SpareBank 1 Østlandet : UNEP FI Principles for Responsible Banking - Independent Auditors Assurance Report

Deloitte AS

Dronning Eufemias gate 14

Postboks 221 Sentrum

NO-0103 Oslo

Norway

Tel: +47 23 27 90 00

www.deloitte.no

To the Management of SpareBank 1 Østlandet

INDEPENDENT AUDITOR'S LIMITED ASSURANCE REPORT ON SPAREBANK 1 ØSTLANDET'S REPORTING AND SELF- ASSESSMENT TEMPLATE UNDER THE UNITED NATIONS ENVIRONMENT PROGRAM FINANCE INITIATIVE PRINCIPLES FOR RESPONCIBLE BANKING ("PRB") FRAMEWORK FOR THE YEAR ENDED 31 DECEMBER 2023.

We have performed a limited assurance engagement for the Management of SpareBank 1 Østlandet on the following discrete elements of the entity's Reporting and Self-Assessment Template (the "Selected Information") within the published PRB Reporting and Self-Assessment Template of SpareBank 1 Østlandet for the year ended

31 December 2023:

• Principle 2.1: Impact analysis.
• Principle 2.2: Target setting.
• Principle 2.3: Plans for target implementation and monitoring.
• Principle 5.1: Governance and culture - describe relevant governance structures, policies and procedures.

Our limited assurance conclusion

Based on our procedures described in this report, and evidence we have obtained, nothing has come to our attention that causes us to believe that the Selected Information for the year ended 31 December 2023, as described below, has not been prepared, in all material respects, in accordance with the Applicable Criteria.

Scope of our work

SpareBank 1 Østlandet has engaged us to provide independent Limited assurance in accordance with International Standard on Assurance Engagements 3000 (Revised) Assurance Engagements Other than Audits or Reviews of Historical Financial Information ("ISAE 3000 (Revised), issued by the International Auditing and Assurance Standards Board ("IAASB") and our agreed terms of engagement.

The Selected Information in scope of our engagement, as presented in the entity's Reporting and Self- Assessment Template for the year ended 31 December 2023 is as follows:

Penneo Dokumentnøkkel: 4W43K-TQOAS-8J7PY-1EZGY-SIOKK-6DSGN

Page 1

• Principle 5.1: Governance and culture - describe relevant governance structures, policies and procedures.

as presented on pages 8-28 and 33-34 in the published PRB Reporting and Self-Assessment Template of SpareBank 1 Østlandet for the year ended 31 December 2023.

The guidance requires SpareBank 1 Østlandet to publish other information within its Reporting and Self-Assessment Template. This other information is not the subject of this Assurance Report.

In relation to the Selected Information, as listed in the above table, the Selected Information needs to be read and understood together with the Applicable Criteria.

Inherent limitations of the Selected Information

We obtained limited assurance over the preparation of the Selected Information in accordance with the Applicable Criteria. Inherent limitations exist in all assurance engagements.

Any internal control structure, no matter how effective, cannot eliminate the possibility that fraud, errors or irregularities may occur and remain undetected and because we use selective testing in our engagement, we cannot guarantee that errors or irregularities, if present, will be detected.

Our review of source documentation did not include any detailed testing or procedures to verify the correctness and completeness of the information. We did not evaluate the design of particular processes and internal control activities or obtained evidence about their implementation or test their operating effectiveness.

Management's responsibilities

The Management are responsible for:

• Selecting and establishing the Applicable Criteria.
• Preparing, measuring, presenting and reporting the Selected Information in accordance with the Applicable Criteria.
• Designing, implementing, and maintaining internal processes and controls over information relevant to the preparation of the Selected Information to ensure that they are free from material misstatement, including whether due to fraud or error.
• Providing sufficient access and making available all necessary records, correspondence, information and explanations to allow the successful completion of our independent limited assurance engagement.

Our responsibilities

We are responsible for:

• Planning and performing procedures to obtain sufficient appropriate evidence in order to express an independent limited assurance conclusion on the Selected Information.
• Communicating matters that may be relevant to the Selected Information to Management including identified or suspected non-compliance with laws and regulations, fraud or suspected fraud, and bias in the preparation of the Selected Information.
• Reporting our conclusion in the form of an independent limited Assurance Report to the Management.

Our independence and quality management

Penneo Dokumentnøkkel: 4W43K-TQOAS-8J7PY-1EZGY-SIOKK-6DSGN

Page 2

We are independent of the company as required by laws and regulations and the International Ethics Standards Board for Accountants' Code of International Ethics for Professional Accountants (including International Independence Standards) (IESBA Code), and we have fulfilled our other ethical responsibilities in accordance with these requirements.

We apply the International Standard on Quality Management (ISQM) 1, Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements, and accordingly, maintain a comprehensive system of quality control including documented policies and procedures regarding compliance with ethical requirements, professional standards and applicable legal and regulatory requirements.

