Systems for control of risks

1. Scope of the Company’s Risks Management System

Risks management in the Inditex Group is a process driven by the Board of Directors and the Senior Management, incumbent on each and every single member of the Organization, which aims at providing a reasonable safety in the achievement of the targets established by the Group, ensuring the shareholders, other stakeholders and the market in general, an appropriate level of guarantee which ensures protection of value built.

In this context, the Enterprise Risks Management Policy of the Group sets the overarching principles, key risk factors and the general action lines to manage and control the risks which affect the Group. This Policy is enforced on the whole Group and is at the basis of an Integral Risks Management System which is currently being implemented, gradually, starting at Corporate level and in key business areas.

The Enterprise Risks Management Policy is developed and supplemented by specific policies with regard to certain Group areas. Among the policies developed and implemented by the above mentioned areas regarding the management of the different risks, the following should be pointed out:

  • Investment Policy
  • Payment Management Policy
  • Foreign Exchange Risk Management Policy
  • Proxies Policy
  • Code of Conduct and Responsible Practices
  • Code of Conduct for Manufacturers and Suppliers
  • Occupational Hazards Policy
  • Environmental Risk Management Policy
  • IT Safety Policy
  • Health and Safety of the Product Policies (Safe to Wear and Clear to Wear)

The risk management process is described in detail in the Risks Management Manual in connection with this Policy. The whole process is based upon the identification and assessment of the factors which may have a negative impact on attainment of the business objectives, which translates into a risks map of the main risks which are classified in different groups together with an assessment thereof based upon their potential impact, their likelihood of occurrence and the level of preparedness of the Group to face up to them. The risks map ir regularly reviewed to keep it updated, in order to include amendments related to the evolution of the Group itself and the environment where it operates. This risks management process also addresses a certain response vis-à-vis such factors, and the establishment of the control measures which are necessary for such response to be effective.

Within the Risks Management System, business units represent the first line of defense, and they report relevant information to the Risks Management Department, which coordinates the System as second line of defense.

Internal Audit acts as third line of defense supervising in an independent and objective manner the Risks Management System and reporting to the Board of Directors through the Audit and Control Committee.

2. Corporate bodies responsible for drawing up and enforcing the Risks Management System

The main responsibilities of the governing bodies and areas involved in Enterprise Risks Management at the INDITEX Group are described below:

Board of Directors

  • Approval of the Enterprise Risks Management Policy, on the proposal of the Management, wherein risks management strategy is defined, and disclosure thereof to the organization. Based upon such policy, the ERM System is implemented, as well as the mechanisms for the regular follow-up of internal information and control systems.

Audit and Control Committee

  • Periodic review of the control policy and of the effectiveness of the ERM System, ensuring that the main risks are duly identified, managed and disclosed in an appropriate manner. .

Financial Division (ERM Department)

  • Setting in train the ERM System.
  • Overseeing and coordinating the work of Risks Managers at each corporate or format Business Unit or Area, providing valid tools for risks assessment and management.
  • Maintaining and updating knowledge, techniques, methodologies and tools allowing observance of the principles underlying the ERM system at maximum quality levels.
  • Periodic review of the risks management policies and manuals and proposing the amendment and update thereof to the Board of Directors, where applicable.
  • Coordinating and processing the information received by Risks Managers at each Business Unit or Area, Reporting to the Senior Managers and the Board of Director through the Audit and Control Committee.
  • Monitoring the ERM System and encouraging its integration in the activities, process and decision-making.
  • Promoting appropriate and effective communication channels between ERM Division and the remaining Divisions and areas involved.

Risks Managers

  • Monitoring the risks under their remit, in accordance with the methodology and tools defined by the ERM Department.
  • Identification of events which may entail any likely risks and opportunities within the assigned scope of Responsibility, Reporting the necessary information to the ERM Department.
  • Follow-up and notice of the risks management evolution, as well as the defined action plans.

Internal Audit

  • Contributing to the improvement of risks management, control and governance processes, assuring to the Audit and Control Committee an effective supervision other than the internal control system and issuing recommendations for the Group which help reduce to reasonable levels the potential impact of risks which hamper the attainment of objectives of the Organization.
  • Internal Audit function must always remain independent in respect of ERM System, and not be responsible for making any key decisions regarding its operation.

