Internal Control Corporate Policy
Internal Control Corporate Policy was approved by the Board of Directors of Telefónica, S.A. in July 2023. The policy underscores the need for oversight and control by the Board of Directors through the Audit and Control Committee.

Internal Control Corporate Policy sets out the fundamental criteria of our Internal Control Model, which applies across the entire Telefónica Group.
Purpose and scope of application
To ensure proper oversight and control by the Board of Directors via the Audit and Control Committee, it is essential to outline the foundation of Telefónica’s Internal Control Model and the mechanisms to monitor its effectiveness.
This Policy sets out the fundamental criteria of our Internal Control Model, which applies across the entire Telefónica Group. As the parent company, Telefónica, S.A. is responsible for providing the tools and mechanisms for effective coordination with all group companies, while respecting their individual decision-making rights and fiduciary duties to their shareholders.
This Policy also provides guidance on internal control responsibilities within Telefónica’s subsidiaries. When new entities join the Group or we acquire stakes without gaining control, the relevant departments take action. Supported by Internal Audit, they ensure these entities adhere to this Policy’s requirements. Accordingly, confidentiality is maintained and compliance is ensured before finalizing any investments or participations.
Definition of the internal control framework
Telefónica Group has a defined strategy and has adopted the globally recognised COSO framework for internal control, bolstering our system’s credibility with entities like auditors and the SEC.
Telefónica Group’s internal control involves a collaborative effort from our Board of Directors, Management, and staff. The aim is to meet operational, informational, and compliance objectives through key components:
- Control Environment: Foundational standards and structures, including our ethical guidelines and organisational hierarchies.
- Risk Assessment: Active management of significant risks to our objectives.
- Control Activities: Measures to implement management’s directives and mitigate risks, covering business processes and technology.
- Information and Communication: Efficient dissemination of vital information aligned with our goals.
- Monitoring Activities: Continuous oversight of our control system, with key findings reported to our Board and Senior Management.
Responsibility over the internal control
Aligned with Telefónica’s Business Principles, our ethical cornerstone, we’ve instituted robust controls to manage all pertinent risks. Therefore, our internal control is seamlessly integrated into our daily operations.
Every department, within its remit, is accountable for internal control, ensuring operational effectiveness, resource efficiency, accurate decision-making information, and legal compliance. We are vigilant about potential risks in these areas, embedding safeguards against unforeseen challenges and maintaining oversight of activities within each department’s responsibility. In line with Corporate Governance standards, our approach to Internal Control and Risk Management covers financial and non-financial facets. Above all, these facets include operational, technological, legal, social, environmental, reputational, and regulatory aspects.
Supervision of the internal control
In line with Spanish CNMV and Telefónica, S.A.’s regulations, the Board’s Audit and Control Committee oversees our internal systems. Our Internal Audit ensures these systems function correctly, detects any inefficiencies, and operates independently, supporting the Committee in risk and control management.
Internal Audit employs a methodical and disciplined strategy, focusing on the following action areas:
- Regulatory Framework Coordination: Ensuring consistency within Telefónica Group’s internal regulations by fostering the development and oversight of standards. This is in line with Telefónica’s Regulation on the Preparation and Organisation of the Regulatory Framework.
- Risk Management Oversight: Overseeing risk management activities, promoting a risk-aware culture, and liaising with the Audit and Control Committee on risk management matters, as per the Group’s Risk Management Policy.
- Continuous Auditing: Leveraging technology to continuously monitor specific management controls, enhancing internal control structures, and identifying risks in real time.
- Outflows Control Supervision: Based on the Outflows Control Verification Protocol, we conduct sample checks on the effectiveness of certain controls before executing payments.
- Specific Process Audits: Evaluating the design and operation of controls within company processes, issuing recommendations, and monitoring action plans to address identified shortcomings. This includes internal control audits for financial reporting as mandated by the Sarbanes-Oxley Act, efficiency audits of control designs, and other specific compliance audits across the Telefónica Group.
- IT and Cybersecurity Audits: Assessing the operation and security of our networks and IT systems, including cybersecurity checks on Telefónica Group’s system and network infrastructures.
- Other Specific Audits: Conducting audits or reviews as requested by the Board or Management, including investigations from whistleblowing channels, potential fraud cases, and fraud prevention-focused reviews.
Internal Audit organisation
Internal Audit centrally reports to our Group’s Audit and Control Committee. Organised around a main unit at Telefónica, S.A., it can have extensions in business lines and operational units, all overseen by the central unit. Any structural changes need the Corporate Chief Internal Auditor’s approval. The Board of Directors, with guidance from relevant committees, appoints this Chief Auditor.
Incorporation of entities within the framework of Telefónica
Given our varied involvements in different entities, we’ve set guidelines to clarify Telefónica’s role in their internal control. This considers our board representation, ownership stake, voting rights, and any related contractual rights. We’ve categorised these into specific scenarios.
- Entities with significant influence from Telefónica
For entities where Telefónica Group has significant influence but not outright control, we typically have board representation without holding a majority. We advise such entities to maintain an independent Internal Audit function to oversee internal control and risk management. Additionally, we recommend the adoption of an annual Internal Audit plan.
- Entities in which Telefónica holds joint control with other partner(s) or other participants
Entities where Telefónica Group shares control with other participants must, beyond our standard measures, embed core internal control principles in operational contracts, like shareholder or joint venture agreements. This ensures compliance with relevant regulations, such as the Sarbanes-Oxley Act and FCPA, safeguarding Telefónica Group’s interests.
- Entities controlled by Telefónica
Entities where Telefónica Group has a controlling stake, either through a majority shareholding or the power to appoint most directors, are bound by the stipulations in this Policy and other relevant Telefónica Group regulations.
Specifics are detailed in the document “Internal Control Corporate Policy” that you can see below: