Hermès // 2021 Universal Registration Document

4

RISK FACTORS AND MANAGEMENT RISK MANAGEMENT, INTERNAL CONTROL AND INTERNAL AUDIT

Audit plan

There are several types of audits including: audit of distribution subsidiaries including the audit of stores; s audit of production sites and métiers ; s audit of support departments for upstream or downstream flows; s special audits conducted with the help of external firms, in particular s on information systems; support for affiliates in the setting up of the internal control system. s Upon completion of the audits, reports are prepared detailing the audit findings and risks identified, and recommending solutions to remedy them. Proper implementation of the recommendations is verified during follow-up audits. The audit reports are sent to the managers of the audited subsidiaries or departments and to Group Management. Since 2020, the audit and risk management department uses an analysis tool for accounting entries in its audits. This tool improves the relevance of certain tests undertaken, by facilitating the identification of atypical transactions. In addition, a data analysis tool using artificial intelligence algorithms was introduced in 2021. Initially developed for internal control officers, it enables continuous control of in-store operations. It allows the automatic identification, using 29 indicators, of any non-compliance with Group procedures. This tool is also used by the audit and risk management department for the selection of tests performed during audits.

The auditors work on the basis of an annual audit plan, validated by the Executive Management and the Audit and Risk Committee, which is adapted every six months, if necessary. An overall analysis of risks, in particular financial, operational and compliance risks, feeds into the audit plan. This is also supplemented by proposals from the Executive Committee and by audit follow-ups. It must allow a regular review of all Group entities and processes, with a frequency appropriate to the magnitude of the risks and the relative weight of each entity. The audit and risk management department also carries out support assignments for the internal control roll-out within newly acquired entities. For specialised audits, it may use external service providers and data analysis tools, particularly in the context of fraud prevention. In addition, it regularly performs integrated audits with the Group’s experts: IT security, safety, compliance, insurance, etc. In connection with the lockdowns that persisted in 2021 and borders that remained closed, audits in subsidiaries continued to be carried out remotely. The 2021 audit plan has been adapted to the current context, notably with an increase in e-commerce audits and remote sales as well as increased security audits of the IT environment. Most of the IT audits have been entrusted to a firm that has the dual advantage of expertise and geographical location, making it possible to carry out face-to-face interviews.

356 2021 UNIVERSAL REGISTRATION DOCUMENT HERMÈS INTERNATIONAL