• Whether the process takes into account the effects of other types of risks (operational, technological, financial, legal, reputational,
environmental, etc.) insofar as these affect the financial accounts.
In designing the risk management process associated with generating Financial Reports, the following objectives have been focused on:
• Definition of the Financial Information Control System processes and sub-processes.
• Determination of the relevant risk categories and types for each of the different Internal Financial Information Control System processes
defined in the point above. Corresponding subcategories have been defined for each of these risk categories.
• Definition and analysis of controls for each specific risk and establishment of their degree of effectiveness. A risk matrix has been established
for each of the sub-processes detailed above, in which the most relevant risks for each process are defined, along with the operational
controls and their effectiveness in mitigating the risks that affect them.
• Which governing body of the company supervises the process.
The company’s Board of Directors is responsible for supervising the risk assessment process. In order to carry out the aforementioned
supervision duties, the Board of Directors turns to the Audit and Control Committee, which performs this duty through the Internal Audit
Department.
F.3 Control Activities
Report, indicating the main characteristics, on the availability of at least:
F.3.1 Procedures to review and authorise the financial report and description of the SCIIF, to be published on the securities market, indicating its
responsible bodies, and documentation describing the workflows and controls (including those regarding fraud risk) of the different types
of transactions which can have a tangible effect on the financial accounts, including the accounting close procedure and the specific review
of the relevant judgements, estimations, evaluations and projections.
Every month, the Group’s Finance Department submits the management report to the Board of Directors for their consideration. This report
includes the most important financial and management information, the Profit and Loss account and the main financial indicators and ratios.
The Board of Directors reviews the intermediate financial statements every six months.
The Board of Directors periodically requests an analysis of specific issues, as well as the details of particular financial transactions which,
because of their importance, need to be studied in greater depth.
The Chairman of the Audit and Control Committee periodically reviews this financial reporting during its meetings, and when appropriate,
requests the attendance of the external and/or internal auditors.
The Financial Statements are drawn up based on a reporting calendar in accordance with legal requirements and are shared among the areas
involved in preparing them.
Internal control of financial information:
NH has an internal financial reporting control system (SCIIF) based on the COSO model (Committee of Sponsoring Organisations of the
Treadway Commission). This model has the following objectives:
• Effectiveness and efficiency of operations
• Safeguarding assets
• Reliability of financial reporting
• Compliance with applicable laws and regulations
The SCIIF model includes reviewing the Company’s Entity-Level Controls (ELC).
The SCIIF model used by NH Group contains a matrix of financial risks and controls which includes the following business cycles, which are
relevant to the preparation of the Group’s financial statements:
o Loyalty programme
o Purchasing and Suppliers
o Sales and Customers
o Cash
o Financing
o Fixed assets
o Inter-company
o Tax
o Human Resources
o Provisions and contingencies
o Accounting close, consolidation and financial reporting process
o Shared Services Centre
o Business support technological processes
In total, the business cycles include 22 processes and 62 sub-processes. In order to achieve financial reporting reliability and completeness targets,
a total of 416 controls have been defined to prevent, detect, mitigate, compensate for or correct their potential impact.
ANNUAL CORPORATE GOVERNANCE REPORT