Risk management and internal control system

STRUCTURE OF THE RISK MANAGEMENT SYSTEM AND INTERNAL CONTROL SYSTEM AT VOLKSWAGEN

The organizational design of the Volkswagen Group’s RMS/ICS is based on the internationally recognized COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework for enterprise risk management. Volkswagen has chosen a holistic, integrated approach that combines a risk management system, an internal control system and a compliance management system in a single management strategy (governance, risk and compliance strategy). Structuring the RMS/ICS in accordance with the COSO framework for enterprise risk management ensures that potential risks are covered in full; opportunities are not captured.

In addition to fulfilling legal requirements, particularly with regard to the financial reporting process, this approach enables us to manage significant risks to the Group holistically, i.e. by incorporating both tangible and intangible criteria.

Another key element of the RMS/ICS at Volkswagen is the three lines of defence model, a basic element required, among others, by the European Confederation of Institutes of Internal Auditing (ECIIA). In line with this model, the Volkswagen Group’s RMS/ICS has three lines of defence that protect the Company from significant risks occurring.

No significant changes were made to the RMS/ICS compared with the previous year.

THE THREE LINES OF DEFENCE MODEL

First line of defence: operational risk management

The primary line of defence comprises the operational risk management and internal control systems at the individual Group companies and units. The RMS/ICS is an integral part of the Volkswagen Group’s structure and workflows. Events that may give rise to risk are identified and assessed locally in the divisions and at the investees. Countermeasures are introduced immediately, their effects are assessed and the information is incorporated into the planning in a timely manner. The results of the operational risk management process are incorporated into budget planning and financial control on an ongoing basis. The targets agreed in the budget planning rounds are continually reviewed in revolving planning updates.

At the same time, the results of risk mitigation measures that have already been taken are incorporated into the monthly forecasts on further business development in a timely manner. This means that the Board of Management has access to an overall picture of the current risk situation via the documented reporting channels during the year as well.

The minimum requirements for the operational risk management and internal control system are set out for the entire Group in uniform guidelines. These also include a process for the timely reporting of material risks.

Second line of defence: capturing systemic risks using the standard Governance, Risk and Compliance process

In addition to the units’ ongoing operational risk management, the Group Governance, Risk and Compliance (GRC) department each

year sends standardized surveys on the risk situation and the effectiveness of the RMS/ICS to the material Group companies and units worldwide (standard GRC process). This feedback is used to update the overall picture of the potential risk situation and assess the effectiveness of the system.

Each material systemic risk is assessed using the expected likelihood of occurrence and various risk criteria (financial and nonfinancial). In addition, the risk management and control measures taken are documented at management level. This means that risks are assessed in the context of any risk management measures, i.e. in a net analysis. In addition to strategic, operational and reporting risks, risks arising from potential compliance violations are also integrated into this process. Moreover, the effectiveness of key risk management and control measures is tested and any weaknesses identified in the process are reported and rectified.

All Group companies and units selected from among the entities in the consolidated Group on the basis of materiality and risk criteria – including Ducati Motor Holding S.p.A., which was consolidated in 2012 – were subject to the standard GRC process in fiscal year 2013. Only the Scania, MAN and Porsche brands were excluded.

The Scania brand, which has been consolidated since July 22, 2008, has not yet been included in the Volkswagen Group’s risk management system due to various provisions of Swedish company law. According to Scania’s Corporate Governance Report, risk management and risk assessment are integral parts of corporate management. Risk areas are evaluated there by the Controlling department and reflected in the financial reporting.

MAN SE and Dr. lng. h.c. F. Porsche AG had already implemented their own central processes for capturing risks at the time they were consolidated and are included in the Volkswagen Group’s annual reporting.

ANNUAL STANDARD GOVERNANCE, RISK AND COMPLIANCE PROCESS

Third line of defence: checks by Group Internal Audit

Group Internal Audit helps the Board of Management to monitor the various divisions and corporate units within the Group. It regularly checks the risk early warning system and the structure and implementation of the RMS/ICS as part of its independent audit procedures.

