Financial Information and Risk Management
The Audit Committee's Assessment of the Effectiveness of Internal Audit, Internal Control, Compliance, and Risk Management Systems
Internal audit, internal control, compliance and risk management activities within the Bank are carried out by the Audit Board, Internal Control Department, Compliance Department and Risk Management Department, which operate under the Head of Internal Systems Group and perform their duties under the supervision of the Audit Committee.
The organisational structure, established to cover all units and branches as well as subsidiaries subject to audit, aims to ensure that:
- The Bank's activities are conducted securely in line with applicable legislation, policies, principles and strategic objectives,
- The objective of sustainable profitability is achieved,
- Financial and administrative reporting is carried out in a timely, complete and reliable manner,
- The Bank's legal, reputational and financial risks are identified, measured, reported and monitored, and that such risks are effectively controlled and minimised.
In order to enhance the personal and professional development of internal systems personnel, participation in internal and external training programmes, conferences and seminars is supported, ensuring the continuous improvement of their practical knowledge and competencies.
Functioning of the Internal Audit System
The Audit Board audits whether the activities carried out by all units of the Bank, as well as its domestic and overseas branches and subsidiaries, are conducted in compliance with applicable laws and other relevant legislation, as well as the Bank's internal strategies, policies, principles and objectives. Within the framework of a risk-based audit approach, the Audit Board evaluates the effectiveness and adequacy of the internal control and risk management systems. By informing executive management, the Audit Board continues to perform activities that contribute to management's decision-making processes.
In accordance primarily with the Banking Law, as well as the BRSA's Regulation on Internal Systems and the Internal Capital Adequacy Assessment Process of Banks, the Regulation on the Independent Audit of Information Systems and Business Processes, the Regulation on Banks' Information Systems and Electronic Banking Services, the Communique on Compliance with Participation Banking Principles and Standards, other relevant legislation, and the Bank's internal regulations, the Bank's activities, business processes and transactions have been evaluated by the Audit Board in terms of accuracy, effectiveness and efficiency.
The activities carried out by the Audit Board in 2024 are presented below.
When preparing the 2024 internal audit plan, the provisions of the BRSA's Regulation on Internal Systems and the Internal Capital Adequacy Assessment Process of Banks regarding "risk-based audit" and the "internal audit plan" were taken into consideration. In conducting risk assessments related to the risks faced by the Bank's activities and the related controls, the Audit Board obtained information and data from the relevant Head Office units and consulted the opinions of managers. Based on the data and opinions obtained, a risk assessment report and risk matrix were prepared. Accordingly, the units, branches and business processes, information systems processes and other audit activities to be included in the internal audit plan were determined.
Audits of branches, business processes, information systems, Head Office units, outsourced/support service providers and other audit activities included in the internal audit plan have been completed. In line with the provisions of the BRSA's Regulation on Internal Systems and the Internal Capital Adequacy Assessment Process of Banks regarding "internal audit reports", the internal audit activities conducted by the Audit Board and their results were included in quarterly reports.
Inspection and investigation activities that could not be foreseen within the audit plan due to their nature were conducted diligently and in detail upon identification or notification of the relevant cases to the Audit Board. The reports prepared as a result of these activities were submitted to the relevant Head Office units and competent authorities.
The 2024 management declaration prepared to provide assurance on the effectiveness, adequacy and compliance of controls over information systems and business processes was supported by attaching reports on business process audits, information systems audits and audits of outsourced/support service providers.
During the audits carried out by the Audit Board, audits of compliance with participation banking principles and standards were also performed. The results of these audits and the actions taken regarding the findings were discussed at two meetings held jointly by the Audit Committee and the Advisory Committee.
System enhancements have been completed to enable end-to-end execution of information systems and business process audits through the audit application used in branch audits, and as of 2025, information systems and business process audits will also be carried out through this application. In line with legal regulations, decisions of the BRSA and the Central Bank of the Republic of Türkiye, as well as changes envisaged by the Bank's Executive Management and Head Office units, audit checkpoints within the application are regularly updated.
Centralised audit activities aimed at detecting potential irregularities continued in 2024 through scenario-based analyses and controls. The number and diversity of scenarios were increased, thereby expanding the scope of such audits. Efforts have been initiated to integrate artificial intelligence technologies into centralised audit processes. This will enable faster and more effective identification and examination of a greater number of potential irregularities in transactions carried out by branches. Development efforts are ongoing to enable end-to-end execution of centralised audit activities through the audit application, with implementation targeted for the first quarter of 2025.
The Bank's Assistant Inspector recruitment exam resulted in 20 candidates being successful, 16 of whom are currently enrolled in the Master's Program at Ankara University Banking School. The remaining four Assistant Inspectors, who had completed this program earlier, commenced their duties in August. In order to enhance the knowledge level of the existing staff, regular in-house and external training programs have been organized.
In the forthcoming period, the Audit Board will continue to execute the internal audit plan to be prepared in line with the objectives and policies determined by executive management, report the results of audit activities to the Board of Directors through the Audit Committee, and monitor the implementation of actions to be taken based on audit reports, with a strong sense of responsibility and duty.
Functioning of the Internal Control System
The activities of the Internal Control Department have been structured in line with the Bank's strategic objectives and policies, and in compliance with applicable legislation, covering branch controls, centralised controls, Head Office unit controls, information systems controls and participation finance compliance activities. A proactive structure has been adopted in order to ensure timely adaptation to changing strategies, risk perceptions and conditions. The purpose of internal control activities is to safeguard the Bank's assets, ensure that activities are carried out effectively and efficiently, and maintain the reliability and integrity of the accounting and reporting system, as well as the timely availability of information. In accordance with Article 9, paragraph 3 of the Regulation on Internal Systems and the Internal Capital Adequacy Assessment Process of Banks, which states that "the internal control system shall be structured to cover the Bank's domestic and overseas branches, Head Office units, subsidiaries subject to consolidation and all activities," the Bank's internal control system has been designed to encompass Head Office units, domestic and overseas branches and consolidated subsidiaries.
