The Audit Committee’s Evaluations Regarding the Functioning of the Internal Audit, Internal Control, Compliance, and Risk Management Systems

The activities of internal audit, internal control, compliance, and risk management in the Bank are carried out by the Supervisory Board, the Directorate of Internal Control and the Directorate of Compliance, and the Directorate of Risk Management within the Internal Systems Group under the Audit Committee.

The organization, which is established to include all units, branches, and subsidiaries subject to auditing, aims to:

  • Continue banking operations in a secure manner in line with the legislation, policy, principles and objectives,

  • Achieve sustainable profitability goals,

  • Perform the financial and administrative reporting in a timely, complete and secure manner,

  • Define Ziraat Katılım’s legal, nominal and financial risks; measure, report, and monitor those risks; and minimize them by controlling them.

To support the individual and occupational development of the internal systems personnel, the personnel attended internal and external training, conferences and seminars; thus, their practical knowledge level is constantly being developed.

FUNCTIONING OF INTERNAL AUDIT

The Supervisory Board audits whether the operations carried out by all of the Bank’s units, local and international branches, and subsidiaries are in accordance with the law and other relevant legislation and with the Bank’s strategies, policies, principles and objectives; it also audits the effectiveness and adequacy of the internal control and risk management systems within the framework of a risk-based audit approach. The Internal Audit Department informs the Bank’s senior management and continues its efforts to contribute to the senior management’s decision-making processes.

In line with the BRSA’s Regulation on Banks’ Internal System and Intrinsic Capital Adequacy Assessment Processes, the Regulation on Independent Audit of Information Systems and Business Processes, the Regulation on Information Systems and Electronic Banking Services of Banks, the Communiqué on Compliance with the Principles and Standards of Interest-Free Banking, especially the Law on Banking, and other relevant legislative provisions and the Bank’s in-house regulations, the Bank’s activities, transaction steps and work processes were evaluated by the Board of Auditors in terms of accuracy, effectiveness and efficiency.

Activities of the Audit Board in 2024 are presented below:

When the 2024 internal audit plan was determined, the risk-based audit and internal audit plan provisions of the BRSA’s Regulation on Banks’ Internal System and Intrinsic Capital Adequacy Assessment Processes were taken into account. When the Audit Board assessed the risks the Bank is exposed to in its operations and the controls related to those risks, information and data were obtained from the departments at Headquarters and managers’ opinions were considered. Based on these data and opinions, a risk assessment report and a risk matrix were created. Consequently, the departments, branches, business processes, information systems and other audit activities to be included in the scope of the internal audit plan were determined.

Audits of branches, work processes, information systems, Headquarter departments, external/support service firms and others included in the internal audit plan were completed. Internal audit activities and results conducted in accordance with the “internal audit reports” provisions of BRSA’s Regulation of Internal Systems and Internal Capital Adequacy Assessment Process were included in quarterly reports.

Reviews/investigation activities which were not included in the audit plan due to their nature and content were conducted by the Audit Board in detail when the cases subject to review / investigation were detected by or reported to the Audit Board. Resulting reports were sent to the Headquarter units or related institutions.

Management representation for 2024, which is prepared to give assurance on the effectiveness, adequacy, and compatibility of controls over information systems and work processes, included reports on work process audits, information systems audits, and external/support service companies’ audits.

During the audits conducted by the Audit Board, compliance audits for interest-free banking principles and standards were performed as well. Results of these audits and actions taken as a result of outcomes were taken to the agenda of the two meetings of the Audit Committee and the Advisory Committee.

In the audit application used for branch audits, system improvements have been completed so that information systems and business processes audits can also be performed end-to-end through the application, and information systems and business processes audits will also be performed through the application as of 2025. The control points on the application are regularly updated in line with legal regulations and the decisions of the BRSA and the CBRT, as well as the changes envisaged by the Bank’s Senior Management and Headquarter units.

