Internal control and risks management systems with regard to financial reporting

This chapter addresses the mechanisms which comprise the internal control and risks management systems (ICFR) with regard to the financial reporting of the company



The description of the duties of the bodies responsible for (i) the existence and maintenance of an appropriate and effective ICFR; (ii) its implementation, and (iii) its supervision, is provided below:

1.1.1. Board of Directors

Except for such issues whose transaction is reserved to the General Meeting of Shareholders, the Board of Directors is the highest decision-making, supervisory and monitoring body of the Company, being ultimately responsible for the existence and update of an appropriate and effective ICFR.

The Board of Directors is entrusted with the management and representation of the Group, delegating in general the management of the day-to-day business of INDITEX to the executive bodies and the management team and focusing on the general supervisory function, which includes guiding the policy of the Group, monitoring the management activity, assessing officers’ management, making the most relevant decisions for the Group and liaising with the shareholders.

1.1.2. Audit and Control Committee

Pursuant to the provisions of the Articles of Association, the Board of Director’s Regulations and the Audit and Control Committee’s Regulations, and as part of its financial and monitoring duties, it is incumbent on the Audit and Control Committee to oversee the process for preparing and releasing the regulated financial information, and to monitor the effectiveness of the ICFR. In this respect, the Committee discharges, inter alia, the following duties:

  • Overseeing the effectiveness of the internal control system of the Company, the internal audit, and the risks management system, including tax risks, and to discuss with the auditor the significant weaknesses of the internal control system revealed in the course of the audit.
  • With regard to the powers regarding the process to prepare the regulated financial information:
    • Overseeing the process of preparation and submission and the integrity of the regulated financial information relating to the Company and its Group, ensuring that the half-yearly financial reports and the quarterly management statements are drafted in accordance with the same accounting standards as the annual financial reports, and overseeing the review of the interim financial statements requested from the financial auditor, with the scope and frequency that may be defined, as the case may be.
    • Reviewing compliance with the legal requirements, the appropriate delimitation of the consolidation perimeter and the correct application of the generally accepted accounting principles and international financial reporting standards as may be applicable.
    • Advising the Board of Directors on any significant change of accounting standard and on the significant risks of the balance sheet and off-balance sheet.
  • With regard to the internal control and risk management policy:
    • Overseeing the control and risk management function.
    • Regularly reviewing the internal control and risks management policy, including tax risks.
    • Ensuring that the internal control and risks management policy contains at least:
      1. The different types of risk (including without limitation, operational, technological, financial, legal, reputational and tax related) that the Group is faced with, including among such financial or economic risk, contingent liabilities and other off-balance sheet risks;
      2. The determination of the level of risk that the Company deems acceptable;
      3. The measures planned to reduce the impact of the identified risks, should they materialize; and,
      4. The information and internal control systems that will be used to monitor and manage the aforementioned risks, including contingent liabilities and other off-balance sheet risks.
    • Reviewing the information about the risks that the Group is faced with, and about the risk control systems, that must be included in the Annual Corporate Governance Report, the management report attached to the annual accounts and the interim financial statements and in any other information instruments of the Group;
    • Evaluating any question regarding non-financial risks (including without limitation operational, technological, legal, social, environmental, political and reputational) that the control policy and the risks management systems must contain;

Most members of the Audit and Control Committee are independent directors. The Committee meets on a quarterly basis and each time it is called by its Chair. In FY2016, the Audit and Control Committee has met 6 times.

1.1.3. Financial Division

The Dirección General de Finanzas [Financial Division] is responsible for the design, roll-out and update of an appropriate ICFR, as provided in the Procedure for Enterprise Risk Management in respect of Financial Information. Such procedure is part of the Enterprise Risk Management System of the Group and it covers exclusively those risks which affect the financial information.

The Financial Division sets out and circulates the policies, guidelines and procedures, associated with financial information production and is charged with ensuring the appropriate enforcement thereof within the Group.

1.1.4. Internal Audit

Internal Audit is overseen by the Audit and Control Committee to which it reports. It is charged, inter alia, with supporting the Committee in supervising the internal control of financial information systems, by performing specific audits about ICFR, requesting action plans to correct or reduce any weaknesses revealed and following-up on the implementation of the proposed recommendations.

Internal Audit relies on an Internal Audit Chart, approved by the Audit and Control Committee, which regulates the mission, authority and responsibilities of such function pursuant to both domestic and international regulations and standards for the professional practice of internal auditing.

