2019 INTEGRATED ANNUAL REPORT
AUDIT COMMITTEE’S ASSESSMENT OF THE OPERATION OF THE INTERNAL AUDIT, INTERNAL CONTROL, AND RISK MANAGEMENT SYSTEMS IN 2019

Internal audit, internal control, and risk management activities at Ziraat Bank are performed by the Board of Inspectors, the Internal Control & Compliance Department, and the Risk Management Department. These units’ duties and responsibilities, which are strictly segregated from one another, are coordinated by the Assistant General Manager for Internal Systems.

This organization is structured so as to embrace all Bank units and branches as well as Bank-owned subsidiaries subject to the Bank’s oversight. Its purpose is to minimize any risks that might adversely affect the thoroughgoing and secure conduct of banking operations, the fulfillment of long-term profit targets, the reliability of financial and administrative reporting, and/or the Bank’s reputation and financial stability.

INTERNAL AUDIT SYSTEM
The Board of Inspectors takes a risk-focused approach in the fulfillment of its responsibilities to ensure that the activities and operations of the Bank’s headquarters units, domestic and international branches, and subsidiaries comply with the requirements of laws and regulations and are compatible with the Bank’s own strategies, policies, principles, and objectives. The board conducts its activities in such a way as both to keep the Bank’s senior management informed and to contribute to their decision-making processes.

Board of Inspectors activities in 2019:

In keeping with its strong sense of responsibility and awareness of its duties, the Board of Inspectors will continue to execute the internal auditing plan in line with goals and policies set forth by Ziraat Bank’s senior management and within the framework of current auditing approaches, to report its findings to the Board of Directors through the Audit Committee, and to observe what action is taken on the basis of its reports.

INTERNAL CONTROL AND COMPLIANCE SYSTEM
Internal control activities at Ziraat Bank are designed so as to embrace the operations of all headquarters units, all domestic and international branches and subsidiaries subject to consolidation as required by Article 9 Paragraph 3 of “Regulation on bank internal system and intrinsic capital adequacy assessment processes” which states “Internal control system is structured to include the bank’s domestic and foreign branches, headquarters units, subsidiaries subject to consolidation and all of their operations.”

Such activities are conducted so as to be compatible with the Bank’s primary objectives and strategies from the standpoint of their scope and methodology.

This more proactive structure helps ensure that Ziraat Bank’s operations exceed sectoral norms and that they are conducted in a manner that is compatible with both internal and external regulations as well as with the demands of competition.

Domestic branch checks are performed both on location and centrally within the framework of a program that is prepared taking into account branches’ current levels of risk exposure. Control functions, which for the most part are structured so as to be technology-intensive and centralized, are intended to ensure that commonly-occurring mistakes are quickly corrected at the appropriate business-unit level.

With the Instant Control system, operational transactions and their accounting are checked in real time. Transactions are evaluated in light of specific scenarios and if a transaction is deemed to be in error, it can be corrected the same day. Real-time transaction checking allows increased efficiency and embeds the internal control system within the Bank’s day-to-day operations instead of relying on retrospective transaction controls. To this end, instant incident and action management tools such as EVAM are also employed effectively. Accordingly, it is adopted as a basic principle to avoid possible errors and omissions in recording assets and liabilities and capturing them in financial reports.

Headquarters unit control cycles are determined taking into account the units’ functions, potential risks, terms of reference, and impact on the Bank’s balance sheet. These cycles are revised as needs may require.

Internal control operations at Ziraat Bank branches located outside Turkey are carried out in line with control programs that are prepared for each year.

The findings ascertained as a result of all of these activities are periodically circulated among appropriate business units and the members of senior management.

Besides performing their internal control functions in 2019, internal control personnel also continued to prepare and issue reports containing suggestions of ways to improve existing processes at the Bank and to mitigate the risks inherent in them. The aim of this practice is to preclude risks by spotting them in advance, to make the Bank more competitive by improving its business processes, and to increase customer satisfaction while also taking measures to cut costs.

On the other hand, internal controllers began to be recruited from within the Bank; after the first internal recruitment that occurred in 2015, the process continued also in 2019. Thanks to recruitment from within, the existing banking knowledge of the team sped up their adaptation to internal control processes, which resulted in significant reduction of their training time. As a natural consequence, these individuals began performing productively in a very short period of time. On another front, banking and field experiences of the team contributed remarkably to internal control processes.

The practice of recruiting qualified human resources for the Bank’s administrative staff by allowing internal control personnel to transfer to such positions continued in 2019.

In addition to such matters, compliance reviews were also carried out by internal control personnel as required by article 18 of BRSA Regulation on bank internal system and intrinsic capital adequacy assessment processes. In the course of these reviews, all operations conducted or planned by the Bank as well as new transactions and products are checked to be sure that they comply with laws and regulations, with the Bank’s own policies and rules, and with generally-accepted banking practices. During such compliance reviews, existing Bank-internal rules and proposed changes in them are also examined and views concerning them are circulated among appropriate units.

Within the scope of the Compliance Program set up by the Bank to comply with the legislation published under the Prevention of Laundering of Proceeds from Crime and Financing of Terrorism, work to prevent such activities is carried out in accordance with national and international regulations.

The policy established by the Bank regarding the prevention of laundering of proceeds from crime and financing of terrorism, with which the Bank’s foreign branches, subsidiaries and other related parties are also obliged to comply, has been revised and shared with the public on the Bank’s website.