Key procedures

We planned our engagement in accordance with ISAE 3000 (Revised) and designed procedures to obtain sufficient appropriate evidence to express an independent limited assurance conclusion on the Selected Information in line with ISAE 3000 (Revised). Our procedures were informed by the Guidance for assurance providers - Providing limited assurance for report - Version 2 (October 2022) published by UNEP FI in November 2022. However, we have performed the procedures as outlined in 'the work we performed' section below which do not necessarily obtain the confidence level as outlined by UNEP FI's Guidance for assurance providers, but what is normally obtained by a practitioner in a limited assurance engagement under ISAE 3000 (Revised).

We are required to plan and perform our work to address the areas where we have identified that a material misstatement of the description of activities undertaken in respect of the Selected Information is likely to arise. The procedures we performed were based on our professional judgment and included, among others, an assessment of the appropriateness of the Applicable Criteria.

In carrying out our Limited assurance engagement on the description of activities undertaken in respect of the Selected Information, we performed the following procedures:

• We planned our procedures which were informed by the Guidance for assurance providers - Providing limited assurance for report - Version 2 (October 2022)published by UNEP FI in November 2022, considering SpareBank 1 Østlandet's stage of implementation of the Principles for Responsible Banking.
• We conducted interviews with process owners and internal stakeholders to understand the processes for measuring, reporting, and presenting information in SpareBank 1 Østlandet's Reporting and Self -assessment Template, in accordance with the Applicable Criteria.
• We made inquiries with process owners and internal stakeholders, obtained and reviewed source documentation to assess whether disclosures within the Selected Information in SpareBank 1 Østlandet's Reporting and Self -Assessment Template reflect SpareBank 1 Østlandet's assessment of the stage of implementation of the Principles. Our review of source documentation did not include any detailed testing or procedures to verify the correctness and completeness of the information. We did not evaluate the design of particular processes and internal control activities or obtained evidence about their implementation or test their operating effectiveness.
• In respect of Principle 2.1 (Impact analysis), based on inquiries made and information obtained and reviewed, we checked that SpareBank 1 Østlandet's business areas and scope are clearly described. We reconciled portfolio composition to management information and checked that challenges and priorities have been analysed, including the rationale for business areas where the analysis was not performed. We also checked that SpareBank 1 Østlandet has disclosed the method for determining its impact areas and has selected what was determined as the most significant areas of impact. For the one impact area where performance has been measured (Climate change), we reconciled to source documentation such as published information referenced in the response and to supporting management information. Finally, we checked to source documentation, including to meeting minutes, that the stated governance process was followed.

Penneo Dokumentnøkkel: 4W43K-TQOAS-8J7PY-1EZGY-SIOKK-6DSGN

Page 3

• In respect of Principle 2.2 (Target setting), based on inquiries made and information obtained and reviewed, we checked that SpareBank 1 Østlandet sets targets for one of its significant impact areas (Climate Change) and that the targets are linked to that impact area. We checked that SpareBank 1 Østlandet has identified frameworks to align with and explained how targets contribute to relevant goals. Further, for the one impact area where targets have been set (Climate Change), we checked that the base year for climate targets (2020) is no more than two full reporting years prior to the year when the targets have been set (2022) and that the targets are Specific, Measurable, Achievable, Relevant and Time-bound.
• In respect of Principle 2.3 (Target implementation and monitoring), based on inquiries made with process owners and internal stakeholders, we obtained and reviewed source documentation to assess whether disclosures within the selected responses in SpareBank 1 Østlandet's Reporting and Self -Assessment Template reflect SpareBank 1 Østlandet's assessment of the stage of implementation of the Principle.
• In respect of Principle 5.1 (Governance Structure for Implementation of the Principles), based on inquiries made and information obtained and reviewed, we checked consistency to source documentation, including organisation charts and meeting minutes with that of the disclosures of SpareBank 1 Østlandet's governance structure for implementation of the Principles. We checked that there is oversight over the implementation and monitoring and that the structure is in line with existing governance structures as defined by SpareBank 1 Østlandet. Further, we checked that the Board of Directors obtained information on the SpareBank 1 Østlandet's stage of implementation of the Principles for Responsible Banking on a quarterly basis.

The procedures performed in a limited assurance engagement vary in nature and timing from, and are less in extent than for, a reasonable assurance engagement. Consequently, the level of assurance obtained in a limited assurance engagement is substantially lower than the assurance that would have been obtained had a reasonable assurance engagement been performed.

Oslo, 12 April 2024

Deloitte AS

Henrik Woxholt

State Authorised Public Accountant

Penneo Dokumentnøkkel: 4W43K-TQOAS-8J7PY-1EZGY-SIOKK-6DSGN

Signaturene i dette dokumentet er juridisk bindende. Dokument signert med "Penneo™ - sikker digital

signatur". De signerende parter sin identitet er registrert, og er listet nedenfor.

"Med min signatur bekrefter jeg alle datoer og innholdet i dette dokument."

Woxholt, Henrik Johannes

Statsautorisert revisor

Serienummer: no_bankid:9578-5999-4-1368035

IP: 163.116.xxx.xxx

2024-04-12 12:55:36 UTC

Penneo Dokumentnøkkel: 4W43K-TQOAS-8J7PY-1EZGY-SIOKK-6DSGN