Likewise, Internal Audit has been awarded the certificate of compliance with the “International Standards for the Professional Practice of Internal Auditing” by the Instituto de Auditores Internos, a member of the IIA (Institute of Internal Auditors).


Additionally, with regard to the process for drawing up the financial information, a number of departments and/or mechanisms are charged with (i) designing and reviewing the organizational structure; (ii) clearly defining the lines of responsibility and authority with an appropriate allocation of duties and functions; and, (iii) ensuring the existence of the required procedures for the appropriate circulation within the company.

The design and review of the organizational structure and of the lines of responsibility and authority within the Group falls on the Board of Directors. The departments charged with drawing up the financial information are to be found within such structure.

The Nomination Committee, which is composed of a majority of independent directors is charged with providing and reviewing the criteria to be followed in the recruitment of the senior executives of the Group.

It is incumbent on such Committee, inter alia, to issue a report on any appointment and/or removal of senior executives of the Group proposed to the Board of Directors by the chief executive pursuant to the provisions of section 16.2 (g) of the Board of Directors’ Regulations.

Senior executives and the Human Resources Department (hereinafter DRRHH, (Spanish acronym)) are charged with describing duties and responsibilities of each area. Additionally, the Compensation Department, reporting to the DRRHH regularly assesses the classification, description and duties of each position. Such duties are disclosed to each of the affected areas.

For the purposes of preparing financial information, the Group has clearly defined authority and responsibility lines. The main responsibility in preparing financial information falls with the Financial Division

The structure, size and definition of duties and tasks of each position within the financial area are defined by the Financial Division and disclosed by the DRRHH.

To carry out its activity, the Financial Division is organized in the following departments:

  • Administration Department
  • Planning and Management Control Department
  • Financial Management Department
  • Enterprise Risks Management Department
  • Processes and Projects Department
  • Tax Department

The Group relies on financial organization structures that meet local requirements in each country where it operates, headed by a Chief Financial Officer who is charged, among other things with following the procedures which are part of the ICFR.

Code of Conduct

The Board of Directors approved in the meeting held on 17 July 2012, following a favorable report of the Audit and Control Committee, the Code of Conduct and Responsible Practices of the Inditex Group (which replaces both the Internal Guidelines for Responsible Practices of the Inditex Group’s Personnel and the Code of Conduct) and the Code of Conduct for Manufacturers and Suppliers (which replaces the Code of Conduct for External Manufacturers and Workshops).

Therefore, the Group’s internal conduct policies are covered in the following codes:

  • The Code of Conduct and Responsible Practices.
  • The Code of Conduct for Manufacturers and Suppliers.
  • The Internal Regulations of Conduct regarding Transactions in Securities.

The Code of Conduct and Responsible Practices provides the action lines which must be followed by the Group in the performance of its professional duties.

Its goal consists of exacting an ethical and responsible professional conduct from INDITEX and its entire workforce in the conduct of their business anywhere in the world, as a gist of its corporate culture upon which the training and the personal and professional career of its employees is based. For such purposes, the principles and values which shall govern the relationship between the Group and its stakeholders (employees, customers, shareholders, business partners, suppliers and the societies where its business model is implemented)are defined.

The Code of Conduct and Responsible Practices is based upon a number of general principles, inter alia, that according to which the Inditex Group shall carry out all its transactions under an ethical and responsible perspective; all persons, whether natural or legal, who maintain, directly or indirectly, any kind of professional, economic, social or industrial relationships with the Inditex Group shall be treated in a fair and honourable manner and that according to which, all the activities of Inditex shall be carried out in the manner that most respects the environment, promoting biodiversity preservation and sustainable management of natural resources.

One of the standards of conduct covered in the Code of Conduct and Responsible Practices is the “Obligation to Record Transactions”, addressed in section 4.13 thereof, according to which:

“Any and all transactions carried out by the Company which may have an economic impact shall be clearly and accurately shown on the appropriate records of accounts, as a true representation of the transactions carried out, and they shall be made available to the internal and external auditors.

Inditex’s employees shall enter the financial information on the company’s systems in a full, clear and accurate manner, so that they would show, as at the relevant date, their rights and obligations in accordance with the applicable regulations. Additionally, the accuracy and integrity of the financial information which, under the prevailing regulations in force shall be disclosed to the market shall be ensured.

