1. Definition and elements of the internal control and risk management system in the TUI Group
The TUI Group’s internal control system comprises all the principles, processes and measures that are applied to secure effective, efficient and accurate accounting which is compliant with the necessary legal requirements.
The internationally recognised framework of COSO (Committee of Sponsoring Organizations of the Treadway Commission) forms the conceptual basis for TUI Group’s internal control system, consisting of internal controls and the internal monitoring system. The Executive Board of TUI AG, in exercising its function of managing business operations, has entrusted responsibility for the internal control system in the TUI Group to specific Group functions.
The elements of the internal monitoring system in the TUI Group comprise both measures integrated into processes and measures performed independently. Besides manual process controls, e. g. the ‘four-eyes principle’, another key element of the process-related measures are automated IT process controls. Process-related monitoring is also secured by bodies such as the Risk Oversight Committee of TUI AG and by specific Group functions.
The Supervisory Board of TUI AG, in particular its Audit Committee, as well as the Group Auditing department at TUI AG are incorporated into the TUI Group’s internal monitoring system through their audit activities performed independently from business processes. On the basis of section 107 (3) of the German Stock Corporation Act, the Audit Committee of TUI AG deals primarily with the auditing of the annual financial statements, monitoring the accounting process and the effectiveness of the internal control and risk management system. In the Audit Committee Report the reliability of the financial reporting and the monitoring of the financial accounting process as well as the effectiveness of the internal control and risk management system are described.
The Group’s auditors have oversight of the TUI Group’s control environment. The audit of the consolidated financial statements by the Group auditor and the audit of the individual financial statements of Group companies included in the consolidated financial statements, in particular, constitute a key non-process-related monitoring measure with regard to Group accounting.
In relation to Group accounting, the risk management system, introduced as an Enterprise Risk Management System (ERM System) as a component of the internal control system, also addresses the risk of misstatements in Group bookkeeping and external reporting. Apart from operational risk management, which includes the transfer of risks to insurance companies by creating cover for damage and liability risks and also hedging transactions to limit foreign currency and fuel price risks, the TUI Group’s risk management system embraces the systematic early detection, management and monitoring of risks across the Group. A more detailed explanation of the risk management system is provided in the section on the Risk Governance Framework in the Risk Report.
2. Use of IT systems
Bookkeeping transactions are captured in the individual financial statements of TUI AG and of the subsidiaries of TUI AG, through local accounting systems such as SAP or Oracle. As part of the process of preparing their individual financial statements, subsidiaries complete standardized reporting packages in the Group’s Oracle Hyperion Financial Management 184.108.40.206 (HFM) reporting system. HFM is used as the uniform reporting and consolidation system throughout the Group so that no additional interfaces exist for the preparation of the consolidated financial statements.
Nearly all consolidation processes used to prepare the consolidated financial statements of TUI AG, e. g. capital consolidation, assets and liabilities consolidation and expenses and income elimination including at equity measurement, are generated and fully documented in HFM. All elements of TUI AG’s consolidated financial statements, including the disclosures in the Notes, are developed from the HFM consolidation system. HFM also provides various modules for evaluation purposes in order to prepare complementary information to explain TUI AG’s consolidated financial statements.
The HFM reporting and consolidation system has an in-built workflow process whereby when businesses promote their data within the system, to signal that their reporting package is complete, they are then locked out from making any further changes to that data. This ensures data integrity within the system and also facilitates a strong audit trail enabling changes to a reporting package to be identified. This feature of the HFM system has been checked and validated by the TUI AG Group Audit department on several occasions since the system was introduced.
At their own discretion, TUI AG’s Group auditors select certain individual financial statements from the financial statements entered in the HFM reporting and consolidation system by the Group companies, which are then reviewed for the purposes of auditing the consolidated financial statements.
3. Specific risks related to Group Accounting
Specific risks related to Group accounting may arise, for example, from unusual or complex business transactions, in particular at critical times towards the end of the financial year. Business transactions not routinely processed also entail special risks. The discretion necessarily granted to employees for the recognition and measurement of assets and liabilities may result in further Group accounting-related risks. The outsourcing and transfer of accounting-specific tasks to service companies may also give rise to specific risks. Accounting-related risks from derivative financial instruments are outlined in the Notes to the consolidated financial statements.
4. Key regulation and control activities to ensure proper and reliable (Group) Accounting
The internal control measures aimed at securing proper and reliable Group accounting ensure that business transactions are fully recorded in a timely manner in accordance with legal requirements and the Articles of Association. This also ensures that assets and liabilities are properly recognised, measured and presented in the financial statements and the consolidated financial statements. The control operations also ensure that bookkeeping records provide reliable and comprehensive information.
Controls implemented to secure proper and reliable accounting include, for instance, analysis of facts and developments on the basis of specific indicators. Separation of administrative, execution, settlement and authorisation functions and the implementation of these functions by different persons reduces the potential for fraudulent operations. Organisational measures also aim to capture any corporate or Groupwide restructuring or changes in sector business operations rapidly and appropriately in Group accounting. They also ensure, for instance, that bookkeeping transactions are correctly recognised in the period in which they occur in the event of changes in the IT systems used by the accounting departments of Group companies. The internal control system likewise ensures that changes in the TUI Group’s economic or legal environment are mapped and that new or amended accounting standards are correctly applied.
The TUI Group’s accounting policies together with the International Financial Reporting Standards (IFRS) in compliance with EU legislation, govern the uniform accounting and measurement principles for the German and foreign companies included in TUI’s consolidated financial statements. They include general accounting principles and methods, policies concerning the statement of financial position, income statement, notes, management report and cash flow statement.
The TUI Group’s accounting policies also govern specific formal requirements for the consolidated financial statements. Besides defining the group of consolidated companies, they include detailed guidance on the reporting of financial information by those companies via the group reporting system HFM on a monthly, quarterly and year end basis. TUI’s accounting policies also include, for instance, specific instructions on the initiating, reconciling, accounting for and settlement of transactions between group companies or determination of the fair value of certain assets, especially goodwill.
At Group level, specific controls to ensure proper and reliable Group accounting include the analysis and, where necessary, correction of the individual financial statements submitted by the Group companies, taking account of the reports prepared by the auditors and meetings to discuss the financial statements which involve both the auditors and local management. Any further content that requires adjusting can be isolated and processed downstream.
The control mechanisms already established in the HFM consolidation system minimize the risk of processing erroneous financial statements. Certain parameters are determined at Group level and have to be applied by Group companies. This includes parameters applicable to the meas-urement of pension provisions or other provisions and the interest rates to be applied when cash flow models are used to calculate the fair value of certain assets. The central implementation of impairment tests for goodwill recognized in the financial statements secures the application of uniform and standardized evaluation criteria.
With the organisational, control and monitoring structures established by the TUI Group, the internal control and risk management system enables company-specific facts to be captured, processed and recognized in full and properly presented in the Group’s accounts.
However, it lies in the very nature of the matter that discretionary decision-making, faulty checks, criminal acts and other circumstances, in particular, cannot be ruled out and will restrict the efficiency and reliability of the internal control and risk management systems, so that even Group-wide application of the systems cannot guarantee with absolute certainty the accurate, complete and timely recording of facts in the Group’s accounts.
Any statements made relate exclusively to TUI AG and to subsidiaries according to IFRS 10 included in TUI AG’s consolidated financial statements.