Internal Controls

Copel is a mixed-capital company that is part of the State Indirect Administration and is also publicly traded, with shares traded on stock exchanges. It is therefore subject to an extensive set of domestic and foreign laws and regulations, one of which requires it to formally constitute a risk management, compliance and internal controls structure. That structure follows the criteria established in the 2013 COSO framework – Integrated Framework, prepared by the Committee of Sponsoring Organizations of the Treadway Commission, an American organization whose main objectives include integrating requirements of transparency and confidence in companies’ financial reports, supported by requirements of ethics and effectiveness in their internal controls.

This definition reflects some fundamental concepts, highlighting that internal control is a process with the following characteristics:

  • Conducted to achieve objectives in one or more categories – operational, disclosure, and compliance.
  • A process consisting of ongoing tasks and activities – a means to an end, not an end in itself.
  • Performed by people – not simply a manual of policies and procedures, systems and forms, but concerns people and the actions they take at each level of the organization to effect internal control.
  • Able to provide reasonable – but not absolute – assurance to an entity’s governance structure and top management.
  • Adaptable to the entity’s structure – flexible in application to the entire entity or to a particular subsidiary, division, operating unit, or business process.

This definition is intentionally broad and captures concepts fundamental to how organizations develop, implement and conduct internal control, providing a basis for application to all organizations operating in different entity structures, industries and geographic regions.

Internal Controls at Copel

The Internal Controls Coordination is the area responsible for coordinating and maintaining Copel’s internal control environment in order to comply with the Sarbanes-Oxley Act (SOX). Compliance with this law is required by the United States authorities of all companies that trade securities on the New York Stock Exchange. As a result, Copel must annually review and evaluate its internal controls and issue a certificate declaring their compliance with the norms of section 404 of SOX. This has been done since 2005.

As a working model, Copel adopts the internal control structure established by “COSO 2013 – Internal Control Integrated Framework”, which defines internal control as “a process conducted by the entity’s governance structure, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives related to operations, disclosure and compliance.”

Internal controls provide reasonable (but not absolute) assurance with respect to operations, disclosure, and compliance objectives because they depend on people and the actions they take at each level of the organization to accomplish them. There will therefore always be a risk that effective controls are ‘overridden’ (“management override of controls”).

In addition to controls over authority, reports and the monitoring of deficiencies by senior management, the Company mitigates the risk of “management override of controls” through a robust and consolidated process for encouraging denunciations to the Denouncement Channel.

As established in NPC 0104 – Integrated Corporate Risk Management Policy, the Company also adopts the “IIA Three Lines” model in the effective management of risks and controls, through which the responsibilities of each of the interested parties are delimited, so that there are no gaps during the process.

Below is a breakdown of the Three Lines for understanding responsibilities according to the Company’s structure:

Established in 2021, ESG metrics are part of the variable compensation criteria at all levels of the Company. In 2024, up to 30% of the Variable Compensation Program was linked to overall sustainability performance, occupational health and safety, and the effectiveness of internal controls (governance).

For governance, the results of the internal control environment assessment, issued by an independent audit in a document called the Internal Control Letter or Comment Letter, were established as ESG metrics linked to the Variable Compensation Program for executives and employees. In this letter, control deficiencies can be classified as:

  • Control Deficiency: occurs when an internal control is not functioning as designed or there is no control in place to prevent or detect errors in a timely manner. It is the least serious deficiency and may not have a significant direct impact on the financial statements.
  • Significant Deficiency: a failure or set of failures in internal controls that is less severe than a material deficiency but important enough to warrant governance attention. It may affect the organization’s ability to record, process, or report financial information reliably. It does not result in material misstatements in the financial statements but represents a relevant risk.
  • Material Deficiency: a failure, or set of failures, in internal control over financial reporting that results in a reasonable possibility that a material misstatement in the financial statements will not be prevented or detected in a timely manner. It is the most serious deficiency and directly impacts the reliability of the financial statements.

Targets set:

  • 2022: Material deficiencies in internal controls – target ZERO.
  • 2023: Material deficiencies in internal controls – target ZERO.
  • 2024: Significant and material deficiencies in internal controls – target ZERO.

The targets have been achieved in the last 3 years, as shown in the following graphs: