Internal audit, internal control, and risk management activities at Ziraat Bank are performed by the Board of Inspectors, the Internal Control & Compliance Department, and the Risk Management Department. These units’ duties and responsibilities, which are strictly segregated from one another, are coordinated by the Assistant General Manager for Internal Systems.

This organization is structured so as to embrace all Bank units and branches as well as Bank-owned subsidiaries subject to the Bank’s oversight. Its purpose is to minimize any risks that might adversely affect the thoroughgoing and secure conduct of banking operations, the fulfillment of long-term profit targets, the reliability of financial and administrative reporting, and/or the Bank’s reputation and financial stability.

Internal Audit System
The Board of Inspectors takes a risk-focused approach in the fulfillment of its responsibilities to ensure that the activities and operations of the Bank’s headquarters units, domestic and international branches, and subsidiaries comply with the requirements of laws and regulations and are compatible with the Bank’s own strategies, policies, principles, and objectives. The board conducts its activities in such a way as both to keep the Bank’s senior management informed and to contribute to their decision-making processes.

The Board of Inspectors has 139 Bank inspectors on its staff. The board conducts its activities in line with internationally-accepted internal auditing standards. Besides checking the Bank’s operations for their compliance with statutorily mandated procedures, in 2017 the board also reviewed and assessed the effectiveness and efficiency of the transaction procedures involved in both primary and secondary processes. In addition, processes governed by Banking Regulation and Supervision Agency (BRSA) regulations pertaining to information systems and banking processes were also audited in line with the Bank’s own practices.

Board of Inspectors activities in 2017:

• The Central Audit Team continued its intensive operations in 2017 by performing scenario analyses which are influential in preventing irregularities from being committed. The team reviewed the effectiveness of its existing scenarios and developed new ones to cope with the possible abuses made possible by newly-introduced business processes. It has also continued to develop systematic procedures aimed at minimizing risks arising from the remaining manually-conducted processes involved in internal audit.
• The R&D Team kept a close watch on all of the Bank’s other business units, revised and kept the auditing module up to date in light of changes in business processes and the regulatory framework, and modified auditing points as made necessary by laws, BRSA decisions, and changes demanded by Bank’s senior management and headquarters units.

Improvements also continued to be made in all processes from the development of an auditing index to the monitoring of audit findings. Systemic changes that make it possible for inspection findings concerning critically important transactions to be drawn to the attention of business units increased the effectiveness of the finding follow-up process and had a beneficial impact on the overall percentage of findings subjected to corrective action.

• The recommendations that inspectors in the field included in their reports or made with respect to a particular transaction or practice were also circulated among the business units concerned and the outcomes of such recommendations were observed.
• A Global Auditing Module project that is aimed to be implemented at all Ziraat Finance Group members was initiated at Ziraat Bank in the last quarter of 2015. Work on this module’s operating system and the task analyses for adapting it to different banking systems continued in 2017. The project of which a pilot implementation has been implemented at ZiraatBank BH d.d., is targeted to be launched in 2018.
• The Inspection Scenario Team that was set up and charged with formulating scenarios both to identify shortcomings in bank processes and to develop and improve the effectiveness of such processes and with submitting these scenarios to the appropriate business unit so as to ensure that speedy and effective solutions for dealing with them are devised throughout the Bank continued to operate in 2017. The actions business units took and the improvements they made with respect to these scenarios were closely monitored.
• During 2017, the Central Inspection Team that was set up to increase the frequency and effectiveness of inspections by constantly and centrally monitoring designated branch groups performed centralized inspections on 212 of the Bank’s branches in accordance with the same criteria employed for on-site inspections.
• The Data Security team, which operates with the intention of protecting the confidential information of customers and the Bank, continued to work in 2017 as well.
• The practice of recruiting qualified human resources for the Bank’s administrative staff by allowing inspectors to transfer to such positions continued in 2017.

In keeping with its strong sense of responsibility and awareness of its duties, the Board of Inspectors will continue to execute the internal auditing plan in line with goals and policies set forth by Ziraat Bank’s senior management and within the framework of current auditing approaches, to report its findings to the Board of Directors through the Audit Committee, and to observe what action is taken on the basis of its reports.

Internal Control & Compliance System
Internal control activities at Ziraat Bank are structured so as to embrace the operations of all headquarters units and of all domestic and international branches as required by BRSA’s “Regulation on bank internal system and intrinsic capital adequacy assessment processes”. Such activities are conducted so as to be compatible with the Bank’s primary objectives and strategies from the standpoint of their scope and methodology; however a proactive approach is adopted in order to more readily accommodate changes in strategies and conditions arising from altered risk perceptions and from the changeover to a new service model.