Inditex undertakes to implement and maintain an appropriate internal control system on financial reporting, ensuring the regular supervision of the effectiveness of such system.

Accounting records shall be at all times made available to the internal and external auditors. For such purposes, Inditex undertakes to provide its employees with the necessary training for them to understand and comply with the commitments undertaken by the company regarding the internal control on financial information.”

A Committee of Ethics has been set up to ensure compliance with the Code of Conduct and Responsible Practices. Such Committee of Ethics is composed of:

  • The General Counsel and Code Compliance Officer, who chairs it.
  • The Chief Audit Officer.
  • The Chief Sustainability Officer.
  • The Chief Human Resources Officer.

The Committee of Ethics may act ex officio or at the behest of any of Inditex’s employees, manufacturers, suppliers or any third party involved in a direct relationship and with a lawful commercial or professional interest, further to a report made in good faith.

The Committee of Ethics reports to the Board of Directors through the Audit and Control Committee and has the following duties:

  • To supervise compliance with the Code and the internal circulation thereof to the Group’s s personnel.
  • To receive any manner of written instruments with regard to the enforcement of the Code and to send them, where appropriate, to the relevant body or Department which may be responsible for processing and issuing a resolution regarding such instrument.
  • To monitor and supervise the management and settlement of any case.
  • To solve any doubts which may arise, regarding the enforcement of the Code.
  • To propose to the Board of Directors, after report from the Audit and Control Committee, any explanation or implementation rule which the enforcement of the Code may require, and at least, an annual report to review its enforcement.
  • To oversee the Whistle Blowing Channel and compliance with the Procedure.
  • In the performance of its duties, the Committee of Ethics shall ensure:
  • The confidentiality of all the information and background and of the acts and deeds performed, unless the disclosure of information is required by law or by any court order.
  • The thorough review of any information or document that triggered its action.
  • The commencement of such proceedings that adjust to the circumstances, where it shall always act with independence and full respect of the right of the affected person to be heard as well as of the presumption of innocence.
  • The indemnity of any complainant as a result of bringing complaints in good faith to the Committee.

Decisions of the Committee of Ethics shall be binding for the Inditex Group and for its employees.

The Committee of Ethics submits a report to the Audit and Control Committee at least twice a year, reviewing its proceedings and the enforcement of the Code of Conduct and Responsible Practices.

Additionally, the Audit and Control Committee reports to the Board of Directors, on an annual basis as well as whenever this latter so requires, on the enforcement of the Code of Conduct and Responsible Practices and of the additional documents which comprise the model of compliance with internal regulations, from time to time in force.

Code of Conduct for Manufacturers and Suppliers

The Code of Conduct for Manufacturers and Suppliers defines minimum standards of ethical and responsible behaviour which must be met by the manufacturers and suppliers of the products commercialized by Inditex in the course of its business, in line with the corporate culture of the Inditex Group, firmly based on the respect for human and labour rights.

The Code applies to all manufacturers and suppliers involved in the processes for procuring, manufacturing and finishing the products that the Group commercializes and it is based upon the general principles that define Inditex’s ethical behavior, i.e.: all Inditex’s operations shall be carried out under an ethical and responsible perspective; all persons, individuals or entities, who maintain, directly or indirectly, any kind of employment, economic, social and/or industrial relationship with Inditex, are treated in a fair and honourable manner; all Inditex’s activities are carried out in a manner that most respects the environment; all manufacturers and suppliers (production centers that are not the property of Inditex) fully adhere to these commitments and undertake to ensure that the standards which are set forth in the Code of Conduct for Manufacturers and Suppliers are met.

Manufacturers of goods commercialized by Inditex are bound to comply with this Code of Conduct for Manufacturers and Suppliers and with the Code of Conduct and Responsible Practices, insomuch as they apply to them. Likewise, the remaining suppliers of goods and services of the Group shall enforce both Codes insomuch as they apply to them.


Moreover, the Board of Directors approved on 19 July 2016 the Internal Regulations of Conduct regarding Transactions in Securities of Inditex and its corporate group, within the European regulatory framework against market abuse, comprising the Market Abuse Regulation (Regulation (EU) No 596/2014 of the European Parliament and of the Council, of 16 April 2014) and Directive 2014/57/EU of the European Parliament and of the Council of 16 April 2014 on criminal sanctions for market abuse, which seeks to reinforce market integrity and establish mechanisms for a streamlined implementation and supervision within the different Member States of the European Union.