In 2024, centralized audit activities, which involve the execution of scenario-based analyses and the implementation of controls to detect potential fraud, continued. The number and variety of scenarios were increased, thereby expanding the scope of these audits. Efforts have been initiated to integrate artificial intelligence technology into centralized supervision processes. Accordingly, it will be possible to detect and examine a greater number of potentially fraudulent cases arising from branch transactions more promptly and efficiently. Application developments are underway to enable centralized audit activities to be carried out end-to-end through the audit application and it is planned to be operational as of the first quarter of 2025.

13 Assistant Auditors who succeeded in the Bank’s Assistant Auditor entrance examination completed the Master’s degree program at Ankara University Banking School and commenced their duties in July. Also, regular onsite and external trainings were held to increase our current staff’s level of knowledge. The inspectors who attended the Compliance with Interest-free Banking Principles and Standards and Audit certification program organized by TKBB completed the exam at the end of the training and received their certificates.

In the upcoming period, the Audit Board will undertake the implementation of the internal audit plan to be formulated in alignment with the objectives and policies established by the Bank’s senior management. The Board will report the outcomes of audit activities to the Board of Directors through the Audit Committee and diligently monitor the corrective measures to be implemented based on audit findings, with a strong sense of responsibility and professional commitment.

OPERATION OF THE INTERNAL CONTROL SYSTEM

The activities of the Internal Control Department are composed of branch controls, central controls, Headquarter unit controls, information systems controls, and interest-free banking compliance controls in line with the Bank’s strategies, objectives, and policies and in compliance with legal regulations. A proactive structure is adopted to provide compliance with changing strategy, risk perception and conditions on a timely basis.

The purpose of Internal Control activities is to ensure the protection of the Bank’s assets, effective and efficient conduct of the operations, unity and reliability of the accountancy and reporting system and timely access to the information.

The Internal Control system of the Bank was designed in a way to cover the Headquarter Units, domestic branches, foreign branches and the subsidiaries subject to consolidation as per the provision of the Article 9, paragraph 3 of the “Regulation on Banks’ Internal System and Intrinsic Capital Adequacy Assessment Processes,” which is the “Internal Control system is designed to cover the domestic and foreign branches, headquarter units, the subsidiaries subject to consolidation and all activities of the Bank.”

Control programs were prepared by taking into account the opening dates of newly opened branches, the periodic risk status of existing branches, and the dates of the last report issued, and branch control activities were carried out in this context as on-site, remote, and central control activities. In order to increase the risk and control awareness during the internal control activities of the branch and to prevent the losses arising from operational risks, the branch personnel were continuously informed.

Central control activities contributed to the internal control culture across the Bank, to the establishment and development of the internal control system, to the prevention and reduction of risks through early action, and to the continuous monitoring function. In 2025, the Bank will continue to develop central control processes for proactive, effective and more efficient internal control activities.

In order to render control activities more effective and efficient, the control activities of the branches are carried out through the control application. Thanks to the control application, the Bank contributed to compliance of the Bank’s operations with external legislation and competitive conditions.

The control activities carried out in the Headquarter units are designed in accordance with national and international legislation, the Bank’s internal policies and rules, and banking customs, taking into account the functions of the relevant units, the risks they carry, their impact on the Bank’s balance sheet, and their job descriptions.

At the Bank, Internal Control activities were carried out on the following topics: functional segregation of duties; division of responsibilities; establishment of the accountancy and reporting system, the information system and the Bank’s internal communication channels in a manner that they will operate effectively; the creation of work flow charts in which the controls on the Bank’s work processes and work steps are indicated.

R&D studies are conducted in order to carry out centralized, real-time, technology-focused Internal Control Activities and to enable the relevant business units to take faster action on widespread deficiencies.

In 2024, the practice of preparing recommendation reports continued, aimed at improving processes for the operations carried out in the Bank, establishing control points on these processes to be complied with and implemented by personnel at all levels, increasing the effectiveness of the controls on the processes, preventing possible risks, ensuring customer satisfaction, and taking cost-reducing measures.

