The Audit, Risks, Internal Controls, Ethics & Integrity, and DPO Department aims to promote strategic risk management, foster ethical and cultural values, and ensure adherence to anti-corruption laws and other related regulations, with a focus on business sustainability, through the integrated management of the following processes within the CPFL Energia group:
- Corporate Risks - strategic risk management based on the identification, assessment, measurement, treatment and appropriate communication of the risks to which the CPFL Energia Group is exposed;
- Internal Controls - promote process adequacy, reduce risk exposure and ensure the reasonableness of the information presented in the financial statements through the implementation and monitoring of internal controls;
- Ethics and Integrity - development and management of the Integrity Program;
- Internal Audit - performs independent assessment, follow-up and monitoring processes, based on good market practices and on the policies and procedures in force in the Company;
- Data Protection - responsible for the development, implementation and monitoring of the data protection and privacy strategy.
Organizational structure
The Risk Management area is responsible for the process of identifying and measuring risks that may affect the organization's business strategies, in accordance with the Corporate Risk Management Policy. Its responsibilities are to:
- Coordinate the risk management process in the CPFL Group, developing and keeping up to date Corporate Risk Management methodologies that cover the identification, assessment, measurement, treatment and appropriate communication of the risks to which the CPFL Energia Group is exposed.
- Define, together with the executives and the Board of Directors, the level of risk exposure that the organization is willing to accept in the pursuit of its objectives.
- Ensure that business is conducted within the defined risk limits ("risk appetite") and, where necessary, monitor the actions taken to mitigate these risks.
- Verify that the Company does not participate in activities or adopt practices that may compromise the sustainability of its business, and does not assume risks from operations that are not inherent to its business and/or not previously approved by the Board of Directors.
- Support the Company in preparing to face adverse situations, so as to minimize possible negative impacts.
The CPFL Group's main risks are consolidated in the Corporate Risk Map, which is organized, at a minimum, into the following mandatory categories: Financial, Operational, Legal, Energy Market, Sectorial Regulation, Environmental, Reputation and Corruption.
The risks contained in the Map are periodically monitored through models and/or indicators with exposure limits approved by the Board of Directors of the CPFL Energia Group. The limit is the measure of risk that the institution is willing to accept in order to achieve the expected results in the respective business areas. Limits are established mostly through quantitative metrics and have three classification levels: low, moderate and high. When an established limit is exceeded, the risk owner (the executive responsible for the risk) must prepare action plans to reduce the exposure, and the risk area must ensure compliance with the risk governance approved by the Board of Directors.
Risk indicators and limits are continuously evaluated and, when necessary, proposals for changes are submitted by CPFL Energia's Executive Board to CPFL Energia's Board of Directors for deliberation.
The Internal Controls area is responsible for continuously evaluating and monitoring the effectiveness of internal controls, aiming to reduce risk exposure and support the achievement of the CPFL Group's strategic objectives with long-term value creation. It ensures the reasonableness of financial information and transparency in disclosures to shareholders and stakeholders. Its objectives are to:
- Sufficiently mitigate operational risks;
- Ensure the reasonableness of financial information;
- Continuously improve internal controls;
- Safeguard the Company's assets;
- Provide information to support decision-making, contributing to business continuity.
Annually, processes, risks and internal controls are evaluated and electronically certified by our executives through an Internal Controls Management system¹.
¹ We adopt COSO 2013 (Committee of Sponsoring Organizations of the Treadway Commission) to structure the CPFL Energia Group's internal control system, as well as the guidelines issued by the Brazilian Accounting Council for identifying the internal controls and risks relevant to the financial statements.
The main steps for evaluating internal controls include:
Self-assessment:
Activity performed by the internal control owner to review risks, systems and control design, aiming to anticipate potential weaknesses and enable their timely correction.
Effectiveness Assessments:
Verification of whether the control is operating in accordance with its risk mitigation objective, aiming to obtain evidence that supports the evaluation of CPFL Energia's internal control environment, which is formally disclosed to the Brazilian market through the Reference Form.
Process Mapping:
Mapping carried out to identify and review existing operational risks within processes and suggest the implementation of controls to mitigate or reduce them.
Remediation Plan:
Actions defined for controls with ineffective results, to correct the identified weaknesses and minimize or mitigate the occurrence of the associated operational risks.
Ascending Certification:
Consists of the acknowledgement and electronic sign-off by the executives responsible for internal controls regarding the annual assessment of the effectiveness of those controls.
