CEPSA - 2021 INTEGRATED MANAGEMENT REPORT

113

2021 INTEGRATED MANAGEMENT REPORT

COMBATING CORRUPTION, BRIBERY AND MONEY LAUNDERING

We have assessed the effectiveness of our crime prevention framework in 2021. This entailed analysing risks from a criminal viewpoint and considering risks linked to corruption in both the public and private spheres. We tested the effectiveness of the control framework in 18 companies2 and found no significant level of corruption risk. We have also had no confirmed cases of corruption and bribery in recent years.

We also have a Know-Your-Customer (KYC) and Trade Controls function. This includes the analysis of third parties with which we interact from the viewpoint of bribery, corruption, money laundering, terrorist financing and international sanctions. An additional ESG assessment criterion was recently added to take account of environmental, human rights, health, safety, security, inequality and governance risks.

The main measures to prevent corruption, bribery and money laundering are:

· Audit of corporate cards, travel expenses and executive cards.

· On-line training in crime and corruption prevention.

· Streaming training for suppliers.

· Company-wide counterparty analysis procedure.

· Enhanced counterparty analysis communication and reporting processes between business units.

· Internal communications on the Bribery, Corruption and Conflict of Interest Policy.

Finally, Cepsa does not directly or indirectly finance or provide support or assistance of any other kind to trade unions, public officials, political office holders, political parties, their representatives and/or candidates, advisors, or any person who performs public duties or is a trusted employee of the above persons or entities.

External audit of our Crime Prevention Model and Internal Control over Financial Reporting System

UNE 19601 and ISO 37001 certification1

EXTERNAL AUDITS AND CERTIFICATES

In order to check the effectiveness of our internal control system, we have undergone an external audit process under ISAE 3000, with satisfactory results.

The UNE 19601 Criminal Compliance Systems and ISO 37001 Anti-Bribery Management Systems certificates were renewed to ensure that our approach follows the applicable best standards.

1 The company certified under ISO 19601 and ISO 37001 is the parent: Compañía Española de Petróleos S.A Cepsa Comercial Petróleo, S.A.U. 2 The following companies were reviewed: Compañía Española de Petróleos, S.A., Cepsa Comercial Petróleo, S.A.U., Cepsa Química, S.A., Cepsa Trading, S.A.U.,

CEDIPSA, Cepsa Business Services, S.A.U., Cepsa EP S.A.U., Cepsa Gas Comercializadora S.A., Fundación Cepsa, Cepsa Colombia, S.A., Cepsa Gas y Electricidad, S.A., Cepsa Aviación, S.A., Spanish Intoplane Services, S.L.U, CMD, S.L. Petrocan, S.A. Cepsa Petronuba, S.A., Atlas, S.A. Ressa, S.A., Cepsa Card, S.A., Cepsa Bioenergía San Roque, S.L.U., Cepsa Trading, S.A.U., Cepsa Gas y Electricidad, S.A.U., Cepsa Gas Comercializadora, S.A., Cepsa Química, S.A., Spanish Intoplane Services, S.L.U., Cepsa Aviación, S.A., CMD Aeropuertos Canarios, S.L., Cepsa Comercial Petróleo, S.A.U., CEDIPSA, Compañía Española de Petróleos, S.A, Red Española de Servicios, S.A.U. (RESSA) Atlas, S.A., Cepsa Colombia, S.A.