2.1. Main features of the risk identification process

The risk identification process has been documented in the “Procedure for Enterprise Risks Management in respect of Financial Information”. This process seeks to describe the mechanisms to identify and assess, on an annual basis, the risks which may lead to material mistakes in financial reporting

The above referred risks management process is based upon five stages:

1. Gathering financial information
2. Identification of the operation cycles with an impact on financial information
3. Assessment or risks by the reporting unit of financial statements
4. Prioritization of accounts criticality
5. Checking risks versus operational cycles

As a result of such process, a scoping matrix of risks regarding financial information (Scoping Matrix of SCIIF) is updated on an annual basis. This Scoping Matrix allows identifying the material headings of financial statements, assertions or goals of financial information in respect of which any risks may exist, and the prioritization of operational processes which have an impact on financial information.

The assessment process covers all the goals of financial information: (i) existence and occurrence; (ii) integrity; (iii) assessment; (iv) release and breakdown; (v) rights and obligations.

Further to the identification of potential risks, they are assessed on an annual basis based upon the management’s information and understanding of the business and upon materiality criteria.

Assessment criteria are established (i) from a quantitative perspective in accordance with such parameters as: turnover, size of assets and pre-tax profit and (ii) from a qualitative perspective in accordance with different issues such as transactions standardizing and processes automation, composition, changes versus the previous year, complexity of accounting, likelihood of fraud or error or degree of use of estimates in book recording.

The Group relies on a Corporate Master of Companies wherein all the companies which are part of the Inditex Group are included. Such master is managed and updated in accordance with the “Procedure for the Incorporation and Financing of Companies”.

Recorded in such master are on the one hand, general information about companies, such as company name, accounting closing date and currency and on the other, legal details such as the date of incorporation, share capital, list of shareholders, stake percentage, and other relevant information. The Legal Department is responsible for updating the master as regards legal information.

The External Reporting area, which reports to the Planning and Management Control Department determines on monthly basis the number of the companies which make up the Consolidation Perimeter as well as the consolidation methods which apply to each of the companies included in the above referred perimeter.

In addition to the above referred quantitative and qualitative factors, the process for the assessment of financial information risks considers the main risks identified through the general Map of Critical Risks of the INDITEX Group.

Potential risks identified through the Scoping Matrix of SCIIF are taken into account upon preparing the Map of Critical Risks, which is updated on an annual basis by the Enterprise Risks Management Department (reporting to the DGF) with the assistance of all the involved areas of the organization. Thus, the Group may consider the impact that the remaining risks regarding Business Environment, Reputation, Regulatory Risks, Human Resources, Operations, Financial, Information for the decision-making, Technology and IT Systems and Corporate Governance may have on financial statements.

The whole process is overseen and approved on a yearly basis by the Audit and Control Committee.