By approving the IRC, Inditex Inditex follows the latest regulatory developments which apply to such persons who, given their position, duties or office, have (or may have) access to Inside Information of the Inditex Group (hereinafter, the “Affected Persons”) and their Related Persons, as well as to the proceedings of Affected Persons and their Related Persons related to the stock exchanges. All the transactions in Inditex shares carried out by Affected Persons and their Related Persons are subject to the IRC.

All the procedures related to Personal Transactions regarding Affected Securities and Instruments (Inditex shares) are kept in the new IRC. As was previously the case, Affected Persons must:

  • Request from the Code Compliance Office (hereinafter, the “CCO”) prior authorization for any transactions in Inditex shares, where the actual amount thereof is equal to or in excess of €60,000. Regardless of the economic value of the transaction, notify such transaction to the CCO within the first 15 days of the month immediately after the one during which it was carried out.
  • Request authorization, where appropriate and disclose as provided in the two previous paragraphs, such transactions in Inditex shares carried out by their Related Persons.
  • Refrain from carrying out any transaction in Inditex’s shares during close periods. As customary, and to help compliance with this obligation, the Code Compliance Office will give Affected Persons written notice of both the beginning and the end of such close periods.
  • Compliance with the IRC is mandatory for all the persons included in its scope of application and any noncompliance may be reported in a confidential manner to the Committee of Ethics, pursuant to the provisions of the Whistle Blowing Channel Procedure of the Inditex Group.

In this respect, noncompliance with the IRC may give rise to the relevant disciplinary sanctions, as the case may be; to civil, criminal and/or administrative liability, and to the obligation to compensate any damages incurred, where appropriate.

Finally, there is a Code Compliance Supervisory Board which reports directly to the Audit and Control Committee of the Board of Directors. Such Supervisory Board is composed of:

Por último, existe un Comité de Cumplimiento Normativo, que depende directamente de la Comisión de Auditoría y Control y está compuesto por:

  • The Executive Chairman
  • The General Counsel
  • The Director of the Capital Markets Department, and
  • The Chief Human Resources Officer.

Such Supervisory Board is mainly responsible for developing procedures and implementing regulations to enforce the IRC. Likewise, a Code Compliance Office exists within the Code Compliance Supervisory Board. The General Counsel of the Inditex Group is the Code Compliance Officer. The Code Compliance Office is charged, inter alia, with enforcing the conduct policies of stock exchanges and the rules and procedures of the IRC on directors, officers, employees and any other person to which the IRC applies.

The proceedings of the companies which are part of the Group and of all the individuals with access to information which may be deemed to be relevant information, and namely to financial information, shall comply with the following principles: regulatory compliance, transparency, collaboration, information, confidentiality and neutrality. Both the Code Compliance Supervisory Board and the Code Compliance Office shall ensure that the above referred principles are observed.

With regard to the dissemination of the above referred regulations, it is incumbent on the Human Resources Department of the Group to circulate a copy of the Code of Conduct and Responsible Practices to any new employees upon their joining the organization.

Likewise, an updated version of such regulations is available on the corporate website and on INET; they are subject to the appropriate measures regarding disclosure, training and awareness-raising, so that they may be understood and implemented within the whole organization. Additionally, the Code of Conduct and Responsible Practices is also available at the stores’ TGT in most countries.

With regard to the IRC, the Code Compliance Office keeps a General Documentary Register of all Affected Persons. The Code Compliance Office is bound to inform Affected Persons that they are subject to the provisions of the IRC as well as of any breaches and penalties which may arise, where appropriate, from an inappropriate use of reserved information.

Likewise, the Code Compliance Office shall inform the Affected Persons that they have been included in the General Documentary Register and about any other issues addressed by Ley Orgánica 15/1999, of 13 December on Personal Data Protection.

Whistle Blowing Channel

A Whistle Blowing Channel is available to all employees of the Group, manufacturers, suppliers or third parties with any direct relationship and a lawful business or professional interest, regardless of their tier or geographical or functional location, so that they may report through this Whistle Blowing Channel any breach of the Group’s internal conduct and regulatory compliance policies by any employees, manufacturers, suppliers or third parties with whom the Group has any direct employment, business or professional relationship and which affect Inditex or its Group.

