2. Risks assessment in financial reporting

Information on at least:

2.1. Main features of the risk identification process, including error and fraud risks, with respect to:

• Whether the process exists and is documented

Within the Group, the process to identify risks has been documented in the “Procedure for Enterprise Risks Management in respect of Financial Information” prepared by the DGF and Internal Audit. This process helps identify and assess, on an annual basis, the risks which may lead to material mistakes in financial reporting.

• Whether the process covers all the goals of financial information (existence and occurrence; integrity; assessment; submission, breakdown and comparison; rights and obligations); whether the information is updated and how often

The above-referred risks management process is based upon five stages:

  • Gathering financial information
  • Identification of the operation cycles with an impact on financial information
  • Assessment or risks of the reporting of financial statements unit
  • Prioritization of accounts criticality
  • Checking risks versus operational cycles

As a result of such process, a scoping matrix of risks regarding financial information (Scoping Matrix of SCIIF) is updated on an annual basis. This Scoping Matrix allows identifying the material headings of financial statements, assertions or goals of financial information in respect of which any risks may exist, and the prioritization of operational processes which have an impact on financial information.

The assessment process covers all the goals of financial information: (i) existence and occurrence; (ii) integrity; (iii) assessment; (iv) presentation and breakdown; (v) rights and obligations.

Further to the identification of potential risks, they are assessed on an annual basis based upon the management’s information and understanding of the business and upon materiality criteria.

Assessment criteria are established (i) from a quantitative perspective in accordance with such parameters as: turnover, size of assets and pre-tax profit and (ii) from a qualitative perspective in accordance with different issues such as transactions standardizing and processes automation, composition, changes versus the previous year, complexity of accounting, likelihood of fraud or error or degree of use of estimates in book recording.

• The existence of a process to identify the consolidation perimeter taking into account, inter alia, the potential existence of complex corporate structures or special purposes vehicles

The Group relies on a Corporate Master of Companies wherein all the companies which are part of the Inditex Group are included. Such master is managed and updated in accordance with the “Procedure for the Incorporation and Financing of Companies”.

Recorded in such master are on the one hand, general information about companies, such as company name, accounting closing date and currency and on the other, legal details such as the date of incorporation, share capital, list of shareholders, stake percentage, and other relevant information. The Legal Department is responsible for updating the master as regards legal information.

The External Reporting area, which reports to the Planning and Management Control Department determines on a monthly basis the number of the companies which make up the Consolidation Perimeter as well as the consolidation methods which apply to each of the companies included in the above-referred perimeter.

• Whether the process takes into account the effects of other types of risks (operational, technological, financial, legal, reputational, environmental, etc.,), to the extent that they might have an impact on financial statements

The process for the assessment of financial information risks includes in addition to the above-referred quantitative and qualitative factors, the main risks identified through the general risk map of the INDITEX Group.

Potential risks identified through the Scoping Matrix of financial information are added to the Risks Map of the Group. Such Map is regularly updated by the Enterprise Risks Management Department (reporting to the DGF) with the assistance of all the involved areas of the organization. Thus, the Group may consider the impact that the remaining risks regarding Business Environment, Reputation, Regulatory risks, Human Resources, Operations, Financial, Technology and IT Systems, Environmental, Governance and Management may have on financial statements.

• Which governing body of the company is charged with overseeing the process

The whole process is overseen and approved on a yearly basis by the Audit and Control Committee.