2021 INTEGRATED MANAGEMENT REPORT
Cepsa has an internal control system implemented under international best practices, mainly the methodologies laid down by COSO, the international standard on assurance engagements (ISAE 3000), international standard on criminal compliance management systems (ISO 19600) and anti-bribery and anti-corruption management standard (ISO 37001).
The following control models are audited and certified annually by the Audit, Compliance and Risk department:
· Internal Control over Financial Reporting (ICFR) system.
· Internal Control over Non-Financial Reporting (ICNFR) system.
· Crime Prevention Model (CPM).
· Anti-bribery and anti-corruption model.
The internal control system is based on a combined assurance approach using the IIA's (Institute of Internal Auditors) three-line model, updated in 2020. It provides an integrated view of how the different parts of the organisation interact in an effective and coordinated way, allowing more efficient management and internal control of the entity's relevant risks (for more information see Appendix 3 Internal Control System), and the model's design and effectiveness are assessed annually prior to certification.
During 2021, the internal control system was aligned with all the process and organisational changes. The Internal Control over Non-Financial Reporting system was further improved so as to assure the fair presentation of the information set out in the Integrated Management Report from the moment preparation begins, as well as to control the preparation of information for the new indicators required by law in the 2021 report.
In 2021, following the design review and the efficiency project, the number of controls was cut from 1,034 to 998, of which 440 are regarded as key controls.
APPENDIX 3. Internal Control System
RISK CULTURE
The Board of Directors drives risk management in our company. Cepsa's risk level is defined and decision-making is delegated to the Management Committee based on the established risk tolerance level.
The risk culture is encouraged and fostered throughout the organisation by means of internal training programmes, workshops on investment project analysis processes and the improvement of management tools.
The Corporate Risks area promotes specific workshops in which global and cross-organisational risks are identified, assessed and discussed with senior management, and the more relevant and specific risks are discussed with each business. Other examples are the training actions carried out over the last year on operational health and safety, cybersecurity and compliance.
2.9.4 Internal control system