Work has been finalized on the Control Model that was introduced and put into effect: it is no longer just a reporting model but one that requires action to be taken. The goal of this more proactive structure is to help ensure that Ziraat Bank’s operations exceed sectoral norms and that they are conducted in a manner that is compatible with both internal and external regulations as well as with the demands of competition. Domestic branch checks are performed both on location and centrally within the framework of a program that is prepared taking into account branches’ current levels of risk exposure. Control functions, which for the most part are structured so as to be technology-intensive and centralized, are intended to ensure that commonly-occurring mistakes are quickly corrected at the appropriate business-unit level.

Taking full advantage of the improvements in the Bank’s technological infrastructure, the Ziraat Bank Instant Control Project is unique in the Turkish banking industry. This system is now being used to check operational transactions and their accounting in real time. Transactions are evaluated in light of specific scenarios and if a transaction is deemed to be in error, it can be corrected the same day. Based on the principle of preventing errors and omissions from occurring when assets and liabilities are recorded and subsequently being used as input for financial reporting, the Instant Control System has become an integral part of the Bank’s day-to-day activities because of the significant improvement in operational effectiveness that is achieved by checking transactions immediately rather than in retrospect.

Headquarters unit control cycles are determined taking into account the units’ functions, potential risks, terms of reference, and impact on the Bank’s balance sheet. These cycles are revised as needs may require.

Internal control operations at Ziraat Bank branches located outside Turkey are carried out in line with control programs that are prepared for each year.

The findings ascertained as a result of all of these activities are periodically circulated among appropriate business units and the members of senior management.

Besides performing their internal control functions in 2017, internal control personnel also continued to prepare and issue reports containing suggestions of ways to improve existing processes at the Bank and to mitigate the risks inherent in them. The aim of this practice is to preclude risks by spotting them in advance, to make the Bank more competitive by improving its business processes, and to increase customer satisfaction while also taking measures to cut costs.

As a result of a complete change in the internal controller recruitment process, Ziraat Bank began recruiting such personal from among its existing personnel in 2015. This application continued also in 2017. By taking advantage of the Bank-specific knowledge and experience that employees already have and thereby accelerating their adaptation to the department’s work processes, this procedure significantly reduced the time it takes to train new internal controllers. One natural outcome of this is that they have also become more productive in their new duties sooner. The other is that the Bank’s business processes benefit significantly from their banking and field experience. The practice of recruiting qualified human resources for the Bank’s administrative staff by allowing internal control personnel to transfer to such positions continued in 2017.

In addition to such matters, compliance reviews were also carried out by internal control personnel as required by article 18 of BRSA Regulation on bank internal system and intrinsic capital adequacy assessment processes. In the course of these reviews, all operations conducted or planned by the Bank as well as new transactions and products are checked to be sure that they comply with laws and regulations, with the Bank’s own policies and rules, and with generally-accepted banking practices. During such compliance reviews, existing Bank-internal rules and proposed changes in them are also examined and views concerning them are circulated among appropriate units.

The obligations set out in the legislation published under the Prevention of Laundering of Proceeds from Crime and Financing of Terrorism, principally in Law No. 5549 on the Prevention of Laundering Proceeds of Crime, are fulfilled by the Compliance Service Authority. The activities carried out within the scope of the Compliance Program prepared in this context have been carried out in accordance with national and international regulations.

The risk management, monitoring and control activities are carried out effectively through the software used in compliance service management and through the modules included in the main banking program and within the framework of the customer identification principle. In order to increase awareness of the work in the prevention of laundering proceeds of crime and financing of terrorism, all personnel were provided with in-class training or distance learning. In addition, a “Ziraat Compliance Workshop” was held for compliance officers at Ziraat Bank’s branches and subsidiaries in order to ensure effective management of global compliance activities, and to ensure that all Ziraat Finance Group acted on the same compliance policy, while adopting a common risk perception concept.

Risk Management System
Ziraat Bank risk management activities are conducted subject to the requirements of BRSA’s Regulation on bank internal system and intrinsic capital adequacy assessment processes and other pertinent regulations as well as of BRSA Best Practices Guidelines. They are carried out with the aim of aligning the Bank’s risk management functions with best practices by fostering a risk culture throughout the entire and constantly improving system and human resources. The principal risk categories are defined as “Credit Risk”, “Market Risk”, “Operational Risk”, and “Balance Sheet Risks”, the last including the interest rate risks and liquidity risks to which the Bank is exposed on account of its banking business operations. Care is given to ensure that all activities related to risk management system are coordinated through the involved participation of the operational branches with which each type of risk is associated.

