ("2nd line of defense") are responsible for designing and developing the systems. In cooperation with other central functions, they also coordinate the preparation and communication of principles, policies and other information such as the Group account framework for the RMS and ICS. These units also organize and arrange training in conjunction with the central functions involved. The ICS and the RMS entail the management of risks and opportunities relevant for the achievement of business objectives, the appropriateness and reliability of internal and external accounting and compliance with the legal requirements and regulations applicable to the Nemetschek Group. Sustainability aspects, which are being continuously developed on the basis of regulatory requirements, are also increasingly taken into account here. The Internal Audit function ("3rd line of defense") as an independent function regularly reviews the effectiveness of the two systems. Audit activities are performed within the framework of the annual audit plan or on the basis of audits requested during the year. The Audit Committee is systematically involved in the Group-wide ICS and RMS. It primarily monitors the accounts, the accounting process and also the effectiveness and the appropriateness of the ICS, the RMS and the Internal Audit function.

* These disclosures are not part of the management report and are therefore unaudited.


With the internal control system, the risk management system and the compliance management system, the Executive Board of the Nemetschek Group has created a control framework aimed at achieving appropriate and effective internal control and risk management. After considering internal control and risk management, the Executive Board is not aware of any circumstances impairing the appropriateness and effectiveness of these systems.

Accounting-Related Risk Management and Internal Control Systems (Process)

The Nemetschek Group's consolidated financial statements (in accordance with IFRS) are prepared on the basis of a centrally defined conceptual framework. This primarily entails uniform requirements in the form of accounting policies. An ongoing analysis is performed to identify the need for any adjustments to the conceptual framework necessitated by changes in the regulatory environment. The accounting departments of the operating units are kept informed on a monthly basis of relevant matters and deadlines in connection with accounting and the preparation of financial statements. The financial data reported by Nemetschek SE and its subsidiaries form the data basis for preparing the relevant financial statements. Most of the Group companies' financial data is prepared by local accounting departments. In addition, other accounting activities, such as governance and monitoring activities, may generally also be pooled at the regional level. In certain cases, such as valuations of complex remuneration or in connection with business combinations, external service providers are also consulted.

The financial statements are prepared in the consolidation system on the basis of the financial information reported by the local accounting departments. The steps required for the preparation of the financial statements undergo manual as well as system-based checks.

The qualifications of employees involved in the accounting process are ensured by means of appropriate selection processes and training. The "dual-control principle" is generally applied. In addition, financial information must pass through certain predetermined approval processes. Further control mechanisms include target/actual comparisons and analyses of the content and changes in the individual items of the financial information reported by Group units and the consolidated financial statements.

Access rights are defined in the accounting-related IT systems in accordance with our information security policy to prevent unauthorized access. The above-mentioned manual and system-based checks are also applied to the transfer of the financial information prepared in accordance with the International Financial Reporting Standards (IFRS) for inclusion in the annual financial statements of Nemetschek SE.

There is a quarterly internal certification process, in which members of various management levels, supported by confirmations from the management of units in their area of responsibility, confirm the correctness of the financial data reported to the Group headquarters and the reports on the effectiveness of the corresponding control systems.

The Audit Committee is involved in the accounting-related ICS, see << Governance >>.

6 Report on Risks and Opportunities

Risk and Opportunity Management System

In the face of ever faster market changes, mounting uncertainties, the growing complexity of internationally disparate conditions and swift technological progress, coupled with dynamic growth and capital spending in the markets addressed by the Nemetschek Group, business decisions increasingly depend on a reliable assessment of potential risks and opportunities.

As a global software company with a broad product portfolio, Nemetschek is exposed to risks and opportunities that may vary depending on the division, industry and region. Its corporate policy is geared towards utilizing opportunities, leveraging and expanding potential for success and avoiding, minimizing or offsetting the associated risks as far as possible. The aim is to preserve entrepreneurial flexibility and financial solidity, to increase the company's enterprise value on a sustainable basis and thus to safeguard the Group's long-term viability.

The risk and opportunity management process aims at systematically identifying any changes to the Group's viability at an early stage and addressing any risks jeopardizing its ability to manage its success. It follows the "three lines of defense" model.

As risk and opportunity management is integrated within Corporate Controlling for organizational purposes, it is aligned with the planning and reporting processes and their criteria. In addition, steps are taken to ensure that risks arising from business operations are evaluated across the Group on the basis of uniform quantitative and qualitative criteria and categories for the purpose of greater comparability. In contrast to the previous year, opportunities were not quantified, as strategic opportunities are the subject of the company's aspiration. However, opportunities are recorded, discussed and assessed, but not explicitly quantified individually for internal management purposes. This is generally only done when an opportunity is deemed sufficiently worthy of investment and is considered in corporate and financial planning.


Disclaimer

Nemetschek SE published this content on 21 March 2024 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 19 April 2024 17:08:05 UTC.