CHAPTER 6 Additional content
APPENDIX 3 INTERNAL CONTROL SYSTEM
The internal control system is based on a combined assurance approach using the IIA (Institute of Internal Auditors)'s three-line model, updated in 2020. It provides an integrated view of how the different parts of the organisation interact in an effective and coordinated way, allowing more efficient management and internal control of the entity's relevant risks.
Cepsa's internal control system is overseen on different levels:
BOARD OF DIRECTORS
It approves the company's general policies and strategies and oversees risk management and internal information and control systems. The Board is ultimately responsible for ensuring an internal control environment conducive to reliable, complete and timely financial and non-financial reporting, as well as providing the basis for all other compliance approaches. The oversight of the internal control systems has been delegated to the Audit, Compliance, Ethics and Risk Committee.
AUDIT, COMPLIANCE, ETHICS AND RISK COMMITTEE
As indicated in section 2.9.1 "Good Governance", the Committee's remit includes overseeing the effectiveness of Cepsa's internal control system, as well as advising the Board of Directors on all matters relating to risk management, internal control, compliance and internal audit systems.
MANAGEMENT: FRONTLINE ROLES
The Board of Directors and management, as the highest authorities, establish the expected tone at the top when implementing the internal control system, as reflected in the 'Code of Ethics and Conduct', associated policies and certain aspects of the control environment such as organisational structures, segregation of duties, or delegation of authority, among others, which assure an adequate control framework.
Cepsa's frontline professionals directly manage risks and controls and are responsible for implementing and maintaining effective internal control on an ongoing basis.
MANAGEMENT: SECOND-LINE ROLES
Second line of defence functions are primarily responsible for monitoring risks, controls and compliance established by the Board of Directors, proposing improvements and guidelines, and checking frontline implementation.
The main second-line assurance functions at Cepsa, within their respective areas of responsibility, are, among others, (i) the Corporate Risk unit, responsible for the comprehensive risk control and management system, together with business risk functions; (ii) the Compliance and Internal Control units, responsible for proactively ensuring the effective functioning of the compliance and internal