2016 Annual Report
The Audit Committee’s assessment of Internal Audit, Internal Control, Risk Management and Regulatory Compliance Functions; Committee Activities during the Reporting Period

Internal Audit (Board of Auditors)

The Board’s fundamental objective is to provide independent and impartial compliance and consultancy services that safeguard the activities of the Bank and its affiliates subject to consolidation and generate added value. Operating within currently applicable laws and related external regulatory frameworks, and the Bank’s own strategies, policies, principles and targets, the Board provides assurance to the Senior Management concerning the effectiveness and sufficiency of the Bank’s internal control, risk management systems and governance processes. The Board aims to help the Bank reach its targets by introducing a systemic and disciplined approach in order to evaluate and improve the related systems. The Board of Auditors is responsible for performing audits, inspections and investigations on behalf of the Board of Directors in line with the schedule and instructions provided by the Chairman.

Within the scope of the 2016 audit plan, audit activities were conducted in various selected branches and units in the Headquarters based on the risk-oriented audit approach. In addition, audits of the information systems continued to be carried out by IS inspectors. With these audit activities, investigations and inspections regarding the board’s declaration were conducted.

As a result of the audit activities, incomplete and improper applications are reported to the Audit Committee on a quarterly basis, and their completion status is followed up.

Detailed training programs were prepared to increase the inspectors’ level of knowledge and to bring their personal development to the highest level. Accordingly, internal and external training was received.

As of 31 December 2016, the staff of the Board of Auditors consisted of 43 people.

Areas of responsibility as the Chairman of Internal Audit are: Branch, Headquarters, Information Systems Audits, Reviews and Investigations.

Internal Control

The Internal Control Department is responsible for overseeing all aspects of Türkiye Finans’ organization and activities so as to ensure that the Bank’s business is conducted effectively, productively, and in a manner consistent with the requirements of Banking Law and regulations, the Bank’s policies and rules, and ordinary banking practices and also for ensuring the reliability, integrity, and timely accessibility of the accounting and financial reporting systems and of the information contained therein. The Internal Control Department reports directly to the Board of Directors and provides information to the Bank’s senior management. Another function of the Internal Control Department is to develop early warning systems capable of identifying risks in advance and taking measures accordingly.

The Internal Control Department conducts its activities through 5 main services: Central Control, On-site Control, Information Systems and Compliance Checks, Reporting and Action Tracking and Risk Monitoring Self-Assessment.

Within the scope of the 2016 control plan, risk-oriented control activities were conducted in the branches. At the same time, control design and test activities, as well as inquiries and investigations including controls within the scope of the board’s declaration, were conducted in the Headquarters’ units.

As a result of control activities, any incomplete and improper applications are reported to the Audit Committee on a quarterly basis, and their completion status is followed up.

Detailed training programs were prepared to increase the level of knowledge of internal control personnel and to bring their personal development to the highest level. Internal and external training was provided accordingly.

As of 31 December 2016, the staff of the Internal Control Department consisted of 36 people.

Risk Management

The risk management organization is responsible for the central management of risks that are likely to be encountered, through effective coordination across the Bank. The main purpose of the Risk Management system is to ensure that risks are identified, measured, reported, monitored and controlled on a consolidated and unconsolidated basis via policies, implementation procedures and limits set in accordance with the nature and magnitude of the Bank’s activities based on its risk-return profile, and to determine the overall capital requirement relative to the risk profiles.

The Bank aims to achieve the following targets by implementing effective risk management strategies and policies;

The Risk Management system is a process within which all units of the Bank are involved. The basic issues regarding effective Risk Management processes are;

As of 31.12.2016, the Risk Management Centre consists of 13 people. To support their personal and professional development, the personnel participate in internal and external training, conferences and seminars, so that their practical knowledge in the field of risk management continually increases. As part of efforts to increase the effectiveness of risk management within the Bank, during 2016 the Risk Management Centre was upgraded from the Directorate level to the Assistant General Manager level.

In 2016, a Risk Committee at the Board level was established in order to support the Board of Directors in this framework by carrying out surveillance activities regarding risk management policies and practices; to review the risky activities’ compliance with the Bank’s existing risk appetite and strategic objectives; to review the studies into risk appetite with the ISEDES (Internal capital adequacy evaluation process).

Risk management activities carried out throughout 2016 are classified and summarized below.

