Control Mechanisms

Control Architecture

Enel Colombia develops its processes by applying an Internal Control System, based on international practices such as COSO and the principles of three lines of defense:

1. First Line of Defense: Business Units/Front Office “risk owners”, who are responsible for managing risks and, therefore, must have control mechanisms.
2. Second Line of Defense: Control and Monitoring of Risks "risk control", which must ensure compliance with the limits, criteria and principles in which the actions related to the risk area are framed.
3. Third Line of Defense: Internal Audit that provides assurance on the effectiveness of the measures provided in the corporate governance structure, risk management and internal control, including the way in which the first and second lines of defense achieve their objectives. control and risk management.

The main elements and functions that ensure the effectiveness of the Internal Control System are:

Enel Colombia has defined an effective management for the control of the activities carried out in the execution of its different processes, ensuring the trust of its stakeholders and offering business opportunities backed by transparency and good governance, the disclosure of relevant information and reliability, as well as efficient risk management.

Objectives of the Internal Control System

Improve the effectiveness and efficiency of operations, in order to generate value and promote the optimization of processes.

Develop long-term relationships of trust with stakeholders, by complying with current laws and regulations, executing activities in a responsible manner and transparent communication.

Appropriate risk management, through the implementation of activities and tools for the identification, detection and mitigation of risks.

Assurance of the financial report, guaranteeing the reliability and application of the appropriate accounting policies.

Audit Management

The Internal Audit Management is responsible for objectively and independently ensuring the efficiency and effectiveness of the internal control and risk management system, adding value through review and monitoring activities that aim to continuously improve the processes and relative controls, always in the perspective of a constant evolution of risks in the business context.

Due to its nature, the Internal Audit Department is outside the line of business, reporting directly to the Audit Committees of the Boards of Directors.

The audit processes allow to evaluate, from a risk-based perspective, the functioning of the Company's operations on a regular basis, identify areas for improvement, and facilitate, together with those responsible for processes, action plans that allow strengthening the Internal Control System. .

Each audit includes control activities associated with the Criminal Risk Prevention Model (MPRP), a framework that contains the requirements established in Colombian Legislation and applicable to the Enel Group, and that promotes the adoption of best international practices to prevent and detect potential risks of illegal, fraud and any action that may be in conflict with the ethical principles of the Enel Group.

The results of each audit and the follow-up of the implementation of the action plans are periodically reported to the Audit Committee, which directly supervises the adequate execution of the improvement actions.

The Audit Management is made up of three (3) divisions and has a team of professionals with the experience and knowledge necessary to execute the assigned functions.

The Audit Management has direct access to the Board of Directors through the Audit Committee, Country Manager and global audit function to periodically report the results of the evaluation and monitoring of the implementation of the compliance program, reporting: Review of the Audit Plan , Complaint Management, review of the Compliance Program, monitoring of action plans and reviews of the Anti-Bribery Management System. The report to the Audit Committee on this matter is quarterly or when required by the Audit Manager.

Regarding risk management, the Internal Audit Management carries out a risk assessment at an inherent and residual level. The risk assessment is continuously updated based on changes in the organization, processes, external regulations and results of audit activities. The risk assessment tools defined and used consider inherent and residual risks. These are:

• Fraud Risk Assessment: contains the fraud risk assessment and its typologies for all the Group's units and processes.
• Risk Assessment: evaluates the different types of risks for all processes.
• Risk and Control Matrix of the Criminal Risk Prevention Model (MPRP): evaluates the risks and controls for the prevention of crimes contemplated in the Global and local Compliance program. 

Administration, Finance and Control Management

Internal Control Division

The Company, through the Internal Control Division, coordinates the self-assessment and certification process of the Internal Control of Financial Reporting model in compliance with Italian Law 262 and Sarbanes Oxley (SOX) carried out by those responsible for controls and the Management staff. of the Company considering its responsibility to establish, maintain and evaluate the effectiveness of the Internal Control System.

Additionally, in response to the responsibility for internal monitoring of the Internal Control Model, the firm Ernst & Young performs an independent evaluation to conclude whether the Internal Control Model for Financial Information operates effectively.

Risk Rating Agencies

Annually, through a professional, specialized and independent opinion, the risk rating agency evaluates the payment capacity and credit quality of the issues of securities issued by the Company, thus promoting standards of transparency and corporate governance to investors.

External Audit and Independent Auditor

In accordance with article 13 of Law 43 of 1990, the Company has a Statutory Auditor, with his respective alternate, appointed by the General Assembly of Shareholders, for a period of two (2) years, and may be removed at any time. Its functions are enshrined in the bylaws and the law. Notwithstanding the foregoing, you must include in your reports the relevant findings found during the development of your management, so that shareholders and other investors have the necessary information for decision making.

The Statutory Auditor and External Auditor issues an opinion as statutory auditor on the reasonableness of the financial statements under the Accounting and Financial Reporting Standards accepted in Colombia (NCIF) and an inter-office conclusion as external auditor on whether the financial report has been prepared in all its material aspects in accordance with the framework defined in the instructions.

The findings identified by the Statutory Auditor / External Auditor are reported to the audit committee and management. Through the Internal Control Division, the Company coordinates and designs action plans to mitigate the risks identified by the Statutory Auditor / External Auditor.

Management Audit

In compliance with article 51 of Law 142 of 1994, Enel Colombia, as a public service company, has an external audit of management and results, which is obliged to inform the Superintendency of Residential Public Services of situations that endanger financial viability. of the company, the flaws found in internal control, and in general, the evaluation assessments on the management of the company.

Watchdogs

Due to its nature, "Provider of Home Public Services" and to which Laws 142 and 143 of 1994 apply, the Superintendence of Home Public Services is in charge of exercising control, inspection and surveillance over Enel Colombia.

Additionally, Enel Colombia, as it has the quality of issuer of securities, is inspected by the Financial Superintendence of Colombia (exclusively in relation to this activity), which ensures that integrity, efficiency, and transparency are maintained in the public securities market.