The Audit, Risks, Internal Controls, Ethics & Compliance, and DPO Department aims to promote strategic risk management, foster ethical and cultural values and ensure adherence to anti-corruption laws and other related regulations, with a focus on business sustainability through the integrated management of the following processes within the CPFL Energia group:
- Corporate Risks - strategic risk management based on the identification, measurement, monitoring and reporting of risks to which the CPFL Energia Group is exposed;
- Internal Controls - coordination and evaluation of internal controls related to the preparation and disclosure of financial statements and other key processes of the company;
- Ethics and Compliance - development and management of the Integrity Program;
- Internal Audit - assessment, follow-up and independent monitoring processes, based on good market practices and on the policies and procedures in force in the Company;
- Data Protection - development, implementation and monitoring of the data protection and privacy strategy.
Organizational structure
The Risk Management area is responsible for the process of identifying and measuring risks that may affect the organization's business strategies, in accordance with the Corporate Risk Management Policy.
- Coordinate the risk management process in the CPFL Group, developing and keeping up-to-date Corporate Risk Management methodologies that include the identification, measurement, monitoring and reporting of the risks to which the CPFL Group is exposed.
- Define, together with the executives and the Board of Directors, the level of risk exposure that the organization is willing to accept in the pursuit of its objectives.
- Ensure that business is conducted within the defined risk limits ("risk appetite") and, if necessary, monitor actions to mitigate these risks.
- Verify that the Company does not participate in activities or adopt practices that may compromise the sustainability of its business and does not assume risks of operations that are not inherent to its business and/or previously approved by the Board of Directors.
- Support the Company in preparing to face adverse situations, as a way of minimizing possible negative impacts.
The CPFL Group's main risks are consolidated in the Corporate Risk Map, which must be organized into at least the following categories: Financial, Operational, Legal, Energy Market, Sectorial Regulation, Environmental and Reputation.
The risks contained in the Map are periodically monitored through models and/or indicators with exposure limits approved by the Board of Directors of the CPFL Energia Group. The limit is the measure of risk that the institution is willing to accept in order to achieve the expected results in the respective business areas. Limits are established mostly through quantitative metrics and have three classification levels: low, moderate and high. When an established limit is exceeded, the risk owner (the executive responsible for the risk) must prepare action plans to reduce the exposure, and the risk area must ensure compliance with the risk governance approved by the Board of Directors.
Risk indicators and limits are continuously evaluated and, when necessary, proposals for changes must be submitted by CPFL Energia's Executive Board to CPFL Energia's Board of Directors for deliberation.
The Internal Controls area's mission is to promote preventive loss management, maximizing value to our stakeholders and return to shareholders in a sustainable manner. It is also responsible for establishing and maintaining internal controls to ensure the reliability of financial information and respective disclosure to shareholders.
- Sufficiently mitigate operational risks;
- Continuously improve internal controls;
- Act preventively to reduce losses;
- Preserve the Company's assets;
- Provide information for decision making, guiding business performance.
Annually, the processes, risks and internal controls are electronically evaluated and certified by our executives through an Internal Controls Management system.¹
¹ COSO 2013 (Committee of Sponsoring Organizations of the Treadway Commission) has been adopted to structure the CPFL Energia Group's internal control system, and the guidelines issued by the Federal Accounting Council are used to identify the risks and internal controls relevant to the financial statements.
The main steps for evaluating internal controls include:
- Self-assessment: activity carried out by the process manager, with the support of the Internal Controls team, through the review of risks and internal controls, with the objective of anticipating possible weaknesses and allowing their timely correction.
- Effectiveness Assessments: measure whether the control is operating in line with its risk-mitigation objective and gather evidence to support the assessment of CPFL Energia's internal control environment, which is publicly disclosed through the Brazilian Market Reference Form.
- Remediation Plan: actions defined for controls assessed as ineffective, aimed at correcting the identified problems and minimizing or mitigating the materialization of the associated operational risks.
- Ascending Certification: consists of the acknowledgement and electronic signature of the executives who have internal controls under their responsibility.
The Ethics and Compliance area is responsible for the development, implementation and monitoring of the CPFL Energia Group's Integrity Program.
- Establish guidelines that promote understanding and observance of the values and rules contained in the Codes of Ethical Conduct (for employees and suppliers), including, but not limited to, guidelines on conflicts of interest, relationships with public and/or political agents, gifts, presents and hospitality, and anti-corruption and anti-bribery initiatives;
- Ensure that the Integrity Program is able to prevent, detect and respond to incidents of corruption, bribery, fraud and other ethical deviations in the CPFL Group;
- Communicate the message and commitment to the integrity value through institutional channels, and through communication and training actions for employees, suppliers and sensitive audiences;
- Provide channels for consultation, suggestions, complaints and/or questions regarding the Code of Ethical Conduct and the respective internal policies and procedures of the Integrity Program, including access to the external complaints channel (Ethics Channel), available 24 hours a day, 7 days a week and open to all stakeholders (suppliers, employees, customers, etc.);
- Investigate complaints and allegations, ensuring fairness in the application of the respective disciplinary measures; and,
- Ensure the transparency, effectiveness and continuous improvement of the Integrity Program through monitoring mechanisms, such as the Compliance Risk Assessment (CRA), periodic reports and compliance indicators for the respective executive forums.
