Internal Audit Executive Board
Revision History
Version: | Revision Date: | History: |
1 | 08/02/2018 | Document Elaboration. |
2 | 06/19/2019 | Updated subitems 1.1, 2.1, 2.2, 3.1, 3.2 and 4.1 of item III. Guidelines, included sub-items 2.3, 2.9, 3.3, 5 and 6 and excluded sub-item 2.1.1. Updated item IV. Management of Consequences. Updated item V. Responsibilities. Updated item VII. Concepts and Acronyms. |
3 | 06/25/2021 | Update of the following items: II. Scope, IV. Outcome Management, V. Responsibilities, VI. Additional Documents, VII. Concepts and Acronyms, in addition to the update of all subitems of III. Guidelines. |
4 | 05/31/2023 | Update of items: II. Scope, III. Guidelines, sub-items 1.1, 2.1, 2.4, 2.5, 2.13, 2.14, 2.15, 4.1, 5.3, 6.2, 6.2.1, 6.2.2, 6.2.3, 6.2.5, 8, 8.1, 8.2, V. Responsibilities, VI. Supplementary Documentation and VII. Concepts and Acronyms. |
I. Purpose
Define the principles for operation of the Internal Audit in the Company’s processes and the guidelines for contracting Extra-Audit Services.
II. Scope
All members of the Board of Directors, Advisory Committees and Executive Board (“Management”), members of the Fiscal Council and employees of Cielo S.A., Servinet Serviços Ltda., Aliança Pagamentos e Participações Ltda. and Stelo S.A., hereinafter referred to as “Cielo” or the “Company”.
All the Company’s Subsidiaries must define their directions based on the guidelines set forth in this Policy, considering the specific needs and the legal and regulatory aspects to which they are subject.
With respect to the Affiliates, the Company’s representatives who act in managing its Affiliates must make every effort to define their directions based on the guidelines set forth in this Policy, considering the specific needs and the legal and regulatory aspects to which they are subject.
III. Guidelines
1. Mission
1.1. Provide independent, autonomous and impartial opinions on the quality and effectiveness of the risk management systems and processes, internal controls and corporate governance, identifying deviations and appropriate measures, recommending improvements focused on protecting the interests of the Company and of its shareholders.
1.2. The Company’s Executive Audit Department is responsible for the Internal Audit activities.
2. Independence and Objectivity
2.1. The Internal Auditors report to the Executive Audit Superintendent, who reports to the Board of Directors, with technical support from the Audit Committee.
2.2. The nomination, designation, exoneration or dismissal of the Audit Executive Superintendent must be approved by the Board of Directors, after previously hearing the Audit Committee, and communicated to the Central Bank of Brazil.
2.3. The budgets for the Internal Audit and the Audit Committee, both intended to cover expenses with their operation and for hiring consultants when the opinion of an external expert is required, considering their operational autonomy, must be approved by the Board of Directors, the competent body for approval.
2.4. The Internal Audit Policy must be approved by the Board of Directors, accompanied by the manifestation of the Audit Committee.
2.5. Internal Auditing is guided by the Audit Mission and the mandatory elements of the International Professional Practices Framework (Core Principles for the Practice of Internal Auditing, Code of Ethics, Standards, and the Definition of Internal Auditing).
2.6. Internal Auditors must possess technical capacity and experience in the areas in which they work, possess independence, autonomy, impartiality, diligence, integrity, and professional ethics, in addition to the authority to evaluate the Company’s own functions and outsourced functions, and unrestricted access to any Company information, environments, and equipment.
2.7. Internal Audit can seek guidance from external experts to supplement the area when it is not sufficiently knowledgeable.
2.8. Internal Auditors are not allowed to take on operational responsibility for the units being audited, and the following are forbidden:
2.8.1. Work in the audit of activities for which they have been responsible, within 12 (twelve) months, to prevent potential conflicts of interest.
2.8.2. Engage in the development and implementation of specific measures relating to internal controls.
2.9. The compensation of the Internal Auditors is determined independently of the performance of the business areas to avoid any potential conflicts of interest.
2.10. The performance of the Executive Audit Superintendent is evaluated by the members of the Audit Committee at least once a year.
2.11. Members of the Internal Audit team who conduct audit activities have unrestricted access to the information required for them to fulfill their duties effectively. The Company’s Officers and employees are responsible for cooperating with the Internal Auditors when accessing assets, facilities, transactions, and information systems.
2.12. The members of the Internal Audit team must maintain a continuous communication channel with Management, enabling them to take corrective action in an appropriate and timely manner in response to recommendations arising from the Internal Audit work.
