Internal Control Processes in Relation to Sustainability Reporting

ESRS 2 GOV-5

Topic-specific opportunities and risks (gross risks) are explained in the subchapters of the Sustainability Statement. The opportunities and risks relevant to our opportunity and risk management processes (net risks) are reported on in Opportunities and Risks.

Our internal control system (ICS) for sustainability reporting also covers the Nonfinancial Statement pursuant to section 315b of the German Commercial Code (HGB). The ICS was designed to reflect the COSO Internal Control – Integrated Framework (ICIF-2013) from the Committee of Sponsoring Organizations of the Treadway Commission (COSO). That document is an integral part of another framework published by COSO upon which our risk management system is based: Enterprise Risk Management – Integrated Framework (ERMIF-2004).

The main components of BASF’s internal control system for sustainability reporting are thus:

• Internal control environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring activities regarding the appropriateness and effectiveness of the internal control system

The components are reflected to varying degrees depending on the topic and the risk assigned to that topic.

We also apply the method used in financial reporting to monitor how Scope 1 and Scope 2 CO₂ emissions – which are among the most important key performance indicators used in managing the BASF Group – are recorded and reported, including with regard to the appropriateness and effectiveness of the performance indicators (for more information, see Opportunities and Risks Internal Control System).

Compared with the control system used in financial reporting, the control systems used in other areas of sustainability reporting have a lower degree of formalization. As a rule, they include organizational security precautions such as compliance with basic principles of transparency, dual control and segregation of duties as well as limited access to information based on the principle of necessity, deployment of sufficiently qualified employees and adequate IT systems. The design of the internal control system depends on the topic at hand and is the responsibility of the units involved in data collection, data preparation and reporting. The controls operate at both management and process level.

The responsible Corporate Center units monitor the appropriateness and effectiveness of the internal control systems designed for specific topics. To this end, the individual units choose different approaches depending on the subject area, such as evaluating questionnaires on the effectiveness of the internal control system, conducting sample tests to validate the implementation and effectiveness of internal controls or monitoring compliance-related key indicators.

The appropriateness and effectiveness of the financial reporting process are communicated to the Board of Executive Directors and the Audit Committee (as the responsible organ of the Supervisory Board) to inform them of any control deficiencies with respect to reporting on Scope 1 or Scope 2 CO₂ emissions.

This communication includes the control deficiencies identified with respect to other sustainability topics that we report on as well as the actions taken to compensate for or eliminate the deficiencies.

We have begun compiling a central risk register to enable risk to be accounted for consistently in the internal control systems of all relevant BASF Group entities and to ensure proper sustainability reporting. The register contains a list of generic risks that could arise from incorrect collection or preparation of the necessary information and reporting with regard to ESRS guidelines. The following risks are included:

• Incomplete or incorrect implementation of methods for performing the double materiality assessment as required by ESRS 1 paragraph 3 for the purpose of identifying, selecting and prioritizing the sustainability topics to be reported on
• Incorrect calculation of reporting boundaries under the ESRSs, which in the case of operational control may deviate from the reporting thresholds used in financial reporting as determined by concept of financial control
• Insufficient or untimely availability of data on the upstream or downstream value chain
• With respect to the collection and processing of information, the risk of the information being incomplete, inaccurate or invalid or being intentionally or unintentionally manipulated due to having allowed unrestricted access to information collection devices (such as measuring equipment) or IT systems
• General risk associated with operating and managing access to the IT systems used to prepare the Sustainability Statement
• Risk associated with failing to include in the Combined Management’s Report the qualitative data points required by ESRS for proper sustainability reporting as listed in ESRS 2, Appendix B.

If the materialization of risk cannot be avoided, the risks are addressed as part of the internal control system. In this context, the risk register serves as the basis for performing a systematic analysis of the existing internal control system with the aim of identifying potential gaps in the ICS for sustainability reporting and taking compensatory measures to hedge the risks until they can be eliminated. The units that collect or process the reporting data are responsible for designing and implementing the controls put in place to minimize risk.

We are currently developing a concept aimed at enabling uniform, systematic, Group-wide assessment of the appropriateness and effectiveness of the internal control system with respect to all sustainability topics on which we report. The concept is expected to be implemented gradually from 2025 onward.

Controls are also in place. Critical reviews are held at various management levels during the draft stage of preparing the BASF Report, including the Board of Executive Directors. In addition, BASF’s Sustainability Reporting and Controlling Committee acts as a central decision-maker with regard to financial and management accounting issues arising in relation to sustainability reporting. In 2024, the Corporate Audit unit of the Corporate Center additionally audited the implementation of ESRS guidelines in BASF’s reporting process.