Corporate controls

Risk management and internal control

The risk management and internal control framework is a set of organisational measures, methods, practices and standards of corporate culture. It also embraces actions taken by the Company to strike the right balance between value growth, profitability and risks, support sustainable development, and ensure efficient operations, protection of its assets, compliance with applicable laws and internal documents, along with timely and accurate reporting.

The Board of Directors defines the key principles of, and approaches to, risk management and internal controls, oversees the Company's executive bodies, and performs other key functions, including setting the overall risk appetite and reviewing material risks and ways to manage them.

The Board's Audit Committee focuses on assessing and making proposals to improve the risk management and internal controls. On top of that, its members supervise the preparation of accounting (financial) statements and the measures taken to prevent fraudulent behaviour of the Company's employees or third parties.

The Review Committee elected by the General Meeting of Shareholders exercises control over the financial and business operations of the Company.

The Annual General Meeting of Shareholders held in June 2022 elected the following members to the Review Committee:

• Lusine Agabekyan, Deputy Head of Group Financial Control and Management Reporting at PhosAgro;
• Ekaterina Viktorova, Deputy Head of Treasury at PhosAgro;
• Olga Lizunova, head of unit (functional in other areas), budgeting office, Economics Department at Apatit.

The Review Committee’s goals, objectives and powers are outlined in the Regulations on Review Committee of PhosAgro as approved by the General Meeting of Shareholders on 12 May 2011.

The Committee endorsed PhosAgro’s financial statements for 2022, with its report dated 28 February 2023 included in the materials for the shareholders to prepare for the Annual General Meeting of Shareholders.

The executive bodies establish and maintain an efficient risk management and internal control framework.

To this effect, they have set up a Risk Commission that monitors the status and effectiveness of risk management initiatives. The monitoring results serve as a basis for the relevant proposals issued by the Commission to executive bodies and the Board of Directors.

Following the audits, the Internal Audit Department provides the Board of Directors and executive bodies with recommendations and reports, including, among other things, the assessment of the current status, reliability and effectiveness of the corporate governance, risk management and internal control framework.

The Risk Management and Internal Control Department is charged with the general supervision of risk management, including related activities, and consolidated reporting to the Board of Directors and executive bodies.

As part of their duties, heads of other organisational units are responsible for building, documenting, implementing, monitoring and developing the risk management and internal control framework in their respective functional areas. The framework requires the Company's employees to identify and assess relevant risks and efficiently implement the controls and risk management initiatives.

Risk management

In 2022, PhosAgro’s risk management and internal control framework continued performing strongly thanks to timely identification and assessment of risks, as well as development and implementation of risk management measures. On a quarterly basis, the Board of Directors reviewed reports on the management of PhosAgro's key risks. PhosAgro’s executives paid special attention to managing these key risks. The Risk Commission continuously monitored the status of risk management activities and, when necessary, initiated changes to improve those related to key risks.

Development of the risk management and internal control framework in 2022

The Company is making a consistent effort to develop its risk management and internal control framework. The Board of Directors reviewed the results of the framework’s independent external assessment, which showed that it was on par with those adopted by the industry’s leading companies, including:

• compliance with applicable regulatory requirements;
• adoption of most of the leading risk management practices such as alignment with the Company’s development strategy, risk appetite, key risk indicators, automation and robotisation in risk management, as well as integration into the Company’s incentive system and governance framework.

The reporting year saw both the production sites and PhosAgro Group as a whole complete a full-year cycle of risk management and internal control, including:

• ongoing risk monitoring;
• analysis of key risk indicators;
• development of corrective actions;
• follow-up control and review.

In addition, in 2022, the Company rearranged a number of risks in different focus areas, including the continuity of procurement, logistics, and software and IT infrastructure operation, on the back of geopolitical developments.

Plans for 2023

PhosAgro Group looks to maintain and further develop the existing elements of its risk management framework based on the best practices, while also taking into account the changing external and internal factors.

Internal audit

Audit of business processes

The audit plan along with the budget of the Internal Audit Department for the calendar year is subject to review, discussion and approval by the Audit Committee and the Board of Directors. Audits are performed at the Company level, as well as at specific subsidiaries and their standalone business units. In addition, the Internal Audit Department monitors the effectiveness and efficiency of corrective actions taken by the management following the audit, and reports to the Audit Committee on a quarterly basis and to the Board of Directors annually.

In 2022, the Internal Audit Department fully met the annual action plan. The audits covered PhosAgro Group’s business processes related to the procurement of goods, works and services, inventory management and corporate governance. The Internal Audit Department also conducted an IT audit of the automated process control system. The audits were followed by proposals to improve efficiency of procurement processes, streamline the approach to inventory management and improve cooperation between business units. The management developed and approved corrective action plans, with the progress monitored by the Internal Audit Department.

The 2023 audit plan includes audits of personnel management, cash and CAPEX management. It also covers an IT audit of sales units, review of the IT strategy alignment and audit of ESG targets.

Team development

In order to achieve the strategic goals in internal audit, we continue working to develop and diversify the competencies of our team by holding regular trainings, which focus on sourcing data from information systems and further processing and visualising it. We will continue these efforts in 2023.

Self-assessment and external assessment

The internal audit quality is assured through regular external independent assessments and self-assessment.

An external independent assessment takes place once every three years. The latest one was conducted in late 2021 by PwC.