2.13. The Executive Audit Superintendent must ensure that the internal audit team is free from any conditions that could compromise the ability of internal auditors to fulfill their responsibilities impartially, including matters of selection, scope, procedures, frequency, timeline, and content of audit reports.
2.14. The Executive Audit Superintendent shall disclose to the Board of Directors and the Audit Committee any limitation to the scope of the internal audit team’s work, confirming, at least annually, its organizational independence to said governance bodies.
2.15. Internal auditors will maintain an impartial attitude that enables them to conduct their work objectively and with confidence in the outcome, ensuring that the quality of their work is not compromised and that their judgment in audit matters is not subordinated to anyone else.
3. Internal Audit Plan
3.1. The Annual Internal Audit Plan (“Annual Plan”) shall consider all relevant factors and risks related to the areas, processes, products, strategies, as well as the guidelines established by the Executive Board, Audit Committee and Board of Directors.
3.2. The Annual Plan must contain the processes that will be part of the scope of Internal Audit activity, the classification of these processes by risk level, the timetable for execution and allocation of available resources.
3.3. The Board of Directors is responsible for approving the Annual Plan, after previously hearing the Audit Committee, including any adjustment proposals, aiming at its adaptation to possible changes to business, risks and operations, among other aspects.
3.4. The Annual Plan must be kept at the disposal of the Central Bank of Brazil for a minimum period of 5 (five) years.
4. Scope
4.1. The scope of the Internal Audit activity must consider all the activities of Cielo S.A. – Instituição de Pagamento, the institutions that are part of its prudential conglomerate and other affiliated companies and subsidiaries, including outsourced activities, and must include, at a minimum, the assessment of:
4.1.1. The effectiveness and efficiency of internal control and corporate governance systems and processes;
4.1.2. The effectiveness of policies and strategies for managing relevant risks, considering current and potential future risks;
4.1.3. Reliability, effectiveness and integrity of management information processes and systems;
4.1.4. Compliance with the legal framework, infra-legal regulation, the recommendations of regulatory bodies and the applicable internal codes and standards; and
4.1.5. Safeguarding of the assets and activities related to the institution.
4.2. The Central Bank of Brazil may determine the inclusion of work in the scope of the Internal Audit and the execution of specific work.
4.3. Internal Audit must investigate reports made to the Ethics Channel, confidentially, involving Officers, employees and third parties, and report the results of the investigation, under the terms defined in the Internal Regulations of the Company’s Ethics Forum.
5. Methodology of the Work
5.1. Internal Audit adopts standards compatible with the Company’s Code of Ethical Conduct and with the International Professional Practices Framework (IPPF) issued by The Institute of Internal Auditors (“IIA”), and also with the resolutions issued by the Central Bank of Brazil.
5.2. The Internal Audit work programs are based on the COSO (Committee of Sponsoring Organizations of the Treadway Commission) and COBIT (Control Objectives for Information and Related Technology) models, ISO (International Organization for Standardization) standards and the Company’s regulatory instruments.
5.3. The Executive Internal Audit Superintendent shall allocate resources, define frequencies, determine scopes of work, apply techniques necessary to achieve audit objectives, and issue reports in accordance with the Annual Internal Audit Plan approved by the Board of Directors.
5.4. The Internal Audit’s evaluation work involves the Internal Auditor obtaining and objectively analyzing evidence in order to provide opinions or conclusions about an operation, process, product, system, or other topics of importance to the Company.
5.5. The consulting work conducted by Internal Audit represents advisory and consulting actions, carried out at the specific request of the Executive Board, the Board of Directors and/or the Audit Committee.
5.6. For each audit action, the planning, auditing, and reporting steps are performed to ensure that the objectives and scope of the evaluations are met and the findings are reported.
5.7. The Internal Audit shall monitor the implementation of the measures taken by Management (“Action Plans”) to mitigate the risks indicated at the conclusion of the audit work.
6. Annual Internal Audit Report
6.1. The Internal Auditors report to the Board of Directors and the Audit Committee on all matters related to the performance of their activities.
6.2. The Executive Audit Superintendent shall prepare an Annual Internal Audit Report, containing:
6.2.1. The purpose, authority and responsibility of the Internal Audit area.
6.2.2. The compliance of the Internal Audit area with The IIA’s Code of Ethics and Standards, as well as action plans to address any compliance issues.
6.2.3. Exposures to risk and control issues assessed under the Annual Internal Audit Plan, including fraud risks, governance issues and other matters requiring attention or requested by the Company’s Board of Directors, Audit Committee and Executive Board.
6.2.4. The summary of the results of the audit work, its main conclusions, recommendations and measures taken by the Company’s Management.
