Basic Internal Audit Regulations

Nature, powers, organisation and duties of the members of the Internal Audit function

29 May 2025

TITLE I.- REGULATIONS

Article 1.- Nature and Scope of Application

  1. These Basic Internal Audit Regulations (the “Basic Regulations”), which form part of the Company’s Governance and Sustainability System, govern, among other issues, the nature, powers, organisation and duties of the members of the Internal Audit function that correspond to the Internal Audit and Risk Division of IBERDROLA, S.A. (the “Company”).
  2. The Basic Regulations also establish the internal audit foundations that must inform the conduct and standards-setting implemented by the other companies belonging to the group of which the Company is the controlling entity, within the meaning established by law (the “Group”), in the exercise of their powers and in accordance with their autonomy, which will be required in all cases to respect the Ethical and Basic Principles of Governance and Sustainability of the Iberdrola Group and the coordination criteria established in these Basic Regulations.
  3. The Internal Audit and Risk Division is an internal unit of the Company that hierarchically reports to the chairman of the Board of Directors and functionally reports to the Audit and Risk Supervision Committee (the “Committee”). Its basic activity consists of independently and proactively endeavouring to ensure the effectiveness of the governance, risk management and internal control processes within the Company and within the boundary of the Group. 

Article 2.- Approval, Amendment and Priority

  1. In accordance with the provisions of the Regulations of the Audit and Risk Supervision Committee, the Basic Regulations and the amendments thereof must be approved by the Board of Directors upon a proposal from the Committee.
  2. Without prejudice to the foregoing, the Board of Directors may make amendments to these Basic Regulations without having a prior proposal from the Committee within the context of the reform of other regulations of the Governance and Sustainability System.
  3. These Basic Regulations further develop and supplement the provisions of the Regulations of the Audit and Risk Supervision Committee applicable to the Internal Audit and Risk Division, which prevail over them in the event of conflict.

Article 3.- Interpretation

  1. Any questions that might arise regarding the interpretation and application of the Basic Regulations shall be resolved by the Chief Internal Audit and Risk Officer, who shall take into consideration the provisions of the Governance and Sustainability System, the International Standards for the Professional Practice of Internal Auditing approved by the Institute of Internal Auditors (IIA) and other applicable legal provisions. In the event of questions or conflicts, the opinion of the Committee shall be requested.
  2. The Chief Internal Audit and Risk Officer shall inform the following of the standards of interpretation under the Basic Regulations that have been adopted: (i) the members of the Company’s Internal Audit and Risk Division, as well as the heads of the internal audit divisions of the other companies of the Group; and (ii) the secretary of the Committee, who in turn shall communicate them to the secretary of the Company’s Board of Directors.

Article 4.- Compliance

  1. The members of the Internal Audit and Risk Division have the obligation to know and comply with these Basic Regulations, which shall form part of the management tools of the Internal Audit and Risk Division.
  2. The professionals of the Company have the obligation to know these Basic Regulations to the extent they are affected hereby and to comply with the provisions applicable thereto, for which reason the Chief Internal Audit and Risk Officer shall ensure the proper dissemination hereof and inform them of the amendments hereto. 
  3. The Chief Internal Audit and Risk Officer shall have the duty to ensure compliance with these Basic Regulations.

TITLE II. POWERS OF THE INTERNAL AUDIT AND RISK DIVISION

Article 5.- Scope of Powers

  1. The Internal Audit and Risk Division shall independently and objectively provide assurance and advisory services to add value and improve the operations of the Company, providing a systematic and disciplined focus in order to evaluate and improve the efficiency of the risk management, control and governance processes thereof at the Group level.
  2. In performing its duties, as well as in preparing the annual activities plans of the Internal Audit and Risk Division provided for in Article 11 of these Basic Regulations, the Internal Audit and Risk Division must take into account the powers of assurance of other areas of the Company in order for the responsibilities of the Internal Audit and Risk Division to be clearly defined and in order for there to be proper mechanisms of coordination with other assurance functions.
  3. The Internal Audit and Risk Division must be informed of the provision of any assurance services to the companies of the Group by outside service providers.

