50
Internal Audit Function
Internal audits are carried out by the Group’s Internal Audit Department, which reports functionally to the General Secretary and directly to the
Audit and Control Committee. This hierarchical structure is designed to enable the Internal Audit function to remain structurally independent
and to encourage direct communication to and from the Audit and Control Committee.
The Internal Audit function, via a team consisting of 9 auditors located in both Corporate and the business units, ensures, within reason, the
effectiveness of the internal control system, supervising and evaluating the design and effectiveness of the risk management system applied
to the company, including specific IT audits.
This function has internal auditing statutes that have been formally approved by the Audit and Control Committee, and an internal audit manual
which sets out the Department’s working methods.
In relation to monitoring the SCIIF, the Internal Audit Department is responsible for:
• Independently evaluating the internal control model for financial reporting.
• Testing the assertions of the Board.
• Testing the effectiveness of internal controls in the companies within the scope of application, in a maximum period of one year for key controls
and three years for non-key controls.
• Helping to identify weaknesses in controls and reviewing action plans to correct inadequate controls.
• Conducting follow-up checks to see if weaknesses in controls have been properly remedied.
• Coordinating between the Board and the external auditor when clarification is needed on scope and testing plans.
Scope of SCIIF 2015
The Group’s SCIIF model covers the business units in Spain, Holland, Belgium and Germany, which consist of 251 hotels and 13 business cycles
of major importance in the presentation of financial reports.
A total of 416 control activities have been defined, divided between financial reporting and IT systems, and classified as key and non-key
controls. Those responsible for the controls have been defined at Corporate level, for Business Units and within the Shared Services Centre.
Since October 2014, a monthly calendar has been defined for internal control reporting where, at the end of each month, each responsible body
performs a self-assessment of the controls for which it is responsible. This self-assessment leads to a certification process at Administration
SVP level.
During 2015, the Internal Audit Department supervised the self-assessment process and evidence deposited in a file shared by the Shared
Services Centre, Administration and the Audit Department.
The assessment process in 2015 analysed a total of 350 controls for the geographic area of Spain, Holland, Belgium and Germany and controls
at Corporate level, which involved reaching 84% of their total. These controls were evaluated according to the guidelines included in the “SCIIF
Evaluation Procedure”, summarised below:
• The controls evaluated each month (relating to Administration and the Shared Services Centre) were subjected to two types of review, one
based on the supervision of the evaluation by the owners of the controls, and another where the objective was to repeat the tests and checks
of the effectiveness of the control.
• For the other controls, evidence was obtained and the necessary tests were run to enable conclusions to be drawn on their effectiveness.
• User-defined files (UDA) have been identified which impact the preparation of financial reports, where the existence has been verified of
controls of completeness, availability and security.
The review has detected weaknesses in internal controls and room for improvement in certain processes which do not have a significant impact
on the quality of financial reporting, and action plans agreed with the bodies responsible for the controls have been proposed. The Internal Audit
Department will check the implementation of these action plans during its regular tests of the SCIIF.
F.5.2 Whether there is a discussion procedure through which the accounts auditor (as established in the NTA), the internal auditing area and
other experts can report to senior management and the Audit Committee or company administrators on the significant weaknesses in
internal control detected during the process of reviewing the annual accounts, or others for which they are responsible. Likewise, whether
there is an action plan to correct or mitigate the weaknesses found.
The Audit Committee meets periodically to review the regular financial reports. It also discusses matters relating to internal controls and/or
other current initiatives.
The Financial Department, through the Chief Financial Officer, is responsible for notifying senior management of any important matter relating
to the SCIIF and/or financial reporting through the meetings of the Board of Directors, which are attended by the CEO and occasionally by the
SVP of the Internal Audit Department.
All the weaknesses detected by the Internal Audit Department during its work are subject to recommendations and action plans agreed with
the audited department. The Internal Audit Department supervises the implementation of the agreed actions and reports their status to the NH
Group’s various governing bodies (mainly the Audit Committee).
The external auditor notifies the Audit and Control Committee of the conclusions of its audit procedures, and any other matters which may be
considered important. The external auditor also has access to the Audit and Control Committee in order to share, comment on or report any
aspects they consider necessary or pertinent. The external auditor, without breaching his/her independence, will participate in the dialogue
with Management.
F.6 Other relevant information
None.
ANNUAL CORPORATE GOVERNANCE REPORT