Internal Audit Executive Board


Revision History

Version: Revision Date: History:
1 08/02/2018 Document Elaboration.
2 06/19/2019 Updated subitems 1.1, 2.1, 2.2, 3.1, 3.2 and 4.1 of item III. Guidelines, included sub-items 2.3, 2.9, 3.3, 5 and 6 and excluded sub-item 2.1.1.
Updated item IV. Management of Consequences
Updated item V. Responsibilities
Updated item VII. Concepts and Acronyms
3 06/25/2021 Update of the following items: II. Scope, IV. Outcome Management, V. Responsibilities, VI. Additional Documents, VII. Concepts and Acronyms, in addition to the update of all subitems of III. Guidelines.


I. Purpose

Set forth the principles of action of the Internal Audit Executive Board in the Company’s processes.

II. Scope

All members of the Board of Directors, Advisory Committees and Executive Board (“Management”), members of the Fiscal Council and employees of Cielo S.A., Servinet Serviços Ltda., Aliança Pagamentos e Participações Ltda. and Stelo S.A., hereinafter referred to as “Cielo” or the “Company”.

All the Company’s Subsidiaries must establish their directives based on the guidance provided in this Policy, considering the specific needs and legal and regulatory aspects to which they are subject.

Regarding its Affiliates, the Company’s representatives acting as management members of the Affiliates must spare no effort for said companies to define their guidance based on the guidelines provided for in this Policy, considering the specific needs and legal and regulatory aspects to which they are subject.

III. Guidelines

1. Mission

1.1. Provide independent, autonomous and impartial opinions on the quality and effectiveness of the risk management systems and processes, internal controls and corporate governance, identifying deviations and appropriate measures, recommending improvements focused on protecting the interests of the Company and of its shareholders.

1.2. The Company’s Executive Audit Department is responsible for the Internal Audit activities.

2. Independence and Objectivity

2.1. The Internal Auditors report to the Executive Audit Superintendent, who reports to the Board of Directors, with technical support from the Audit Committee.

2.2. The appointment, designation or dismissal of the Executive Audit Superintendent must be approved by the Board of Directors, with prior consultation with the Audit Committee, and communicated to the Central Bank of Brazil.

2.3. The Internal Audit’s and Audit Committee’s budgets, both intended to cover their operating expenses and for hiring consultants when an opinion by an external expert is required, considering their operational autonomy, must be approved by the Board of Directors, the corporate body that is responsible for their approval.

2.4. The Internal Auditors must have technical capacity and experience in the fields in which they operate, as well as independence, autonomy, impartiality, zeal, integrity and professional ethics, and the authority to evaluate their own roles and the roles of the Company’s outsourced professionals, in addition to free access to any of the Company’s information, environments and equipment.

2.5. The Internal Audit may obtain advice from external experts to support the area when it is not sufficiently proficient.

2.6. Internal Auditors may not assume operational responsibility for the audited units, and are prohibited from:

2.6.1. Auditing activities for which they have been responsible until a period of at least twelve (12) months has elapsed, in order to avoid a potential conflict of interest.

2.6.2. Engaging in the development and implementation of specific measures relating to internal controls.

2.7. The compensation for the Internal Auditors is determined independently from their performance in their business areas, so as to not generate conflicts of interest.

2.8. The Executive Audit Superintendent’s performance shall be assessed by the members of the Audit Committee at least once a year.

2.9. The members of the Internal Audit team that perform the audit activities shall have unrestricted access to the information required for the proper performance of their duties. The Company’s Management and employees must cooperate with the Internal Auditors when accessing assets, facilities, transactions and information systems.

2.10. The members of the Internal Audit team must have a permanent communication channel with Management, enabling them to act correctly, in an appropriate and timely manner, in response to the recommendations resulting from the works of the Internal Audit.

3. Audit Plan

3.1. The Annual Internal Audit Plan (“Annual Plan”) includes all relevant factors and risks related to the areas, processes, products, strategies, as well as guidelines issued by the Executive Board, Audit Committee and Board of Directors.

3.2. The Annual Plan must contain the processes that will be included in the scope of the Internal Audit activity, classified according to risk level, execution schedule and allocation of available resources.

3.3. The Board of Directors is responsible for approving the Annual Plan, after previous discussions with the Audit Committee, including any proposed adjustments and aiming at its adaptation in the event of changes in the Company’s business, risks and operations, among other aspects.

3.4. The Annual Plan must be maintained available to the Central Bank of Brazil during a period of, at least, five (5) years.

4. Scope

4.1. The scope of the Internal Audit’s activities must consider all the activities of Cielo S.A. and the institutions that are part of its prudential conglomerate, in addition to other related and controlled companies, including outsourced activities, and must assess, at least, the following:

4.1.1. Effectiveness and efficiency of internal controls and corporate governance systems and processes;

4.1.2. Effectiveness of policies and strategies for managing relevant risks, considering current risks and potential future risks;

4.1.3. Reliability, effectiveness and integrity of management information systems and processes;

4.1.4. Compliance with the legal framework, infra-legal regulations, recommendations of regulatory bodies and applicable internal codes and standards; and

4.1.5. Protection of assets and activities related to the institution.

4.2. The Central Bank of Brazil may determine the inclusion and exclusion of specific attributes in the Internal Audit’s scope.

