Internal Control and Risk Management
50. INTERNAL AUDIT
EDPR’s Internal Audit Department is composed of seven people. The function of EDPR’s Internal Audit is to carry out an objective and independent assessment of the Group’s activities and of its internal control situation, in order to make recommendations that improve the internal control mechanisms over systems and management processes in accordance with the Group’s objectives.
Additionally, EDPR has a Responsibilities Model and a SCIRF Manual (Internal Control System over Financial Reporting), which identify the individuals, governing bodies and committees responsible for implementing and managing the internal control system.
The Responsibilities Model sets out the functions and main activities involved in managing and maintaining the system at all levels of the organization, including the monitoring activities of the annual cycle, the implementation of controls and documentation of evidence, and supervision activities.
The SCIRF Manual sets out the general principles of the Internal Control System over Financial Reporting as well as the methodology used, the procedures for ensuring the effectiveness of internal control, and the design of models, documentation, evaluation and reporting.
In line with the general principles of the model adopted by EDPR for the management of the SCIRF, the COSO Internal Control Integrated Framework 2013 (Committee of Sponsoring Organizations of the Treadway Commission), responsibility for supervising the Internal Control System lies with the Board of Directors and the Audit and Control Committee. The CEO is accountable to the Board and must ensure the proper functioning and effectiveness of the SCIRF, promoting its design, implementation and maintenance. The Executive Committee must support the CEO in this task, guiding the development of the Company’s Entity Level Controls and of the controls in their areas of responsibility, relying when necessary on other levels of the organization. Senior Managers are responsible for evaluating any deficiencies and implementing the appropriate improvements.
To fulfil these responsibilities, EDPR’s Internal Audit offers support and advice on the management and development of the SCIRF.
51. ORGANIZATIONAL STRUCTURE OF INTERNAL AUDIT
The Internal Audit function in the EDPR Group is a corporate function carried out by the Internal Audit Department, which reports to both the Chairman of EDPR’s Executive Committee and EDPR’s Audit and Control Committee.
52. RISK MANAGEMENT
EDPR’s Risk Management is an integrating element of all organizational processes and decisions, not a stand-alone activity separated from the main activities of the company. It covers everything from strategic planning to the evaluation of new investments and contracts.
Risk Management at EDPR is supported by three distinct organizational functions, each one with a different role: Strategy (Risk Profiler), Management (Risk Manager) and Controlling (Risk Controller).
Market, credit and operational risks are identified and assessed and, following the results of the assessment, Risk Policies are defined and implemented across the company. These policies aim to mitigate risks without compromising potential opportunities, thus optimizing return versus risk exposure.
During 2015, EDPR defined or reviewed four Global Risk Policies: Energy Hedging Policy, Counterparty Risk Policy, Operational Risk Policy and Country Risk Policy. These policies are already implemented.
53. RISK MAP
Risk Management at EDPR is focused on covering all risks of the company. In order to have a holistic view of risks, they are grouped in Risk Areas, covering the entire business cycle of EDPR, and in Risk Categories, following a standard classification of risks.
54. RISK FUNCTIONS AND FRAMEWORK
Risk Management at EDPR is supported by three distinct organizational functions, each one with a different role: Strategy (Risk Profiler), Management (Risk Manager) and Controlling (Risk Controller).
The Risk Committee is the forum where the different Risk Functions discuss the policies to be implemented and control the risk exposure of the company. EDPR’s Risk Committee integrates and coordinates all Risk Functions and ensures the link between the corporate risk appetite and defined strategy on the one hand and the operations of the company on the other.
EDPR created three distinct meetings of the Risk Committee in order to separate discussions on execution of mitigation strategies from those on the definition of new policies:
- Restricted Risk Committee: Held every month, it is mainly focused on development risk and market risk from electricity prices. It is the forum to discuss the execution of mitigation strategies to reduce merchant exposure. Its purpose is also to control the limits of the defined risk policies with regard to counterparty risk, operational risk and country risk.
- Financial Risk Committee: Held every quarter, it reviews the main financial risks and discusses the execution of mitigation strategies. Exchange rate risk, interest rate risk and credit risk from financial counterparties are the most relevant risks reviewed in this committee.
- Risk Committee: Held every quarter, it is the forum where new strategic analyses are discussed and new policies are proposed for approval by the Executive Committee. Additionally, EDPR’s overall risk position is reviewed, together with EBITDA@Risk and Net Income@Risk.
55. DETAILS ON THE INTERNAL CONTROL AND RISK MANAGEMENT SYSTEMS IMPLEMENTED IN THE COMPANY REGARDING THE PROCEDURE FOR REPORTING FINANCIAL INFORMATION
With the purpose of not only controlling risks but also managing them ex-ante, EDPR has created Global Risk Policies that are enforceable at a Global Level. These policies are proposed and discussed in the Risk Committee and approved by the Executive Committee.
During 2015, EDPR defined or reviewed four Global Risk Policies, which are already implemented:
- Energy Price Hedging Policy
- Counterparty Credit Risk Policy
- Operational Risk Policy
- Country Risk Policy
Compliance with the Global Risk Policies is verified every month in the Restricted Risk Committee.