Therefore, any breach and/or any manner of malpractice in respect of any codes may be reported, including those of a financial and accounting nature.

It is incumbent on the Committee of Ethics to oversee the Whistle Blowing Channel and the enforcement of the Whistle Blowing Channel Procedure.

The proceedings of such Channel are implemented in the Whistle Blowing Channel Procedure approved by the Board of Directors on 17 July 2012. Such document is available on the INET.

Reports of noncompliance and/or queries regarding the construction or enforcement of internal conduct and regulatory compliance policies may be sent to the Company by post, for the attention of the Committee of Ethics (to Avenida de la Diputación, Edificio INDITEX, 15142 Arteixo, A Coruña (Spain)); by e-mail (to:, or by fax (+34 981186211). The confidentiality of such reports or queries is ensured.

Upon receiving any report, the Committee of Ethics verifies first whether it falls within the remit of the Whistle Blowing Channel. If so, the Committee of Ethics will refer such report to the relevant department so that it would make the appropriate investigations. Otherwise, the Committee of Ethics will order closure of proceedings.

In light of the findings reached following the investigation, the relevant department or department shall, having heard first the interested party, propose any of the following measures to the Committee of Ethics which will have final say:

  • Remedy of the breach, if appropriate,
  • Proposal of penalties or relevant courses of action
  • Closure of proceedings, where no breach has been detected.

Training and refresher courses

The Training and Career Development area of the Group, which reports to the DRRHH, is charged with preparing, together with each of the areas reporting to the Financial Division, training and refresher courses for the different staff members involved in the preparation and supervision of the financial information of each and every company within the Group. Such schemes include, both general courses, focusing on business expertise and knowledge of the different departments which make up the company, and specific schemes aimed at training and refreshing employees in respect of new regulatory changes in the matter of preparation and supervision of financial information.

(a) General Induction

Aimed at gaining internal knowledge of each business unit, as well as of each department and of the respective activities, functions and duties within the business.

Under this scheme, employees begin by working at the stores, getting directly acquainted with the whole process of running a store. Then, they spend time at the different corporate departments at headquarters and their training is completed at any of the subsidiaries of the Group abroad.

(b) Specific training

Group employees involved in procedures associated with the preparation of financial information regularly receive training and refresher courses that seek to provide knowledge about local and international standards governing financial information, as well as about the existing regulations and best practices in the area of internal control.

Within the financial environment, such training and refresher schemes are organized by the DRRHH, liaising with each of the areas within the Financial Division.

Training courses are provided on an annual basis for all new supervisors of financial areas in each country, in order to train them in respect of the management model of the INDITEX Group, as well as in the internal control on financial information system implemented by the Group.

Additionally, supplementary courses are taught by internal staff on the operation of financial software tools used in the preparation of financial information.

With regard to specialized training proceedings carried out by employees from the different departments of Financial Division during FY2016, the following stand out, among others:

  • International Cash & Treasury Management
  • Accounting regulations on derivatives and hedging
  • Corporate Fraud and Cyber Risks
  • COSO Framework 21013



The risk identification process has been documented in the “Procedure for Enterprise Risks Management in respect of Financial Information”. This process seeks to describe the mechanisms to identify and assess, on an annual basis, the risks which may lead to material mistakes in financial reporting.

The above referred risks management process is based upon five stages:

  1. Gathering financial information.
  2. Identification of the operation cycles with an impact on financial information.
  3. Assessment of risks by the reporting unit of financial statements.
  4. Prioritization of accounts criticality.
  5. Checking risks versus operational cycles.

As a result of such process, a scoping matrix of risks regarding financial information (Scoping Matrix of ICFR) is updated on an annual basis. This Scoping Matrix allows identifying the material headings of financial statements, assertions or goals of financial information in respect of which any risks may exist, and the prioritization of operational processes which have an impact on financial information.

The assessment process covers all the goals of financial information: (i) existence and occurrence; (ii) integrity; (iii) assessment; (iv) release and breakdown; (v) rights and obligations.

Further to the identification of potential risks, they are assessed on an annual basis based upon the management’s information and understanding of the business and upon materiality criteria.

Assessment criteria are established (i) from a quantitative perspective in accordance with such parameters as: turnover, size of assets and pre-tax profit and (ii) from a qualitative perspective in accordance with different issues such as transactions standardizing and processes automation, composition, changes versus the previous year, complexity of accounting, likelihood of fraud or error or degree of use of estimates in book recording.

