Control mechanisms

EPM has specific mechanisms to follow-up its corporate management.

Due to its legal nature, EPM is subject to diverse internal and external controls which seek to guarantee the development of its governance process, all within the main principles of public administration and of the international standards of corporate governance.

Based on the above mentioned, there are two types of controls in the organization – Internal and External:

Internal Control System (corresponding with the MECI 1000:2005 Model)

A system that involves the outline of organization and set of plans, methods, principles, rules, procedures and mechanisms of verification and evaluation adopted by EPM, with the purpose of encouraging that all the activities, operations and actions, as well as managing information and resources, are conducted in accordance with the constitutional and legal rules in effect, within the policies set forth by the Board of Directors and by senior management, bearing in mind the vision and objectives foreseen.

Internal Control System (corresponding with the MECI 1000:2005 Model)

Enterprises interact with their surroundings and with the different factors which converge therein. Indeed, financial, political and competition factors, among others, represent the elements relative to a company’s risks in a higher or lower degree. International standards establish the need to have plans to address risks to facilitate their identification, impact and mitigation - all represented at EPM by an integral risk management.

Risk management as a discipline of a business’ activity is based on a series of strategies which enable the prevention of events that may affect meeting its goals or reducing its consequence if the events take place.

In public administration, Risk Management is demanded by Decree 1537 of 2001, issued by the Administrative Department of Public Duties (Departamento Administrativo de la Función Pública), as an integral part to enhance the internal control systems of public entities.

Later, through Decree 1599 of 2005, the Standard Model of Internal Control (SMIC) was adopted for all state-owned entities. This model defines Risk Management as a component of the Strategic Control Subsystem.

EPM, with the purpose of facilitating and achieving its strategic goals and acting within the legal framework in effect, has been conducting an integral or comprehensive risk management. Defining a policy for an integral risk management, assigning roles and responsibilities, applying the methodology Guide for risk management, among other elements, enable this purpose and help meet the requirements of the Technical Quality Standards in Public Management NTC GP 1000:2004 and to implement the Standard Model of Internal Control (SMIC) 1000:2005.

Internal Control System (corresponding with the MECI 1000:2005 Model)

In addition to the internal control, the legal nature of EPM being 100% state-owned and an issuer in the securities market, assign it the duty to undergo external controls by diverse bodies in terms of management and results, actions of officers, financial management and fiscal responsibility, among others. The Controllership General of Medellin and the Superintendence of Residential Public Utilities, among others, conduct periodically audits to generate permanent improvement actions.

Investors

Investors constantly oversee and monitor the performance and business performance of EPM. Consequently, EPM has been establishing related commitments and practices primarily to keep investors informed in equal conditions and to access true, clear, transparent and timely information of the Company’s financial situation, business perspectives and investments, and relevant facts of interest for the players in the capital market.

Rating Agencies

Rating agencies conduct an annual assessment of the ability to pay and the securities issued by EPM, locally and internationally. Their tasks help to promote transparency in the information and to create a culture of investment risk other than profitability and liquidity.

Control and Oversight Bodies

The Public Prosecutor General of the Nation (Procuraduría General de la Nación) and the delegate public prosecutors exercise a disciplinary control relative to the official conduct of EPM’s officers.

The Comptrollership General of the Nation (Contaduría General de la Nación) oversees the quality and reliability of EPM’s accounting information and financial situation.

The Residential Public Utilities Superintendence (Superintendencia de Servicios Públicos Domiciliarios) oversees the compliance of the State’s social goals through the Service provided, and seeks to preserve EPM’s financial and economic feasibility.

The Financial Superintendence (Superintendencia Financiera) protects investors by the follow-up and oversight of the agents acting in the public securities market.

Civil Society

Due to EPM’s public nature and given the importance that residential public utilities have for the development and well-being of the community, there are different mechanisms of citizens’ participation through which they may speak to undergo a “social control” of EPM’s public resources since they are a patrimony of the Municipality. Civil society is represented by the public opinion (media), Unions, the Council of Medellin, the Civil Committee to Follow-up EPM, among others.

EPM is subject to fiscal control but is not obliged to have a controller, pursuant to Paragraph 2 of Article 13 of Law 42 of 1993, since it is a State-owned industrial and commercial enterprise and since all of the capital used for its incorporation and operation is public.

Though EPM’s legal nature does not oblige it to have an external audit, it permanently has an external auditor as part of its corporate governance. This controller or external auditor cannot provide other services to EPM and its contractor shall last no more than three years, including its extensions.

The services of external audits have been traditionally hired by the Company with firms widely recognized and with an international background. The current external auditor or Controller of EPM is Deloitte & Touche Ltda.., which contract has a duration of 365 days and a termination date set for April 30, 2022.

The object of the contract is the following: "Provision of external audit services for EPM and its international subsidiaries, fiscal audit for the national subsidiaries and consolidated financial statements of the EPM Group, under IFRS standards".