  4. In addition to the powers established in these Basic Regulations, the Internal Audit and Risk Division shall have such other powers as are allocated thereto by the Board of Directors or vested therein by the Governance and Sustainability System.

Article 6.- Powers relating to the Audit and Risk Supervision Committee

  1. The Internal Audit and Risk Division shall assist the Committee in developing its powers, especially as regards supervision of the efficiency of the internal control and risk management systems, relations with the statutory auditor, and supervision of the process of preparing the financial and non-financial information of the Company and the consolidated financial and non-financial information.
  2. The Chief Internal Audit and Risk Officer shall be responsible for preparing the information requested by the Committee. The Chief Internal Audit and Risk Officer shall also attend the meetings to which this officer is called when dealing with issues within the purview thereof (including meetings held to formulate or approve annual or interim financial information and annual non-financial information).

    In particular, the Chief Internal Audit and Risk Officer shall provide to the Committee, within the purview thereof, the information required so that the Committee can (without limitation): (i) supervise the efficiency of the internal control and risk management systems; and (ii) reach a conclusion as to whether the accounting policies have been properly applied.
  3. The Internal Audit and Risk Division shall be the regular body for communication between the Committee and the rest of the Company’s organisation, without prejudice to provisions of the Regulations of the Board of Directors, the Regulations of the Audit and Risk Supervision Committee and the General Framework for Relations of Coordination and Information among the Audit Committees of Iberdrola, S.A. and its group regarding the duties entrusted to other areas, particularly the Office of the Secretary of the Board of Directors and other divisions. 

Article 7.- Powers regarding the Internal Control System

  1. The Internal Audit and Risk Division shall objectively and independently supervise the effectiveness of the internal control system established at the Group level, which is made up of a set of risk management and control mechanisms and systems.
  2. By way of example and not limitation, and to the extent within its purview, it shall be particularly responsible for:
    1. Supervising the efficient operation:
      1. Of the comprehensive risk control and management system established at the Group level, as described in the General Risk Control and Management Foundations of the Iberdrola Group and the adaptation thereof to ensure compliance with the guidelines and risk limits. 

        In order to ensure the independence and objectivity of the Internal Audit function, assurance work to be performed regarding the Risk function shall be carried out by independent expert professionals who shall report their conclusions directly to the Committee. 
      2. Of the Internal Control over Financial Reporting (ICFR) and Internal Control over Non-Financial Reporting (ICNFR) Systems established for preparing and presenting the financial and non-financial information of the companies of the Group, including information that the Company must regularly publish due to its status as a listed company.
      3. Of the Company’s Compliance System, which is intended to prevent, manage and mitigate the risk of improper conduct and acts that are illegal or contrary to law and the Governance and Sustainability System that can be performed within the organisation.
      4. Of the mechanisms established for the implementation of the policies of the Governance and Sustainability System.
    2. Verifying that the investment and divestment processes comply with the applicable guidelines and risk limits in each case and that the procedures pursuant to which they are performed ensure proper internal control and effective management of the related risks.
  3. The Internal Audit and Risk Division shall also engage in any other actions needed to perform its duty of ensuring the effective operation of the internal control system.