The Group relies on a Corporate Master of Companies wherein all the companies which are part of the Inditex Group are included. Such Master is at the basis of the consolidation perimeter and is managed and updated in accordance with the Procedure for the Incorporation and Financing of Companies.

Recorded in such Master are on the one hand, general information about companies, such as company name, accounting closing date and currency and on the other, legal details such as the date of incorporation, share capital, list of shareholders, shareholding, and other relevant information. The Legal Department is responsible for updating the Master as regards legal information.

The External Reporting area, which reports to the Planning and Management Control Department, reviews and updates on a monthly basis the number of companies which make up the Consolidation Perimeter as well as the consolidation methods which apply to each of the companies included in the above referred perimeter.

In addition to the above referred quantitative and qualitative factors, the main risks identified through the Risks Map of the Inditex Group are considered in the process for the assessment of financial information risks.

Potential risks identified through the Scoping Matrix of ICFR are taken into account upon preparing the Risks Map of the Group, which is updated on an annual basis by the Enterprise Risks Management Department (reporting to the Financial Division) with the assistance of all the involved areas of the organization. Thus, the Group may consider the impact that the remaining risks classified within the following groups: Business Environment, Reputation, Regulatory Risks, Human Resources, Operations, Financial, Information for the decision-making, Technology and IT Systems and Corporate Governance, may have on financial statements.

The whole process is overseen and approved on a yearly basis by the Audit and Control Committee.



Likewise, the above referred Regulations provide that the Audit and Control Committee will meet on a quarterly basis to review the periodic financial information to be submitted to the Stock Exchanges authorities and the information that the Board of Directors must approve and add to its annual public documentation.

The Group relies on review mechanisms of the financial information. Each of the organizational structures shall be responsible for reviewing the periodic financial information reported. Analytical reviews of the financial information reported by such structures are carried out at financial level. Prior to stating the annual accounts and approving the half-yearly financial statements, the Financial Division and the external auditors meet, for the purposes of reviewing and assessing the financial information.

El Grupo tiene mecanismos de revisión de la información financiera. Cada una de las estructuras organizativas es responsable de revisar la información financiera reportada. A nivel financiero corporativo se realizan revisiones analíticas de la información financiera reportada por dichas estructuras. Con anterioridad a la formulación de las cuentas anuales y a la aprobación de los estados financieros semestrales, la Dirección General de Finanzas y los auditores externos se reúnen, a los efectos de analizar y evaluar la información financiera.

The Audit and Control Committee submits this information to the Board of Directors which is responsible for approving it, in order to be subsequently disclosed to the market.

The Group keeps duly documented all processes which, in its view, entail a risk of a material impact on the preparation of the financial information, through the relevant procedures.

Such procedures describe the controls which allow giving an appropriate response to risks associated with the achievement of the objectives related with reliability and integrity of the financial information so as to prevent, detect, reduce and correct the risk of any potential mistakes way in advance. Such procedures and controls are covered in the SAP GRC Process Control tool.

Additionally, such processes are represented in flow charts and scoping risks and controls matrixes whereby the relevant control activities are identified. Each control activity is overseen by the relevant supervisor and is systematically carried out. Circulation of procedures, flow charts and matrixes to staff members involved in the preparation of the financial information is carried out through the specific Financial Division portal of the Group available on the Group’s INET, where they are available to any member of the financial team. Such portal represents an additional work tool.

Each procedure is allocated to a supervisor charged with its review and update. Said updates are duly reviewed and authorized by the management of the area prior to their disclosure.

With regard to the accounting closing, the Financial Division issues the instructions together with the calendar and contents of the financial reporting for each of the local financial structures to prepare the consolidated financial statements.

Additionally, this procedure includes a section on “Provisions, Opinions and Estimates” regarding the specific identification of the relevant consolidated opinions, estimates, assessments and projection, as well as the review and approval thereof by the Financial Division.


The internal control framework of IT systems of the Group seeks to set up controls over the main business processes, which are closely related to Information Technologies (hereinafter, “IT”).

Based upon the relationship between business processes and associated systems, a basic review of risks is carried out, allowing the company to prioritize and focus on such environments which are especially relevant for IT.