INTERNAL CONTROL SYSTEM OVER FINANCIAL REPORTING
EDPR has an Internal Control System over Financial Reporting (SCIRF) updated and monitored in line with international standards of Internal Control.
This system covers the main components of the COSO framework: maintaining a control environment for the preparation of quality financial information, assessing the risks of financial reporting, control activities to mitigate the risks of error, information and communication, and monitoring and evaluation mechanisms.
SCOPE REVISION AND UPDATE
The SCIRF Manual provides for an annual update of the scope, which aims to identify the companies, areas and processes that must be included in the scope of the SCIRF according to criteria of materiality and risk, including the risk of error or fraud.
The risk analysis included in the SCIRF scoping process covers both the different types of risk (operational, economic, financial, technological or legal) and the control objectives of financial reporting (existence and occurrence, completeness, measurement, presentation, disclosure and comparability, and rights and obligations), in terms of their potential impact on the financial statements.
The results of the updated scope with the methodology outlined are communicated at all levels of the organization involved in the SCIRF and supervised by the Audit and Control Committee.
The documented SCIRF processes and controls establish information capture mechanisms (including identification of the scope of consolidation) and specify the steps and checks carried out in preparing the financial information that will form part of the consolidated financial statements.
The procedures for review and approval of financial information are provided by the areas of Planning and Control, and Administration, Consolidation and Tax. Within the scope of its competences, the Audit and Control Committee supervises the financial information prior to the formulation of the accounts by the Board of Directors.
The SCIRF includes control activities related to these processes, embodied in Entity Level Controls, Process Controls and General Computer Controls. These processes include the review and approval activities for financial information described in the processes for preparing individual accounts, preparing consolidated accounts and processing the consolidated financial statements.
EDPR has Competency Profile descriptions for each position, setting out its main features and main responsibilities. These include descriptions of the key positions involved in the preparation of financial information, covering their responsibilities in preparing financial information and in complying with internal control procedures.
The documentation of the processes and their associated controls includes, among others:
- completion of closing activities using monthly closing checklists by entity, with time limits set for the closings;
- identification of the relevance of operations so that they are reviewed at the appropriate level;
- analytical reviews of financial information;
- system restrictions that prevent erroneous records or records by unauthorized persons;
- analysis of deviations from the budget;
- analysis in Executive Committees of relevant and significant facts that could have a significant impact on the accounts;
- allocation of responsibility for calculating the amounts to be provisioned, so that this is carried out by authorized personnel with the right skills.
In addition to the processes mentioned, the major transactional processes resulting from the scoping are documented. The description of their activities and controls is designed to ensure the recording, measurement and appropriate presentation and disclosure of transactions in financial reporting.
The control activities of EDPR’s SCIRF also include those relating to systems and information technology (General Computer Controls), following an international reference, the COBIT framework (Control Objectives for Information and related Technologies). This area matters because information systems are the tools with which financial information is prepared, so these controls are relevant to the transactions processed through them.
These control activities include those related to access control to applications and systems, segregation of duties, management of corrective and preventive maintenance, implementation of new projects, administration and management of systems, facilities and operations (back-ups, security incidents), and their proper monitoring and planning. These activities are developed taking into account the requirements of control and supervision.
Among the activities of SCIRF’s scope update, there is a periodic analysis of the existence of service suppliers that perform relevant activities in relation to the processes of preparing financial information.
The Audit and Control Committee supervises the SCIRF within the scope of its activities by monitoring and supervising the mechanisms developed for the SCIRF’s implementation, evolution and evaluation, as well as the results of the scope analysis and the extent of its coverage. In this, the Internal Audit Department assists the Audit and Control Committee.
EDPR has an Internal Audit Department under the Chairman of the Executive Committee. The Audit and Control Committee supervises the Internal Audit Department, as established by the Basic Internal Audit Act.
The main functions of the Internal Audit Department are set out in the Basic Internal Audit Act, which includes, among others, the evaluation activities of internal control systems, including the internal control system over financial reporting.
The annual work plans of the Internal Audit Department are submitted for the opinion of the Audit and Control Committee. The Internal Audit Department reports to the Audit and Control Committee on the status and performance of the audit work.
Among these activities, Internal Audit supports the Audit and Control Committee in supervising the implementation and maintenance of SCIRF and reports the results of the evaluation, improvement actions identified and their evolution.
The entity has action plans for the improvement actions identified in the SCIRF assessment processes, which are followed up and supervised by the Internal Audit Department, considering their impact on the financial information.
Also in 2015, as in previous years, the various process owners carried out a self-certification process regarding the updating of the documentation of SCIRF controls and processes in their areas of responsibility and the implementation of those controls with corresponding evidence.
Besides the monitoring and evaluation activities described in the preceding paragraphs, if the external auditors identify internal control weaknesses in the course of their financial audit work, they are expected to communicate these circumstances to the Audit and Control Committee, which regularly monitors the results of the audit work.
Additionally, in 2015 the EDPR Group decided to have its SCIRF audited by the external auditor. As a result of its evaluation, the external auditor issued a report with a favourable opinion on the SCIRF of the EDPR Group, according to ISAE 3000 (International Standard on Assurance Engagements 3000).