The internal audit, internal control and risk management activities at Ziraat Bank are carried out by the Board of Auditors and Internal Control and Risk Management Group, which have segregated duties and responsibilities, are organizationally independent from each other, but work under the coordination of Internal Systems Assistant General Manager Office.

Set up to cover all units, branches and the Bank’s subsidiaries subject to audit, the organization aims to ensure complete and secure pursuance of banking activities, realization of long-term profit targets, reliable financial and administrative reporting, and minimization of unexpected risks that might negatively affect the Bank’s reputation and financial stability.

Operation of the Internal Audit System
The Board of Auditors adopts a risk-focused approach to auditing and monitors the compliance of the activities carried out by all of the Bank’s head office units, domestic and international branches, and subsidiaries under its control with the law and other applicable legislation, as well as the Bank’s internal strategy, policy, principles and targets. The Board of Auditors keeps the Bank’s Senior Management informed and pursues its efforts in a manner to contribute to the decision-making processes of the Senior Management.

Having 184 members and working in line with the international internal audit standards, in 2014 the Board of Auditors audited and evaluated the effectiveness and efficiency of transaction steps that make up the primary processes, and the secondary processes, besides auditing the compliance of the Bank’s activities with the processes that they are governed under. In addition, the Bank’s IT Inspectors audited the processes set out in the Regulation on Bank Information Systems and Banking Processes published by the Banking Regulation and Supervision Agency (BRSA) in line with the Bank’s implementations.

• The Centralized Audit Team, which operates under the Board of Auditors and plays a key role by applying various scenario analyses to identify realized irregularities and by producing a dissuasive effect on possible irregularities in order to prevent them continued its activities in 2014.
• R&D team carried out activities for revising processes and legislation by closely monitoring business processes of Board of Auditors and the Bank’s all other units. Completed audit reports were analyzed and shared with related units if necessary. Laws, BRSA decisions, and changes that are proposed by the Bank’s senior management and Head Office units were closely monitored and audit points are kept updated by doing so.
• Scenario Team was formed in order to produce scenarios and offer quick and effective solution for the Bank by applying these scenarios in line with detecting deficiencies in the Bank’s processes, improving processes and increasing efficiency. This team carried out very important projects in 2014. Their works are offered to use of the Bank’s units and were helpful in taking several important actions.
• Central Audit Team which was formed to increase audit frequency of certain branch groups by monitoring them from the center continuously and which was formed to increase efficiency started its operations. In 2014, 244 branches were audited in line with the same principles that are applied to on-site audit.
• Management Declaration which was prepared to offer guarantee about effectiveness, adequacy and compliance of internal audit on information systems and banking processes; which was prepared for the first time in 2011 was offered to independent audit firm in January. With Management Declaration application, offering a guarantee regarding current situation and activities that are carried out is aimed by enabling Board of Directors to evaluate effectiveness, adequacy and compliance of the Bank’s internal audit on information systems and banking processes from the perspective of Information Systems Audit period.
• Information Systems and Banking Processes Audit Guide is prepared in line with Regulation on Bank Information Systems and Banking Processes Audit that will be Carried Out by Independent Auditors which was published on Official Gazette numbered 27461 and dated 13 January 2010.
• Risk points of branches are determined by giving weights- in certain periods- to each criteria that were set as a result of the Committee’s works. Risky branches were determined as a result of this work. These branches were prioritized in audit planning. (Branch Risk Work)
• Within the scope of Virtual Archive project, inspectors were provided with e-signatures. Reports are started to be signed with e-signatures and wet signature process was terminated.

The inspectors have the opportunity to conduct audit in different units periodically and thereby constantly build on their professional knowledge and experience; they were also given training at certain intervals to support their personal and professional development in 2014.

Inspectors are encouraged to take on administrative duties, thus continuing to supply qualified human resources to the Bank’s administrative personnel. In addition, 54 assistant inspectors who were hired in 2014 started to work.

As a result of The Board of Inspectors’ evaluation of organizational changes at the Bank, the modules introduced in lending decisions, and the systematic differences arising from the launch of centralized allocation structure, New Auditing Model that includes all business processes is started to be used. Results of the audit were presented to the all units of the Bank.

With Finding Follow-Up Mechanism, a consciousness of fulfilling/correcting deficiencies that are subject to findings within certain period is started to be created without satisfying only reporting these findings that were obtained during audit.

In the coming period, the Board of Auditors will continue to be guided by a high sense of responsibility and duty in the execution of the internal audit plan to be devised in line with the targets and policies determined by the Bank’s Senior Management and within the framework of the modern approach to auditing; in the reporting of their outcomes to the Board of Directors through the Audit Committee and in monitoring the precautions to be adopted based on audit reports.

Operation of the Internal Control and Compliance System
Internal control activities are organized in such a way to cover the activities of the Bank’s domestic and international branches and head office units under the Regulation on Banks’ Internal Systems and Internal Capital Adequacy Assessment Process and are constantly revised in line with the Bank’s requirements.