Senior Managers

  • Raising awareness regarding the weight of the ERM System and its value for all the stakeholders of the Company, encouraging the creation of an all encompassing risks management culture.
  • Provision of appropriate and sufficient resources to implement Risks Management activities.
  • Validation of action and work plans resulting from the risks management process itself.
  • Follow-up of activities.

Additionally, certain specific Committees have been set up in respect of the follow-up of the major risks:

  • Expansion Committee
  • Logistics Committee
  • Committee of Ethics
  • Business Monitoring Committee
  • Code Compliance Supervisory Board

3. Main risks that could prevent attainment of business goals

In order to permit a standard and comprehensive management of risks, the Group has established a definition of risk valid for the whole Organization. Thus, the Group defines risk as: “any potential event which might have a negative impact on attainment of business objectives”.

Risks reviewed are classified and grouped in the following categories:

3.1. Business environment

These are risks stemming from external factors, connected with the Group’s business.

This category encompasses the risks regarding the difficulty in adjusting to the environment or market in which the company operates, whether as regards procurement processes or distribution and sale of goods processes. This is inherent in the fashion retail business and consists in the eventual incapacity of the Group to follow and offer a response to the evolutions of its target market or to adjust to the new situations in procurement countries.

With this respect, demographic and social and economic changes in procurement or distribution countries, the new ways of communication that arise, and changes in consumption habits, or the consumption decline in certain markets are, inter alia, factors which may have an impact on the effective achievement of the business goals of the Group.

3.2. Regulatory risk

Those are risks to which the Group is exposed arising from the different laws and regulations in force in the different countries where it is present.

In order to facilitate management of the risks included in this category, they have been classified in accordance with their nature, into two groups: risks regarding the tax, customs, employment, trade and consumption and industrial and intellectual property regulations and risks associated to the remaining laws and regulations.

3.3. Reputation

Those are the risks which have a direct impact on the way the Group is perceived by its stakeholders (customers, employees, shareholders and suppliers) and by the Society in general.

These risks arise out of a potential improper management of the issues regarding the social responsibility and sustainability, the responsibility on account of the composition of products, as well as of the corporate image of the Group.

3.4. Human Resources

The main risks in the human resources area are those arising out of the potential dependence on key personnel and of the difficulty in properly identifying and managing talent, due to a lack of capacity of the Organization to meet the new expectation of the employment market, on account of changes in the set of values of new generations.

3.5. Operations

The main operational risks the Group has to face up to arise out of a potential difficulty in recognizing and taking in the ongoing changes in fashion trends, manufacturing, supplying and putting on the market new models meeting customers’ expectation.

The risk arising out of the interruption of the transaction is linked with the likely occurrence of extraordinary events beyond the control of the Group (natural disasters, fires, strikes of haulers or suppliers, discontinuance in the supply of power or fuel, etc.,) that might significantly affect normal operations.

Given the operative of the Group, the main risks included in this category are to be found at the logistics centres and in external operators charged with transporting the goods. The distribution of apparel, footwear, accessories and home ware for all the formats is based upon 13 logistics centres spread throughout the territory of Spain. Logistics operations are also ensured by other smaller distribution centres located in 7 different countries. The size and use of all logistics centres is optimized on account of the volume of each format or the specific requirements existing in each geographic area serviced. Namely, some of the above referred logistics centre specialize in distribution of goods associated with on-line sales. Location of such centres has been considered so that they may be versatile to undertake storage capacity and distribution of other centres in the event of any contingency resulting from any potential accidents or stoppage of the distribution activities.

Other risks included in this category are those associated to quality of products and to an inappropriate customer service and satisfaction.

As well as those associated to real estate management, in connection with the search and selection of business premises and their profitability.

3.6. Financial

In the regular conduct of its business, the Group is exposed to financial risks. Included in this category are foreign exchange risk, counterparty credit risk, liquidity risk and interest rates risk. Additionally, given the ever growing international dimension of the Group’s business, the Company is exposed to the country risk in different markets.

The Euro is the functional currency of the Group. Its international transactions give rise to the use of a large number of other than the Euro, which gives rise to the foreign exchange risk.

The Group has various investments abroad, the net assets of which are exposed to exchange rate risk. As the consolidated financial statements of all the companies in the group are drafted in the functional currency, i.e., Euro, it is faced with the foreign exchange risk on account of translation, in respect of all its entities outside the European Union. The company is also faced with the risk resulting from transactions in currencies other than Euro of flows of collections and payments for acquisition of goods and rendering of services both in respect of transactions within the Group and outside the Group.