In addition to the issues specified, the compliance of all the activities, which are realized or planned to be realized by the Bank, and new transactions and products of the Bank with the Law and other relevant legislation, the Bank’s in-house policies and rules, and banking practices and customs are controlled. The legislation issued or amended is also examined within the Bank within the scope of compliance controls and the opinions formed are shared with the relevant work units.

Internal control staff attended numerous trainings during the year for their professional development. In order to increase company-wide awareness for internal control activities, various trainings were organized for Bank employees and Internal Control staff has provided support for those trainings.

The Advisory Committee Coordination Department under the Internal Control Department carried out the secretariat and compliance activities of the Advisory Committee effectively and efficiently within the framework of the Communiqué on Compliance with Interest-Free Banking Principles and Standards. The activities that were conducted within this framework were communicated to the relevant company units.

Other findings resulting from all these activities were periodically shared with the Bank’s relevant business units and senior management.

FUNCTIONING OF COMPLIANCE SYSTEM

Operations of the Bank to prevent the laundering of proceeds of crime, the financing of terrorism, and the proliferation of weapons of mass destruction are conducted in strict compliance with national and international regulations.

As part of compliance activities, compliance controls were carried out in accordance with Article 18 of the Regulation on Banks’ Internal System and Intrinsic Capital Adequacy Assessment Processes. Also, within the context of compliance activities, the Bank’s personnel are informed as soon as possible about the provisions of the law and other relevant legislation and changes in the Bank’s internal policies and rules.

All operations conducted and planned by the Bank, as well as new transactions and products, are thoroughly checked to ensure compliance with national and international legislation, internal Bank policies, rules, and banking practices. The legislation issued or amended is also examined within the Bank within the scope of compliance controls and the opinions formed are shared with the relevant work units. The Bank develops preventive control mechanisms to ensure that the products and services it offers are not used as a tool for illegal activities and takes immediate action in combating the proceeds of crime with proactive measures.

Audit, monitoring, reporting, analysis, and control functions are performed within the scope of activities established in accordance with the “Regulation on Program of Compliance with Obligations of Anti-Money Laundering and Combating the Financing of Terrorism” and carried out in accordance with the compliance program, with the aim of preventing the proceeds of crime, the financing of terrorism, and the proliferation of weapons of mass destruction. The Bank’s employees are provided with face-to-face and online training regarding the prevention of laundering proceeds of crime and financing acts of terrorism to ensure they adopt compliance culture at global standards and implement this culture at their work and activities.

As a part of the Ziraat Finance Group, the units operating both in Türkiye and abroad conduct their operations in accordance with the policies and procedures established by taking local and international regulations into account, in a manner which does not expose the Bank’s products and services to any operational and reputational risk in the areas of money laundering or financing acts of terrorism. Regular information sharing is carried out within the framework of the coordinated strategy which is executed regarding the compliance activities of foreign branches. In this context, compliance with the legislation on Laundering Proceeds of Crime and Prevention of Financing of Terrorism / Proliferation of Weapons of Mass Destruction is ensured in our branches abroad.

Controls are being developed to prevent the risk of sanctions, aiming to avoid engaging in business relations with individuals and organizations included in the sanctions programs followed by the Bank, refraining from providing any services related to the activities subject to sanctions, and avoiding intermediating any banking services that would violate the sanctions.

Findings resulting from all these activities related with the operations of Internal Control and Compliance were shared periodically with related business units and senior management.

FUNCTIONING OF RISK MANAGEMENT SYSTEM

The main purpose of the Bank’s risk management system is to ensure the definition, measurement, monitoring and control of the risks to which the Bank is exposed, through the policies and limits determined to monitor, control, and when necessary change the nature and level of operations in relation to the risk-return structure that the future cash flows will include.

The Bank’s risk management activities are conducted in accordance with the “Regulation on Banks’ Internal System and Intrinsic Capital Adequacy Assessment Processes” and other pertinent regulations, as well as BRSA Good Practice Guidelines, with the aim of cultivating a risk culture throughout the Bank and bringing the risk management function closer to best practices by continuously improving the system and human resources. Activities carried out within the framework of the risk management system cover the fundamental categories of credit risk, market risk, operational risk, balance sheet risks (profit share rate risk arising from banking accounts, net stable funding rate risk, and liquidity risk), and model-process validation.

