Hermès // 2022 UNIVERSAL REGISTRATION DOCUMENT

4

RISK FACTORS AND MANAGEMENT RISK MANAGEMENT, INTERNAL CONTROL AND INTERNAL AUDIT

Audit plan The auditors work on the basis of an annual audit plan, validated by the Executive Management and the Audit and Risk Committee, which is adapted every six months, if necessary. An overall analysis of risks, in particular financial, operational and compliance risks, feeds into the audit plan. The Executive Committee’s proposals and audit follow‑ups complete it. It must allow a regular review of all Group entities and processes, with a frequency appropriate to the magnitude of the risks and the relative weight of each entity. The audit and risk management department also carries out support assignments for the internal control roll‑out within newly acquired entities. For specialised audits, it may use external service providers and data analysis tools, particularly in the context of fraud prevention. In addition, it regularly performs integrated audits with the Group’s experts: IT security, safety, compliance, insurance, etc. The 2022 audit plan has been adapted to the current context, notably with the continuation of e‑commerce audits and remote sales as well as increased security audits of the IT environment. In the field of cybersecurity, and more broadly the IT control environment, most audits are entrusted to external expert firms. In addition, since the end of 2021, the audit and risk management department has been carrying out specific audits of communications expenditure with the support of external firms.

There are several types of audits including:

Upon completion of the audits, reports are prepared detailing the audit findings and risks identified, and recommending solutions to remedy them. Proper implementation of the recommendations is verified during follow‑up audits. The audit reports are sent to the managers of the audited subsidiaries or departments and to Group Management. Since 2020, the audit and risk management department uses an analysis tool for accounting entries in its audits. This tool improves the relevance of certain tests undertaken, by facilitating the identification of atypical transactions. Moreover, since 2021, the Group has had a tool for analysing in‑store transactions based on 29 indicators that can continuously highlight any non‑compliance with Group procedures. Initially developed for internal controllers, this tool is also used by the audit and risk management department to perform in‑store tests on the most sensitive sales transactions and stock movements. More broadly, this tool is also a means of fighting corruption and money laundering in the exclusive stores. Collective and individual training sessions against fraud, for Chief Financial Officers and internal control officers, were organised by the data, innovation and method optimisation project manager of the audit and risk management department. audit of support departments for upstream or downstream flows; s special audits conducted with the help of external firms, in particular on information systems; s support for affiliates in the setting up of the internal control system. s audit of distribution subsidiaries including the audit of stores; s audit of production sites and métiers ; s

2022 UNIVERSAL REGISTRATION DOCUMENT HERMÈS INTERNATIONAL

394