The Group has an IT Security area, reporting to the IT Division, which seeks to ensure security of all computer processes by:

  1. Setting and circulating regulations to ensure security, pursuant to the Policy for Information Security (hereinafter, the “PSI” (Spanish acronym)).
  2. Carrying out reviews and setting up controls aimed at verifying enforcement of such regulations.

The PSI and its implementing regulations serve as the benchmark which provides guidelines to the staff of the Inditex Group, for the purposes of ensuring information security within all business processes; therefore, they also support the ICFR. Guidelines provided in the Policy for Information Security address the following issues:

  • Assets classification and control
  • Security vis-à-vis human deeds
  • Physical security and security of the environment
  • Accesses control
  • Systems, Communications and Transactions Management
  • Systems Development and Update
  • Business Continuity Management
  • Management of Information Security Incidences
  • Regulatory and Legal Compliance.

Additionally, regarding the design and implementation of applications, the Group has defined a methodological framework with different requirements aimed at ensuring that the solution implemented actually meets the functions demanded by users and so that the quality level meets the security standards set out.

Likewise, the Group relies on contingency mechanisms and procedures, both technical and operational, which have been defined to ensure recovery of IT systems in case of lack of availability.

During FY2016, the Committee for Information Security has held quarterly meetings. Such body is charged with ensuring within the organization support to any and all initiatives about information security. Members of the following areas serve on such Committee:

  • Administration and Finances
  • Internal Audit
  • Corporate Development
  • International
  • Legal
  • Corporate Logistics
  • Product Diversion Control
  • Human Resources
  • General Counsel’s Office
  • Corporate Security
  • IT


During FY2016, a number of activities, such as valuation of fixed assets, valuation of intangible assets, actuarial calculations, HHRR-related services or valuation of derivatives, were outsourced to third parties. They did not have any material impact on financial statements:

Such services are commissioned by the supervisors of the relevant areas, ensuring the technical and legal qualifications, capacity and independence of the individuals or companies hired.


The External Reporting area, within the Planning and Management Control Department, is responsible for drafting, publishing, implementing and updating the Manual of Accounting Policies of the Group. Such area has, among others, the following duties associated with the Group’s accounting policies:

  • Defining the accounting treatment of the transactions which make up the business of the Group.
  • Defining and updating the accounting practices of the Group.
  • Addressing doubts and queries arising from the construction of accounting standards.
  • Standardizing the accounting practices of the Group.

Such manual covers the different transactions inherent in the Groups’ business and their accounting treatment in accordance with the benchmark accounting framework of the Inditex Group.

The manual is regularly updated. During such updating procedure, the External Reporting area includes all accounting changes identified which were advanced to those in charge of drafting the financial statements.

The manual and the remaining documentation are available on the INET.

The process for consolidation and preparation of consolidated financial statements is centralized, falling on the External Reporting area which reports to the Planning and Management Control Department.

Preparation of the consolidated financial information begins with the addition of individual financial statements of each company included in the consolidation perimeter, to be subsequently consolidated based upon the accounting regulations of the Group. The entire addition and consolidation process is based upon SAP BPC tool.

Financial information reported to CNMV is drafted based upon consolidated financial statements gathered through the above referred tool, and based upon certain supplementary information reported by the subsidiaries, required to prepare the annual/half-year report. Contemporaneously, certain specific controls are exerted to confirm integrity of such information.



In particular, regarding the supervision activities about ICFR, the Audit and Control Committee has carried out during the year, the following proceedings, without limitation:

  • It has reviewed the consolidated annual accounts of the Group and the periodic quarterly and half-yearly financial information that the Board of Directors has to provide to the markets and its supervisory bodies, overseeing compliance with the legal requirements and the appropriate application of the generally accepted accounting standards upon drafting such information.
  • As part of its supervision duties regarding the Internal Audit Department, it has approved its annual activities report, as well as its budget and the annual internal audit plan.
  • It has reviewed the annual audit plan of external auditors that includes the audit objectives based upon the evaluation of risks of financial information and the main areas of interests or significant transactions subject to review during the year.
  • It has reviewed with the external auditors and with Internal Audit the internal control weaknesses revealed, where appropriate, in the course of the different audit and review assignments. Meanwhile, both external auditors and Internal Audit have regularly advised the Audit and Control Committee on the degree of enforcement of recommendations resulting from such assignments.
  • It has kept regular meetings with other corporate departments of the INDITEX Group for the purposes of overseeing the effectiveness of internal control systems of the Group, including ICFR, verifying their suitability and integrity and the degree of implementation of action plans to meet audit recommendations.