The basic approach in risk management activities is to carry out the risk management function with the best practices in accordance with the provisions of the “Regulation on Banks’ Internal System and Intrinsic Capital Adequacy Assessment Processes,” to establish a risk culture throughout the Bank, and to continuously improve both systems and human resources.

Care is taken to carry out the activities within the framework of the risk management system simultaneously with the contributions of the units in the business line to which each risk type is related.

The risk management activities cover the basic headings of credit risk, market risk, operational risk, liquidity risk and other risks. The final objective is to comply with the best practices. Within the framework of credit risk management activities, the activities for the definition, measurement, monitoring and reporting of credit risk are carried out using the Standard Approach methods in compliance with Basel III. In this context, the calculation of the amount subject to credit risk, which started legally as of July 1, 2012, is reported to the BRSA monthly on a solo and consolidated basis. The measurement of counterparty credit risk, which falls under the purview of credit risk, is also made using the Standard Approach (SA-CCR) method. Senior management receives the results of scenario analyses and stress tests related to credit risk. Also, the compliance activities with the Basel III regulations and the regulations revised by the BRSA within the framework of Basel are continuing.

Operational risk management activities comprise the definition, classification, measurement, and analysis of the operational risks. These activities are carried out as part of the Bank’s “Operational Risk Management Regulation” that is prepared in accordance with the arrangements issued on June 28, 2012, by the BRSA to comply with Basel II.

The amount subject to operational risk is calculated using the Basic Indicator Method in accordance with the Regulation on Measurement and Assessment of Banks’ Capital Adequacy.

The operational risk loss database, which is integrated with the Bank and compatible with the accounting system, is established in accordance with a classification that encompasses the loss event type and activity lines of the Basel Banking Supervision and Audit Committee. This database includes data from foreign and domestic branches and subsidiaries, allowing the Bank to monitor its operational risk outlook with effective methods.

Compliance with the operational risk limits approved by the Board, which are determined in order to manage operational risks, is periodically monitored. The risks stemming from information technologies and the actions taken are also monitored. Risk assessments are carried out for the companies from which support services are procured within the framework of the BRSA’s regulations currently in effect.

As part of operational risk, media analysis reports relevant to reputation risk and provided daily from the Bank’s Corporate Communication Department are examined.

Within the scope of market and liquidity risk management, measurement, analysis, limiting, reporting, and monitoring activities related to Market Risk, Liquidity Risk, Net Stable Funding Ratio Risk, and Profit Share Ratio Risk arising from Banking Calculations are carried out. The analyses conducted are supported with stress tests. Compliance with the market and liquidity risk limits, which are approved by the Board and determined to manage the concerned risks, is periodically monitored. Also, Value at Risk is calculated daily with the internal models regarding exchange risk as part of market risk, and retrospective test analyses are carried out for these models.

In order to facilitate the modeling and validation activities of the internal rating system, the Risk Management Department continues its infrastructure work by participating in the development and formulation of ongoing credit rating models within the Bank. The Bank conducts TFRS-9 Expected Credit Loss calculations and performs the development, monitoring, and validation of the Probability of Default, Loss in Case of Default, and Amount of Default models utilized in the calculations. It also undertakes validation studies to assess the performance of the TFRS-9 Expected Credit Loss model and to implement calibrations as required.

In addition to the stress test analyses used in periodic reports, Stress Test reports and ICAAP reports are prepared at year-ends to be sent to the BRSA; besides the BRSA’s scenario sets, equity and liquidity adequacy levels are analyzed for the following three years under base, adverse and extreme scenarios.

The results of the analyses carried out within the scope of risk management activities and the risk indicators are reported annually to the Board of Directors, every three months to the Audit Committee, and weekly and daily to the operational units.