3.1. Procedures to review and authorize financial information and SCIIF description

Pursuant to the Board of Directors’ Regulations, it is incumbent on the Audit and Control Committee, inter alia, to review the financial statements and the periodic information that the Board of Directors must submit to the markets and their supervisory bodies, overseeing at all times compliance with the legal requirements and the appropriate use in the preparation of such information of generally accepted accounting standards.

Likewise, the above referred Regulations provide that the Audit and Control Committee will meet on a quarterly basis to review the periodic financial information to be submitted to the Stock Exchanges authorities and the information that the Board of Directors must approve and add to its annual public documentation.

The Group relies on review and authorization mechanisms regarding the financial information on different levels:

• A first level of review carried out by the different local organizational structures.
• A second level of corporate review conducting analytical reviews of financial information reported by the above structures.
• A third level of control of compliance with internal control procedures regarding financial information.

Prior to the statement of the annual accounts and the approval of the half-yearly financial statements, the DGF meets with the External Auditors for the purposes of reviewing and assessing the financial information prior to submitting it to the Board of Directors.

The Audit and Control Committee submits this information to the Board of Directors which is responsible for approving it, in order to be subsequently disclosed to the market.

The Group keeps duly documented through the relevant procedures all processes which it deems to entail a risk of a material impact on the preparation of the financial information.

Such procedures describe the controls which allow giving an appropriate answer to risks associated with the achievement of the goals regarding reliability and integrity of the financial information so as to prevent, detect, reduce and correct the risk of any potential mistakes way in advance.

Additionally, procedures are represented in flow charts and scopes and scoping risks matrixes and controls whereby the relevant control activities are identified. Each control activity is overseen by the relevant supervisor and is systematically carried out. Dissemination of procedures, flow charts and matrixes to staff members involved in the drafting of the financial information is carried out through the specific DGF portal of the Group available on the INET portal, where they may be accessed by any member of the financial team. Such portal represents an additional work tool.

Each procedure is allocated to a manager charged with reviewing and updating it. Said updates are duly reviewed and authorized by the area management prior to their disclosure.

The following procedures should be underscored in accordance with their relevance, considering the business nature:

• Accounts payable
• Treasury
• Stores sales
• Stock management
• Tangible fixed assets
• Taxes
• Accounting closing

The Group also relies on procedures governing accounting closing of subsidiaries and the preparation of the consolidated financial statements. This last procedure provides a section regarding “Provisions, Opinions and Estimates” which defines the main consolidated provisions, opinions and estimates, as well as the review and approval thereof by the DGF.

The Group’s standard form of internal control is supported by the SAP GRC Process Control tool.

The DGF relies on another control tool, which supplements the different documented procedures. Such tool consists of a number of indicators (KPIS, “key performance indicators”) which aim at evaluating the quality of financial information reported by the relevant managers of the Group companies. Such tool is available to the different units which create information. KPIS are regularly reviewed by members of the different financial departments of companies, with the proposal, where appropriate, of corrective measures and specific action plans and the follow-up thereof.

3.2 Internal control policies and procedures for IT systems (including secure access, control of changes, system operation, continuity and segregation of functions) supporting the key process of the company regarding the drafting and publication of financial information

The internal control framework of IT systems of the Group has been defined based upon a catalogue of IT processes (hereinafter, IT) which covers the whole activity associated with each system and a basic risks review associated with such processes. Thus, the internal control framework covers all the risks associated with each and every process.

The Group has an Ethical Hacking area, reporting to the IT Division, which aims at ensuring security of all computer processes by:

• Setting and circulating regulations to ensure security, pursuant to the Policy for Information Security (hereinafter, PSI (Spanish acronym)).
• Carrying out reviews aimed at verifying enforcement of such regulations.

The PSI serves as a benchmark which provides guidelines to be followed by the staff of the Inditex Group, for the purposes of ensuring ethical hacking within all business processes; therefore, they also support the SCIIF. Guidelines provided in the Policy for Information Security address the following issues:

• Assets classification and control
• Security versus human deeds
• Physical security and security of the environment
• Accesses control
• Systems, Communications and Transactions Management
• Systems Development and Update
• Business Continuity Management
• Management of Information Security Incidences
• Regulatory and Legal Compliance.

Additionally, regarding the design and implementation of applications, the Group has defined a methodological framework with different requirements aimed at ensuring that the solution implemented actually meets the functions demanded by users and so that the quality level meets the security standards set out.

Likewise, the Group relies on contingency mechanisms and procedures, both technical and operational, which have been defined to ensure recovery of IT systems in case of lack of availability.

During FY2015, the Committee for Information Security has held quarterly meetings and the number of attendees has increased, including the area of Communications and Institutional Relations and E-commerce. Members of the following areas serve on such Committee:

• Administration and Finances
• Internal Audit
• Corporate Development
• International
• Legal
• Corporate Logistics
• Product Diversion Control
• Human Resources
• General Counsel’s Office
• Corporate Security
• IT

3.3. Internal control policies and procedures to oversee activities outsourced to third parties as well as the appraisal, calculation or assessment activities commissioned from independent experts, which may have any material impact on financial statements

As a general rule, the Inditex Group does not have any process with a relevant impact on financial information outsourced to any third party. The general policy of the Group lies in not outsourcing any activity which might have any material impact on its financial statements.

During FY2015, the following main activities entrusted to third parties have been identified, without their having any material impact on financial statements:

• Valuation of fixed assets.
• Valuation of intangible assets
• Actuarial calculations.
• HHRR related services
• Valuation of derivatives

Such services are engaged by the supervisors of the relevant areas, ensuring the technical and legal qualifications, capacity and independence of the individuals or companies hired.