The Group is not exposed to significant concentrations of counterparty credit risk. Most of its revenue results from retail sales, where payment is primarily made in cash or through credit card. Anyway, the Group is faced with the risk that counterparties, mainly financial ones, would fail to comply with the obligations stemming from investment of cash or other financial and securities vehicles, and from derivatives used for financial risks hedging. With regard to the interest rate risk, direct exposure of the Group to such risk is rather scarce, considering the non existence of leverage. However, as the value of financial assets depends upon the evolution of interest rates, the Group is exposed to such risk in terms of its financial investments.

Finally, the international nature of the Group’s business determines the exposure to country risk in a growing number of markets.

3.7. Information for the decision making

The risks hereunder included are those linked to the appropriate information at all levels: transactional and operative, financing-accounting, management, budgeting and control.

These are not significant risks in relative terms, although the various departments of the Group and especially the Planning and Management Control Department and the Administration Department, which report to the Financial Division, are directly responsible for producing and supervising the quality of such information.

3.8. Technology and information systems

The risks hereunder covered are those linked to the technical infrastructure and the efficient management of information and of the computing and robotic networks. The risks connected with the physical and logical safety of the systems are also included.

3.9. Corporate Governance

This category includes the risk of not having the appropriate management of the Group which might entail a breach of the Corporate Governance and transparency standards.

4. Company’s risk tolerance level

The Inditex Group relies on standard criteria to identify, assess and prioritize risks, based upon the concept of risk tolerance as key tool.

It is incumbent on Senior Managers to establish risk tolerance and strategy, which must reflect the risk volume that the company is willing to assume to reasonably attain the goals and interests of the Group. Such tolerance is regularly updated, and at least every time the Group strategy changes.

Once the risks tolerance for strategic and business goals of the Group has been defined, it is duly disclosed to the Corporate Risks Manager, who determines the assessment scales of key business risks (impact, likelihood and readiness level).

5. Risks which have materialized during the year

During the year, risks inherent in the business model, the activity of the Group and the market environment have materialized, as a result of circumstances inherent in the development of business and the prevailing economic climate. Although none of them has had a significant impact on the Organization, materialization of foreign exchange had a higher weight.

The Group operates globally and therefore, it is exposed to the foreign exchange risks in respect of transactions in currencies, namely in US dollar, Russian ruble, Chinese renminbi, Mexican peso, sterling pound and Japanese yen. In the course of the year, depreciation of non euro currencies has had a 3 percentage points negative impact on the growth rate of net sales of the company.

The foreign exchange risk is managed pursuant to the guidelines set out by the Management of the Group, which mainly cover the establishment of financial or natural hedging systems, constant monitoring of foreign exchange rates flows and other measures aimed at mitigating such risk.

6. Response and supervision plans for the main risks faced by the Company

The Group relies on response plans seeking to reduce the impact and materialization likelihood of critical risks described under section 3 above, or to improve the level of risk preparedness.

The main response plans for each risks category are explained below:

6.1. Business environment

In order to reduce the exposure to risk in this area, the Group carries out a feasibility research for each new market, business line or store, considering pessimistic scenarios, and subsequently monitors whether the expected figures are met or not. Moreover, the business model of the Group is not only based upon the management of new openings, but also on improvements in the efficiency and effectiveness of the markets, business lines and stores already existing, so that the growth achieved via expansion and diversification, be complemented by the organic growth of the current business.

In line with the foregoing, the expansion policy, the multi-brand format of the Group and the use of new technologies as an option for communicating and selling to our customers, represent a way to diversify this risk, which downplays the global exposure to this risk of the market.

6.2. Regulatory risk

In order to reduce the exposure to risk in this area and secure the appropriate enforcement of the prevailing local legislation in force, the corporate Legal, Tax, Industrial Property and Human Resources departments, as well as the General Counsel’s Office work in coordination with the different supervisors and with the legal external advisors of each country or geographic area.

Special mention should be made of criminal regulatory risks. For the purposes of reducing such risks, the Group relies on a Manual on Criminal Risks Prevention, overseen by the Committee of Ethics.

The Internal Audit department conducts regulatory compliance audits on a regular basis with teams of independent professionals specializing in certain regulations which apply to business.

