[5.2] Three Lines of Defence

Internal control model

The Internal Control System of Iberdrola and the companies of its group is configured by reference to international best practices. It is based on an assurance system combined around three lines of defence, providing a comprehensive view of how the different parts of the organisation interact in an effective and coordinated manner, increasing the efficiency of the processes for management and internal control of the entity’s significant risks.

Three lines of defence model

Based on the document “Guidance on the 8th EU Company Law Directive, article 41” ECIIA/FERMA, September 2010.

1st line of defence Operational Management

As the first line of defence, the management team and the professionals of Iberdrola and its group are the direct managers of the risks of the entity.

Thus, the company’s Management is responsible for maintaining effective control and implementing procedures to control risks on a continuous basis.

Internal Control Objectives (COSO. May 2013)
Operations objectives- Pertain to the effectiveness and efficiency of the entity’s operations, including operational and financial performance goals, and safeguarding assets against loss.
Reporting objectives- Pertain to internal and external financial and non-financial reporting and may encompass reliability, timeliness, transparency or other terms as set forth by regulators, recognised standard setters or the entity’s policies.
Compliance objectives- Pertain to adherence to laws and regulations to which the entity is subject.

Significant Risks Facing Iberdrola’s Primary Businesses: Networks
Significant Risks Facing Iberdrola’s Primary Businesses: Wholesale and retail
Significant Risks Facing Iberdrola’s Primary Businesses: Renewables

2nd line of defence Assurance Functions

As the second line of defence, certain functions provide the foundation for the entity’s Internal Control System, proposing guidelines to the Board of Directors and monitoring how the first line of defence implements them.

The primary assurance functions within Iberdrola, within their respective areas of responsibility, are: (i) the group’s Risk Division, within the framework of its functions within the Comprehensive Risk Control and Management System; (ii) the Cybersecurity Division within the Corporate Security Division, through the supervision, monitoring and reporting of cybersecurity risks; (iii) the Compliance Unit, which is responsible for proactively ensuring the effective operation of the Compliance System; and (iv) the Internal Control Division, which is part of the Administration and Control Division, within its duties relating to the internal control and risk management systems in relation to the preparation of financial information (ICFRS).

Comprehensive Risk Control and Management System
Compliance Unit

Iberdrola adopts the three lines of defence model to ensure effective and integrated management of its internal control system.

3rd line of defence Internal Audit

The function of the Internal Audit area, as the third line of defence, is to proactively ensure the proper functioning of the internal control, risk management, and governance systems, systematically auditing the first and second lines in the performance of their respective duties of management and control.

To ensure its independence, the director of the Internal Audit Area reports hierarchically to the chairman of the Board of Directors and functionally to the Audit and Risk Supervision Committee. The Internal Audit divisions of the various country subholding companies have this same positioning, and are coordinated under the framework of the Basic Internal Audit Regulations of Iberdrola and its group, which forms part of Iberdrola’s Corporate Governance System.

The 2019 annual activities plans of the Internal Audit Area Division of Iberdrola and of the Internal Audit divisions of the group, with a risk-based focus looking to support the achievement of the company’s goals, responded to the requirements established by the Audit and Risk Supervision Committee of Iberdrola and the respective Audit and Compliance Committees of the country subholding companies, and included work for the senior management and the rest of the organisation, including:

  • Half-yearly reviews of the operation of the most critical controls of the Internal Control Over Financial Reporting (ICFR) System, as well as reviews of the various cycles of preparation of the financial information of Iberdrola, S.A. and the various companies of the group, within the framework of the general goal of reviewing the entire ICFR over a period of 5 years.
  • Audits of key corporate and business process and risks, based on the Risk Policies approved by the Board of Directors on an annual basis.
  • Audits of compliance programmes and frameworks established by the group in the various areas of application, such as the crime prevention programme.

Continuing with the commitment made in 2005, the Internal Audit area submits to an exhaustive review every five years of compliance with internal audit rules (called a Quality Assessment) by the Global Institute of Internal Auditors. During the last review in 2015, the certification of Iberdrola, S.A. and of ScottishPower was renewed and the scope of the certification was expanded to include Iberdrola España and Avangrid.

Furthermore, the Internal Audit has had ISO 9001 certification since 1999, updated to version 9001:2015. This ensures that all of the group’s internal auditors perform duties under the same framework and that such framework is aligned with the international professional rules of the function.

Basic Internal Audit Regulations of Iberdrola, S.A. and its group
Approved by the Board of Directors of Iberdrola upon a proposal of its Audit and Risk Supervision Committee (updated on 28-Mar-2019).
Defines its nature as an independent internal unit, and establishes the regulation, competencies, powers and duties of Internal Audit, among other things.
Establishes the framework of relations with: i) the Board of Directors, its Chairman and Committees; ii) the Internal Audit divisions of the other companies of the group; and iii) the rest of the organisation.
Disseminates the knowledge of the Internal Audit function among the professionals of the group.
Serves as a reference for the management model and the quality system of the Internal Audit Area of the company and the Internal Audit divisions of the other companies of the group.

External assurance

Regulatory bodies and other entities external to the organisation play a significant role in the general structure of governance, internal control and risks of Iberdrola, especially in the regulated businesses. The regulators establish requirements intended to strengthen the controls of an organisation and perform a function of independent and separate monitoring, and the auditors provide assurance regarding the true and fair view of the entity’s financial information. In this regard, the powers of the Audit and Risk Supervision Committee of Iberdrola and the Audit and Compliance Committees of the country subholding companies include ensuring the preservation of the independence of the auditors in the performance of their duties.

Regulatory Environment
Audit Report on the Consolidated Financial Statements