Internal audit 

The Audit unit is a multidisciplinary team that helps the company meet its strategic goals by evaluating and proposing improvements that bring risk management, control, and governance processes into line with international standards.

To guarantee the independence of the audit function, it reports to the Audit and Control Committee of the Board of Directors of Repsol, S.A., and for the purposes of internal organization, it reports to the Executive Managing Division of Energy Transition, Technology, Institutional Affairs, & Deputy CEO.

Mission and principles

The Repsol Audit Division has a mission to protect and improve the value of the Organization by providing objective assurance, advice, and risk-based knowledge to support the Audit and Control Committee’s work.

In carrying out its role, the Audit area adheres to the following principles:

  • Act independently of the rest of the Organization's criteria and actions, performing its work diligently, responsibly, and professionally.
  • Keep the information handled strictly confidential, notwithstanding the reports to be presented periodically.
  • Provide continuous professional training to auditors, giving them sufficient knowledge and experience to fulfill the requirements of their mission.
  • Comply with the fundamental principles, standards, and ethical codes of professional practice in internal audit that may be applicable at any time.

 

Code of Ethics and Business Conduct

To carry out our role, as well as complying with the Repsol Group's Code of Ethics and Business Conduct, we follow the Internal Audit Bylaws and Institute of Internal Auditor's International Standards for the Professional Practice of Internal Audit, which includes the Code of Ethics for the profession.

 

What we do 

We independently assess the reasonableness and adequacy of the design and functioning of internal control systems, risk management, and Group governance processes, as well as the reasonableness of operations with third parties.

When carrying out the assessment, we ensure that the internal control guaranteed by the company covers the following objectives:

  • The risks that could affect the organization are identified, measured, prioritized, and controlled appropriately.
  • Operations are carried out with effectiveness and efficiency criteria.
  • Operations are carried out in accordance with the applicable laws, regulations, and contracts, as well as valid policies, norms, and procedures.
  • The most significant financial, management, and operational reports are drafted properly.

 

Audit activities

  • Carry out audit projects for operated, non-operated, and co-operated companies and assets, as well as audits of systems and contracts included in the Annual Plan or those considered necessary, or when requested by the corresponding bodies or senior management.
  • Verify that the recommendations made in audits are implemented by the areas audited and financial claims related with third-party audits are made in accordance with the defined verification strategy.
  • Collaborate in investigating events or actions that could constitute a non-compliance with internal company norms and regulations, or that could make the company liable in any way. This is done at the request of the bodies or people authorized to start these investigations (including the Repsol Audit and Control Committee and Repsol Ethics and Compliance Committee).
  • Assess the consistency of the control environment in information systems, to ensure that data is processed reasonably and operational system procedures offer adequate protection against error, fraud, and loss of information.
  • Provide the Repsol Group with the required advisory and consultancy services, focusing on generating added value and improving operations, among others, as well as those related to the design of formal Internal Compliance and Control Models and the definition of specific controls.

The planning activities and the work of the Audit Division cover the entire world, including all operated, non-operated, and co-operated assets. 

 

Audit and Control Committee 

The Audit and Control Committee provides the Board of Directors with support to perform its monitoring responsibilities by periodically reviewing the process for drafting financial reports, evaluating the effectiveness of its executive controls, monitoring internal audit and the independence of the external auditors, and reviewing compliance with all the legal provisions and internal norms that apply to the company.

The Audit and Control Committee is regulated by the provisions of the Corporate Bylaws and the Regulation of the Board of Directors, which establish its composition, operation, and responsibilities. This Regulation establishes the organizational principles and operation of the Board of Directors of Repsol, S.A. and the norms that govern its legal and statutory activity, in addition to its supervision and control system. The Regulation also complements the discipline applicable to the Board of Directors established in current commercial legislation and the Corporate Bylaws.

Internal Control & Risk Management 


The Internal Control and Risk Management units are multidisciplinary teams that help the company meet its strategic goals by evaluating and proposing improvements that bring risk management, internal control and governance processes in accordance with the established polcies of the company.

To guarantee the independence of the their function, they report to the Audit and Control Committee of the Board of Directors of Repsol, S.A. and, for the purposes of internal organization, to the Executive Managing Division of Energy Transition, Technology, Institutional Affairs, & Deputy CEO.

 

Internal control

Repsol has an Integrated Internal Control model in place that follows the COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework and includes the Group’s formally developed Internal Control and Compliance Systems, most notably the Systems of Internal Control over Financial and non-financial Reporting and the Crime Prevention Model, among other compliance models.

The System of Internal Control over Financial Reporting (ICFR) is aimed at reasonably ensuring the reliability of the Group’s financial reporting. The ICFR model is based on the methodological framework of COSO 2013 as set out in their report Internal Control‐Integrated Framework, which provides an integrated framework for internal control over financial reporting that is designed to ensure that transactions are recorded faithfully, in conformity with the applicable accounting framework, providing reasonable assurance in the prevention or detection of errors that might have a material impact on the information contained in Consolidated Financial Statements. The Audit, Control and Risks department annually evaluates the design and functioning of the Group ICFR and draws conclusions on its effectiveness.

Additionally, Repsol has in place a range of procedures, an overarching action framework and specialized teams dedicated solely to ensuring that its internal and external obligations are properly fulfilled. The internal control and the compliance functions reinforce compliance culture across the Group and improve our ability to identify and monitor ethics and compliance risks. 

 

Enterprise risk management

As a global integrated energy company, Repsol is exposed to risks that can affect its future performance. Such risks must be managed effectively in accordance with the established Risk Management Policy.

The company has an organization, procedures and systems that allow it to reasonably manage the risks to which the group is exposed, such that risk management is an integral part of decision-making processes in both corporate governance bodies and business management. The Integrated Risk Management System (SGIR in Spanish) provides a comprehensive, reliable and advance view of all risks that might affect the company, in accordance with the recommendations of:

  • The ISO 31000 standard on the risk management process, and
  • The IAA (Institute of Internal Auditors) Three Lines Model, in terms of the division of responsibilities between the areas and units involved.

The company has the commiment to reasonably ensure compliance with the objectives of each organizational area, including operational, financial and non-financial objectives, communication of financial and non-financial information, andregulatory compliance, through information and internal control systems based on the principles of the COSO reference framework

This risk maps is regularly updated and report to the Audit and Control Committee.