Additionally, the Environment Department carries out audits and leakage controls of wet processes and the Corporate Social Responsibility Department carries out social audits, as well as technical and production audits. All of them are carried out on a regular basis, together with teams of independent professionals, with a great command of the language as well as of the local labour and environmental legislation, to ensure the appropriate enforcement of both the labour requirements covered by the International Labour Organisation (ILO) Treaties and the Human Rights covered in the major Treaties that govern this subject.

6.3. Reputation

The Group has developed a Social Audit Program, based on the external and independent verification of the degree of implementation and compliance with the Code of Conduct for Manufacturers and Suppliers in order to minimize the potential risks of harming the image due to improper behaviours by third parties. Said program specifies the review procedures which secure the gathering of information and evidences on the minimum working conditions that all manufacturers, suppliers and external workshops must comply with. Additional information on this Program and on other programs is available in the Annual Report and on the corporate web.

In such sizable and visible organisations as the Group, some conflicts could arise out of an inappropriate relationship with third parties alien to the proceedings of the Group (CNVM, communication media, Investors, public authorities, etc.,).

The Group, through its Division of Communication and Institutional Relations, responsible for the centralized management of the communications with third parties and with the Corporate Social Responsibility Department, sets out the procedures and protocols required to minimize this risk. Likewise, given their relevance, the General Counsel’s Office and the Capital Markets department are charged with managing specifically the relationship with CNMV and the latter is also charged with dealing with the investors.

Moreover, the large experience gained by the Group, given its long international career, allows it to minimize the risk attached to the difficulty in adapting its products and proceedings to the different social and cultural realities, uses and special features of specific markets, by setting up the right policies which allow it to identify and as the case may be, implement the required measures. Additionally, the Group controls and verifies the level of compliance with its health and safety of the products standards (“Safe to Wear” and “Clear to Wear”), as part of its production process.

The Group relies also on a Code of Conduct and Responsible Practices and a Code of Conduct for Manufacturers and Suppliers, whose enforcement and construction falls on the Committee of Ethics.

6.4. Human Resources

To minimize these risks, the Human Resources Department carries out continuous recruitment and hiring processes of new personnel. It has also developed a regular training program for its staff and has implemented specific systems:

  • to combine quality in the performance of their duties by the employees and the satisfaction they may obtain at their workplace;
  • to facilitate the exchange of jobs among those employees wishing to broad their experience in the different areas of the Organisation
  • to provide career opportunities to the most talented and willing persons within the Organization.

On the other hand, the work system implemented within the Organization favours the transfer of knowledge between the relevant employees in the different areas, thus minimizing the risk linked to depending excessively on the knowledge of key personnel Additionally, the use of career development, training and compensation policies seeks to retain key employees.

To ensure the appropriate labour environment, the Human Resources department is governed by a series of acting rules which are thoroughly reviewed in the Performance section of the Annual Report.

On the other hand, a growing demand has arisen lately within the labour market, linked to the social responsibility of companies, which has become a key factor upon selecting a company for the job of choice. Therefore, such issues as equal opportunities or labour and work-family balance are inter alia, factors that the Company takes into account, with policies designed for such purposes.

With this respect, the INDITEX Group has implemented the Equal Opportunities Plan, with measures that seek to meet different goals, such as, inter alia: fostering the commitment and effective implementation of the equal opportunities principle between female and male employees, contributing to reduce inequality and imbalance, preventing labour discrimination, fostering the corporate commitment towards a better life quality, ensuring a healthy work environment and providing actions to promote family and work balance.

Likewise, the use of technology as a means for talent attraction, development and retention is becoming a new trend within the employment market; therefore, the Group is promoting integration and optimization of its use globally within the Organization for the purposes of creating a virtual communication environment in line with employees’ customs and preferences.

6.5. Operations

The Group reduces the exposure to this risk through a manufacturing and procurement system that ensures a reasonable flexibility to answer to the unforeseen changes in the demand by our customers. Stores are permanently in touch with the designer team, through the Product Management Department, and this allows perceiving the changes of taste of the customers. Meanwhile, the vertical integration of the transactions allows cutting the manufacturing and delivery terms as well as to reduce the stock volume, while the reaction capacity that allows to introduce new products throughout the season, is kept.

