Audit Committee's Assessment of the Operation of the Internal Audit, Internal Control, and Risk Management Systems
The internal audit, internal control and risk management activities at Ziraat Bank are carried out by the Board of Auditors and Internal Control and Risk Management Group, which have segregated duties and responsibilities, are organizationally independent from each other, but work in coordination.
Set up to cover all units, branches and the Bank’s subsidiaries subject to audit, the organization aims to ensure complete and secure pursuance of banking activities, realization of long-term profit targets, reliable financial and administrative reporting, and minimization of unexpected risks that might negatively affect the Bank’s reputation and financial stability.
OPERATION OF THE INTERNAL AUDIT SYSTEM
The Board of Auditors adopts a risk-focused approach to auditing and monitors the compliance of the activities carried out by all of the Bank’s head office units, domestic and international branches, and subsidiaries under its control with the law and other applicable legislation, as well as the Bank’s internal strategy, policy, principles and targets, including internal control and risk management. The Board of Auditors keeps the Bank’s Senior Management informed and pursues its efforts in a manner to contribute to the decision-making processes of the Senior Management.
Having 167 members and working in line with the international internal audit standards, in 2013 the Board of Auditors audited and evaluated the effectiveness and efficiency of transaction steps that make up the primary processes, and the secondary processes, besides auditing the compliance of the Bank’s activities with the processes that they are governed under. In addition, the Bank’s IT Inspectors audited the processes set out in the Regulation on Bank Information Systems and Banking Processes published by the Banking Regulation and Supervision Agency (BRSA) in line with the Bank’s implementations.
In addition to the on-site audits that are conducted using the reporting structure integrated into the Bank’s system, the Centralized Audit Team, which operates under the Board of Auditors and plays a key role by applying various scenario analyses to identify realized irregularities and by producing a dissuasive effect on possible irregularities in order to prevent them, thus continues to increase its contributions to the activities of the Board of Auditors.
In addition, members of the Board of Auditors strived to build up the personnel’s practical knowledge through on-site training sessions provided in the branches in 2013. At the same time, the inspectors have the opportunity to conduct audit in different units periodically and thereby constantly build on their professional knowledge and experience; they were also given training at certain intervals to support their personal and professional development. In this context, in 2013 the Bank continued to implement the training catalogue, which is formulated by identifying the training programs for each member of the Board of Auditors of all seniority levels, and opportunities were created for members of the Board of Auditors to take part in numerous external (outside the Bank) meetings, conferences and workshops during the reporting period.
Having made it a principle and a goal to contribute significantly to the Bank’s qualified and high-quality human resources, the Board of Auditors provided an intensive transition of its members to administrative duties during 2013; hence, the Bank’s experienced members who have been involved in the examination and inspection of the Bank’s various domestic and international branches, regional offices and Head Office units continued to offer administrative services to our Bank’s different units in various regions. On the other hand, the recruitment process for 41 assistant inspectors was completed in January 2013, and the individuals started working in their new posts.
The Board of Inspectors continues to evaluate the organizational changes at the Bank, the modules introduced in lending decisions and the systematic differences arising from the launch of centralized allocation structures, and the Operations Center, and continues to work on the New Auditing Model.
In the coming period, the Board of Auditors will continue to be guided by a high sense of responsibility and duty in the execution of the internal audit plan to be devised in line with the targets and policies determined by the Bank’s Senior Management and within the framework of the modern approach to auditing; in the reporting of their outcomes to the Board of Directors through the Audit Committee and in monitoring the precautions to be adopted based on audit reports.
OPERATION OF THE INTERNAL CONTROL SYSTEM
Internal control activities are organized in such a way to cover the activities of the Bank’s domestic and international branches, regional directorates and head office units under the Regulation on Banks’ Internal Systems issued by the BRSA, and are constantly revised in line with the Bank’s requirements.
The scope and implementation of the approach are in line with the Bank’s main goals and strategies. After the change in risk perceptions and a new service model implementation, a proactive structure is adopted in accordance with the changes in the strategy and circumstances. Thanks to this adopted proactive structure, the Bank’s operations are performed at higher standards than the sector norms in accordance with both domestic and international codes and competitive conditions.
Internal control programs are enforced upon approval from our Committee. Controls are carried out on an average of 840 branches each quarter within the scope of the program, within the framework of the branches’ risk map prepared by the risk management department.
Internal control activities at all of our international branches are conducted in accordance with the annual control plans that are approved by our Committee.
