2022 ANNUAL REPORT
THE AUDIT COMMITTEE’S ASSESSMENTS OF THE OPERATION OF THE INTERNAL AUDIT, INTERNAL CONTROL AND COMPLIANCE, AND RISK MANAGEMENT SYSTEMS

The activities of internal audit, internal control, compliance and risk management in our Bank are carried out by the Supervisory Board, Directorate of the Internal Control and Compliance Department and Directorate of the Risk Management Department within the Internal Systems Group under the Audit Committee.

The organization, which is established to include all units, branches and subsidiaries subject to auditing, has the following aims:

Functioning of Internal Audit

The Supervisory Board audits whether the operations carried out by all of the Bank’s units, local branches, the international branch and subsidiaries are in accordance with the law and other relevant legislation and with the Bank’s strategies, policies, principles and objectives, and audits the effectiveness and adequacy of the internal control and risk management systems, within the framework of a risk-based audit approach.

In line with the BRSA’s Regulation on Internal Systems and Internal Capital Adequacy Assessment Process of Banks, the Regulation on Audit of Bank Information Systems and Banking Processes to be Performed by Independent Audit Organizations, the Regulation on Information Systems and Electronic Banking Services of Banks, the Communiqué on Compliance with the Principles and Standards of Interest-Free Banking, especially the Law on Banking, and other relevant external legislative provisions and the Bank’s in-house regulations, the Bank’s activities, transaction steps and work processes, which constitute the primary and secondary processes, were evaluated by the Board of Auditors in terms of accuracy, effectiveness and efficiency.

Activities of the Board of Inspectors in 2022 are presented below:

When the 2022 internal audit plan was determined, the risk-based audit and internal audit plan provisions of the BRSA’s Regulation of Internal Systems and Internal Capital Adequacy Assessment Process were observed. When the Board of Inspectors assessed the risks the Bank is exposed to in its operations and the controls related to those risks, information and data were obtained from the departments at Headquarters and managers’ opinions were considered. Based on these data and opinions, a risk assessment report and a risk matrix were created. Consequently, the departments, branches, business processes, information systems and other audit activities to be included in the scope of the internal audit plan were determined.

Audits of branches, work processes, information systems, Head Office departments, external/support service firms and others included in the internal audit plan were completed.

Internal audit activities conducted in accordance with the “internal audit reports” provisions of the BRSA’s Regulation of Internal Systems and Internal Capital Adequacy Assessment Process, and the results of those activities, were included in quarterly activity reports.

Review/investigation activities which, due to their nature, were not included in the audit plan were conducted by the Board of Inspectors in detail when the cases subject to review/investigation were detected by or reported to the Board of Inspectors. The resulting reports were sent to the Head Office departments or related institutions.

Management Representation for 2022, which is prepared to give assurance on effectiveness, adequacy and compatibility of controls over information systems and work processes, included reports on work process audits, information systems audits and external/support service companies’ audits.

During the audits conducted by the Board of Inspectors, compliance audits for interest-free banking principles and standards were performed as well. Results of these audits and actions taken as a result of outcomes were taken to the agenda of the two meetings of the Audit Committee and the Advisory Committee.

Suspicious transactions which are caught in basic scenarios created within the scope of central audit activities are reviewed. Central audit activities will continue in 2023 with an increased number and variety of scenarios.

The Internet-based audit program used at some of the subsidiaries within Ziraat Finance Group remains in active use, and its development continues.

The Supervisory Board closely monitored the changes stipulated by the legislative regulations, the decisions of the Banking Regulation and Supervision Agency and the Central Bank of Türkiye, the Bank’s Senior Management and the Headquarters units, and regularly revised the audit points.

In June, 7 assistant inspectors started working after they passed the entrance exam. They attended the Banking and Finance graduate program at Ankara University within T.C. Ziraat Bankası Banking School and they successfully completed the program. Regular onsite and external trainings were held to increase our current staff’s level of knowledge. Our inspectors who work on information systems audit attended trainings organized by Turkish Institute of Standards and TÜBİTAK BİLGEM for compliance with Presidential Digital Transformation Office Information and Communication Security Guidance and audit trainings.

Moreover, our inspectors who attended the Compliance with Interest-free Banking Principles and Standards and Audit certification program organized by TKKB completed the exam at the end of the training and received their certificates.

With its activities, the value it generates and its recommendations, the Audit Board aims to contribute positively to the decision making processes of the Bank’s Senior Management.

