91622, 10.05 PM This content matches your MGS Profile. Charter for Corporate Internal Audit (MIP-16) MARRIOTT INTERNATIONAL POLICY (MIP) REVISED: FEBRUARY 18, 2021 Charter for Corporate Inteomal Ault (MIP-16) - Ml Standards REVIEWED: FEBRUARY 10, 2021 Region & Brand Applicability Table BRAND NAME ‘Above Property AC Hotels Aloft Hotels ‘Autograph Collection Autograph Collection Residences Bulgari Bulgari Residences Courtyard Detta Hotels Design Hotels EDITION Hotels EDITION Residences Element Hotels Fairfield Four Points Gaylord Hotels Headquarters htps:mgscloud mariol.comstandards7id=1835, AP EUR MEA 4 4°86 ‘6 ve91622, 10.05 PM JW Marriott JW Marriott Residences Le Meridien Le Meridien Residences Marriott Executive Apartments Marriott Hotels BRAND NAME Marriott Residences Marriott Vacations Club MOXY Hotels Protea Hotels by Marriott Renaissance Hotels Residence Inn Ritz-Carlton Reserve Sheraton Hotels Sheraton Residences SpringHill Suites St. Regis Hotels, St. Regis Residences The Luxury Collection The Luxury Collection Residences The Ritz-Carlton The Ritz-Carlton Club The Ritz-Carlton Residences ‘TownePlace Suites Tribute Portfolio htps:mgscloud mariol.comstandards7id=1835, Charter for Corporate Intemal Ault (MIP-16) -Ml Standards v ¥ v ¥ ¥ v v ¥ v ¥ ¥ ¥ us! CAN CALA ¥ ¥ v v v v ¥ ¥ ¥ ¥ ¥ v ¥ ¥ v ¥ v v v v ¥ ¥ ¥ ¥ v v v ¥ ¥ ¥ ¥ ¥ v ¥ v ¥ ¥ ¥ v v AP EUR MEA 2891622, 10.05 PM Charter for Corporate Intemal Ault (MIP-16) -Ml Standards W Hotels v v v v v W Residences ¥ v ¥ ¥ v Westin Hotels v v v v v Westin Residences v v ¥ v v APPLIES TO: Architecture & Construction, Communications, Engineering, Event Management, Finance & Accounting, Fitness & Recreation, Food & Beverage, Front Office, Furniture, Fixtures & Equipment, Golf, Housekeeping, Human Resources, Legal, Information Protection, Purchasing, Quality Assurance & Guest Satisfaction, Residential Operations, Retail, Risk Management & Loss Prevention, Sales, Marketing & Revenue Management, Spa, Technology Requirements Applicability: Associates at all brands, all regions Seger Key Responsibilities: Policy Owner: (unless otherwise stipulated, is responsible for policy administration, Chief Audit Executive (Keri Day) compliance monitoring, implementation, and training) Policy Approver: (unless otherwise stipulated, is responsible for approval of Audit Committee of the Board of Directors exceptions) + Chief Audit Executive (CAE) and Global Internal Audit Function have oversight responsibilty for the facilitation of policy updates. 1, Policy Overview The Internal Audit Department (IAD) is established by Marriott International, Inc. (the "Company" to provide independent, objective assurance and consulting services designed to ensure maintenance of an adequate and effective system of internal controls based on the Committee of Sponsoring Organizations of the Treadway Commission (COSO), and improve the effectiveness and efficiency of the Company's operations. The Intemal Audit Department employs a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, internal control, and governance processes, thereby assisting management in the achievement oftheir operational, regulatory, and financial reporting objectives. The Internal Audit Department will govern itself in accordance with mandatory guidance of The Institute of Internal Auditors (The IIA), including the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the htps:imgscloud marriott. comlstandards?id=1835 ae‘911822, 1005 Pm Charter for Corporate Intomal Aust (MIP-16)- Ml Standards Professional Practice of Internal Auditing (Standards). This mandatory guidance constitutes principles of the fundamental requirements for the professional practice of internal auditing and for evaluating the effectiveness of the Internal Auait Department. In addition, the Internal Audit Department will adhere to the Company's relevant policies and procedures. 2. Policy Statement This Policy establishes Marriott International's requirements for the Internal Audit Department (IAD). The IAD scope of ‘work includes assurance services which require the examination and evaluation of the adequacy and effectiveness of the organization's governance, risk management, and internal control processes as well as the quality of performance in carrying out assigned responsibilities to achieve the organization's stated goals and objectives. This includes: + Assessing whether risks relating to the achievement of the Company's strategic objectives are appropriately identified and managed, + The actions of the Company's officers, directors, employees, and contractors are in compliance with the Company's policies, procedures, and applicable laws, regulations, and governance standards. + Assessing control processes related to the reliability and integrity of financial and operating information and the means used to identify, measure, classify, report and disclose such information, + Assessing control