The Audit and Control Committee receives an annual report from the Internal Audit SVP on its assessment of the effectiveness of the SCIIF
model, the weaknesses detected during internal audits, and the plans or actions already in place to remedy any detected weaknesses.
The Committee supports and supervises the work of the internal audit department in its assessment of the SCIIF. The Committee proposes the
selection, appointment and replacement of the body or person responsible for internal audit services, validates and approves the internal audit
plan and objectives for the year, and is responsible for evaluating the performance of the Internal Audit Department.
The internal audit plan for assessing the SCIIF is presented to the Audit and Control Committee for final validation and approval before it is put
into practice, in order to include all the considerations of the Committee.
The external auditor notifies the Audit and Control Committee of the conclusions of its audit procedures, and any other matters which may be
considered important, 6 times a year. The external auditor also has access to the Audit and Control Committee in order to share, comment on
or report any aspects they consider necessary or pertinent. Without compromising its independence, the external auditor engages in a dialogue
with the Board, informing it of new accounting standards, the most suitable accounting system for complex or unusual transactions, or the
appropriate scope for audit procedures, in regular meetings.
Audit and Control Committee proceedings are documented in the minutes of its meetings.
Internal Audit Function
Internal audits are carried out by the Group’s Internal Audit Department, which reports functionally to the General Secretary and directly to the
Audit and Control Committee. This hierarchical structure is designed to enable the Internal Audit function to remain structurally independent
and to encourage direct communication to and from the Audit and Control Committee.
The Internal Audit function ensures, within reason, the effectiveness of the internal control system, supervising and evaluating the design and
effectiveness of the risk management system applied to the company, including specific IT audits.
This function has internal auditing statutes that have been formally approved by the Audit and Control Committee, and an internal audit manual
which sets out the Department’s working methods.
In relation to monitoring the SCIIF, the Internal Audit Department is responsible for:
• Independently evaluating the internal control model for financial reporting.
• Testing the assertions of the Board.
• Testing the effectiveness of internal controls in the companies within the scope of application, in a maximum period of one year for key controls
and three years for non-key controls.
• Helping to identify weaknesses in controls and reviewing action plans to correct inadequate controls.
• Conducting follow-up checks to see if weaknesses in controls have been properly remedied.
• Coordinating between the Board and the external auditor when clarification is needed on scope and testing plans.
Scope of SCIIF 2014
As explained above, the Group’s SCIIF model covers the 2 main companies based in Spain: NH Hotel Group, S.A. and NH Hoteles España, S.A.,
and 13 business cycles of great importance to the presentation of financial reports.
A total of 417 control activities have been defined, divided between financial reporting and IT systems, and classified as key and non-key
controls. Those responsible for the controls have been defined at Corporate level, for Business Units and at the Shared Services Centre.
Since October 2014, a monthly calendar has been defined for internal control reporting where, at the end of each month, each responsible body
performs a self-assessment of the controls for which it is responsible. This self-assessment leads to a certification process at Administration
SVP level.
During 2014, the Internal Audit Department supervised the self-assessment process and evidence deposited in a file shared by the Shared
Services Centre, Administration and the Audit Department.
The 2014 evaluation process analysed a total of 351 controls. These controls were evaluated according to the guidelines included in the “SCIIF
Evaluation Procedure”, summarised below:
• The controls evaluated each month were subjected to two types of review, one based on the supervision of the evaluation by the owners of
the controls, and another where the objective was to repeat the tests and checks of the effectiveness of the control.
• For the other controls, evidence was obtained and the necessary tests were run to enable conclusions to be drawn on their effectiveness.
• User-defined files (UDA) which impact the preparation of financial reports have been identified, and the existence of controls of
completeness, availability and security over them has been verified.
The review has detected weaknesses in internal controls and room for improvement in certain processes which do not have a significant impact
on the quality of financial reporting, and action plans agreed with the bodies responsible for the controls have been proposed. The Internal Audit
Department will check the implementation of these action plans during its regular tests of the SCIIF.
F.5.2 Whether there is a discussion procedure through which the accounts auditor (as established in the NTA), the internal auditing area and
other experts can report to senior management and the Audit Committee or company administrators on the significant weaknesses in
internal control detected during the process of reviewing the annual accounts, or others for which they are responsible. Likewise, whether
there is an action plan to correct or mitigate the weaknesses found.
The Audit Committee meets approximately every six weeks to review the regular financial reports. It also discusses matters relating to internal
controls and/or other current initiatives.
The Financial Department, through the Chief Financial Officer, is responsible for notifying senior management of any important matter relating
to the SCIIF and/or financial reporting through the meetings of the Board of Directors, which are attended by the CEO and occasionally by the
SVP of the Internal Audit Department.
All the weaknesses detected by the Internal Audit Department during its work are subject to recommendations and action plans agreed with
the audited department. The Internal Audit Department supervises the implementation of the agreed actions and reports their status to the
Company’s various governing bodies (mainly the Audit Committee).
ANNUAL CORPORATE GOVERNANCE REPORT