247 BMW Group Report 2024 To Our Stakeholders Combined Management Report Group Financial Statements Responsibility Statement and Auditor’s Report Remuneration Report Other Information Internal Control System INTERNAL CONTROL SYSTEM 1 » The Internal Control System2 (ICS in the narrower sense) is part of the BMW Group’s overall system of internal governance and based on a set of measures and control activities that are inte- grated in processes and organisational structures. Its purpose is to ensure the accuracy of external financial and non-financial re- porting. The requirements for the design and structure of ICS procedures incorporated in accounting and financial reporting processes as well as those used to generate non-financial infor- mation are defined on a Group-wide basis. Non-financial infor- mation comprises information from sustainability reporting as well as other non-financial information. The BMW Group’s ICS for financial reporting has the task of en- suring that significant accounting and financial reporting pro- cesses are both accurate and reliable. The ICS for non-financial reporting focuses on the further development of data collection processes and reporting processes for non-financial perfor- mance indicators. As such, the ICS for non-financial reporting es- sentially covers the risks relating to sustainability reporting. Sus- tainability risks are reflected and managed in the BMW Group’s risk management. The ICS is based on the “three lines” model, including a clear def- inition of how the various functions are required to interact with one another in order to manage risks. As a component of the second line, the ICS serves as the link between the operating units (first line) and Corporate Audit (third line). An appropriate and effective ICS aims to safeguard external fi- nancial and non-financial reporting. The design of the BMW Group’s Internal Control System is based on internationally recognised standards such as the COSO model3. The principal features of the BMW Group’s ICS are a role-based approach embedded throughout the organisation, a clearly de- fined control environment that is underpinned by a combination of risk assessment procedures, control activities, information and communication, and monitoring activities. Standardised methods are used to safeguard the reporting pro- cesses for both the financial and non-financial ICS. On the basis of an end-to-end process analysis, all potential risks are identi- fied that essentially relate to the completeness and integrity of data, data availability or partially automated processes. Based on the classification of the risks identified, suitable control measures to mitigate risks are prioritised and developed. The controls, such as plausibility checks, validation and segregation of duties, are intended to have a preventive or detective effect depending on their appropriateness. They are specifically de- signed and purposefully anchored within the Group reporting process. The effectiveness and execution of the controls is en- sured by systematic control tests, among other things. In addi- tion, the ICS monitoring processes are supplemented by an in- dependent assessment of the ICS maturity level. Both the system itself and the methods applied are subject to continuous improvement, with system functionality being as- sessed on a regular basis. Notwithstanding the measures taken, every control system is subject to inherent limitations, given that it is not possible to prevent all incorrect disclosures or detect them in a timely manner. BMW Group working instructions and guidelines for recognising, measuring and allocating items to accounts as well as definitions of non-financial performance indicators are available to all em- ployees via the BMW Group’s intranet system. New reporting standards such as the European Sustainability Reporting Stand- ards (ESRS) are assessed for their potential impact on the BMW Group. ICS requirements such as the segregation of duties are already embedded in the IT systems that are relevant for accounting and financial reporting and are also taken into account in their further development. Furthermore, the BMW Group deploys IT or AI- supported data analysis tools to identify and subsequently elim- inate any weaknesses detected in its processes and/or control systems. Responsibilities for ensuring the appropriateness and effective- ness of ICS procedures for accounting and financial reporting processes as well as those relating to non-financial performance indicators are defined in a role-based model and allocated to the relevant line and process managers. They report annually on their assessment of the ICS for accounting processes and the processes for non-financial key figures. The assessment takes into account the results of internal and external audits as well as the results of continuous monitoring. The results are gathered and documented in a centralised IT system. Both the Board of Management and the Audit Committee are informed about the status of the ICS on an annual basis. The Board of Management and, where appropriate, the Supervisory Board are promptly in- formed in the event of significant changes to the ICS. « 1 Contains disclosures pursuant to ESRS 2 GOV-5. 2 Disclosures pursuant to § 289 and § 315 HGB as well as ESRS 2, paragraphs 34-36 and AR 11. 3 Committee of Sponsoring Organizations of the Treadway Commission.