4.3. The Internal Audit must act, in a confidential manner, in the investigation of complaints registered in its Ethics Channel that involve its Administrators, employees and third parties, and report the results of the investigation as provided for in the Charter of the Company’s Ethics Forum.

5. Methodology of the Works

5.1. The Internal Audit adopts standards that are compatible with the Company’s Code of Ethical Conduct and the International Professional Practices Framework (IPPF) issued by The Institute of Internal Auditors (IIA), in addition to the resolutions issued by the Central Bank of Brazil.

5.2. The Internal Audit work programs are based on the models of the COSO (Committee of Sponsoring Organizations of the Treadway Commission), COBIT (Control Objectives for Information and Related Technology), ISO Standards (International Organization for Standardization) and the Company’s normative instruments.

5.3. The Internal Audit’s assessment work involves obtaining objective evidence and analysis by the Internal Auditor to provide opinions or conclusions regarding an operation, process, product, system or other issues deemed important for the Company.

5.4. The consulting work provided by the Internal Audit is considered an advisory action and is carried out upon specific request by the Executive Board, the Board of Directors and/or the Audit Committee.

5.5. Planning, auditing and reporting steps are carried out for each audit work to ensure compliance with the objectives and scope of the assessments and the reporting of conclusions.

5.6. The Internal Audit must monitor how the measures taken by Management are implemented (“Action Plans”) to mitigate the risks identified as a result of the conclusion of the audit work.

6. Contracting Extra-Audit Services

6.1. The Internal Auditors report to the Board of Directors and the Audit Committee on all matters related to the performance of their activities.

6.2. The Executive Audit Superintendent must prepare an Annual Internal Audit Report with a summary of the results achieved by the audit work, main conclusions, recommendations and measures taken by the Company’s Management.

6.3. The Company’s Board of Directors is responsible for approving the Annual Internal Audit Report, after previous discussions with the Audit Committee.

7. Hiring of Extra-Audit Services

7.1. The Board of Directors is responsible, in addition to hiring the audit firm responsible for auditing the financial statements, for approving the eventual hiring of any other services, other than the auditing of the financial statements, to be provided by the audit firm to the Company, pursuant to the recommendations of the Audit Committee and the Executive Audit Superintendent. The hiring of extra-audit services that could compromise the independence of the auditors is prohibited.

7.2. The Company must not hire as an Independent Auditor any individual or entity who has provided internal audit services for the Company during the three (3) previous years.

IV. Management of Consequences

Employees, suppliers or other stakeholders who notice any deviation from this Policy’s guidelines may report the fact to the Ethics Channel ( or 0800 775 0808), anonymously or not.

Likewise, employees, suppliers or other stakeholders must immediately notify the Auditor of any material fact or situation of risk to the Company’s assets or matters involving misconduct and irregular behavior that they are aware of.

Internally, failure to comply with this Policy’s guidelines results in the application of measures holding violators liable according to the seriousness of the non-compliance.

V. Responsibilities

Executive Audit Superintendent:

  • Prepare the Annual Plan proposal and submit it for deliberation by the Audit Committee and the Board of Directors.
  • Make periodic reassessments on the adequacy of the Annual Plan in relation to possible changes in the Company’s business, risks and operations, among other aspects, proposing amendments as applicable.
  • Ensure that the Annual Plan and other Internal Audit activities executed by the Company are done with independence, autonomy, impartiality, care, integrity and professional ethics.
  • Ensure that the Internal Audit activities, collectively, have or obtain the necessary knowledge, abilities, and other skills to perform its activities.
  • Supervise service contracts and ensure the quality of activities in situations where audit works are provided by external service providers.
  • Share information and coordinate activities involving independent auditing for relevant assessments to ensure appropriate coverage and minimize duplicated work.
  • Ensure that claims received through the Ethics Channel are investigated and, if evidenced, carry out the appropriate disciplinary measures.
  • Participate as a consultant in working groups, in addition to joining committees and forums when invited, without losing independence.
  • Be prudent when using and protecting information obtained as a result of the performance of auditing activities, never using it for personal purposes or in any other way that contradicts the Company’s Code of Ethical Conduct.
  • Ensure that audit reports and their respective working papers are treated confidentially and are used exclusively by the Internal Audit.
  • Provide adequate and timely reporting to the members of the Executive Board and the Audit Committee regarding concluded works, Action Plans addressed by Management to mitigate the identified risks as a result of the concluded audit works, in addition to other material facts.
  • Develop and maintain a Quality Assurance and Improvement Program that includes all aspects of the Internal Audit activities, comprising internal and external assessments, and continuously monitor the program’s effectiveness and compliance with internal and external standards.
  • Allow the external audit, inspection and control entities access to the results of the works performed, as provided for in applicable legislation and regulations, and only allow access to other interested parties pursuant to a court order.
  • Report to the Board of Directors and the Audit Committee on all matters related to the performance of the activities carried out by the Internal Audit.

