Annual Report 2024

Risk Management and internal controls over Sustainability Reporting

The aim of the Volkswagen Group’s risk management system (RMS) and standardized internal control system (ICS) is to identify potential risks at an early stage so that suitable countermeasures can be taken to avert the threat of loss to the company, and any risks that might jeopardize its continued existence can be ruled out. In recent years, the standardized ICS was developed to better protect against process risks and was introduced in key companies. In 26 catalogs of controls, the Group companies within its scope are presented with requirements in respect of the process risks and control objectives to be covered in order to protect the value chain in a standardized manner. In addition to financial reporting issues, they address matters such as process risks in development or production, as well as in the areas of compliance and sustainability. A risk-driven review of the companies to be included in the standardized ICS is performed annually. The catalogs of controls are checked at regular intervals to verify that they are up to date and are regularly expanded.

To meet the sustainability reporting requirements and to safeguard the associated reporting process, material risks along the reporting process were identified in a risk analysis in the reporting year and mitigating internal controls were implemented in the standardized ICS using a catalog of controls for the sustainability reporting process.

In this context, the components of the reporting process – from ensuring that the scope is complete and correct, through the materiality assessment and the opportunities, risks, and impacts identified, to the completeness and accuracy of the presentation in the external reporting – were identified as risks and included in full in the catalog of controls as process risks to be covered.

A risk-oriented policy was created to address the risk of incorrect calculation, recording or processing of datapoints. This takes into account aspects such as the complexity of the data generation. Depending on their risk classification, the datapoints are either included in the central approach of the standardized ICS or documented decentrally.

The standardized ICS covers the regular review of the material risks identified along the reporting process, the associated controls, the identification of potential control weaknesses and their rectification, and the corresponding reporting. Reports are submitted each quarter to the Group Board of Management and the Audit Committee of the Supervisory Board regarding the degree to which rectification work has been completed on the control weaknesses identified. Further information on the risk management approach can be found under “Procedure for and results of the double materiality assessment