RISK EARLY WARNING SYSTEM IN LINE WITH THE KONTRAG

The Company’s risk situation is ascertained, assessed and documented in accordance with the requirements of the Gesetz zur Kontrolle und Transparenz im Unternehmensbereich (KonTraG – German Act on Control and Transparency in Business). The requirements for a risk early warning system are met through the elements of the RMS/ICS described above (first and second lines of defence). Separately, the auditors check the processes and procedures implemented for this as well as the adequacy of the documentation on an annual basis. The plausibility and adequacy of the risk reports are examined on a test basis in detailed interviews

with the divisions and companies concerned that also involve the auditors. The auditors assessed our risk early warning system based on this volume of data and established that the risks identified were presented and communicated accurately. The risk early warning system therefore meets the requirements of the KonTraG.

In addition, the Financial Services Division is subject to scheduled inspections as part of the audit of the annual financial statements and unscheduled inspections within the meaning of section 44 of the Kreditwesengesetz (KWG – German Banking Act) by Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin – the German Federal Financial Supervisory Authority), as well as inspections by the Prüfungsverband deutscher Banken (Auditing Association of German Banks).

Monitoring the effectiveness of the risk management system and the internal control system

The RMS/ICS is regularly optimized as part of our continuous monitoring and improvement processes. In the process, equal consideration is given to both internal and external requirements – such as the provisions of the Bilanzrechtsmodernisierungsgesetz (BilMoG – German Accounting Law Modernization Act). External appraisers assist in the continuous enhancement of our RMS/ICS on a case-by-case basis. The objective of the monitoring and improvements is to ensure the effectiveness of the RMS/ICS. The results culminate in both regular and event-driven reporting to the Board of Management and Supervisory Board of Volkswagen AG.

THE RISK MANAGEMENT AND INTEGRATED INTERNAL CONTROL SYSTEM IN THE CONTEXT OF THE FINANCIAL REPORTING PROCESS

The accounting-related part of the RMS/ICS that is relevant for the financial statements of Volkswagen AG and the Volkswagen Group comprises measures that are intended to ensure the complete, accurate and timely transmission of the information required for the preparation of the financial statements of Volkswagen AG, the consolidated financial statements and the combined Group management report. These measures are designed to minimize the risk of material misstatement in the accounts and in the external reporting.

Main features of the risk management and integrated internal control system relevant for the financial reporting process

The Volkswagen Group’s accounting is organized along decentralized lines. For the most part, accounting duties are performed by the consolidated companies themselves or entrusted to the Group’s shared service centers. The audited financial statements of Volkswagen AG and its subsidiaries prepared in accordance with IFRSs and the Volkswagen IFRS accounting manual and reported on by the auditors are transmitted to the Group in encrypted form. A standard market product is used for encryption.

The Volkswagen IFRS accounting manual, which is prepared using external expert opinions in certain cases, ensures the application of uniform accounting policies based on the requirements applicable to the parent. In particular, it includes more detailed guidance on the application of legal requirements and industry-specific issues. Components of the reporting packages required to be prepared by the Group companies are also set out in detail there and requirements established regarding the presentation and settlement of intragroup transactions and the balance reconciliation process that builds on this.

Control activities at Group level include analyzing and, if necessary, adjusting the data reported in the financial statements presented by the subsidiaries, taking into account the reports submitted by the auditors and the outcome of the meetings on the financial statements with representatives of the individual companies. These discussions address both the reasonableness of the single-entity financial statements and specific significant issues at the subsidiaries. Alongside reasonableness reviews, control mechanisms applied during the preparation of the single-entity and consolidated financial statements of Volkswagen AG include the clear delineation of areas of responsibility and the application of the dual control principle.

The Group management report is prepared – in accordance with the applicable requirements and regulations – centrally but with the involvement of and in consultation with the Group units and companies.

In addition, the accounting-related internal control system is independently reviewed by Group Internal Audit in Germany and abroad.

Integrated consolidation and planning system

The Volkswagen consolidation and corporate management system (VoKUs) enables the Volkswagen Group to consolidate and analyze both Financial Reporting’s backward-looking data and Controlling’s budget data. VoKUs offers centralized master data management, uniform reporting, an authorization concept and maximum flexibility with regard to changes to the legal environment, providing a future-proof technical platform that benefits Group Financial Reporting and Group Controlling in equal measure. To verify data consistency, VoKUs has a multi-level validation system that primarily checks content plausibility between the balance sheet, the income statement and the notes.