The Financial Statements are drawn up based on a reporting calendar in accordance with legal requirements and are shared among the areas
involved in preparing them.
NH has an internal financial reporting control system (SCIIF) based on the COSO model (Committee of Sponsoring Organisations of the
Treadway Commission). This model has the following objectives:
• Effectiveness and efficiency of operations
• Safeguarding assets
• Reliability of financial reporting
• Compliance with applicable laws and regulations
The SCIIF model includes reviewing the Entity-Level Controls (ELC).
The SCIIF model used by NH contains a matrix of financial risks and controls covering the following business cycles, which are relevant
to the preparation of the Group’s financial statements:
- Loyalty programme
- Purchasing and Suppliers
- Sales and Customers
- Cash
- Financing
- Fixed assets
- Inter-company
- Tax
- Human Resources
- Provisions and contingencies
- Accounting close and consolidation process
- Shared services centre
- IT controls
The business cycles include 19 processes and 62 sub-processes. In order to achieve financial reporting reliability and completeness targets, a
total of 417 controls have been defined to prevent, detect, mitigate, compensate for or correct their potential impact.
NH has defined the scope of the SCIIF in the following group companies: NH Hotel Group, S.A. and NH Hoteles España, S.L. These entities
represent XX of revenues and XX of the assets of the consolidated Group.
The structure of the financial risk matrix includes the following information:
• Process and Sub-process
• Risk, being the possible events or actions which could affect the capacity of the company to meet financial reporting objectives and/or
implement strategies successfully.
• Description of the control, defining the control activities included in the policies, procedures and practices applied by the Company to ensure
it meets its control objectives and the risk is mitigated.
• Evidence, the documentation maintained by those responsible for the control (company personnel), so that the entire model can be regularly
supervised and audited.
A first classification indicates whether or not a control is a key control. Controls are further classified as preventive or detective, and as
manual or automatic, depending on whether they can be monitored using data from automated tools. The person responsible for each control and
its frequency of execution have also been defined.
The SCIIF model was substantially changed in 2014 because the Administration function was outsourced from 1 January 2014, and the
controls were adapted to the newly defined processes and sub-processes. Controls have therefore been defined to be run by personnel from the
Shared Services Centre and by the administrative and corporate personnel function that was retained.
F.3.2 Internal control policies and procedures for the information systems (including secure access, change monitoring and management,
operational continuity and separation of functions) which support the company’s processes relating to the preparation and publication of
financial reports.
Internal control of IT systems
There is an internal control model for the Group’s information systems which covers the different IT processes and is based on their associated
risks. This model (based on COSO and COBIT) includes a matrix of 100 general IT system controls (GITC), together with the policies and procedures
relating to the security that the IT systems require.
The internal control model covers the systems that contribute to the preparation of the Group’s consolidated financial statements and thus
assures the completeness, availability, validity and quality of the information provided to the markets.
The GITC matrix is aligned with the control models created by NH for other business cycles, which are structured into the following processes:
Access to programmes and data
There are policies and procedures that provide reasonable assurance of:
• Restricted access to the systems, avoiding unauthorised access or changes to programmes that could affect the completeness, integrity and
reliability of financial reports.
• Correct separation of functions, in order to guarantee secure access to the information systems.
• Security in the facilities housing the systems, ensuring that only authorised personnel have access to them.
Operations
There are policies and procedures that provide reasonable assurance of:
• The availability of the information, ensuring that financial data are complete, valid and accurate.
• Good management of incidents, enabling quick resolutions and minimising their impact.
• That operations are monitored, ensuring that they are executed completely and on time, and that any incidents are resolved so that jobs
can be restarted and run correctly.
Software acquisition, maintenance and changes
There are policies and procedures that provide reasonable assurance:
• That changes to the IT systems are authorised, tested and approved before going live.
• That changes to the IT systems are correctly managed to avoid downtime or unauthorised alterations.
ANNUAL CORPORATE GOVERNANCE REPORT