3. Control activities

Information on the main features if at least the following exist:

3.1. Procedures to review and authorize financial information and SCIIF description, to be disclosed to stock exchanges, stating who is in charge thereof, as well as the documentation describing the activities and control flows (including those concerning fraud risk) for the different types of transactions which may have a material impact on the financial statements, including the procedure for closing the accounts and the specific review of the relevant judgment, estimates, valuations and projections.

Pursuant to the Board of Directors’ Regulations, it is incumbent on the Audit and Control Committee, among other things, to review the annual accounts and the periodic information that the Board of Directors must submit to the markets and their supervisory bodies, overseeing at all times compliance with the legal requirements and the appropriate use in the preparation of such information of generally accepted accounting standards.

Likewise, the above-referred Regulations provide that the Audit and Control Committee will meet on a quarterly basis to review the periodic financial information to be submitted to the Stock Exchanges authorities and the information that the Board of Directors must approve and add to its annual public documentation.

The Group relies on review and authorization mechanisms regarding the financial information on different levels:

  • A first level of review carried out by the different local organizational structures
  • A second level of corporate review (conducting analytical reviews of financial information reported by the above structures)
  • A third level of control of compliance with internal control procedures regarding financial information

Prior to the statement of the annual accounts and to the approval of the half-yearly financial statements, the DGF and External Auditors meet for the purposes of reviewing and assessing the financial information prior to submitting it to the Board of Directors.

The Audit and Control Committee submits this information to the Board of Directors which is responsible for approving it, prior to it being disclosed to the market.

The Group keeps duly documented in the relevant procedures all processes which it deems to entail a risk of a material impact on the preparation of the financial information.

Such procedures include controls that provide an appropriate response to the risks associated with achieving the goals of reliability and integrity of the financial information, so as to prevent, detect, reduce and correct the risk of any potential mistakes well in advance.

Additionally, procedures are represented in flow charts and control activities through scoping risks matrixes and controls. Each control activity is overseen by the relevant supervisor and is systematically carried out. Dissemination of procedures, flow charts and matrixes to staff members involved in the drafting of the financial information is carried out through the DGF portal of the Group available on the intranet, where they may be accessed by any member of the financial team. Such portal represents an additional work tool.

Each procedure is allocated to a manager charged with reviewing and updating it. Said updates are duly reviewed and authorized by the head of the area prior to their dissemination via the financial portal.

The following procedures should be underscored in accordance with their relevance, considering the business nature:

  • Accounts payable
  • Cash
  • Stores sales
  • Stock management
  • Tangible fixed assets
  • Taxes
  • Accounting closure

Such procedures have been updated during the year, with the addition of new ones, and the adjustment thereof to the new requirements of the control tool.

The Group also relies on procedures governing accounting closing, central purchases units and consolidated financial statements. This last procedure provides a section regarding “Provisions, Opinions and Estimates” which covers the main consolidated provisions, opinions and estimates, as well as the review and approval thereof by the DGF.

During financial year 2014, the Group continued implementing the SAP GRC Process Control tool in the different companies of the Group.

The DGF relies on another control tool, which complements the different documented procedures. This tool consists of a number of indicators (KPIs, “key performance indicators”) which aim at evaluating the quality of financial information reported by the relevant managers of the Group companies. The tool is available to the different units which create information. KPIs are regularly reviewed by members of the different financial departments of companies, with the proposal, where appropriate, of corrective measures and specific action plans and the follow-up thereof.

3.2. Internal control policies and procedures for IT systems (including secure access, control of changes, system operation, continuity and segregation of functions) supporting the key process of the company regarding the drafting and publication of financial information.

The internal control framework of IT systems of the Group has been defined based upon a catalogue of IT processes (hereinafter, IT) which covers the whole activity associated with each system and a basic risks review associated with such processes. Thus, the internal control framework covers all the risks associated with each and every process.

The Group has an Ethical Hacking area, reporting to the IT Division, which aims at ensuring security of all computer processes by:

  • setting and circulating regulations to ensure security, pursuant to the Policy for Information Security (hereinafter, PSI (Spanish acronym)).
  • carrying out reviews aimed at verifying enforcement of such regulations.

The PSI serves as a benchmark which provides guidelines to be followed by the staff of the Inditex Group, for the purposes of ensuring computer security within all business processes; therefore, they also support the SCIIF. Guidelines provided in the Security Policy address the following issues:

  • Assets classification and control
  • Security versus human deeds
  • Physical security and security of the environment
  • Access control
  • Systems, Communications and Transactions Management
  • Systems Development and Update
  • Business Continuity Management
  • Management of Information Security Incidents
  • Regulatory and Legal Compliance.

Additionally, regarding the design and implementation of applications, the Group has defined a methodological framework with different requirements aimed at ensuring that the solution implemented actually meets the functions demanded by users and so that the quality level meets the security standards set out.

Likewise, the Group relies on contingency mechanisms and procedures, both technical and operational, which have been defined to ensure recovery of IT systems in case of lack of availability.

Finally, a Committee for Information Security was set up in 2014, to monitor and support Security initiatives, fostering the dissemination and awareness-raising of the area.

The following areas are represented in the Committee:

  • Administration and Finances
  • Internal Audit
  • Corporate Development
  • International
  • Legal
  • Corporate Logistics
  • Product Diversion Control
  • Human Resources
  • General Counsel’s Office
  • Corporate Security
  • IT

3.3. Internal control policies and procedures to oversee activities outsourced to third parties as well as the appraisal, calculation or assessment activities commissioned from independent experts, which may have any material impact on financial statements.

As a general rule, the INDITEX Group does not have any process with a relevant impact on financial information outsourced to any third party. The general policy of the Group lies in not outsourcing any activity which might have any material impact on its financial statements.

During FY2014, the following main activities entrusted to third parties have been identified, without their having any material impact on financial statements:

  • Valuation of real estate
  • Valuation of intangible assets
  • Actuarial calculations
  • HR-related services
  • Valuation of derivatives

Such services are engaged by the supervisors of the relevant areas, ensuring the technical and legal qualifications and capacity of the individuals or companies hired.