CEPSA - 2021 INTEGRATED MANAGEMENT REPORT

151

2021 INTEGRATED MANAGEMENT REPORT

control system (Internal Control over Financial Reporting (ICFR) system, Internal Control over Non-Financial Reporting (ICNFR) sys- tem and Crime Prevention Model (CPM)); (iii) the Cybersecurity unit, which supervises, monitors and reports on IT and cybersecurity system risks; and (iv) the Health, Safety, Environment and Quality (HSEQ) Department, which oversees, monitors and reports on industrial plant and environmental safety risks.

THIRD LINE OF DEFENCE: INTERNAL AUDIT

The Internal Audit function, as the third line of defence, proactively ensures that the internal control systems are working properly, performing its activities in accordance with international standards on Internal Auditing and holding the Quality Certificate granted by the International Institute of Internal Auditors. The Internal Audit Department has a specific quality team that audits the quality of the internal audits undertaken annually at Cepsa so as to assure that internal standards are met.

As a guarantee of independence, the Internal Audit, Compliance and Risk area reports functionally to the Audit, Compliance, Ethics and Risk Committee and hierarchically to the Chief Legal & Assurance Officer.

The annual internal audit plan has a risk-based approach designed to support the achievement of Cepsa's objectives, responding at all times to the requirements of the Audit, Compliance, Ethics and Risk Committee, and including specific requests made by mana- gement.

Reviews of the internal control system are performed annually in coordination with the statutory external auditors and the external auditors of the Crime Prevention Model, checking the most critical controls to verify the proper functioning of the system prior to certification.

EXTERNAL ASSURANCE PROVIDERS

External auditors and regulators independently supervise compliance with Cepsa's requirements and the controls in place to gua- rantee that corporate governance and the risk control management system are effective. The standards and certifications suppor- ting these reviews are addressed in section 2.9.4 Internal Control System" of this report.