GOV-5 Risk Management and Internal Controls Over Sustainability Reporting

[ESRS-2-GOV-5.36a] Over the years, OMV has developed an effective internal control system (ICS) that encompasses all major end-to-end processes to ensure the integrity and reliability of both our financial and sustainability reporting. The ICS is grounded in a four-lines-of-defense model. Operational management forms the first line of defense by owning and managing risks. The second line includes the Risk Management, Corporate ICS, and Compliance functions that oversee and monitor these practices. Our Internal Audit function serves as the third line of defense, providing independent assurance on the effectiveness of risk management and internal controls. Additionally, OMV views external auditors as a fourth line of defense, ensuring close alignment with ICS-related topics. This approach ensures that risk management and internal control responsibilities are clearly defined and distributed across the organization to maintain the integrity and accuracy of sustainability data and to mitigate any risks that may be related to our sustainability reporting process. OMV’s sustainability reporting process is defined and owned by Group Sustainability. It is evaluated on an annual basis and, if there have been any changes, the process is updated. The process is subject to both internal and external audits to ensure that it is effective. Additionally, in alignment with the evolving regulatory landscape, OMV has recently established internal controls specifically designed for EU Taxonomy-compliant reporting.

[ESRS-2-GOV-5.36b] Our risk management and internal control processes are designed to identify, assess, and mitigate risks that could affect our financial and sustainability reporting. We perform annual risk assessments to pinpoint potential risks of material misstatements based on criteria such as materiality, process complexity, and likelihood of errors. OMV’s internal control framework encompasses policies, procedures, and controls that are reviewed annually and updated to address emerging risks and comply with regulatory requirements. Adhering to the principles in the Enterprise-Wide Risk Management (EWRM) process, sustainability risks are prioritized based on their potential impact on regulatory compliance, our strategic objectives, and stakeholder expectations. OMV’s sustainability reporting process will be reassessed in 2026 to make all the necessary updates based on the requirements outlined in the ESRS.

[ESRS-2-GOV-5.36c] Potential risks related to the sustainability reporting process include the misstatement of quantitative data, incompleteness of data, and untimely delivery of data. To mitigate these risks, several controls are implemented. Data validation controls are put in place to ensure accuracy through automated checks and manual reviews. Data completeness controls are implemented via comprehensive data collection procedures and regular audits to ensure all necessary data is captured. Timeliness controls are established by setting strict reporting timelines and monitoring adherence to deadlines. The implementation of additional controls for sustainability reporting is in its early stages and will be gradually developed to include comprehensive internal controls to effectively address current and emerging risks.

[ESRS-2-GOV-5.36d] OMV’s ICS continuously reassesses such risks through regular reviews, conducted every three years for all end-to-end processes within its scope, including the sustainability reporting process. However, if a major change occurs during this period, an ad hoc review is conducted and the three-year cycle restarts from that point. Internal controls are embedded into these processes to ensure comprehensive risk management. When a new risk emerges, it is assessed by the relevant function and, if deemed significant, an internal control is designed and integrated into the Company’s internal control system.

[ESRS-2-GOV-5.36e] OMV’s ICS is based on the COSO framework, which ensures effective controls, the identification of deficiencies and remediation, continuous improvement, and regulatory compliance. OMV has established a process for spot-checking internal controls and an annual internal review. The outcomes of these reviews are reported to top management and the Audit Committee. If issues are identified, remediation actions are implemented and monitored, with their status reported regularly, coinciding with the frequency of Audit Committee meetings, which occur at least four times a year. There is a slot in the Audit Committee meetings dedicated to the ICS to present updates and urgent queries, if needed, thereby ensuring continuous improvement.