6.2.5. Any Management responses to risk that, in the opinion of the Executive Audit Superintendent, may be unacceptable to Cielo.
6.3. The Company’s Board of Directors is responsible for approving the Annual Internal Audit Report, having previously heard the Audit Committee.
7. Contracting of Extra-Audit Services
7.1. In addition to approving the hiring of the audit firm that is responsible for auditing the financial statements, the Board of Directors is also responsible for approving its eventual hiring to provide any other service to the Company, other than the audit service of the financial statements, having previously heard the Audit Committee and the Executive Audit Superintendent. Hiring extra-audit services that may compromise the independence of the auditors is forbidden.
7.2. Individuals who have provided Internal Audit services to the Company within the last 3 (three) years must not be hired as Independent Auditors.
8. Quality Assurance and Improvement Program (PGQM)
8.1. Internal Audit will maintain a quality assurance and improvement program covering all aspects of the area. The program will include an assessment of compliance with the Standards and an assessment that will report on whether internal auditors apply The IIA’s Code of Ethics. The program will also evaluate the effectiveness and efficiency of Internal Audit and identify opportunities for improvement.
8.2. The Executive Audit Superintendent will notify the Board of Directors and the Audit Committee about the results of the internal audit Quality Assurance and Improvement Program, including results of internal assessments (both continuous and periodic) and external evaluations conducted at least once every five years by a qualified and independent assessor or assessment team, external to Cielo.
IV. Consequence Management
- Employees, suppliers or other stakeholders who observe any deviations from the guidelines of this Policy may report the fact to the Ethics Channel (www.canaldeetica.com.br/cielo or 0800 775 0808), with the option of anonymity.
- Likewise, employees, suppliers or other stakeholders may immediately communicate to the Internal Auditor any material fact or situation of risk to the Company’s assets or matters involving irregular conduct and behavior of which they become aware.
- Internally, non-compliance with the guidelines of this Policy gives rise to the application of accountability measures for agents who fail to comply with it, according to the respective severity of the non-compliance.
V. Responsibilities
Executive Audit Superintendent:
- Prepare the proposal for the Annual Plan and submit it to the Audit Committee and the Board of Directors for deliberation.
- Periodically reassess the need to adapt the Annual Plan to any changes in business, risks and operations, among other aspects, and propose such changes if necessary.
- Ensure the execution of the Annual Plan and other Internal Audit activities in the Company, with independence, autonomy, impartiality, diligence, integrity, and professional ethics. Ensure that the Internal Audit activity collectively possesses or obtains the knowledge, skills, and other competencies necessary to perform its activities.
- Supervise the service provision agreement and ensure the quality of the activities in cases where audit work is provided by external providers.
- Share information and coordinate activities involving independent auditing on relevant assessments to ensure adequate coverage and reduce duplication of effort.
- Ensure that complaints received on the Ethics Channel are thoroughly investigated and, if found to be valid, that they are referred for the implementation of the applicable disciplinary measures.
- Participate in working groups as a consultant, as well as committees, and forums when invited, while maintaining their independence.
- Be prudent when using and safeguarding the information obtained during audit activities, and refrain from using it for any personal gain or in any way that violates the Company’s Code of Ethics.
- Ensure that audit reports and related working papers are handled with the utmost confidentiality and are for the exclusive use of Internal Audit.
- Report appropriately and in a timely manner to the members of the Executive Board and the Audit Committee the work completed, the Action Plans addressed by the managers to mitigate the risks indicated in the conclusion of the audit, as well as other material facts. Develop and maintain a Quality Assurance and Improvement Program that includes all aspects of the Internal Audit activity, comprising internal and external evaluations, and continuously monitor its compliance with internal and external standards and its effectiveness.
- Provide the results of the work to the external auditors and inspection and control entities, in the cases foreseen in the applicable legislation and regulations, and to other stakeholders only by reason of a court order.
- Report and provide updates to the Board of Directors and the Audit Committee on all matters related to the performance of Internal Audit activities.
- Notify the Executive Board and the Board of Directors/Audit Committee of the impact of resource limitations on the internal audit plan.
- Ensure that emerging trends and successful practices that may impact the Company, as assessed under the Annual Internal Audit Plan as a result of the work, are considered and communicated to the Executive Board and the Board of Directors/Audit Committee.
- Ensure that emerging trends and successful internal audit practices are considered.
Board of Directors and Audit Committee:
- Ensure the independence and effectiveness of the Internal Audit activities.
- Deliberate on the Annual Internal Audit Plan and Report.
- Provide the necessary means for the Internal Audit activity to be properly exercised, under the terms of this Policy.