Functioning of Internal Control and Compliance System

Internal Control and Compliance Directorate operations were determined based on the Bank’s strategy, objectives and policies as well as national and international legislation in terms of the following:

Branches and Central Control, Head Office Control, Information Systems Control, Participation Banking Control and Compliance, AML/CFT Compliance.

In addition to this, a proactive structure is adopted to provide compliance with changing strategy, risk perception and conditions on a timely basis.

The purpose of Internal Control activities is to ensure the protection of the Bank’s assets, effective and efficient conduct of the operations, unity and reliability of the accountancy and reporting system and timely access to the information.

The Internal Control system was designed to cover the Head Office Units, domestic branches, foreign branches and the subsidiaries subject to consolidation, as per the provision of Article 9, paragraph 3 of the “Regulation on Internal Systems and Internal Capital Adequacy Assessment Process of Banks”, which states that the “Internal Control system is designed to cover the domestic and foreign branches, headquarter units, the subsidiaries subject to consolidation and all activities of the bank”.

The branch control activities are carried out remotely, on-site and from the center within the framework of the control programs prepared according to the opening dates of new branches, most recent reporting dates and periodical risk situations of current branches. In order to increase the risk and control awareness during the internal control activities of the branch and to prevent the losses arising from operational risks, the branch personnel were continuously informed.

Central control activities contributed to the internal control culture across the Bank, to the establishment and development of the internal control system, and to the prevention and reduction of risks through early action and the continuous monitoring function. In 2023, the Bank will continue to develop central control processes for proactive, effective and more efficient internal control activities.

In order to make control activities in branches more effective and efficient, they are performed over a web-based Control Module. Thanks to the Control Module, the Bank contributed to compliance of the Bank’s operations with external legislation and competitive conditions.

Control activities conducted at the Head Office departments are determined based on regulations and other related legislation, bank policies, rules and banking practices, functions of units, risks, their impacts on the Bank’s balance sheet and job descriptions.

At Ziraat Participation, internal control activities were carried out on the following topics: functional segregation of duties; division of responsibilities; establishment of the accountancy and reporting system, the information system and the Bank’s internal communication channels in a manner that they will operate effectively; the creation of work flow charts in which the controls on the Bank’s work processes and work steps are indicated.

R&D studies are conducted in order to carry out technology-focused, central, and real-time internal control activities, and to help the relevant business units take rapid action against common shortcomings.

In 2022, Recommendation Reports continued to be prepared for the improvement of processes regarding the operations carried out in the Bank and the establishment of control points on these processes, which will be complied with and implemented by personnel at all levels, for increasing the effectiveness of the controls on the processes, preventing possible risks, ensuring customer satisfaction and taking cost-reducing measures.

In addition to these issues, the compliance of all the activities which are realized or planned to be realized by the Bank, and of the Bank’s new transactions and products, with the Law and other relevant legislation, the Bank’s in-house policies and rules, and banking practices and customs is controlled.

Moreover, the legislation issued or amended is also examined within the Bank within the scope of compliance controls and the opinions formed are shared with the relevant work units.

Internal Control staff attended numerous trainings during the year for their professional development. In order to increase company-wide awareness for internal control activities, various trainings were organized for Bank employees and Internal Control staff has provided support for those trainings.

Within the framework of the 18th article of Assessment Processes of the Banks’ Internal System and Intrinsic Capital Adequacy, compliance controls were carried out in line with the compliance activities. In this context, our Bank’s personnel were informed as soon as possible about the provisions of the law and other relevant legislation, and the changes in the Bank’s policies and rules.

A compliance program was formed in accordance with the “Communiqué on Compliance with Measures Regarding Prevention of Laundering Proceeds of Crime and Financing of Terrorism”. Activities aimed at preventing the laundering of proceeds of crime have been carried out in line with national and international regulations and standards. Accordingly, the Compliance Service Unit performs the functions of inspection, monitoring, reporting, analysis and control.

The Bank’s Policy regarding the prevention of money laundering and financing of terrorism, to which the Bank’s subsidiaries, foreign branch and other subsidiaries are also obliged to adhere, has been updated. Moreover, the Bank’s employees are provided with face-to-face and online training regarding the prevention of laundering proceeds of crime and financing of terrorism to ensure they adopt compliance culture at global standards and implement this culture at their work and activities.

