The structure of the financial risk matrix includes the following information:
• Process and Sub-process
• Risk: the possible events or actions which could affect the capacity of the company to meet its financial reporting objectives and/or implement its strategies successfully.
• Description of the control: the control activities included in the policies, procedures and practices applied by the Group to ensure it meets its control objectives and the risk is mitigated.
• Evidence: the documentation maintained by those responsible for the control (company personnel), so that the entire model can be regularly supervised and audited.
• Type of control: whether the control is key or not, preventive or detective, and manual or automatic, the latter depending on whether it can be monitored using data from automated tools.
• Control managers: for each control activity.
• Frequency: depending on its execution.
The SCIIF model was substantially changed during the 2014 financial year because the Administration function was outsourced from 1 January 2014; the controls were adapted to the newly defined processes and sub-processes.
Controls were therefore defined to be run by personnel from the Shared Services Centre and by the retained administrative and corporate personnel function. Furthermore, in 2015 the model was extended to the business units in Holland, Belgium and Germany.
F.3.2 Internal control policies and procedures for the information systems (including secure access, change monitoring and management, operational continuity and separation of functions) which support the company’s processes relating to the preparation and publication of financial reports.
Internal control of IT systems
associated risks. This model (based on COSO and COBIT) includes a matrix of general IT system controls (GITC) (115 controls), and policies and
procedures relating to the security the IT systems need.
The internal control model covers the systems that contribute to the preparation of the Group’s consolidated financial statements and thus assures the completeness, availability, validity and quality of the information provided to the markets.
The GITC matrix is aligned with the control models created by the NH Group for other business cycles, which are structured into the following processes:
Access to programmes and data
There are policies and procedures that set up controls over:
• Restricted access to the systems, preventing unauthorised access to, or changes to, programmes that could affect the completeness, integrity and reliability of financial reports.
• Correct separation of functions, in order to guarantee secure access to the accounting information systems.
• Security of the facilities housing the systems, ensuring that only authorised personnel have access to them.
Operations
There are policies and procedures that set up controls over:
• The availability of the information, ensuring that financial data are complete, valid and accurate.
• Good management of incidents, enabling quick resolution and minimising their impact.
• Monitoring of operations, ensuring that they are executed completely and on time and that any incidents are resolved, so that jobs can be restarted and run correctly.
Since 2011, the Group has had an Information Security area, part of the IT Department, which monitors security in all IT processes, assuring the availability, reliability and completeness of information.
Security Policy
The security policy is the reference framework defining the directives to be followed by all employees; it makes it possible to ensure the security of the IT systems and, therefore, of all the business processes. This policy was revised during the 2015 financial year.
During the 2014 financial year, work began on a draft Information Security Master Plan, which defined the strategy to be followed by the company in this area and set out a comprehensive plan of projects to be implemented within the framework of a Technical Security Office over the following three years.
F.3.3 Internal control policies and procedures to supervise the management of outsourced activities and those aspects of evaluation, calculation or appraisal entrusted to independent experts, which may materially affect the financial accounts.
Since 1 January 2014, the Administration function has been outsourced to a third party in the companies included in the scope of the SCIIF. This outsourcing was defined as a process with a significant impact on the preparation of financial reports.
The NH Group has implemented an internal control model for the Shared Services Centre (SSC) aligned with the control models defined for the other business cycles.
A matrix has therefore been defined with 6 sub-processes and 28 control activities, covering the handover period in which the administrative function was transferred to the SSC, the settling-in period, the provision of the service, compliance with regulations, the continuity of the service and the governance model set out in the outsourcing contract.
The service provider has also been asked to obtain an ISAE (International Standard on Assurance Engagements) 3402 report, allowing the NH Group to check whether the control objectives and activities of the service provider have been effective in the corresponding period.
ANNUAL CORPORATE GOVERNANCE REPORT