The units active either in Turkey or abroad as part of the Ziraat Finance Group pursue their operations in accordance with national and international legislation, in line with the policies and procedures they have devised in view of the local and international regulatory framework, and in a manner that protects the Bank’s products and services from any operational or reputational risk in connection with the laundering of proceeds of crime and financing of terrorism.

Internal training programs are carried on, which are organized between the Bank and compliance units of overseas branches and domestic and international subsidiaries and which are designed to exchange information regarding the development of joint standards, creation of joint processes, and acting in line with the shared policy target related to “Prevention of Laundering Proceeds of Crime and Financing of Terrorism”.

Additionally, regular contacts are established within the frame of the coordinated strategy conducted in relation to compliance activities with overseas branches and subsidiaries, as well as domestic subsidiaries. Along this line, meetings were held with compliance officers of subsidiaries and overseas branches/subsidiaries, during which joint studies were carried out to verify compliance with national and international obligations and to identify process and software needs, if any. These meetings and efforts will be ongoing also in the future.

Additionally, all employees were provided with training on the prevention of laundering of proceeds from crime and financing of terrorism.

Both the Internal Control and Compliance units will utilize the analytical infrastructure and technological means to the maximum extent possible and will carry on with their activities aimed at maximizing productivity and efficiency with a risk-based approach.

RISK MANAGEMENT SYSTEM
Ziraat Bank risk management activities are conducted subject to the requirements of BRSA’s Regulation on bank internal system and intrinsic capital adequacy assessment processes and other pertinent regulations as well as of BRSA Best Practices Guidelines. They are carried out with the aim of aligning the Bank’s risk management functions with best practices by fostering a risk culture throughout the entire and constantly improving system and human resources. The principal risk categories are defined as “Credit Risk”, “Market Risk”, “Operational Risk”, and “Balance Sheet Risks”, the last including the interest rate risks and liquidity risks to which the Bank is exposed on account of its banking business operations. Care is given to ensure that all activities related to risk management system are coordinated through the involved participation of the operational branches with which each type of risk is associated.

Under the heading of credit risk management, Basel III-compatible methods are used to define, measure, monitor, and report credit risk. The Bank has been calculating its core credit risk exposure and reporting it monthly on the basis of its solo and consolidated accounts to BRSA ever since this practice was mandated by law as of 1 July 2012. The credit limits approved by the Board of Directors are monitored and scenario analysis and stress tests are carried out by applying various shocks to credit risk factors. Counterparty Credits are measured for counterparty risk. In addition, with the participation of different units within the scope of Credit Risk Management Project with advanced methods, studies are being carried out to calculate credit risk based on internal rating and to use its outputs in different areas.

Under the heading of market risk management, such risk is measured, analyzed, reported, and monitored. Analyses are supported by conducting stress tests. Risk measurements are performed on all accounts whose inclusion in the Bank’s capital adequacy ratio calculation is mandatory as well as by means of the “value-at-risk” (VaR) methodology. The results of VaR measurements are validated by means of backtest analyses. The values on which market risk is calculated are periodically reviewed and compared with Board of Directors-approved limits, while senior management is kept informed about the results of mandatory and internal limit monitoring.

Under the heading of operational risk management, the operational risks to which the Bank is exposed are defined, classified, quantified, and analyzed. Operational risk signal and limit values approved by the Board of Directors are also monitored at regular intervals. Amount subject to Operational Risk is calculated using the Basic Indicator Approach pursuant to the Regulation on the Measurement and Assessment of Capital Adequacy of Banks. Operational risk incidents as a result of the lost data base in the banking software are being followed. Information technology risks and associated actions are followed up in coordination with the related units. Activities for business continuity plans and portfolio custodian services along with risk assessments for companies providing outsourced support services are being carried out.

Under the heading of balance sheet risk management, liquidity and interest rate risks arising from banking business accounts are measured, analyzed, delimited, reported, and monitored. Analyses are also supported by means of stress tests. The work on liquidity risk takes into consideration best practice guides, and Time to Maturity Analysis is conducted to oversee the maturity composition of the Bank’s balance sheet; Liquidity Gap and Structural Liquidity Gap Analyses to classify assets and liabilities items according to their respective times to maturity and to determine the gap amount; and Liquidity Stress Test to assess the Bank’s liquidity position in the worst case scenario. In addition, the Bank follows up the renewal rates of deposits that make up the Bank’s key funding source on a daily basis, and performs core vs. volatile deposits analyses using the deposit renewal analysis.

For monitoring the interest rate risk stemming from the banking accounts, Repricing Gap (GAP), Duration, Net Interest Income Analyses and Interest Rate Shock Reduction in Value Analyses are periodically conducted.

Liquidity risk as approved by the Board of Directors and signals and limits of the interest rate risk resulting from banking accounts are also monitored at regular intervals.

Internal Capital Adequacy Assessment Process (ICAAP) reports are also prepared and sent to BRSA at year-end. In the latter reports, the Bank’s capital adequacy is analyzed over the next three-year period on the basis of a set of Base/Negative/Overly Negative scenarios not supplied by BRSA.

The results of the risk management analyses and the associated risk indicators are reported to the Board of Directors and to the Audit Committee at six-month intervals and to the Senior Management on a daily, weekly, and monthly basis.

Ziraat Bank will continue to make use of internationally-recognized advanced risk management techniques in order to carry out its risk management activities for all risk categories and to make such risk management an integral part of its strategic decision-making processes in the future as well.