The Ethics and Integrity department is responsible for the development, implementation and continuous monitoring of the Integrity Program, including the management of the Ethics Channel for receiving reports and the investigative process, ensuring compliance with the best practices of governance and integrity. Its responsibilities are to:
- Establish guidelines that promote understanding and observance of the values and rules contained in the Codes of Ethical Conduct (for employees and suppliers), including, but not limited to, guidelines on conflicts of interest, relationships with public and/or political agents, procedures on gifts, presents and hospitality, and anti-corruption and anti-bribery initiatives;
- Structure, with the support of senior management and the business areas, the CPFL Group Integrity Program around four fundamental dimensions: guidelines, communication, evaluation and monitoring, in addition to the Ethics Channel;
- Ensure that the Integrity Program prevents, detects and responds to incidents of corruption, bribery, fraud and other ethical breaches within the CPFL Group, through the Anti-Bribery and Anti-Corruption Management System, in compliance with the ISO 37001 standard;
- Communicate the message of and commitment to the value of integrity through institutional channels, and through communication and training actions for employees, suppliers and sensitive audiences;
- Provide channels for reporting potential ethical violations related to the Code of Ethical Conduct and the respective internal policies and procedures of the Integrity Program, including access to the external reporting channel (Ethics Channel), which is available 24 hours a day, 7 days a week, and open to all stakeholders (suppliers, employees, customers, etc.);
- Investigate complaints and allegations, ensuring fairness in the application of the respective disciplinary measures; and
- Ensure the transparency, effectiveness and continuous improvement of the Integrity Program through monitoring mechanisms such as the Compliance Risk Assessment (CRA), periodic reports and compliance indicators presented to the respective executive forums.
The monitoring of the guidelines and the effectiveness of the Integrity Program is also carried out by the Ethics Committee (COMET), and the Whistleblower Reports Review Committee (CPD). Both committees are composed of members of senior management and one external member.
Discover our Code of Ethical Conduct (5th version, approved at the Board of Directors meeting of April 20th, 2023) and the Code of Ethical Conduct for Suppliers (2nd version, approved by the CPFL ethics and integrity area and published on the CPFL intranet on October 24th, 2023).
Failure to comply with the guidelines and commitments contained in our Code of Ethical Conduct will result in the application of the disciplinary measures provided for in internal rules and applicable legislation, and may even lead to contractual termination.
CPFL Energia's Internal Audit is structured to allow efficient and independent action. The set of criteria, guidelines and basic rules for the performance of Internal Audit work at the CPFL Energia Group is formalized in its Internal Regulations and aligned with the best practices of the IIA (The Institute of Internal Auditors). Its objectives are to:
- Review and evaluate the effectiveness, sufficiency and application of accounting, financial, systemic and operational controls;
- Determine the extent of compliance with current rules, plans and procedures;
- Determine the extent of the controls over the existence of the company's assets;
- Determine the degree of confidence in the company's information and accounting data;
- Assess the quality of execution of the tasks assigned to fulfill the respective responsibilities.
In order to achieve the objectives, the Annual Audit Plan is prepared according to the following steps: strategic guidelines and value levers; research with the main process managers; risk review with Risk Management; evaluation and perception of the Internal Auditors; interviews with board members and key executives, and risk rating by process.
Once prepared, the Annual Audit Plan is submitted to the Audit Committee for consideration, which then recommends its approval to the Board of Directors. After approval by the Board of Directors, the Audit Plan is brought to the attention of the President and Vice Presidents.
The work carried out by the Internal Audit, covering strategic, operational, financial and compliance (regulatory) risks, includes:
- Identification of the main vulnerabilities, specific risks and respective control activities, as well as opportunities for improvement, in order to propose recommendations that make it possible to improve internal controls and reduce the identified risks to acceptable levels.
- Automated verification of the implementation status of the action plans arising from the improvement opportunities proposed in the Audit Report, as well as identification of possible new risks and of the need for additional or special work.
- Continuous monitoring of automated indicators to identify, in a timely manner, any non-conformities and trends in the analyzed processes. With this methodology, 100% of the records of the audited processes are evaluated.
- Support to the business areas in various consultations, specific analyses, projects, internal committees and specific meetings, among others, always aiming to preventively mitigate risks and improve processes and internal controls, while taking care not to compromise the independence of the essential assessment (assurance) activities.
The set of criteria, guidelines, and basic rules for the development of Internal Audit’s work within the CPFL Energia Group is defined in the Internal Audit Regulations.
The Data Protection area is responsible for guiding the processing of personal data of natural persons, through the development, implementation, monitoring, management and supervision of the CPFL Energia Group's Data Protection Governance Program. Its responsibilities are to:
- Establish guidelines for the processing of personal data within the Organization;
- Guide compliance with the rights of data subjects;
- Manage the data protection and privacy strategy and governance program;
- Monitor and respond in a timely manner to identified privacy and data protection risks that may violate legislation or affect the rights of data subjects;
- Monitor the implementation of initiatives associated with compliance with legal requirements or privacy laws;
- Develop and promote training on privacy and data protection for all audiences that require it within the organization, including service providers and third parties.
Having security as one of its non-negotiable values, the CPFL Group is committed to complying with the laws and regulations that govern privacy and the protection of personal data, so that the processing of personal data of natural persons takes place in a legal, ethical and responsible manner, for legitimate and specific purposes informed to the data subjects.
Based on that same value, CPFL Energia is committed to promoting a culture that values data protection through policies, regulations, training and communications on the topic, directing and involving its employees, agents and outsourced contractors.
The processing of personal data is guided by the Data Protection Governance Program, which aims to maintain the trust of its customers, consumers, candidates, employees, visitors, legal representatives, partners, investors, related parties and authorities, in addition to guiding the management of privacy and data protection risks.
The way in which the Organization handles the personal data of a natural person is communicated to data subjects through privacy policies and notices made available in the communication channels used to contact them, according to the category the subject falls into (customer, user, partner, employee, ...), so that, whenever applicable, data subjects can consult in advance how their personal data is processed.