The scope and implementation of the approach are in line with the Bank’s main goals and strategies. After the change in risk perceptions and a new service model implementation, a proactive structure is adopted in accordance with the changes in the strategy and circumstances. Within this scope, the Bank made efforts for New Control mode and started to use this model. Thanks to this adopted proactive structure, the Bank’s operations are performed at higher standards than the sector norms in accordance with both domestic and international codes and competitive conditions.

Domestic branch controls are carried out on-site and from the center within the framework of program that is prepared each period according to risk status.

Internal control activities at all of our international branches are conducted in accordance with the annual control plans that are approved by our Committee.

The control intervals at head office units are determined in view of the units’ functions and risk exposure, their job descriptions and their impact on the Bank’s balance sheet, and are revised in line with the Bank’s needs.
The findings contained in the reports prepared following these activities are categorized under certain headings, and are shared with relevant units and the Senior Management.

In 2014, on-site Internal Controllers continued to conduct examinations regarding matters established during the control activities and which were deemed to require further examination. The necessary action to be taken by the Bank based on the preliminary examination reports was taken and transactions which were suspected of being subject to abuse were shared with the Board of Auditors in order to ensure that the necessary examinations/investigations were undertaken.

In addition to the above, compliance control activities are also carried out by the internal control function within the framework of Article 18 of the Regulation on the Banks’ Internal Systems and Internal Capital Adequacy Assessment Process. Accordingly, all past or planned activities of the Bank, as well as new products and transactions are checked for compliance with the Law and other applicable legislation, internal policies and guidelines, and established banking practices. Furthermore, regulations that are issued or modified by the Bank are also reviewed within the scope of compliance controls and resulting opinions are shared with the related units.

Besides control activities, recommendation reports continued to be issued, which are aimed at improving the processes related to the activities carried out at the Bank by Internal Controllers and at prevention of possible risks. The objectives of this implementation are to prevent risks by identifying them in advance, improving processes so as to achieve alignment with the competitive environment and customer satisfaction, and taking cost saving measures.

Internal Controllers are encouraged to take on administrative duties, thus continuing to supply qualified human resources to the Bank’s administrative personnel.

Operation of the Risk Management System
The fundamental approach to risk management activities carried out at the Bank is to achieve the best possible practices in risk management functions by inculcating a culture of risk-awareness throughout the Bank and by continuously improving both the system and the human resources according to Regulation on the Banks’ Internal Systems and Internal Capital Adequacy Assessment Process.

The utmost attention is taken towards ensuring that the risk management activities undertaken are conducted with the coordinated participation of all units that are involved in every activity associated with each category of risk. Risk management activities cover the main headings of credit risk, market risk, operational risk and balance sheet risks (interest rate risk arising from banking accounts and liquidity risk), and have the ultimate objective of achieving compliance with international best practices.

Under credit risk management activities, work is undertaken to define, measure, monitor and report credit risk, employing methods that are in alignment with Basel II. In this context, legal reporting process started using the Basel II Standardized Method from 1 July 2012. The amount of credit risk is reported to the BRSA each month on a solo basis and quarterly on a consolidated basis.
Efforts are ongoing at the Bank to measure the creditworthiness in connection with advanced measurement methods. Accordingly, work is being carried out on the outcomes of scoring models used for different loan portfolios. Validation is carried out using statistical methods to measure the accuracy and performance of these scoring models. Furthermore, credit risk limits that are approved by the Board of Directors are monitored, and work is in progress to conduct scenario analyses and stress testing for the non-performing loans ratio. Methods that are in alignment with Basel III have been prepared and will be implemented in the new operational year.

Under the operational risk management activities, operational risks are defined, classified, measured and analyzed. These analyses are supported with stress tests. Moreover, operational risk limits that are approved by the Board of Directors are followed periodically. The operational risk loss database in the Finart environment allows incidents of operational risk to be tracked. Risks arising from information technology and actions taken are followed up. An Operational Risk Map is being prepared for use in the Internal Control audit program for the purpose of establishing the risk levels of the Bank’s branches. In addition, risk exposure assessments are conducted for companies providing outsourced support services within the framework of the BRSA’s regulations in force.

Within the scope of market and balance sheet risk management activities, market risk, liquidity risk, and interest rate risk arising from banking accounts are measured, analyzed, limited, reported and monitored, and the analyses conducted are supported through stress tests. In addition, market and liquidity risk limits which are approved by Board of Directors are followed periodically. In line with Basel III regulations, Liquidity Coverage Ratio was started to be calculated pursuant to BRSA regulation. Within the scope of market risk, backward test analyses are carried out for internal models that are used.

To determine the amount of shareholders’ equity that is aligned with the loss our Bank may sustain due to its risk exposure, a capital adequacy assessment is conducted using the economic capital approach and the results are reported to the senior management.

The results of the analyses conducted under risk management activities and the risk indicators are reported to the Board of Directors and our Committee at six month intervals and to the executive units and internal system units at monthly, weekly and daily intervals.

The new operating period will be marked by continued activities under all risk categories on the basis of internationally accepted advanced risk management techniques, as well as execution of these activities as an integral part of the Bank’s strategic decision making processes.

Feyzi ÇUTUR Member of the Audit Committee	Muharrem KARSLI Chairman of the Board of the Directors Member of the Audit Committee