TITLE III. ORGANISATION OF THE INTERNAL AUDIT AND RISK DIVISION

Article 8.- Chief Internal Audit and Risk Officer

  1. The Chief Internal Audit and Risk Officer should have the knowledge, skills and experience appropriate to the duties they are asked to perform, especially with respect to internal audit, risk management, internal control and governance.
  2. Pursuant to the provisions of the Governance and Sustainability System, the Board of Directors is responsible for the appointment and removal of the Chief Internal Audit and Risk Officer, upon a proposal of the Committee and after a report of the Appointments Committee.
  3. The Chief Internal Audit and Risk Officer shall be deemed a member of the senior management of the Company.
  4. The Chief Internal Audit and Risk Officer shall generally have the powers necessary to carry out the duties they are called upon to perform. 
  5. The Chief Internal Audit and Risk Officer shall act transparently, informing the affected parties of the purpose and scope of the activities thereof whenever practicable.
  6. The Committee is the body that evaluates the operation of the Internal Audit and Risk Division and the performance of the chief officer thereof pursuant to the provisions of the Regulations of the Audit and Risk Supervision Committee, for which purpose it shall obtain any opinion that might be held by the chairman of the Board of Directors.
  7. The Chief Internal Audit and Risk Officer shall manage the operation and the budget of the Internal Audit and Risk Division under the principles of independence and efficiency in management, and shall be responsible for implementing the relevant measures and action plans and endeavouring to ensure the proper performance of the duties thereof.
  8. The Chief Internal Audit and Risk Officer may obtain assistance and advice from internal or outside professionals in those cases in which they deem it necessary.

Article 9.- Framework for Relations of Coordination and Information among the Company’s Internal Audit and Risk Division and the Internal Audit and Risk Divisions of the Country Subholding Companies

  1. Pursuant to the provisions of the Foundations for the Definition and Coordination of the Iberdrola Group, the Group’s country subholding companies have an internal audit division, without prejudice to any particularities applicable thereto due to their status as a listed company, nationality, law or any other circumstances.

  2. The Company’s Chief Internal Audit and Risk Officer shall develop an appropriate framework for relations of coordination and information between the Company’s Internal Audit and Risk Division and the internal audit and risk divisions of the country subholding companies and shall develop the strategy, guidelines and overall supervision of the internal audit function at the Group level. Specifically, the Chief Internal Audit and Risk Officer shall:

    1. Define the strategic lines of the internal audit function, which shall be aligned with the Company’s strategic goals and the scale of the internal audit function at the Group level.

    2. Participate in the appointments of the chief internal audit officers of the country subholding companies, sending their proposal to the chair of the audit and compliance committee of the corresponding country subholding company.

    3. Participate in defining the performance assessment processes for the internal audit function and for the heads of the internal audit and risk divisions of the country subholding companies (which are not listed companies), without prejudice to the decision-making autonomy of each of the Group’s companies.

    4. Supervise and coordinate the annual activities plans of the internal audit divisions to verify that they are properly coordinated with the activities plan of the Company’s Internal Audit and Risk Division, and transmit the guidelines and directives of the Company’s Board of Directors and of the Committee.

    5. Establish coordination processes for the preparation of the annual activity reports of the internal audit and risk divisions of the country subholding companies.

    6. Establish guidelines regarding quality requirements and the promotion of global certifications, and promote periodic evaluations of the internal audit and risk divisions. As such, the Chief Internal Audit and Risk Officer shall develop, implement and maintain a Quality Assurance and Improvement Programme, which shall include: (i) internal and external evaluations of the conformity of the internal audit function to the Global Internal Audit Standards and the mandatory rules of the International Standards for the Professional Practice of Internal Auditing approved by the Institute of Internal Auditors (IIA); and (ii) measurement of performance to evaluate the progress of the global internal audit function in terms of the achievement of its global goals; all to promote continuous improvement, and shall report the results thereof to the Board of Directors, through the Committee, and to the members of the Company’s senior management.

  3. The Chief Internal Audit and Risk Officer and the heads of the internal audit and risk divisions of the country subholding companies shall hold regular coordination and information meetings. Such meetings may also be attended by those professionals that the Company’s Chief Internal Audit and Risk Officer deems appropriate.

TITLE IV. RESOURCES, BUDGET AND ANNUAL ACTIVITIES PLAN

Article 10.- Material, Human and Technological Resources

The Internal Audit and Risk Division shall have the human, financial and technological resources required to perform its duties, including the hiring or participation of experts for audits or work requiring special qualifications for the performance thereof.

