OMV has developed a robust internal control system over the years, which encompasses all major end-to-end processes to ensure the integrity and reliability of both our financial and sustainability reporting. Our commitment to maintaining high standards of governance and transparency is reflected in our active implementation of a four lines of defense model. Operational management forms the first line of defense by owning and managing risks. The second line includes the Risk Management, Corporate ICS, and Compliance functions that oversee and monitor these practices. Our Internal Audit function serves as the third line of defense, providing independent assurance on the effectiveness of risk management and internal controls. Additionally, OMV views external auditors as a fourth line of defense, ensuring close alignment with ICS-related topics. This approach ensures that risk management and internal control responsibilities are clearly defined and distributed across the organization to maintain the integrity and accuracy of sustainability data and to mitigate any risks that may be related to our sustainability reporting process.
OMV’s sustainability reporting process is defined and owned by Group Sustainability. It is evaluated on an annual basis and if there have been any changes, the process is updated. The process is subject to both internal and external audits to ensure that it is effective. Additionally, in alignment with the evolving regulatory landscape, OMV has recently established internal controls specifically designed for EU Taxonomy compliant reporting. These controls ensure that our sustainability activities and disclosures meet the stringent requirements set forth by the EU, thereby enhancing the credibility and transparency of our sustainability reporting.
Our risk management and internal control processes are designed to identify, assess, and mitigate risks that could affect our financial and sustainability reporting. We perform annual risk assessments to pinpoint potential risks of material misstatements based on criteria such as materiality, process complexity, and likelihood of errors. OMV’s internal control framework encompasses policies, procedures, and controls that are reviewed annually and updated to address emerging risks and comply with regulatory requirements. Adhering to the principles in the Enterprise-Wide Risk Management (EWRM) process, risks related to sustainability reporting are prioritized based on their potential impact on regulatory compliance, our strategic objectives, and stakeholder expectations. OMV’s sustainability reporting process will be reassessed in 2025 to make all the necessary updates related to the requirements outlined in the ESRS. This will also include a process on the materiality assessment. Additional internal controls to meet the minimum ESRS disclosure requirements will be implemented gradually. The initial focus is on implementing robust internal controls for quantitative data related to greenhouse gas (GHG) emissions, health, safety, security, and environment (HSSE), own workforce, human rights, and sustainable procurement. This phased approach allows us to build a solid foundation for comprehensive and accurate sustainability reporting.
Potential risks related to the sustainability reporting process include the misstatement of quantitative data, incompleteness of data, and untimely delivery of data. To mitigate these risks, several controls are implemented. Data validation controls are put in place to ensure accuracy through automated checks and manual reviews. Data completeness controls are implemented via comprehensive data collection procedures and regular audits to ensure all necessary data is captured. Timeliness controls are established by setting strict reporting timelines and monitoring adherence to deadlines. The implementation of additional controls for sustainability reporting is in its early stages and will be gradually developed to include comprehensive internal controls to effectively address current and emerging risks. OMV’s robust internal control system (ICS) continuously reassesses risks through regular reviews, conducted every three years for all end-to-end processes within its scope, including the sustainability reporting process. However, if a major change occurs during this period, an ad hoc review is conducted, and the three-year cycle restarts from that point. Internal controls are embedded into these processes to ensure comprehensive risk management. When a new risk emerges, it is assessed by the relevant function and, if deemed significant, an internal control is designed and integrated into the Company’s internal control system.
OMV’s ICS is based on the COSO framework, which ensures effective controls, the identification of deficiencies and remediation, continuous improvement, and regulatory compliance. OMV has established a process for spot-checking internal controls and an annual internal review. The outcomes of these reviews are reported to top management and the Audit Committee. If issues are identified, remediation actions are implemented and monitored, with their status reported regularly, coinciding with the frequency of Audit Committee meetings, which occur at least four times a year. For ICS, there is a dedicated slot in the Audit Committee meetings for updates and urgent queries if needed, ensuring continuous improvement. OMV’s Internal Audit reviews the Group Sustainability processes, ensuring the completeness, accuracy, and quality of GHG accounting and confirming that Scope 1, 2, and 3 emissions are correctly reported in alignment with international standards. This thorough audit maintains high standards of transparency and accountability in sustainability reporting. The Audit Committee oversees the internal control environment, ensuring controls are effective and aligned with strategic objectives. Additionally, external assurance on financial and sustainability data further enhances the reliability of OMV’s reporting.