Since 2011, the Group has had an Information Security area, part of the IT Department, which monitors security in all IT processes, assuring the
availability, reliability and completeness of information.
Security Policy
The security policy, which is published and known to all Group personnel, is the reference framework defining the directives to be followed by
all employees, and makes it possible to ensure the security of the IT systems and, therefore, of all the business processes.
F.3.3 Internal control policies and procedures to supervise the management of outsourced activities and those aspects of evaluation, calculation
or appraisal entrusted to independent experts, which may materially affect the financial accounts.
Since 1 January 2014, the Administration function has been outsourced to a third party in the companies included in the scope of the SCIIF. This
outsourcing has been defined as a process with a significant impact on the preparation of financial reports.
The Group has implemented an internal control model for the Shared Services Centre (SSC) aligned with the control models defined for the
other business cycles.
Therefore, a matrix has been defined with 6 sub-processes and 26 control activities, including controls relating to the handover period of
transferring the administrative function to the SSC, the settling-in period, the provision of the service, compliance with regulations, the continuity
of the service and the governance model in the outsourcing contract.
The service provider has also been asked to obtain an ISAE (International Standard on Assurance Engagements) 3402 report, allowing NH to
check whether the control objectives and activities of the service provider have been effective in the corresponding period.
F.4 Information and Communication.
Report, indicating the main characteristics, on the availability of at least:
F.4.1 A specific area responsible for defining and updating accounting policies (accounting policies area or department) and resolving queries
or conflicts arising from their interpretation, maintaining constant communication with those responsible for operations in the organisation,
and an updated manual of accounting policies communicated to the units through which the company operates.
The Financial Department is responsible for issuing and updating accounting policies and the resolution of queries or conflicts arising from their
interpretation.
The Company’s Organisation and Human Resources Department is responsible for standardising, analysing and publishing all the regulations
and procedures applicable within the department, particularly those dealing with operating, administrative (including accounting), quality and
regulatory matters.
The Internal Audit Department is responsible for regularly reviewing the previously defined processes and procedures, ensuring that the control tasks
they include work and are correctly applied.
The Financial Department is responsible for defining and applying accounting criteria, checking that they are updated and approved.
To that end, the Company currently has a common Accounting Plan, and is in the process of drawing up a Manual of Accounting Policies
and a Consolidation Manual, applicable to all the countries in which the Group operates. This body of regulations reflects the International
Financial Reporting Standards (IFRS), which are the accounting standards by which the Group is governed. The Group’s Financial Department
is responsible for interpreting and applying regulations relating to Financial Reporting.
F.4.2 Mechanisms to capture and prepare financial reports with standardised formats, applicable and for use in all units of the company or the
Group, supported by the main financial statements and notes, and the information provided on the SCIIF.
The Financial Department will consolidate the accounts every month.
This process starts with the consolidated accounts being received from the various Business Units each month. These are checked and approved
to ensure they comply with the established principles of control and significant influence.
The last phase of this process includes verification of the standardisation adjustments affecting the income statement (monthly) and the
balance sheet (quarterly).
This means all the Business Units share a documentation and consolidation system that is approved by the Financial Department, which reviews
it once a year. It is important to stress that the Company has a single Accounts Plan for the entire Group, as well as shared management IT tools
in all the Business Units.
F.5 Supervision of the system.
Report, indicating the main characteristics of at least:
F.5.1 The supervision of the SCIIF by the Audit Committee and whether the company has an internal auditing area whose competency includes
supporting the committee in supervising the internal control system, including the SCIIF. It will also report the scope of the evaluation of the
SCIIF during the year and the procedure by which the body in charge of the evaluation will report its results, if the company has an action
plan which details possible corrective measures, and if its impact on financial reporting has been considered.
The Audit and Control Committee is the advisory body to which the Board of Directors has delegated its powers to update and supervise
the SCIIF. As part of this function and to fulfil the tasks delegated by the Board, the Committee receives and reviews the financial reports
which the Group issues to the markets and regulatory bodies, particularly the audit report and the consolidated annual financial statements.
The Committee supervises the preparation process and the completeness of the financial reports of the Company and its subsidiaries, and
checks that the legal requirements applicable to the company are complied with, the consolidation perimeter is appropriate and that generally
accepted accounting standards are applied correctly.
ANNUAL CORPORATE GOVERNANCE REPORT