Identification and Measurement of Risks

Within the context of the Regulation on Internal Systems of Banks and Internal Capital Adequacy Assessment Process, other related legislation and internationally accepted standards, the risks that the Bank is exposed to are identified, measured, reported and monitored under the main titles of credit risk, market risk, liquidity risk, operational risk and other risks, taking best practices into account. Within this scope, in accordance with the relevant legal regulations and best banking practices, risk management processes are being established and updated. The Bank’s risk management system is reviewed within the framework of the strategy, policy and implementation procedures, legislative amendments and the Bank’s needs. The Bank’s risk management is updated as and when necessary, and at least once a year. Within this scope, the Risk Policy, the ISEDES Policy and ISEDES Procedure were updated during 2016 with the approval of the Board of Directors.

In addition, risk opinions are formed by carrying out risk and impact evaluations upon monitoring the changes in internal policies and procedures and work flows of the Bank and new activities, channels or product designs. Within the scope of the “Regulation on the Support Services of Banks”, the Risk Management Program is presented annually through the Audit Committee to the Board of Directors. In addition, within the scope of the regulation, a risk opinion is established in line with the “Risk Analysis” and “Technical Competency Reports” submitted by the related units. The Audit Committee’s view is sought by submitting the risk opinion and reports to the Audit Committee.

In order to comply with the good practice guidelines published by the BRSA, the Bank’s level of compliance with the guidelines based on each risk type was determined. The Bank plans to prepare and implement action plans for non-conforming issues.

Türkiye Finans utilizes statistical risk measurement and rating systems which are developed individually for all customer and credit types to effectively measure and manage risks. These systems are regularly monitored and their validation activities are carried out. Remedial actions are taken if necessary.

In addition to the regulations of the RCAP (Regulatory Consistency Assessment Programme), the Alpha regulation entered into effect in 2016. The Alpha regulation is used in Capital Adequacy calculations and shows the share of risk to which the Bank is exposed through loans extended from funds sourced from participating accounts. The Alpha regulation has had the effect of improving the capital adequacy ratio.

Risk Monitoring and Reporting

The Risk Management Centre closely monitors economic, political, sociological and cyclical developments and intra-bank changes, and estimates and measures the impact of these developments on the Bank. Under the proactive risk management approach, the necessary analysis and evaluations are carried out for any areas that could contain elements of risk in the future; the related parties and the senior management are informed, and actions are implemented as necessary. In addition to the legal reports on risk management submitted to the BRSA, periodical and other reporting is carried out at a detailed level for the related departments, committees and the senior management in order to manage risks effectively. Compliance with the risk appetite structure determined at Board level, and with the limits determined within the scope of internal legislation, is monitored periodically and reported to the related parties and the senior management.

Necessary monitoring activities are conducted for all risk types identified Bank-wide. Details categorized by risk type are provided in the “Information about Risk Management Policies on the Basis of Risk Types” section.

Compliance Department

The Compliance Department operates to monitor compliance risk by effectively managing it within the framework of related legislation, regulations and standards while also creating awareness around the Bank.

Within the framework of the “Regulation on the Internal Systems and the Internal Capital Adequacy Assessment Process of Banks”, the Compliance Department performs the following activities: execution of the compliance control activities; within the scope of Legislation on the Laundering of Crime Revenues and the Prevention of Terrorist Financing, implementation of the Compliance Program for definition, measurement, reduction and monitoring of the risks within this scope; with a risk-focused approach, ensuring that necessary precautionary measures are taken to prevent the products and services offered by the Bank from being used for money laundering or financing terror; determination of working conditions for the countries on which sanctions have been imposed, within the framework of policies and applications aimed at the sanction decisions issued by National and International Organizations, regional powers and countries; ensuring that obligations under FATCA (Foreign Account Tax Compliance Act) and CRS (Common Reporting Standards) are fulfilled; coordination, monitoring and reporting of compliance work by following up legislative amendments; and the management of feedback received from the Ethics Line and the strengthening of Ethical Culture.

The Compliance Department consists of Products and Services Compliance Control, Fight against Money-Laundering and Foreign Legislation Coordination Services. As of 31 December 2016, the staff of the department consisted of 15 people. The department’s personnel hold CAMS, CERT (FinCrime), CIA, CCSA and CRMA certificates.

In 2016, training on “Prevention of Money-Laundering and Financing Terrorism” was provided to 5% of the personnel face to face and 40% of the personnel through distance learning. In the same period, 5% of the personnel received “Compliance and Ethical Principles Training” face to face and 72% of personnel participated in this training through distance learning.
