Information and communication
One component of the internal control system is that of
“Information and Communication”. It ensures that all
the information needed to achieve the objectives set for
the internal control system is made available to those
responsible
in an appropriate and timely manner. The
requirements relating to the provision of information
relevant for financial reporting at the level of BMW AG,
other consolidated Group entities and the BMW Group
are primarily
set out in organisational manuals, in guidelines
covering internal and external financial reporting
issues, in accounting manuals and through training.
These instructions, which can be accessed at all levels
via the BMW Group’s intranet system, provide the framework
for ensuring that the relevant rules are applied
consistently throughout the Group. The quality and
relevance of these instructions are ensured by regular
review as well as by continuous communication between
the relevant departments.
Organisational measures
All financial reporting processes (including Group financial
reporting processes) are structured in organisational
terms in accordance with the principle of segregation
of duties. These structures allow errors to be identified at
an early stage and prevent potential wrongdoing. Regular
comparison of internal forecasts and external financial
reports improves the quality of financial reporting. The
internal audit department serves as a process-independent
function, testing and assessing the effectiveness
of the internal control system and proposing improvements
when appropriate.
Controls
Extensive controls are carried out by management in all
financial reporting processes at an individual entity and
Group level, thus ensuring that legal requirements and
internal guidelines are complied with and that all business
transactions are properly executed. Controls are
also carried out with the aid of IT applications, thus reducing
the incidence of process risks.
IT authorisations
All IT applications used in financial reporting processes
throughout the BMW Group are subject to access restrictions,
allowing only authorised persons to gain access
to systems and data in a controlled environment. Access
authorisations are allocated on the basis of the nature
of the duties to be performed. In addition, IT processes
are designed and authorisations allocated using the dual
control principle, as a result of which, for instance, requests
cannot be submitted and approved by the same
person.
Internal control training for employees
All employees are appropriately trained to carry out
their duties and kept informed of any changes in regulations
or processes that affect them. Managers and
staff also have access to detailed best-practice descriptions
relating to risks and controls in the various processes,
thus increasing risk awareness at all levels.
As a consequence, the internal control system can be
evaluated
regularly and further improved as necessary.
Employees
can, at any time and independently, deepen
their understanding of control methods and design
using
an information platform that is accessible throughout
the entire Group.
Evaluating the effectiveness of the internal
control system
Responsibilities for ensuring the effectiveness of the
internal
control system in relation to individual entity
and Group financial reporting processes are clearly defined
and allocated to the relevant managers and process
owners. The BMW Group assesses the design and
effectiveness of the internal control system on the basis
of internal review procedures (e. g. management self-audits,
internal
audit findings). Continuous revision
and further development of the internal control system
ensure its continued effectiveness. Group entities are
required to confirm regularly as part of their reporting
duties that the internal control system is functioning
properly. Effective measures are implemented whenever
weaknesses are identified and reported.