Annual Corporate Governance Report 2017

55 42. The audit committee should have the following functions over and above those legally assigned: 1. With respect to internal control and reporting systems: a) Monitor the preparation and the integrity of the financial information prepared on the company and, where appropriate, the group, checking for compliance with legal provisions, the accurate demarcation of the consolidation perimeter, and the correct application of accounting principles. b) Monitor the independence of the unit handling the internal audit function; propose the selection, appointment, re-election and removal of the head of the internal audit service; propose the service’s budget; approve its priorities and work programmes, ensuring that it focuses primarily on the main risks the company is exposed to; receive regular report-backs on its activities; and verify that senior management are acting on the findings and recommendations of its reports. c) Establish and supervise a mechanism whereby staff can report, confidentially and, if appropriate and feasible, anonymously, any significant irregularities that they detect in the course of their duties, in particular financial or accounting irregularities. 2. With regard to the external auditor: a) Investigate the issues giving rise to the resignation of the external auditor, should this come about. b) Ensure that the remuneration of the external auditor does not compromise its quality or independence. c) Ensure that the company notifies any change of external auditor to the CNMV as a material event, accompanied by a statement of any disagreements arising with the outgoing auditor and the reasons for the same. d) Ensure that the external auditor has a yearly meeting with the board in full to inform it of the work undertaken and developments in the company’s risk and accounting positions. e) Ensure that the company and the external auditor adhere to current regulations on the provision of non-audit services, limits on the concentration of the auditor’s business and other requirements concerning auditor independence. Complies. 43. The audit committee should be empowered to meet with any company employee or manager, even ordering their appearance without the presence of another senior officer. Complies. 44. The audit committee should be informed of any fundamental changes or corporate transactions the company is planning, so the committee can analyse the operation and report to the board beforehand on its economic conditions and accounting impact and, when applicable, the exchange ratio proposed. Complies. 45. Risk control and management policy should identify at least: a) The different types of financial and non-financial risk the company is exposed to (including operational, technological, financial, legal, social, environmental, political and reputational risks), with the inclusion under financial or economic risks of contingent liabilities and other off- balance-sheet risks. b) The determination of the risk level the company sees as acceptable. c) The measures in place to mitigate the impact of identified risk events should they occur.