Given the relevance that an efficient logistics management has on the appearance of such risks, the Group conducts a review of all the factors which may have a negative impact on the target of achieving the maximum efficiency of the logistics management, to actively monitor such factors under the supervision of the Logistics Committee.

To mitigate the risk resulting from stoppage of operations, associated to the likelihood of occurrence of extraordinary events beyond the control of the Group, mainly in connection with logistics centres and external operators charged with trucking of goods, the size and use of all centres has been optimized, based upon the volume of each format or the specific requirements of the geographic area which they service. Namely, part of the above mentioned logistics centre specialize in distribution of goods sold on-line. The different centres have been set in such a manner as to be able to assume storage and distribution capacity from other centres in the event of any contingency resulting from potential accidents or stoppage of distribution activities.

Additionally, the Group takes active measures to reduce risk exposure, by keeping high levels of safety and protection in all its distribution centres, together with insurance policies covering both the potential property damage incurred by the facilities and stock, as well as any loss of profit which might arise out of any loss.

In order to ensure the growth of the Group and enhance the flexibility of its business model, the Logistics Expansion Plan assess the need and envisages, where appropriate, investing in new distribution centres or in the extension of the existing ones, so as to minimize the risk linked to the logistics planning and sizing. Additionally, investments are carried out towards the improvement and automation within the existing centres so as to increase their capacity and efficiency.

To minimize the risks attached to the quality of finished product, the Group resorts to different monitoring systems based upon defined standards (“Safe to Wear” and “Clear to Wear”) whose implementation is mandatory within the production line, for all finished products, footwear and accessories.

To reduce exposure to the risk arising out of an improper customer satisfaction and service, the Group applies standard store service procedures, training and monitoring programs for store managers and assistants, and communication channels available for customers in order to ensure the quality of the sale and post sale service. Likewise, as a result of the introduction of a new sale channel through the online sale, certain mechanisms to follow-up the degree of satisfaction of customers regarding their online purchase have been set up. With this respect, Marketing and Internet departments of the two formats which currently offer online sale have prioritized the design of their websites, taking into account such premises, while, at the same time, making a large team of professionals available to support the queries, concerns or requests of the customers regarding their online purchase experience.

The Group reduces the risk linked to the real estate management, regarding the search and selection of business premises, through the monitoring of local markets where it operates and through the evaluation and supervision of new openings by the Expansion Committee.

6.6. Financial

In order to reduce foreign exchange risk, it must be managed in a proactive, sufficient and systematic manner; to achieve this, the Group has implemented the Foreign Exchange Risk Management Policy with the major goal of reducing potential economic losses and volatility in the financial statements resulting from such risk. Exchange exposure materializes in terms of net investment, translation and transaction risks. The above referred policy sets the guidelines to manage all such exposures.

Payment Management Policy addresses the principles leading to ensure compliance with Group’s obligations, safeguarding its interests and setting up the required procedures and processes to ensure an effective and prompt payment management. Such policy determines the best manner, currency and terms to make payments, in economic, accounting and legal terms. Finally, the Payment Policy covers the potential exceptions and the procedure to authorize such exceptional payments. Meanwhile, the Proxies Policy determines the different proxies of Groups authorized to approve financial transactions on behalf of the Group, including payments, the level of authorization according to the Group to which they belong, the authorized amount of the transaction and the required pairing of proxies according to such criteria.

Under the current policy in force, exchange rate management is incumbent on the corporate Financial Management Department. Such policy lays down the review and follow-up procedures regarding exchange exposure and the potential hedging strategies, the procedure for acquiring derivatives and the recording and registration thereof. At present, forward contracts are the main hedging instrument.

The Investment Policy of the Group, which aims at ensuring security, integrity and liquidity of financial assets of the company, provides the guidelines which need to be observed by counterparties and classifies them in panels in accordance with their rating and solvency profile and their relevance for the Group. Likewise, such Policy sets maximum exposure limits in terms of counterparty and provides procedures to ensure control, follow-up and monitoring of credit risk.

The Group has enough liquidity to undertake the funding requirements of its regular functional transactions and to face its future growth expectations. At present, the Group has no external debt and keeps on its balance sheet a sufficient position in very liquid assets (cash and cash equivalents). For the purposes of attending to any potential cash need, the Group relies on a sufficient number of loan agreements, both in Euro and in other currencies.