The monitoring of the guidelines and effectiveness of the Integrity Program is also carried out by the Ethics and Business Conduct Committee (COMET), with support from the Complaint Processing Commission (CPD), which is composed of members of senior management and an independent external member.
Discover our Code of Ethical Conduct (approved at the Board of Directors meeting of April 20th, 2023; currently in its 5th version) and the Code of Ethical Conduct for Suppliers (approved by the CPFL ethics and compliance area and published on the CPFL intranet on October 24th, 2023; currently in its 2nd version).
Failure to comply with the guidelines and commitments contained in our Code of Ethical Conduct will be subject to the disciplinary measures provided for in internal rules and applicable legislation, and may even lead to contractual termination.
CPFL Energia's Internal Audit is structured to allow efficient and independent action. The set of criteria, guidelines and basic rules for the performance of Internal Audit work at the CPFL Energia Group is formalized in the Internal Regulations and aligned with the best practices of the IIA (Institute of Internal Auditors).
- Review and evaluate the effectiveness, sufficiency and application of accounting, financial, systemic and operational controls;
- Determine the extent of compliance with the rules, plans and current procedures;
- Determine the extent of controls over the existence of the company's assets;
- Determine the degree of confidence in the company's information and accounting data;
- Assess the quality achieved in the execution of tasks determined to fulfill the respective responsibilities.
In order to achieve these objectives, the Annual Audit Plan is prepared according to the following steps: strategic guidelines and value levers; surveys of the main process managers; risk review with Risk Management; the Internal Auditors' own assessment and perception; interviews with board members and key executives; and risk rating by process.
Once prepared, the Annual Audit Plan is submitted to the Audit Committee for consideration, which must recommend its approval to the Board of Directors. After approval by the Board of Directors, the Audit Plan is brought to the attention of the President and Vice Presidents.
The work carried out by the Internal Audit, covering strategic, operational, financial and compliance (regulatory) risks, includes:
- Identification of the main vulnerabilities, specific risks and respective control activities, as well as opportunities for improvement, in order to propose recommendations that improve internal controls and reduce the identified risks to acceptable levels.
- Automated verification of the implementation status of the action plans arising from the improvement opportunities proposed in the Audit Report, as well as identification of possible new risks and of needs for additional or special work.
- Continuous monitoring of automated indicators to identify possible non-conformities and trends in the analyzed processes in a timely manner. With this methodology, we evaluate 100% of the data of the audited processes, rather than a sample.
- Support to the business areas in various consultations, specific analyses, projects, internal committees and specific meetings, among others, always aiming to mitigate risks preventively and improve processes and internal controls, while taking care not to compromise the independence of the core assurance activities.
The set of criteria, guidelines and basic rules for the performance of Internal Audit work at the CPFL Energia Group is defined in the Internal Audit Regulation.
The Data Protection area is responsible for guiding the processing of personal data of natural persons through the development, implementation, monitoring, management and supervision of the CPFL Energia Group's Data Protection Governance Program.
- Establish guidelines for the processing of personal data within the Organization;
- Guide compliance with data subjects' rights;
- Manage the data protection and privacy strategy and governance program;
- Monitor and respond in a timely manner to identified privacy and data protection risks that may violate legislation or affect data subjects' rights;
- Monitor the implementation of initiatives associated with compliance with legal requirements or privacy laws;
- Develop and promote privacy and data protection training for all audiences that require it within the organization, including service providers and third parties.
Having security as one of its non-negotiable values, the CPFL Group is committed to complying with the laws and regulations that govern privacy and the protection of personal data, so that the processing of personal data of natural persons takes place in a legal, ethical and responsible manner, for purposes that are legitimate, specific and informed to the data subjects.
Based on that same value, CPFL Energia is committed to promoting a culture that values data protection through policies, regulations, training and communications on the topic, directing and involving its employees, agents and outsourced contractors.
The processing of personal data is guided by the Data Protection Governance Program, which aims to maintain the trust of customers, consumers, candidates, employees, visitors, legal representatives, partners, investors, related parties and authorities, in addition to guiding the management of privacy and data protection risks.
The way the Organization handles a natural person's personal data is communicated to data subjects through privacy policies and notices made available in the communication channels used to contact them, according to the category of subject they fall into (customer, user, partner, employee, etc.), and, whenever applicable, so that data subjects can consult in advance how their personal information is processed.