Article 11.- Annual Activities Plan and Budget

  1. The Chief Internal Audit and Risk Officer shall prepare a proposed annual activities plan of the Internal Audit and Risk Division and shall submit it for the approval of the Committee. In relation to the Internal Audit function, such proposal:
    1. shall contain the budget of the Internal Audit and Risk Division for engaging in its activities during the next financial year;
    2. shall take into account the principal financial and non-financial risk areas (including reputational risks) and those of the businesses;
    3. shall clearly identify and define the responsibilities of each corporate and business area for proper coordination with any other assurance functions, such as the financial and non-financial information control, compliance and statutory audit units;
    4. shall establish the Internal Audit function’s objectives and the work to be performed, as well as the resources necessary for the implementation thereof, both human (internal and external) and financial and technological; and
    5. shall take into account any suggestions that the Board of Directors, the Committee and the members of senior management have communicated thereto.
  2. The Chief Internal Audit and Risk Officer shall periodically review the annual activity plan in order to evaluate the adequacy thereof to cover the risks identified and, if applicable, propose to the Committee for approval the changes the Chief Internal Audit and Risk Officer deems appropriate, and shall report on the implementation of the plan on the terms established in section 2 of Article 12 below.
  3. The Committee shall evaluate compliance with the annual activity plan of the Internal Audit function.
  4. Once approved by the Committee, the budget for the Internal Audit and Risk Division shall be sent to the chairman of the Board of Directors, who shall present it to the Board of Directors for review.

Article 12.- Communication and Information

  1. The nature and scope of any advisory work performed by the Internal Audit and Risk Division shall be previously communicated to the relevant division. In no case may the Internal Audit and Risk Division assume management responsibilities or participate in making executive decisions.
  2. The Chief Internal Audit and Risk Officer shall:
    1. Regularly report to the Committee and to the members of senior management on the implementation of the annual activity plan, including any impacts and limitations on scope arising during the development thereof, as well as the results and conformance to recommendations. 
    2. Submit to the Committee, at the end of each financial year, a report on the activities of the Internal Audit and Risk Division, which must contain at least a summary of the activities performed and reports issued during the financial year, explaining what work provided for in the annual plan has not been carried out or has been performed without being provided for in the initial plan, as well as an inventory of weaknesses, recommendations and action plans, and the results of the Quality Assurance and Improvement Programme.
    3. Regularly report to the Committee on whether the members of senior management of the Company take into account the conclusions and recommendations of the reports of the Internal Audit and Risk Division, and report those cases in which they decide not to implement a recommendation regarding high or very high risk, thus accepting the existing risk.
  3. The Internal Audit and Risk Division shall promote constant and fluid communication with the members of senior management of the Company to ensure that they are aware of the powers of the Internal Audit function and support it in the achievement of its objectives. 

TITLE V. ACCESS TO INFORMATION AND DUTIES OF ITS MEMBERS

Article 13.- Access to Information and Collaboration

  1. The Internal Audit and Risk Division, through its chief officer or such person as is designated thereby, shall have access to the documentation, information or information systems it deems necessary or appropriate for the exercise of its powers, in all cases in compliance with legal provisions and the internal rules of the Company.
  2. In the exercise of its powers, the Internal Audit and Risk Division may obtain assistance from any member of the management team or professional of the Company, as well as from other internal and external specialised areas.

Article 14.- Duties

  1. The members of the Internal Audit and Risk Division must:
    1. Act with independence of judgement and action with respect to the rest of the organisation and perform their work in accordance with the Global Internal Audit Standards, particularly including principles of ethics and professionalism, integrity, objectivity, competence, professional due diligence and confidentiality.
    2. Refrain from disclosing any information, data, reports or background information to which they may have access while in office, nor use any of the foregoing for their own benefit or that of third parties, without prejudice to any applicable duties of transparency and reporting. This duty of confidentiality shall survive even after the members no longer hold such position.
  2. The professionals assigned to the Internal Audit and Risk Division undertake to comply with the mandatory rules established in the International Standards for the Professional Practice of Internal Auditing approved by the Institute of Internal Auditors (IIA), in addition to the other legal provisions and internal rules applicable thereto.