The Audit Committee’s Assessment of Internal Audit, Internal Control, Risk Management and Compliance Functions; Committee Activities During the Reporting Period

In accordance with its roles within the scope of legislation, the Audit Committee continued to oversee whether the internal audit system covers the Bank’s current and planned activities and risks arising from these activities by reviewing the effectiveness and adequacy of internal systems, processing of accounting and reporting systems in line with the related regulations, integrity of information produced and the internal audit plans. In this context, the Audit Committee monitored and evaluated the activities of the internal systems regularly throughout the year. At the same time, it continued to monitor the activities of external audit, valuation and other support companies selected by the Board of Directors and assess the independent audit findings. In this context, the Audit Committee convened 8 times in 2023 with the participation of internal systems managers and, when necessary, relevant business group leaders. In addition, 2 meetings were held with the members of the Advisory Committee. The Committee informed the Board of Directors about all its activities, evaluations, external audit and evaluation companies, support service providers and other issues.

Internal Audit (Board of Auditors)

The Board’s fundamental objective is to provide independent and impartial compliance and consultancy services that safeguard the activities of the Bank and its affiliates subject to consolidation and generate added value. Operating within currently applicable laws and related external regulatory frameworks, and the Bank’s own strategies, policies, principles and targets, the Board provides assurance to the Senior Management concerning the effective and sufficiency of the Bank’s internal control, risk management systems and governance processes. The Board aims to help the Bank reach its targets by introducing a systemic and disciplined approach in order to evaluate and improve related systems. The Board of Auditors is responsible for performing audits, inspections and investigations on behalf of the Board of Directors.

Within the scope of the 2023 audit plan, audit activities were conducted in various selected branches and units in the Head Office based on the risk-oriented audit approach. In addition, audits into the information systems were maintained by IS inspectors. In addition, various process and compliance audits were carried out, taking into account the developments in the legislation and the Bank’s strategies.

Along with the said audit studies, detailed examinations were made within the scope of the Management Statement regarding the effectiveness, adequacy and compliance of the Bank’s information systems controls and business process controls.

In accordance with the Communiqué on Compliance with Interest-Free Banking Principles and Standards, matters related to the execution of bank activities in accordance with the principles and standards of interest-free banking and the resolutions of the Advisory Committee are also considered as an integral part of all audit activities. Audit results were periodically reported to the Audit Committee and the Board of Directors.

As a result of the audit activities, incomplete and improper applications are reported to the Audit Committee and their completion statuses are monitored.

Quality assurance and development studies are carried out regarding the execution of internal audit activities in accordance with International Internal Audit Standards and Code of Ethics. Internal audit activities are evaluated within the scope of independent quality assurance studies, at a maximum of every five years. In addition, self-evaluation studies are carried out by the Board of Inspection.

Detailed training programs were prepared to increase the level of knowledge of inspectors as well as raising their personal development to the highest level. Accordingly, internal and external training was provided.

As of 31 December 2023, the staff of the Board of Auditors comprised of 45 persons.

Internal Control and Compliance Directorate

Internal Control and Compliance Directorate continues its activities under four functions consisting of two departments and two separate services. Employees of the Directorate own certificates such as CICP, CCSA, CRMA, PSM I, SEGEM, SPL 1, SPL 3, Derivative Instruments, Individual Pension Intermediary, Information Systems Independent Audit, Corporate Governance and Credit Rating licenses and Competition Law, Non-Interest Banking Principles and Standards Compliance and Audit Certificates based on their operational areas.

As of 31 December 2023, Internal Control and Compliance Directorate consist of 40 employees.

The Internal Control Department is responsible for overseeing all aspects of Türkiye Finans’ organization and activities, to ensure that the Bank’s business is conducted effectively, productively, and in a manner consistent with the requirements of the Banking Law and regulations, the Bank’s own policies and rules, and ordinary banking practices; and also for ensuring the reliability, integrity, and timely accessibility of the accounting and financial reporting systems and of the information contained therein. The Internal Control Department reports directly to the Board of Directors and provides information to the Bank’s senior management.

Another function of the Internal Control Department is to develop early warning systems capable of identifying risks in advance and taking measures accordingly. The Internal Control Department conducts its activities through four main activity areas: Head Office Control, Branches Control, Information Systems and Compliance Checks, and Reporting, Quality and Inquiry Development.

On-site and distant control activities were conducted in the branches within the scope of the 2023 control plan. At the same time, deficiency analysis, control design and test activities, as well as inquiry investigations including controls within the scope of board’s declaration were conducted in the units of the Head Office. As a result of the audit activities, incomplete and improper applications are reported to the Audit Committee on a quarterly basis, and their completion statuses are monitored. Detailed training programs were prepared to increase the level of knowledge of the internal control personnel, as well as raising their personal development to the highest level. Internal and external training was provided accordingly.

The Participation Banking Compliance Department conducts operations to establish a corporate structure in line with the principles and standards of participation banking and to implement the structure effectively, managing the process of organizing and signing the minutes of meetings within the scope of the secretariat activities of the Advisory Committee, ensuring coordination between the Bank and the Turkey Association of Participation Banks (TKBB), answering questions from both within and outside the bank with respect to existing and new products or applications, providing participation banking training to personnel within the scope of the training planned by the Bank, the examination of intra-bank legislation and documents within the scope of compliance activities with participation banking principles and standards, transferring the decisions of the Central Advisory Board and Bank Advisory Committee operating within the framework of the TKBB to the relevant documents and providing feedback to document owners for the creation of checkpoints, informing the Board of Directors and relevant departments and staff of the principles and standards of interest-free banking, as well as the decisions of the Advisory Committee and their possible consequences, and ensuring that the necessary work is carried out in the bank.