processes related to the systems established to ensure compliance with policies, plans, procedures, laws, and regulations which could have a significant impact on the Company, + Assessing control processes related to safeguarding Company assets and, as appropriate, verifying the existence of such assets, + Assessing control processes related to the efficiency and effectiveness with which Company resources are employed, + Assessing control processes related to operations or programs in place to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned, + Assessing the adequacy of governance and risk management processes, and + Evaluating specific operations at the request of the Audit Committee or management, as appropriate, In addition to the assurance services, the Internal Audit Department may provide consulting services, such as training, facilitation, process design and other advisory services that add value to the Company and contribute to the improvement of governance, risk management, and internal controls, 3. Requirements The Internal Audit Department shall review the Company's system of internal controls while maintaining its independence from the Company's operations. The Internal Audit Department has no direct responsibilty or authority over any of the activities or operations of the Company. The department shall not develop and install procedures, prepare records, or engage in activities which would normally be the responsibility of management and therefore subject to independent review procedures performed by the department 3.4 The Chief Audit Executive (CAE) reports functionally to the Audit Committee of the Board of Directors, and administratively to the Chief Financial Officer (CFO). htps:imgscloud marriott. comlstandards?id=1835 4891622, 10.05 PM Charter for Corporate Inteomal Ault (MIP-16) - Ml Standards 3.2 The CAE will communicate and interact directly with the Audit Committee, including in executive sessions and between Audit Committee meetings as appropriate. 3.3 The Audit Committee will meet with appropriate management personnel to discuss the annual performance of the CAE and approve the proposed compensation using processes established by the Compensation Committee. 3.4 Internal auditors will exhibit the highest level of professional objectivity in matters of audit selection, scope and timing, and while gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors will make a balanced assessment of all the relevant circumstances and not be unduly influenced by their own interests or by others in forming judgments. 3.5 The CAE will confirm to the Audit Committee, at least annually, the organizational independence of the Internal Audit Department. 3.6 Authorization is granted by the Board for unrestricted access to any of the Company's records (either manual or electronic), physical locations, and personnel. Documents and information provided to the Internal Audit Department during an audit or review will be handled in the same prudent manner as by those personnel normally accountable for them. 3.7 The Audit Committee maintains governance over the Internal Audit function and its role in overseeing the Chief Audit Executive by performing the following: approving the appointment of the Chief Audit Executive; consulting with management regarding the performance of the Chief Audit Executive; and approving the compensation of the Chief Audit Executive ‘Additionally, the Audit Committee: (1) approves the Internal Audit charter; (2) approves the risk-based Internal Audit plan and significant changes to that plan; (3) approves the Internal Audit budget and resources necessary to achieve audit plan objectives; (4) receives communications from the Chief Audit Executive on Internal Audit’s performance related to the Internal Audit plan and other matters; and (5) makes appropriate inquiries of management and the Chief Audit Executive to determine whether there are inappropriate scope or resource limitations, 4. Responsibilities The CAE and the intemal Audit Department associates have the responsibilty to + Develop at least annually, an internal audit plan using appropriate risk-based methodology and submit that plan including resource requirements to the Audit Committee for approval. The CAE will communicate the impact of resource limitations and significant interim changes to the annual plan to senior management and the Audit Committee, + Implement the audit plan, as approved, including any additional assignments requested by management and the Audit Committee, + Periodically report to senior management and the Audit Committee on the Internal Audit Department's purpose, authority, and responsibilty, as well as performance relative to its plan. Reporting will also include significant risk htps:imgscloud marriott. comlstandards?id=1835 se‘911822, 1005 Pm Charter or Corporat ntmal Au (MIP-16)- Ml Standares exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the