As a part of the Ziraat Finance Group, the units operating both in Turkey and abroad conduct their operations in accordance with local and international regulations and with the policies and procedures established by taking those regulations into account, in a manner which does not expose the Bank’s products and services to any operational and reputational risk in the areas of money laundering or financing of terrorism.

Regular information sharing is carried out within the framework of the coordinated strategy which is executed regarding the compliance activities of foreign branches. In this context, compliance with AML/CFT regulation is observed at the Bank’s foreign branch.

The results of the operations conducted effectively and efficiently by the Advisory Committee Coordination Service within the scope of the Communique on Compliance with Interest-free Banking Principles and Standards were shared with the related business units.

Findings resulting from all these activities related with the operations of Internal Control and Compliance were shared periodically with related business units and Senior Management.

Functioning of Risk Management System

The main purpose of our Bank’s risk management system is to ensure the definition, measurement, monitoring and control of the risks, to which the Bank is exposed, through the policies and the limits determined to monitor, control, and when necessary to change the operations’ nature and level in relation to the risk-return structure that the future cash flows will include.

The main approach in the risk management activities is to instill a risk culture across the Bank in accordance with the provisions of the “Regulation on Banks’ Internal System and Intrinsic Capital Adequacy Assessment Processes” and to execute the risk management function with best practices by continuously improving the system and the human resources. Care is taken to carry out the activities within the framework of the risk management system simultaneously with the contributions of the units included in the business line to which each risk type is related.

The risk management activities cover the basic headings of credit risk, market risk, operational risk, liquidity risk and other risks. The final objective is to comply with the best practices.

Within the framework of credit risk management activities, the activities for the definition, measurement, monitoring and reporting of credit risk are carried out using methods in compliance with Basel III. In this context, the calculation of the amount subject to credit risk, which began legally as of 1 July 2012, is reported monthly to the BRSA on an unconsolidated and consolidated basis. Counterparty credit risk measurements are carried out for counterparty risk.

Because our Bank became operational in May 2015, there is not adequate data for the measurement of creditworthiness in relation to the advanced measurement methods. The credit risk limits approved by the Board are monitored; the activities to carry out scenario analysis and stress tests regarding the credit portfolios are ongoing. Also, the compliance activities with the Basel III regulations and the regulations revised by the BRSA within the framework of Basel are continuing.

Operational risk management activities comprise the definition, classification, measurement, and analysis of the operational risks. These activities are carried out as part of the Bank’s “Operational Risk Management Regulation” that is prepared in accordance with the arrangements issued on 28 June 2012 by the BRSA to comply with Basel II. The amount subject to operational risk is calculated using the Basic Indicator Method in accordance with the Regulation on Measurement and Assessment of Banks’ Capital Adequacy.

Compliance with the operational risk limits approved by the Board, which are determined in order to manage operational risks, is periodically monitored. The risks stemming from information technologies and the actions taken are also monitored. Risk assessments are carried out for the companies from which support services are procured within the framework of the BRSA’s regulations that are currently in effect.

As part of operational risk, media analysis reports relevant to reputation risk and provided daily from the Bank’s Corporate Communication Department are examined.

Within the scope of market and liquidity risk management, measurement, analysis, limiting, reporting and monitoring activities are carried out pertaining to liquidity risk and dividend rate risk stemming from banking calculations. The analyses conducted are supported with stress tests.

The consolidated and unconsolidated Liquidity Coverage Ratio and the profit share ratio risk ratio arising from unconsolidated banking accounts are periodically reported to the BRSA. Compliance with the market and liquidity risk limits, which are approved by the Board and determined to manage the concerned risks, is periodically monitored. Also, Value at Risk is calculated daily with the internal models regarding exchange risk as part of market risk, and retrospective test analyses are carried out for these models.

IFRS 9 Expected Credit Loss calculations at our Bank are done by Risk Management, and the Probability of Default, Loss in Default and Default Amount models used in those calculations are developed, monitored and validated.

In addition to the stress test analysis used in periodic reports, Stress Test reports and ISEDES reports are prepared to be sent to the BRSA at year-ends, and, besides the BRSA’s scenario sets, the equity and liquidity adequacy level is analyzed for the following three years under base, adverse and extreme scenarios.

The results of the analyses carried out within the scope of risk management activities and the risk indicators are reported annually to the Board of Directors, at three-month intervals to the Audit Committee, and weekly and daily to the operational units.

In order to support the individual and occupational development of the internal systems personnel, the personnel attended internal and external trainings, conferences and seminars; thus, their practical knowledge level is constantly being developed.