Risk management and internal controls over sustainability reporting (GOV-5)

Epiroc strives for quality and accuracy in its disclosures and reporting. Risks for inaccurate sustainability reporting are identified by a systematic evaluation of potential risks based on their likelihood and impact, using the same methodology as for financial reporting. This allows us to focus on the most significant risks to the sustainability reporting process. Inaccuracy could arise from factors such as manual errors, data inconsistencies, and challenges in aggregating data from multiple systems into Epiroc’s consolidation system, or consolidating information across the value chain. A lot of new data flows have been established to capture and consolidate data during the last couple of years. Data quality is therefore a focus area that will see gradual improvement in coming years.

We have identified internal control objectives for all business processes, including sustainability, and we continuously evaluate and implement controls, with priority given to the most significant risks. In 2025 we introduced key control testing for selected material ESRS data points.

Most data are consolidated within Epiroc’s dedicated sustainability reporting system with procedures in place to ensure accurate, complete, timely disclosures, transparency and traceability. Data for different areas is collected with different frequencies, depending on the specific monitoring requirements of each metric. For data reported outside this system, such as weight of material inflow and adequate wages, Group Financial Reporting and Control reviews the reported information. We have established accounting policies and internal guidelines to ensure consistent reporting, including standardization of terms, formulas, and key variables like emissions factors, in compliance with the GHG Protocol. To avoid mistakes in data reporting, we implement a series of quality checks at the entity, division, and Group levels. Any deviations and errors are thoroughly analyzed, documented, explained, and communicated to the respective divisions. We have a follow-up process and a protocol in place to ensure that detected errors are addressed and communicated effectively.

The Board oversees internal control through the Audit Committee. Epiroc has dedicated Internal Control and Internal Audit & Assurance functions, with the latter reporting directly to the Board through the Audit Committee. Sustainability reporting risks are discussed with the Audit Committee and external auditors, who provide feedback on their assessment to both the Audit Committee and Group Management. External auditors provide limited assurance, as defined in the assurance statement.