Board of Directors and Audit Committee:

  • Ensure the independence and effectiveness of the Internal Audit activities.
  • Resolve on the Annual Plan and the Annual Internal Audit Report.
  • Provide the necessary means for Internal Audit activities to be properly carried out, pursuant to this Policy.
  • Notify, in a timely manner, the Executive Audit Superintendent of any material change in the Company’s risk management strategy, policies and processes.
  • Ensure the Company’s Management complies with the rules and procedures applicable to the Internal Audit activities.

Management and Employees:

  • Comply and ensure compliance with this Policy and, when necessary, contact Cielo’s Board of Directors and/or the Audit Committee to get information on situations that conflict with this Policy or relate to situations described herein.
  • Cooperate with Internal Auditors when they need access to assets, facilities, transactions and information systems.

VI. Additional Documentation

  • This Policy takes into account the set of best practices adopted by the market, Resolution 93 of the Central Bank of Brazil (BCB), of May 6, 2021, and the International Standards for the Professional Practice of Internal Auditing (IPPF) issued by The Institute of Internal Auditors (IIA).
  • Cielo’s Code of Ethical Conduct
  • Charter of the Board of Directors
  • Charter of the Audit Committee
  • Charter of the Ethics Forum
  • Internal rules constantly improved, approved by the competent levels and made available to all employees.

VII. Concepts and Acronyms

  • Independent Auditors or Independent Audit: The firm that carries out the audit service on the Company’s financial statements to issue an expert opinion on the compliance of such statements with the equity and financial position, results of operations, changes in shareholders’ equity and other financial statements, according to Brazilian and international auditing standards.
  • Internal Audit: An independent and objective activity which provides assurance and consulting services, aiming at adding value and enhancing the Company’s operations. The Internal Audit assists the Company in achieving its objectives by adopting a systematic and disciplined approach to assess and improve the efficacy of risk management, control, and corporate governance processes.
  • Ethics Channel: A channel provided by the Company to its employees, suppliers, or other interested parties so they can submit, anonymously or by identification, claims or information on deviations from the guidelines of Cielo’s Code of Ethical Conduct, its values, or legislation in force, including the Anti-Corruption Law.
  • Code of Ethical Conduct: A reference document for Cielo and other stakeholders. It consists of a set of rules, according to a version periodically updated by Cielo, that requires the Company’s stakeholders to respect its values and prohibits the practice of acts that characterize disrespect for ethics, the Company’s values, or legislation in force, including the Anti-Corruption Law.
  • Audit Committee: Its purpose is to assist the Board of Directors in the performance of its responsibilities relating to accounting policies, internal controls and the issuance of financial reports. The Audit Committee may also issue recommendations and opinions so that the Board of Directors may promote the accountability of the Executive Board and assess the integrity and the effectiveness of the internal controls implemented by the Company. Without prejudice to the activities mentioned above, the Audit Committee shall also ensure that the Internal Audit regularly performs its duties independently, in addition to the independent auditors assessing the practices of the Executive Board and Internal Audit.
  • Ethics Forum: Composed of Cielo’s Statutory Executive Board, chaired by the Executive Audit Superintendent, who reports directly to the Board of Directors. Said Forum is linked to and advises the Statutory Executive Board and the Board of Directors, as applicable, since, in situations identified as deviations from the precepts contained in the Code of Ethical Conduct and the normative instruments of the Company, involving members of its Statutory Executive Board or employees subordinated directly to the Board of Directors, or, at the discretion of the Ethics Forum, people considered key or strategic, the Audit Committee Coordinator or one of its members shall participate in the Ethics Forum’s meeting that analyzes the case, presenting the recommendation on the disciplinary sanction to be applied to the case. As for other employees, the Ethics Forum will resolve on the disciplinary sanction to be applied to the case.
  • Annual Plan: An annual plan, based on the assessment of audit risks, that presents the processes to be included in the Internal Audit’s scope of activities, classified according to risk level, execution schedule and allocation of available resources.
  • Evaluation Services: An objective evaluation of the evidence by the Internal Auditor aiming at presenting an independent opinion or conclusions on a certain process or other related matter.
  • Consulting Services: Independent and objective advice provided to the Company’s Board of Directors, Advisory Committees, and business units.
  • Extra-Audit Services: Services provided by the Independent Auditors other than those described in the aforementioned definition of Independent Auditors.

VIII. Miscellaneous

It shall be incumbent upon the Company’s Board of Directors to amend this Policy whenever necessary.

This Policy takes effect on the date of its approval by the Board of Directors and revokes any contrary rules and procedures.