Audit Committee, + Report to management the result of each audit engagement, including significant control issues, potential improvements, and management corrective actions, + Establish and maintain a system to monitor the disposition of results communicated to management, + Keep the Audit Committee informed of emerging trends and successful practices in intemal auditing, + Coordinate audit efforts with the independent auditors, and control and monitoring functions (for example, legal, internal investigations, casino oversight, privacy, information security and intemal control functions), + Assist in the investigation of significant suspected fraudulent activities within the organization and notify management and the Audit Committee of the results, and + Report annually to the Audit Committee the results and findings of audits conducted in the current year. The presentation related to results and finding of audits conducted in the current year will include an opinion as to the adequacy and effectiveness of the Company's system of business and financial risk management, control, and governance processes and a review of all significant, unresolved, or uncorrected items identified during the preceding year. 4.1 Quality Assurance The Internal Audit Department shall strive to increase its effectiveness by learning and applying improved techniques of communications, analysis, and problem solving. A quality assurance program, consisting of supervision and internal reviews will be performed to provide reasonable assurance that the internal audit work conforms to this document and an evaluation of the Department's conformance with the Definition of Internal Auditing and the Standards and an evaluation of whether internal auditors apply the Code of Ethics. The program also assesses the efficiency and effectiveness of the internal audit activity and identifies opportunities for improvement. In addition, a qualified independent reviewer will perform an external quality assurance review at least once every five years. The CAE will communicate to senior management and the Audit Committee on the Internal Audit Department's quality assurance and improvement program, including results of ongoing internal assessments and the external assessments conducted at least once every five years, 4.2 Internal Audit Department Associates The primary resource of the intemal Audit Department is its associates. The motivations, business knowledge, and technical and interpersonal skills of these associates determine the overall effectiveness of the function within the Company. To maintain and improve the function's effectiveness, the CAE will establish the necessary policies and programs to ensure the successful recruitment, training, supervision, and retention of these associates, The CAE is also authorized to obtain necessary assistance of associates in the function where au are being performed, as well as other specialized services from within or outside the Company. 43 Ad nal Responsibilities htps:imgscloud marriott. comlstandards?id=1835 cy‘9118722, 10.05 PM Charter for Corporate Intomal Aust (MIP-16)- Ml Standards ‘Additionally, the CAE is responsible for + Assessing the Company's ethical conduct compliance program, including the assessment of ethical culture of the business and tone set by senior management, + Administering the maintenance of the Marriott International Policy Manual (maintained electronically on the Company's intranet), + Overseeing the administration of the Company's processes to address and act on information received through the Company's Business Integrity reporting systems and/or directly or indirectly reported to the Internal Audit, Department by the Law Department and/or Internal Investigations, and + Assessing, periodically, whether the purpose, authority, and responsibility, as defined in this charter, continue to be adequate to enable the Internal Audit Department to accomplish its activities. ‘Any changes to this charter require Audit Committee approval 5. Documents Associated with this Policy + Periodic SEC Filing Policy (MIP-68) + Audit Committee Charter: the Audit Committee Charter can be found in the Documents & Charters section of the Corporate Investor Relations website at Marriott.com EFFECTIVE: FEBRUARY 01, 2005 | PUBLISHED: FEBRUARY 01, 2005 I this documents older than December 15, 2022, vist Marriot Global Source to ensure you have the most upte-date version af this standard, MARRIOTT CONFIDENTIAL AND PROPRIETARY INFORMATION ‘The contents ofthis material are confidential and proprietary to Martot Intemational, Inc. and may not be reproduced, dsclosed, distributed or used without the express permission ofan authorized representative of Marriot. Any other use is expressly prohibited. htps:imgscloud marriott. comlstandards?id=1835 189118722, 10.05 PM Charter for Corporate Inteomal Ault (MIP-16) - Ml Standards ae