The Ethics and Regulations Services works to ensure that maximum contribution is being provided for the continuous management of the Bank’s operations in line with regulations, legislation and ethical principles in terms of their structure and functioning. In this context, following up of developments in regulations, informing of the Bank management and related units, publication of regulatory newsletters, coordination, monitoring and reporting of compliance activities to changes in legislation are being carried on. In addition, controlling of the Bank’s planned operations, new products and services, changes in existing products and services, advertising activities, communication of findings, opinions and ideas related with these are among the unit’s operations. Management of calls to the Bank’s Ethics Hotline, developing ethics culture within the Bank and conducting awareness and training activities to accomplish competition compliance activities are among its significant responsibilities. In 2023, remote “Compliance and Ethical Principles Training” was provided to newly recruited personnel and 95% of the existing bank personnel, and 92% of the existing bank personnel were provided with “Competition Law Compliance E-Training” within the scope of Competition Law compliance studies. The training of the remaining employees continues.

Risk Management

The Risk Management organization is responsible for the central management of risks that are likely to be encountered through effective coordination across the Bank. The main purpose of Risk Management system is to identify, measure, report, monitor and check risks on a consolidated and unconsolidated basis through policies, implementation procedures and limits set in accordance with the nature and magnitude of the Bank’s activities based on its risk-return profile, as well as the determination of the overall capital requirement relative to the risk profiles.

The Bank aims to achieve the following targets by implementing effective risk management strategies and policies:

  • Instilling a common risk culture across the Bank,
  • Establishment of risk limits and effective management of implementation procedures,
  • Increasing the asset quality of the Bank,
  • Ensuring the Bank fulfills its obligations,
  • Determination of the Bank’s risk appetite in a manner consistent with its strategies, goals and activities,
  • Determination of the Bank’s capital level in accordance with risk appetite.

The Risk Management system is a process within which all units of the Bank are involved. The basic issues regarding effective Risk Management processes are;

  • Effectively managing the risks which the Bank is exposed to on the basis of materiality. To possess a centralized and integrated risk management structure that includes all important risk aspects,
  • Managing the existing and potential risks from the very beginning with the help of directional risk strategies, policies and procedures, models and parameters,
  • Ensuring that a risk-focused management approach is adopted in the strategic decision-making processes,
  • Fulfilling legal obligations in the field of risk management,
  • Being open to change and development in accordance with dynamic market conditions.

As of 31 December 2023, the Risk Management Center consisted of 23 staff. In order to promote the personal and professional development of the personnel, it is ensured that personnel participate in internal and external training programs, conferences and seminars. As a result, their practical knowledge level in the field of risk management has increased continuously.

Risk management activities carried out during 2023 are classified and summarized below.

Identification and Measurement of Risks

Processes, other related legislation and internationally accepted standards are identified, measured, reported and monitored under the main titles of credit risk, market risk, liquidity risk, operational risk and other risks by considering the best implementations. Within this scope, in accordance with the relevant legal regulations and best banking practices, risk management processes are being established and updated. The Bank’s risk management system is reviewed within the framework of the strategy, policy and implementation procedures, legislative amendments and the Bank’s needs. The Bank’s risk management is reviewed at least once a year and updated as and when necessary. Within this scope, risk management policies, procedures and processes were reviewed in 2023 and following documents were updated with the approval of the Board of Directors/Related Parties;

  • Risk Policies
  • Risk Management System Policy
  • ICAAP Policy
  • ICAAP Procedure
  • Türkiye Finans Anti-Fraud Management Policy
  • Market Risk Management Procedure
  • Stress Test Program Procedure
  • Operational Risk Management Procedure
  • Credit Risk Management Procedure
  • Internal Rating Models Development Procedure
  • Model Validation and Monitoring Procedure
  • ICAAP Process
  • Risk Reporting Process
  • Operational Risk Management Process
  • Support Services Risk Management Program

In addition, risk opinions are formed by carrying out risk and impact evaluations upon monitoring the changes in internal policies, the procedures and work flows of the Bank and new activities, channels or product designs.

Within the scope of the “Regulation on the Support Services of Banks”, the Risk Management Program is presented annually through the Audit Committee to the Board of Directors. In addition, within the scope of the regulation, a risk opinion is established in line with the “Risk Analysis” and “Technical Competency Reports” and Legal and Loans departments’ opinion submitted by the related units, and also taking into account information security, KVKK (Personal Data Protection Law), Compliance, Fraud assessment. The Audit Committee’s view is sought by submitting the risk opinion and reports to the Audit Committee.

Türkiye Finans utilizes statistical risk measurement and rating systems which are developed individually for all customer and credit types to effectively measure and manage risks. These systems are regularly monitored and their validation activities are carried out. Remedial actions are taken if necessary. Model validation and monitoring activities are being conducted to carry out an independent review to guarantee that the developed models were reliable, fit for purpose and complied with internal and external regulations.

Risk Monitoring and Reporting

The Risk Management Center Directorate estimates and measures the impact of these developments on the Bank by closely monitoring economic, political, sociological and cyclical developments and intra-bank changes. With the proactive risk management approach, the related parties and the senior management are informed and actions are implemented as required by carrying out necessary analysis and evaluations into any areas which could include the elements of risk in the future. In addition to the legal reports on risk management submitted to the BRSA, periodical and other reporting is carried out for the related departments, committees and the senior management at a detailed level in order to manage risks effectively.

Compliance with the risk appetite structure determined at a Board level or with the limits determined within the scope of internal legislation is reported to the related parties and the senior management by monitoring compliance periodically.

Necessary monitoring activities are conducted for all risk types identified in connection with the Bank. The details are categorized into risk types and provided in the “Information about Risk Management Policies on the Basis of Risk Type” section.