The Investment Policy of the Group also seeks to minimize the exchange rate risk by determining the nature, term and credit quality of the underlying integrating the investment vehicles of the company.

Such Policy sets guidelines with regard to the role of sovereign risk in terms of counterparty credit risk, and the influence thereof on financial assets and/or investment vehicles.

6.7. Information for the decision making

In order to reduce exposure to this kind of risks, the Group regularly reviews the management information disclosed to the relevant officers and invests in IT, follow-up and budgeting systems, among others.

With regard to the risks associated to financial reporting, the Group has set up an Internal Control System on Financial Reporting (SCIIF, Spanish acronym) aimed at achieving an ongoing follow-up and assessment of the main risks associated, which permits ensuring reasonably the reliability of the public financial information of the Group. Additional information on this issue is available in next Section of this Annual Report.

In addition, the consolidated Annual Accounts and those of each and every relevant company are subject to review by the independent auditors who are also in charge of carrying out certain audit works regarding the financial information. Likewise, as regards the most significant companies of the Group, independent auditors are requested to issue recommendations on internal control.

6. 8. Technology and IT

To reduce exposure to this type of risks, the IT Division permanently monitors the streamlining and coherence of the systems, for the purposes of minimizing the number of software packages, maximising training of all users involved in handling these and guaranteeing the security and stability required for the continuous development of the activities of the Group. The IT Division is governed by the IT Safety Policy.

Moreover, there are contingency systems in the event of computer stoppage, with double equipment and data storage somewhere other than the main Centre, which would reduce the consequences of any failure or stoppage.

6.9. Corporate Governance

In order to reduce these risks, compliance with the corporate governance system of the Company is required, which comprises the Articles of Associations, the Board of Directors’ Regulations, the Regulations of the General Meeting of Shareholders, the corporate policies implemented for enterprise risk management, and the internal regulations of the Group (the Code of Conduct and Responsible Practices, the Code of Conduct for Manufacturers and Suppliers, and the Internal Regulations of Conduct regarding Transactions in Securities– hereinafter, IRC).

The Code Compliance Supervisory Board and the Code Compliance Officer are charged with overseeing and enforcing the IRC.

With regard to the Code of Conduct and Responsible Practices and the Code of Conduct for Manufacturers and Suppliers, the Committee of Ethics is responsible for the enforcement and construction thereof. Such Committee may act “ex officio” or further to a report made by any of Inditex’s employees, manufacturer or supplier, or by any third party involved in a direct relationship and with a lawful business or professional interest, who submits a report in good faith.

With regard to corporate governance supervision, the Board of Directors and the Audit and Control Committee are the main governing bodies responsible for risks control.

1.- The Board of Directors

The Board of Directors is responsible for identifying the main risks for the Group and for organising the appropriate internal control and information systems.

2.- The Audit and Control Committee

The Audit and Control Committee assists the Board of Directors in its supervision and control duties by reviewing the internal control systems. The duties of the Audit and Control Committee are provided under the Articles of Association and the Board of Directors’ Regulations.

The Board of Directors’ Regulations provide that it is incumbent on the Audit and Control Committee, exclusively comprised of non-executive directors of the Group, to supervise the process for preparing and presenting the regulated financial information and the effectiveness of the internal control systems of the Group, (namely, of the internal control system on financial information) and to check the appropriate type and integrity of said systems. Additionally, the Audit and Control Committee is charged with overseeing the Internal Audit Department of the Group, approving the budget of the Department and the Internal Audit Plan, the annual report of activities of the Internal Audit department and supervising the material and human resources thereof, whether internal or external, to discharge its duties.

The Internal Audit Department is directly linked to the Board of Directors, to which it reports, through the Audit and Control Committee, thus ensuring the full independence of its acts.

In accordance with the Internal Audit Charter of the Group, the mission of the Internal Audit function is that of contributing to the good running of the Group, by assuring an independent supervision of the internal control system, and by providing recommendations to the Group that help reduce to reasonable levels the potential impact of the risks that hinder the accomplishment of the objectives of the Organization.

Likewise, according to the Charter, the goals of the Internal Audit function are to promote the existence of appropriate internal control and risk management systems, the homogeneous and efficient application of internal control system policies and procedures which make up such internal control system and to serve as communication channel between the Organization and the Audit and Control Committee, in relation to those matters that are responsibility of Internal Audit.