Under the heading of credit risk management, Basel III-compatible methods are used to define, measure, monitor, and report credit risk. The Bank has been calculating its core credit risk exposure and reporting it monthly on the basis of its solo and consolidated accounts to BRSA ever since this practice was mandated by law as of 1 July 2012.

At Ziraat Bank, credit limits approved by the Board of Directors are monitored and scenario analysis and stress tests are carried out by applying various shocks to credit risk factors. Counterparty Credits are measured for counterparty risk. In addition, with the participation of different units within the scope of Credit Risk Management Project with advanced methods, studies are being carried out to calculate credit risk based on internal rating and to use its outputs in different areas. The calculation of the GAP analysis phase of the project, and the modeling of the risk parameters and data architecture to be used to calculate the volume of risk weighted assets, has been completed. Work on the preparation of the dataset is ongoing.

Under the heading of market risk management, such risk is measured, analyzed, reported, and monitored. Analyses are supported by conducting stress tests. Risk measurements are performed on all accounts whose inclusion in the Bank’s capital adequacy ratio calculation is mandatory as well as by means of the “value-at-risk” (VaR) methodology. The results of VaR measurements are validated by means of backtest analyses. The values on which market risk is calculated are periodically reviewed and compared with of Board of Directors-approved limits while senior management is kept informed about the results of mandatory and internal limit monitoring.

Under the heading of operational risk management, the operational risks to which the Bank is exposed are defined, classified, quantified, and analyzed. Operational risk limits approved by the Board of Directors are also monitored at regular intervals. The operational risk loss database in the Fin@rt environment allows actual instances of operational risk to be tracked.

Amount subject to Operational Risk is calculated using the Basic Indicator Approach pursuant to the Regulation on the Measurement and Assessment of Capital Adequacy of Banks. Information technology risks and associated actions are followed up. Risk exposure assessments are conducted for companies providing outsourced support services as required by current BRSA regulations, business continuity activities are supported by way of business impact analysis, and analyses for portfolio custodian services database are carried out

Under the heading of balance sheet risk management, liquidity and interest rate risks arising from banking business accounts are measured, analyzed, delimited, reported, and monitored. Analyses are also supported by means of stress tests. The work on liquidity risk at Ziraat Bank takes into consideration best practice guides, and Time to Maturity Analysis is conducted to oversee the maturity composition of the Bank’s balance sheet; Liquidity Gap and Structural Liquidity Gap Analyses to classify assets and liabilities items according to their respective times to maturity and to determine the gap amount; and Liquidity Stress Test to assess the Bank’s liquidity needs in the worst case scenario and the loss resulting therefrom. In addition, the Bank follows up the renewal rates of deposits that make up the Bank’s key funding source on a daily basis, and performs core vs. volatile deposits analyses using the deposit renewal analysis.

For monitoring the interest rate risk stemming from the banking accounts, Ziraat Bank periodically conducts Repricing Gap (GAP), Duration, Net Interest Income Analyses and Interest Rate Shock Reduction in Value Analyses. Used for monitoring the interest rate risk arising from the banking accounts, the Repricing Gap Analysis separates balance sheet items in terms of their cash flows with respect to their respective time to repricing, thus allowing to monitor any mismatches among the repricing times of assets and liabilities with the help of gap amounts aggregated by maturity groups.

The liquidity risk limits as may be approved by the Board of Directors are also monitored at regular intervals. The results of mandatory and internal limit monitoring and of liquidity and interest rate gap analyses are circulated among appropriate units for presentation at Asset & Liability Committee (ALCO) meetings.

Besides the stress test analyses that are the subject of periodic reporting within the Bank, year-end Stress Test and Internal Capital Adequacy Assessment Process (ICAAP) reports are also prepared and sent to BRSA. In the latter reports, the Bank’s capital adequacy is analyzed over the next three-year period on the basis of a set of Base/Negative/Overly Negative scenarios not supplied by BRSA.

The results of the risk management analyses and the associated risk indicators are reported to the Board of Directors and to the Audit Committee at six-month intervals and to the Senior Management on a daily, weekly, and monthly basis.

Ziraat Bank will continue to make use of internationally-recognized advanced risk management techniques in order to carry out its risk management activities for all risk categories and to make such risk management an integral part of its strategic decision-making processes in the future as well.

Muharrem KARSLI Chairman of the Board Audit Committee Member	Feyzi ÇUTUR Audit Committee Member