3.1. Procedures to review and authorize financial information and SCIIF description, to be disclosed to stock exchanges, stating who is in charge thereof, as well as the documentation describing the activities and control flows (including those concerning fraud risk) for the different types of transactions which may have a material impact on the financial statements, including the procedure for closing the accounts and the specific review of the relevant judgement, estimates, valuations and projections

Pursuant to the Board of Directors’ Regulations, it is incumbent on the Audit and Control Committee, among other things, to review the annual accounts and the periodic information that the Board of Directors must submit to the markets and their supervisory bodies, overseeing at all times compliance with the legal requirements and the appropriate use in the preparation of such information of generally accepted accounting standards.

Likewise, the above referred Regulations provide that the Audit and Control Committee will meet on a quarterly basis to review the periodic financial information to be submitted to the Stock Exchanges authorities and the information that the Board of Directors must approve and add to its annual public documentation.

The group relies on review and authorization mechanisms regarding the financial information on different levels:

• A first level of review carried out by the different local organizational structures
• A second level of corporate review (conducting analytical reviews of financial information reported by the above structures)
• A third level of control of compliance with internal control procedures regarding financial information.

Prior to the statement of the annual accounts and to the approval of the half-yearly financial statements, the DGF and External Auditors meet for the purposes of reviewing and assessing the financial information prior to submitting it to the Board of Directors.

The Audit and Control Committee submits this information to the Board of Directors which is responsible for approving it, prior to it being disclosed to the market.

The Group keeps duly documented in the relevant procedures all processes which it deems to entail a risk of a material impact on the preparation of the financial information.

Such procedures include controls which allow giving an appropriate answer to risks associated to the achievement of the goals regarding reliability and integrity of the financial information so as to prevent, detect, reduce and correct the risk of any potential mistakes way in advance.

Additionally, procedures are represented in flow charts and control activities through scoping risks matrixes and controls. Each control activity is overseen by the relevant supervisor and is systematically carried out. Dissemination of procedures, flow charts and matrixes to staff members involved in the drafting of the financial information is carried out through the DGF portal of the Group available on the intranet, where they may be accessed by any member of the financial team. Such portal represents an additional work tool.

Each procedure is allocated to a manager charged with reviewing and updating it. Said updates are duly reviewed and authorizes by the head of the area prior to their dissemination via the financial portal.

During FY2013 the group has commenced implementation and adjustment of the SAP GRC Process Control module which:

• Facilitates management of the control model in a single centralized environment
• Supports the assessment process based upon a hierarchic approval supported by Workflows
• Monitors the testing process at the different local organizational structures
• Streamlines the work of users by giving them notices of tasks to be carried out.

The following procedures should be underscored in accordance with their relevance, considering the business nature:

• Accounts payable
• Cash.
• Stores sales.
• Stock management.
• Tangible fixed assets.
• Taxes.
• Accounting closure.

The Group relies on procedures governing accounting closing, central purchases units and consolidated financial statements. This last procedure provides a section regarding “Provisions, Opinions and Estimates” which covers the main consolidated provisions, opinions and estimates, as well as the review and approval thereof by the DGF.

During the fiscal year and further to the launching of the new SAP GRC tool, all procedures connected with financial reporting have been updated and improved.

The DGF relies on another control tool, which complements the different documented procedures. Such tool consists of a number of indicators (KPIS, “key performance indicators”) which aim at evaluating the quality of financial information reported by the relevant managers of the Group companies. Such tool is available to the different units which create information. KPIS are regularly reviewed by members of the different financial departments of companies, with the proposal, where appropriate, of corrective measures and specific action plans and the follow-up thereof.

3.2. Internal control policies and procedures for IT systems (including secure access, control of changes, system operation, continuity and segregation of functions) supporting the key process of the Company regarding the drafting and publication of financial information

The internal control framework of IT systems of the Group has been defined based upon a catalogue of IT processes (hereinafter, IT) which covers the whole activity associated to each system and a basic risks review associated to such processes. Thus, the internal control framework covers all the risks associated to each and every process.

The Computer Security area of the Group, which reports to the IT Division, aims at ensuring security of all computer processes by:

• Setting and disseminated regulations to ensure security. With this respect, the Policy for Information Security (PSI, Spanish acronym).
• Carrying out reviews aimed at verifying enforcement of such regulations.

The PSI serves as a benchmark which provides guidelines to be followed by the staff of the Inditex Group, for the purposes of ensuring computer security within all business processes; therefore, they also support the SCIIF. Guidelines provided in the Security Policy address the following issues:

• Assets classification and control
• Security versus human deeds
• Physical security and security of the environment
• Accesses control
• Systems, Communications and Transactions Management
• Systems Development and Update
• Business Continuity Management
• Management of Information Security Incidences
• Regulatory and Legal Compliance.

Additionally, regarding the design and implementation of applications, the Group has defined a methodological framework with different requirements aimed at ensuring that the solution implemented actually meets the functions demanded by users and so that the quality level meets the security standards set out.

Finally, the Group relies on contingency mechanisms and procedures, both technical and operational, which have been defined to ensure recovery of IT systems in case of lack of availability.

3.3. Internal control policies and procedures to oversee activities outsourced to third parties as well as the appraisal, calculation or assessment activities commissioned from independent experts, which may have any material impact on financial statements

As a general rule, the INDITEX Group does not have any process with a relevant impact on financial information outsourced to any third party. The general policy of the Group lies in not outsourcing any activity which might have any material impact on its financial statements.

During FY2013, the following main activities entrusted to third parties have been identified, without their having any material impact on financial statements:

• Valuation of intangible assets and companies
• Actuarial calculations
• HHRR-related services
• Valuation of derivatives

Such services are engaged by the managers of the relevant areas, ensuring the technical and legal qualifications and capacity of the individuals or companies hired.