- Inform, on a timely basis, the Executive Audit Superintendent of any material change in the Company’s risk management strategy, policies, and processes.
- Ensure that Management adheres to the applicable rules and procedures for Internal Audit activities.
Officers and employees:
- Observe and ensure compliance with this Policy and, when necessary, call Cielo’s Board of Directors and/or Audit Committee for consultation on situations involving conflict with this Policy, or upon the occurrence of situations described herein.
- Cooperate with the Internal Auditors when accessing assets, facilities, transactions, and information systems.
Internal Auditors:
- Disclose any impairment to independence or objectivity, whether actual or perceived, to the relevant parties.
- Show professional objectivity in collecting, evaluating, and communicating information about the activity or process being examined.
- Assess all available and relevant facts and circumstances in an impartial manner.
- Take the necessary precautions to avoid being unduly influenced by one’s own interests or by others when forming judgments.
VI. Supplementary Documentation
- This Policy considers the best practices adopted by the market, BCB Resolution No. 93 of the Central Bank of Brazil dated May 6, 2021, and the International Standards for the Professional Practice of Internal Auditing (IPPF) issued by The Institute of Internal Auditors.
- Cielo’s Code of Ethical Conduct
- Internal Regulations of the Board of Directors
- Internal Regulations of the Audit Committee
- Internal Regulations of the Ethics Forum
- Internal standards that are constantly improved, approved by the competent approval authority, and provided to all employees.
VII. Concepts and Acronyms
- Executive Audit Superintendent: primarily responsible for leading the Company’s internal audit activity.
- Independent Auditors or Independent Audit: the company that performs the audit service for the Company’s financial statements in order to issue an opinion on the accuracy with which they reflect the equity and financial position, the results of operations, changes in shareholders’ equity, and other financial statements, in accordance with Brazilian and international auditing standards.
- Internal Audit: an internal, independent and objective activity that provides assurance and consulting services, with the objective of adding value and improving the Company’s operations. Internal Audit assists the Company in reaching its goals by taking a systematic and disciplined approach to assessing and enhancing the efficacy of risk management, control, and governance processes.
- Ethics Channel: channel made available by the Company to its employees, suppliers or other stakeholders to report or provide information, anonymously or identified, about any deviations from Cielo’s Code of Ethics, its values or legislation in force, including the Anti-Corruption Law.
- Code of Ethics: reference document for Cielo and other stakeholders. The set of rules, according to a version periodically updated by Cielo, through which the Company enforces the respect for its values and the prohibition to practice acts that characterize disrespect to ethics, to the Company’s values or to the legislation in force before its stakeholders, including the Anticorruption Law.
- Audit Committee: Its purpose is to assist the Board of Directors in the performance of its responsibilities in relation to accounting policies, internal controls and issuance of financial reports. The Audit Committee may also issue recommendations and opinions to the Board of Directors to ensure the Executive Board is held accountable and to evaluate the integrity and effectiveness of the internal controls implemented by the Company. Without prejudice to the aforementioned activities, the Audit Committee shall also ensure that Internal Audit can regularly perform its duties independently, and that the independent auditors can evaluate the practices of the Executive Board and Internal Audit.
- Ethics Forum: consists of the Company’s Statutory Executive Board, and is run by the Executive Audit Superintendent, who reports directly to the Board of Directors. Such Forum is linked to and provides advice to the Statutory Executive Board and the Board of Directors, where applicable, since, in situations identified as deviations from the precepts contained in the Company’s Code of Ethics and regulatory instruments, involving members of its Statutory Executive Board or its employees reporting directly to the Board of Directors or persons that the Ethics Forum deems to be key or strategic, the Coordinator of the Audit Committee or one of its members will attend the Ethics Forum meeting to analyze the case and present a recommendation on the disciplinary sanction to be applied to the Board of Directors for deliberation. As for the other employees, it will be up to the Ethics Forum to decide on the disciplinary sanction to be applied to the case.
- Annual Plan: the Annual Plan, based on an audit risk assessment, outlines the processes that will be included in the scope of Internal Audit activities, classifies these processes according to risk level, and outlines the timeline and allocation of available resources.
- Assessment Work: involves an impartial evaluation of the evidence by the Internal Auditor in order to provide an independent opinion or conclusions regarding a process or other related matter.
- Consulting Work: independent and objective assistance to the Board of Directors, the Advisory Committees and the Company’s business units.
- Extra-Audit Services: other services provided by Independent Auditors other than those described in the definition of Independent Auditors above.
VIII. General Provisions
The Company’s Board of Directors is responsible for approving any changes to this Policy whenever necessary.
This Policy takes effect on the date of its approval by the Board of Directors and revokes any documents to the contrary.