Internal Control Processes in Relation to Sustainability Reporting

ESRS-Kennzeichnung:ESRS 2 GOV-5

Topic-specific opportunities and risks (gross risks) are explained in the subchapters of the (Consolidated) Sustainability Statement. The opportunities and risks relevant to our opportunity and risk management processes (net risks) are reported on in Opportunities and Risks.

Our internal control system (ICS) for sustainability reporting also covers the Nonfinancial Statement pursuant to section 315b of the German Commercial Code (HGB). The ICS was designed to reflect the COSO Internal Control – Integrated Framework (ICIF-2013) from the Committee of Sponsoring Organizations of the Treadway Commission (COSO). It is an integral part of another framework published by COSO upon which our risk management system is based: Enterprise Risk Management – Integrated Framework (ERMIF-2004).

The main components of BASF’s internal control system for sustainability reporting are thus:

• Internal control environment

• Risk evaluation

• Control activities

• Information and communication

• Monitoring activities regarding the appropriateness and effectiveness of the internal control system.

The components are reflected to varying degrees depending on the topic and the risk assigned to that topic.

We also apply the method used in financial reporting to monitor how Scope 1 and Scope 2 emissions – which are among the most important key performance indicators used in steering the BASF Group – are recorded and reported, including with regard to the appropriateness and effectiveness of these performance indicators (for more information, see Opportunities and Risks). Compared with the control system used in financial reporting, the control systems used in other areas of sustainability reporting have a lower degree of formalization. As a rule, they include organizational security precautions such as compliance with basic principles of transparency, dual control and segregation of duties as well as limited access to information based on the principle of necessity, deployment of sufficiently qualified employees and adequate IT systems. The design of the internal control system depends on the topic at hand and is the responsibility of the units involved in data collection, data preparation and reporting. The controls operate at both management and process level.

The responsible Corporate Center units monitor the appropriateness and effectiveness of the internal control systems designed for specific topics. To this end, the individual units choose different approaches depending on the topic, such as evaluating questionnaires on the effectiveness of the internal control system, conducting sample tests to validate the implementation and effectiveness of internal controls or monitoring compliance-related performance indicators. The appropriateness and effectiveness of the financial reporting control system are communicated to the Board of Executive Directors and the Audit Committee (as the responsible organ of the Supervisory Board) to inform them of any control deficiencies with respect to reporting on Scope 1 or Scope 2 emissions.

We have begun compiling a central risk catalog to enable risks to be accounted for consistently in the internal control systems of all relevant BASF Group entities and to ensure proper sustainability reporting. The catalog contains a list of generic risks that could arise from incorrect collection or preparation of the necessary information and reporting with regard to ESRS requirements. The following risks are included:

• Incomplete or incorrect implementation of methods for performing the double materiality assessment as required by ESRS 1, paragraph 3 for the purpose of identifying, selecting and prioritizing the sustainability topics to be reported on

• Incorrect determination of reporting boundaries under the ESRS, which in the case of operational control may deviate from the reporting thresholds used in financial reporting as determined by concept of financial control

• Insufficient or untimely availability of data on the upstream or downstream value chain

• With respect to the collection and processing of information, the risk of the information being incomplete, inaccurate or invalid or being unintentionally or intentionally manipulated due to having allowed unrestricted access to information collection devices (such as measuring equipment) or IT systems

• General risk associated with operating and managing access to the IT systems used to prepare the Sustainability Statement

• Risk associated with the presentation of information in the Combined Management’s Report regarding the lack of or incorrect consideration of the qualitative characteristics required by ESRS for proper sustainability reporting as listed in ESRS 1, Appendix B

If the materialization of risk cannot be avoided, the risks are addressed as part of the internal control system. In this context, the risk catalog serves as the basis for performing a systematic analysis of the existing internal control system with the aim of identifying potential gaps in the internal control system for sustainability reporting and taking compensatory measures to hedge the risks until they can be eliminated. The units that collect or process the reporting data are responsible for designing and implementing the controls put in place to minimize risk.

A concept aimed at enabling a Group-wide uniform, systematic assessment of the appropriateness and effectiveness of the internal control system with respect to all sustainability topics on which we report has been implemented step by step since the 2025 business year, starting at the level of the Corporate Center units.

In addition, controls are in place as part of critical reviews held at various management levels during the draft stage of preparing the BASF Report, including the Board of Executive Directors. Furthermore, BASF’s Sustainability Reporting Sounding Board is involved as a central decision-making body for issues arising in relation to sustainability reporting and controlling.