[5.2] Three Lines Model

A principles-based model

The Internal Control System of Iberdrola and the companies of its group is configured by reference to international best practices. The Three Lines Model, published on 20 June 2020 by the Institute of Internal Auditors, updates the previous Three Lines of Defense Model, and is based on an assurance system combined around three lines, providing a comprehensive view of how the different parts of the organisation interact in an effective and coordinated manner, increasing the efficiency of the processes for management and internal control of the entity’s significant risks.

A principles-based model

Based on the document “The IIA’s Three Lines Model 2020. An update of the Three Lines of Defense”. IIA 2020.

Iberdrola adopts the Three Lines Model to
ensure its internal control system.

Principle 1:

Iberdrola’s governance has structures and processes that enable:

  • Accountability by the Board of Directors to stakeholders for organisational oversight though integrity, leadership and transparency.
  • Actions (including managing risk) by management to achieve the objectives of the strategic plan through risk-based decision-making and application of resources.
  • Assurance and advice by an internal audit function to provide clarity and confidence and to promote and facilitate continuous improvement through rigorous research and insightful communication.

Principle 2:
Governing body roles

Iberdrola’s Board of Directors:

  • Ensures that appropriate structures and processes are in place for effective governance.
  • Ensures that organisational objectives and activities are aligned with the prioritised interests of the stakeholders.
  • Delegates responsibility and provides resources to management to achieve the objectives of the organisation while ensuring legal, regulatory and ethical expectations are met.
  • Establishes and oversees an independent, objective and competent internal audit function to provide clarity and confidence on progress toward the achievement of objectives.

Principle 3:
Management and first and second line roles

Management’s responsibility to achieve organisational objectives comprises both first and second line roles. The management team and the professionals of Iberdrola and its group are the direct managers of the entity’s risks. Thus, the company’s Management is responsible for maintaining effective control and for implementing procedures to control risks on a continuous basis, based on the Internal Control objectives of the COSO model (operational, reporting and compliance – Committee of Sponsoring Organizations, May 2013).

Significant risks facing Iberdrola’s primary businesses: Networks
Significant risks facing Iberdrola’s primary businesses: Renewables
Significant risks facing Iberdrola’s primary businesses: Wholesale and Retail

The primary assurance functions within Iberdrola, within their respective areas of responsibility, are: (i) the group’s Risk Division, within the framework of its duties within the Comprehensive Risk Control and Management System; (ii) the Internal Assurance Division, belonging (like the Risk Division) to the Risk Management and Internal Assurance area, in its responsibilities relating to the internal risk management and control systems in relation to the preparation of financial information (Internal Control over Financial Reporting System, or ICFRS) and non-financial information (Internal Control over Non-Financial Reporting System, or ICNFRS) and the SAP environment; (iii) the Compliance Unit, which is responsible for proactively ensuring the effective operation of the Compliance System (notwithstanding which, in the financial and non-financial information processes it is considered to have a third line role as it provides independent assurance regarding the risk of non-compliance with the legal framework); and (iv) the Cybersecurity Division within the Corporate Security Division, through the supervision, monitoring and reporting of cybersecurity risks.

Comprehensive Risk Control and Management System
Compliance Unit

Principle 4:
Third line roles

The Internal Audit area proactively ensures the proper operation of the internal control, risk management and governance systems, systematically auditing the roles of the first and second lines in the performance of their respective duties of management and control.

To ensure its independence, the director of the Internal Audit Area reports hierarchically to the chairman of the Board of Directors and functionally to Iberdrola’s Audit and Risk Supervision Committee (ARSC). The Audit and Compliance Committees (ACC) and Internal Audit divisions of the various country subholding companies have this same positioning, and are coordinated under the framework of the Basic Internal Audit Regulations. These regulations, approved by the Board of Directors, form part of the Governance and Sustainability System and establish the rules, duties, competencies and powers of Internal Audit, as well as its framework of relations within the group.

The 2020 annual activities plans of Iberdrola’s Internal Audit Area and of the Internal Audit divisions of the group, with a risk-based focus, responded to the requirements established by the ARSC and the respective ACCs of the country subholding companies, and included:

  • Half-yearly reviews of the operation of the most critical ICFRS controls, as well as reviews of the various cycles of financial information preparation, within the framework of the revision of the entire ICFRS over a 5-year period.
  • Audits of key corporate and business process and risks, based on the Risk Policies approved by the Board of Directors on an annual basis.
  • Audits of the compliance programmes.

Iberdrola satisfactorily completed the Quality Assurance evaluation performed by the Internal Auditors Institute of Spain in 2020.

Principle 5:
Third line independence

Internal audit’s independence from the responsibilities of management is critical to its objectivity, authority and credibility. At Iberdrola this is established by: accountability to the Board of Directors; unfettered access to people, resources and data needed to complete its work; and freedom from bias or interference in the provision of audit services.

Principle 6:
Creating and protecting value

At Iberdrola, all of the roles are aligned with each other and with the interests of the stakeholders, contributing to the creation and protection of value.

External assurance providers

Regulators establish requirements to strengthen the organisations’ controls and perform an independent oversight role. The powers of the ARSC and the ACCs include striving to preserve the independence of the statutory auditors, who provide assurance of the true picture provided by Iberdrola’s financial information.

Audit Report on the Consolidated Financial Statements