The control intervals at head office units are determined in view of the units’ functions and risk exposure, their job descriptions and their impact on the Bank’s balance sheet, and are revised in line with the Bank’s needs.
The findings contained in the reports prepared following these activities are categorized under certain headings, and are shared with relevant units and the Senior Management.
In 2013, on-site Internal Controllers continued to conduct examinations regarding matters established during the control activities and which were deemed to require further examination. The necessary action to be taken by the Bank based on the preliminary examination reports was taken and transactions which were suspected of being subject to abuse were shared with the Board of Auditors in order to ensure that the necessary examinations/investigations were undertaken.
In addition to the above, compliance control activities are also carried out by the internal control function within the framework of Article 18 of the Regulation on the Banks’ Internal Systems. Accordingly, all past or planned activities of the Bank, as well as new products and transactions are checked for compliance with the Law and other applicable legislation, internal policies and guidelines, and established banking practices. Furthermore, regulations that are issued or modified by the Bank are also reviewed within the scope of compliance controls and resulting opinions are shared with the related units.
Besides control activities, recommendation reports continued to be issued, which are aimed at improving the processes related to the activities carried out at the Bank by Internal Controllers and at prevention of possible risks. The objectives of this implementation are to prevent risks by identifying them in advance, improving processes so as to achieve alignment with the competitive environment and customer satisfaction, and taking cost-saving measures.
Internal Controllers are encouraged to take on administrative duties; accordingly, 19 Internal Controllers were transferred to administrative positions during 2013, thus continuing to supply qualified human resources to the Bank’s administrative personnel. In addition, the decision was taken to hire 36 assistant internal controllers from outside the Bank to be trained to replace the internal controllers who had been transferred to administrative duties, and to sustain the dynamic nature of the internal controller staff.
OPERATION OF THE RISK MANAGEMENT SYSTEM
The fundamental approach to risk management activities carried out at the Bank is to achieve the best possible practices in risk management functions by inculcating a culture of risk-awareness throughout the Bank and by continuously improving both the system and the human resources. The utmost attention is taken towards ensuring that the risk management activities undertaken are conducted with the coordinated participation of all units that are involved in every activity associated with each category of risk. Risk management activities cover the main headings of credit risk, market risk, operational risk and balance sheet risks (interest rate risk arising from banking accounts and liquidity risk), and have the ultimate objective of achieving compliance with international best practices.
Under credit risk management activities, work is undertaken to define, measure, monitor and report credit risk, employing methods that are in alignment with Basel II. In this context, legal reporting process started using the Basel II Standardized Method from 1 July 2012. The amount of credit risk is reported to the BRSA each month on a solo basis and quarterly on a consolidated basis. Efforts are ongoing at the Bank to measure the creditworthiness in connection with advanced measurement methods. Accordingly, work is being carried out on the outcomes of scoring models used for different loan portfolios. Validation is carried out using statistical methods to measure the accuracy and performance of these scoring models. Furthermore, credit risk limits that are approved by the Board of Directors are monitored, and work is in progress to conduct scenario analyses and stress testing for the non-performing loans ratio. Methods that are in alignment with Basel III have been prepared and will be implemented in the new operational year.
Under the operational risk management activities, operational risks are defined, classified, measured and analyzed. The operational risk loss database in the Finart environment allows incidents of operational risk to be tracked. Risks arising from information technology and actions taken are followed up. An Operational Risk Map is being prepared for use in the Internal Control audit program for the purpose of establishing the risk levels of the Bank’s branches. In addition, risk exposure assessments are conducted for companies providing outsourced support services within the framework of the BRSA’s regulations in force.
Within the scope of market and balance sheet risk management activities, market risk, liquidity risk, and interest rate risk arising from banking accounts are measured, analyzed, limited, reported and monitored, and the analyses conducted are supported through stress tests.
To determine the amount of shareholders’ equity that is aligned with the loss our Bank may sustain due to its risk exposure, a capital adequacy assessment is conducted using the economic capital approach and the results are reported to the senior management.
The results of the analyses conducted under risk management activities and the risk indicators are reported to the Board of Directors and our Committee at six month intervals, and to the executive units and internal system units at monthly, weekly and daily intervals.
The new operating period will be marked by continued activities under all risk categories on the basis of internationally accepted advanced risk management techniques, as well as execution of these activities as an integral part of the Bank’s strategic decision-making processes.
Feyzi ÇUTUR |
Muharrem KARSLI |