In late 2022, the Internal Audit Department held a self-assessment of its compliance with the International Standards for the Professional Practice of Internal Auditing and the Institute of Internal Auditors’ Code of Ethics. The self-assessment showed the Department’s full compliance with all applicable standards and requirements.

Awards

In April 2023, the Expert Council of the 10th Internal Auditor of the Year national competition named PhosAgro's Internal Audit Department a winner in the Internal Audit Service of the Year category.

External audit

A key element of the Audit Committee’s operations is ongoing interaction with external auditors and development of recommendations for the Board of Directors regarding the choice and approval of auditors. When selecting an auditor, we evaluate the following factors in addition to the cost of their services:

• composition of the audit team (in terms of experience and qualifications), which should ensure that the statements are audited within acceptable deadlines and with adequate quality;
• the auditor’s independence evaluated based on a variety of factors, including assessment of the scope of non-audit services provided to us by the candidate company during the relevant periods. Each offer from the current auditor for non-audit services requires confirmation by the audit partner to make sure there is no risk to independence and is submitted to PhosAgro's Audit Committee for consideration and approval. The Committee consents to the contract only if the scope of the non-audit services does not call into question the ability to perform the audit service independently and impartially. The Committee’s assessment of the auditor’s independence is also significantly influenced by the auditor’s internal procedures for controlling the impartiality and professional ethics of the auditor's staff, including requirements for periodic rotation of the audit partner, training arranged in this area and the use of specialised software to perform the respective audits;
• balance between the benefits of long-term cooperation with the auditor and the need for a fresh look at PhosAgro's financial statements and preparation procedures;
• the auditor’s performance over the previous period. The Committee may form its opinion on the quality of the external auditor’s work during in-person Committee meetings, where the external auditor’s mandatory participants are a manager and the partner, as well as during meetings between the audit team and the Chairman of the Audit Committee held prior to the Committee meetings.

PhosAgro’s auditor performs the audit of its financial and business operations in compliance with Russian laws and regulations and the agreement signed with the Company. The auditor is approved by the Company’s General Meeting of Shareholders. The Company engaged JSC Technologies of Trust – Audit (10 Butyrsky Val, Moscow, Russia) to audit its 2022 IFRS financial statements.

The Company’s 2021 RAS accounting statements were audited by JSC Unicon (8 Preobrazhenskaya Ploshchad, Preo 8 Business Centre, Moscow, Russia).

The approach to assessing external audit’s independence and efficiency, as well as appointment and re-appointment of the external auditor is set out in the External Auditor Selection and Cooperation Policy of PhosAgro as approved by the Board of Directors on 14 April 2021.

Inside information

PhosAgro has adopted the Inside Information Regulations compliant with the Russian laws and the EU Market Abuse Regulation (MAR).

In accordance with its provisions, the Corporate Secretary Office keeps a list of insiders, persons discharging managerial responsibilities (PDMR) and persons closely associated with them (PCA). The Regulations define the scope of responsibilities for each insider group, which the Corporate Secretary Office from time to time communicates to respective persons.

First and foremost, these include the limitations on the use of inside information and trading in the Company’s securities. Depending on the group, an insider may be prohibited from such transactions or obliged to notify PhosAgro or obtain its consent for such transactions. Every quarter, the Corporate Secretary Office checks the list of shareholders to identify transactions that may have been executed in breach of such limitations. The checks showed that in 2021 and 2022 no changes were made to the shareholding structure as a result of transactions unreported by insiders.

The audit conducted by the Internal Audit Department in 2021 identified no material violations of the applicable laws and the Inside Information Regulations. In January 2022, following the 2021 audit an action plan was adopted to improve engagement with insiders and inside information management. The plan was fully implemented in the reporting year.

In 2022, the Board of Directors approved a revised version of the Inside Information Regulations.

Information security

The Information Security Policy is the Company’s fundamental document defining the general provisions and principles for ensuring information security. Its adoption ensues from the risks and hazards faced by the Group companies in their operations and the respective need to respond to the hazards and minimise the risks.

The Policy states high priority of information security activities and sets up its key principles. They cover the target setting and planning of information security activities, as well as their implementation, quality management and process improvement. The above principles define the contents of the lower-level documents such as the Information Security Framework and other internal documents covering respective issues. This set of documents reflects modern solutions and best practices in information security. Ensuring information security is the responsibility of each employee. To this end, the Group regularly holds events to raise employees' awareness of information security issues and develop practical skills to deal with modern threats. This, together with the use of modern information security tools and well-coordinated work of the department, helped avoid information security incidents in 2022 and in previous periods that could have caused tangible material or reputational damage. Based on the results of the 2021 assessment, a description of the target state and a respective roadmap were also prepared by one of the world's leading expert companies. The proposed measures were included in the 2022–2023 action plans; information security issues are submitted for consideration by the Board of Directors every six months. In 2022, the Company did the following to implement the roadmap:

• raised awareness: over 11,000 employees completed information security courses on the corporate Kaspersky Automated Security Awareness Platform (ASAP); the training continues to cover 100% of users who have accounts in the Company’s information systems);
• ensured compliance with statutory requirements by adopting 55 internal regulations;
• enhanced SCADA information security;
• improved access control processes;
• improved information security monitoring processes;
• improved vulnerability management processes.

In 2022,

the Group received the national Silver Dagger Award having won in the Digital Transformation and Information Security category. The Company outperformed the competition with its unique solution offering a comprehensive approach to cybersecurity based on Kaspersky Unified Monitoring and Analysis Platform (KUMA).