Internal Audit is a corporate function included in the current organizational structure by means of a direct link to the Board of Directors, which ensures a full independence in the performance of its activities. Internal Audit functionally reports to the Audit and Control Committee.

The area is centrally managed from headquarters and it relies on representatives at such geographical areas where the presence of the Inditex Group justifies such existence. Additionally, it is divided into specialized areas, which allows gathering deeper knowledge on risks and processes.

Internal Audit’s budget is approved on an annual basis by the Audit and Control Committee which provides for the human and material resources, both internal and external of the Internal Audit area.

Among the goals of the Internal Audit function are the assessment of risk exposure and the suitability and effectiveness of controls vis-à-vis risks identified and namely, those regarding reliability and integrity of financial and operational information.

Based upon ICFR Scoping Matrix of risks, Internal Audit drafts a pluri- annual plan for the regular review of ICFR of the Group which is submitted to the Audit and Control Committee for approval every year.

Such pluri-annual plan entails reviews of ICFR for the significant processes and t elements regarding the financial statements of the Group. Review priority is set in accordance with the risks identified. Such plan is implemented through annual planning which determines the scope of the annual ICFR reviews. The suitability of such plan is reviewed every year, further to the update of the process to identify and assess financial information risks.

Namely, the design and effective operation of key transactional controls and general controls on the main software tools involved in the preparation of the financial information, is subject to review, as well as the review of the general control environment.

Additionally, this review is supplemented with the implementation and review of key risk indicators (KRI) defined by Internal Audit in respect of the most critical risks areas; such KRI have been designed to detect and reduce likelihood of risks and mistakes, including those of financial nature and fraud. Such key risk indicators are centrally implemented for the different business units and geographical areas included in the audit plan.

To carry out its activities, Internal Audit relies on different audit techniques, mainly interviews, analytical reviews, specific control tests, reviewing both the effectiveness of design and the effective operation thereof, review of the effectiveness of software tools and material tests.

Likewise, Internal Audit carries out certain limited procedures of analytical review on consolidated financial statements for the first and third quarter of the year on consolidated information.

Results of the assignments, together with the corrective measures recommended, where appropriate, are reported to the Financial Division and the Audit and Control Committee. The implementation of such measures is subsequently followed up by Internal Audit and reported to the Audit and Control Committee.


Internal Audit regularly discloses to the Financial Division and the Audit and Control Committee the internal control weaknesses identified in the reviews carried out, as well as the follow-up on the action plans set out to settle or reduce them.

In turn, the external auditors regularly meet with the Financial Division and Internal Audit, both to gather information and to disclose any potential control weaknesses which may have been revealed, where appropriate, in the course of their work.

During its meetings, the Audit and Control considers the potential weaknesses in control which might have an impact on financial statements, requesting, where appropriate, from the affected areas, the necessary information to assess any effects on the financial statements.

Section 45.5 of the Board of Directors’ Regulations provides that: “The Board of Directors shall endeavour to draft the final accounts in such a manner that they do not give rise to qualifications on the part of the auditor. Nonetheless, when the Board of Directors considers that it must maintain its criterion, it shall publicly explain the contents and scope of the discrepancy.”

To meet the provisions laid down in the above referred section 45.5, any discussion or different view existing is advanced in the meetings held between the Audit and Control Committee and the external auditors. Meanwhile, external auditors report, where appropriate, about the main issues that need to be improved regarding internal control identified as a result of their work. Additionally, the Management reports on the degree of implementation of the relevant action plans set in train to correct or reduce the issues identified.

On the other hand, the Audit and Control Committee meets with the auditors of the individual and consolidated statements for the purposes of reviewing on the one hand the financial statements of the Group and on the other, certain half-yearly periodic financial information that the Board of Directors must provide to the market and its supervisory bodies, overseeing compliance with legal requirements and the appropriate enforcement of generally accepted accounting standards upon preparing such information.

During FY2016, members of the Internal Audit Department have attended all 6 meetings of the Audit and Control Committee, and the external auditors four meetings.


The Group’s Management has decided to submit the information about ICFR of the Annual Corporate Governance Report for FY2016 prepared by the Company’s Management, to the external auditors for review.

Arteixo (A Coruña), April 2017.