Ipiranga Cases

The Challenge
In 2024, Ipiranga's external auditor identified a material weakness in the company's internal IT controls environment, indicating that the existing processes, controls, and systems did not provide adequate security for the information published in the financial statements. The low maturity of the environment represented a significant risk to regulatory compliance, especially with respect to the Sarbanes-Oxley Act (SOx).
Objective of the Project
The purpose of the Gap Zero project was to increase the maturity of Ipiranga's internal control system, focusing on IT governance and IT General Controls (ITGCs), seeking:
• Reduction of gaps identified in external audits;
• Adherence to best market practices;
• Strengthening the governance structure and mitigation of operational and regulatory risks;
• Creation of an environment of sustainable and auditable controls.
Approach and Service Lines
Vennx acted in an integrated manner across six service lines, aimed at continuously strengthening governance and consolidating the IT environment:
1. IT Process and Control Mapping
Creation of detailed flowcharts and documentation of existing controls, which were incorporated into the Risk and Control Matrix (MRC), ensuring clarity, standardization, and preservation of knowledge.
2. COBIT 2019 Assessment
Diagnosis of the current environment compared to the objectives of the framework, with the preparation of a roadmap for improvements and a clear assignment of responsibilities, aligning IT with the best governance practices.
3. Execution of IT General Controls (ITGCs)
Conducting quarterly tests of design (TODs), monthly monitoring of critical controls, and timely execution of essential controls.
4. Support for Interactions with External Audit
Technical monitoring of inquiry meetings and tests, analysis of auditor requests, and support in formulating effective responses aligned with the scope of the audit.
5. Evidence Curation
Technical and timely review of documents required in auditing, focusing on the consistency of the evidence and on formal compliance with the requirements of the process.
6. Structuring IT Governance
Development of an organization chart with clear roles and responsibilities for ITGC agents and creation of the SOx Adherence Policy, promoting the consistent execution of controls and compliance with critical deadlines.
Results Achieved
• Raising the maturity of internal IT controls, with a gain in robustness and traceability;
• Reduction of formal gaps and notes identified by the external audit;
• Improved curation and timeliness of auditing evidence;
• Consolidation of a sustainable IT governance model, aligned with frameworks such as COBIT and COSO, focusing on SOx compliance;
• Strengthening the culture of risks, controls, and organizational responsibility.
The Gap Zero project was decisive in reversing the status of material weakness in Ipiranga's IT controls environment, promoting significant gains in security, governance, and compliance. By delivering a mature and auditable model, Vennx contributed to creating a more reliable environment for stakeholders and adhering to market and regulatory requirements.