Consideration the opening dates of newly established branches, the periodic risk levels of existing branches and the dates of the most recent reports. Within this framework, branch control activities have been conducted through on-site, remote and centralised control practices. During the branch internal control activities, branch personnel have been continuously informed in order to enhance risk and control awareness and to prevent losses arising from operational risks.
Centralised control activities have contributed to the establishment and development of an internal control culture and internal control system across the Bank, as well as to the prevention and mitigation of potential risks through early action, and to the continuous monitoring function. In 2026, further development of centralised control processes will continue in order to enhance the proactivity, effectiveness and efficiency of internal control activities.
In order to increase the effectiveness and efficiency of control activities, branch control activities are carried out through the control application. This application has supported the conduct of the Bank's activities in compliance with both internal and external regulations and competitive conditions.
Control activities carried out within Head Office units are structured by taking into account national and international regulations, the Bank's internal policies and procedures, banking practices, the functions of the relevant units, the risks they carry, their impact on the Bank's balance sheet and their respective job descriptions.
Internal control activities have been carried out to ensure functional segregation of duties within the Bank, the allocation of responsibilities, the establishment of accounting and reporting systems, information systems and internal communication channels to operate effectively, and the preparation of workflow diagrams illustrating the control points and process steps within the Bank's business processes.
Research and development activities are being conducted to enable centralised internal control activities to be performed in real time through technology-oriented solutions and to allow relevant business units to take faster action regarding widespread deficiencies.
Actions continued in 2025 to improve the processes related to the Bank's activities, establish control points to be followed and implemented by personnel at all levels, enhance the effectiveness of controls over processes, prevent potential risks, ensure customer satisfaction and implement cost-reducing measures.
In addition, all activities carried out or planned by the Bank, as well as new transactions and products, are reviewed for compliance with applicable laws and regulations, the Bank's internal policies and procedures, and banking practices. Within the scope of compliance controls, internal regulations established or amended within the Bank are also reviewed, and the resulting opinions are shared with the relevant business units.
In order to contribute to the professional development of internal controllers, participation in various training programmes was supported during the year, and internal controllers contributed to training activities provided to Bank personnel in order to increase organisation-wide awareness of internal control activities.
Within the scope of the Participation Finance Compliance Communique, the Advisory Committee Secretariat and compliance activities were carried out effectively and efficiently by the Advisory Committee Coordination Unit operating under the Internal Control Department, and the activities performed in this context were shared with the relevant business units.
As a result of all these activities, the findings obtained have been periodically shared with the relevant business units and executive management of the Bank.
Functioning of the Compliance System
Activities aimed at preventing money laundering, the financing of terrorism and the proliferation financing of weapons of mass destruction are carried out in the Bank in accordance with national and international regulations.
Within the scope of compliance activities, compliance controls have been performed in line with Article 18 of the Regulation on Internal Systems and the Internal Capital Adequacy Assessment Process of Banks. In addition, within the framework of compliance activities, Bank personnel are promptly informed of amendments to laws, relevant legislation, as well as internal policies and procedures.
All activities carried out or planned by the Bank, as well as new transactions and products, are reviewed to ensure compliance with national and international legislation, the Bank's internal policies and procedures, and established banking practices. Within the scope of compliance controls, internal regulations established or amended within the Bank are also reviewed, and the resulting opinions are shared with the relevant business units.
With the rapid digitalisation driven by technological developments in banking processes, criminal organisations have also increased their use of technology and begun to employ more sophisticated tools in order to utilise banks for financing illegal activities. In parallel with its investments in innovations in financial services and new products, the Bank has developed preventive control mechanisms to ensure that the products and services it offers are not used as instruments for illegal activities. Situations that cannot be prevented through preventive controls are structured to be detected in a timely manner, enabling swift action to be taken through proactive measures in combating financial crime.
In order to more effectively identify, manage and control potential risks related to money laundering, the financing of terrorism and the proliferation financing of weapons of mass destruction, projects are being carried out to establish systems based on strengthening the knowledge and analytical capabilities of expert personnel, as well as utilising artificial intelligence and machine learning-based digital solutions capable of responding effectively to the requirements of this field.
In this context, further emphasis will continue to be placed on developing technology-based and innovative processes to enhance the effectiveness and speed of anti-money laundering and counter-terrorism financing measures and obligations, and investments in this area will continue in the forthcoming period.
Within the scope of activities carried out in accordance with the Regulation on Compliance Programmes Regarding Obligations on the Prevention of Laundering Proceeds of Crime and the Financing of Terrorism, functions including examination, monitoring, reporting, analysis and control are performed to prevent money laundering, the financing of terrorism and the proliferation financing of weapons of mass destruction.
In order to ensure that personnel adopt the Bank's compliance culture and establish a compliance culture aligned with global standards in their business processes and transactions, employees are provided with both in-person and remote training on the prevention of money laundering and the financing of terrorism.
As part of the Ziraat Finance Group, both domestic and international units conduct their activities in accordance with local and international regulations, within the framework of policies and procedures designed to ensure that the Bank's products and services are not exposed to operational or reputational risks related to money laundering or the financing of terrorism. Within the framework of a coordinated strategy regarding the compliance activities of overseas branches, regular information sharing is maintained. In this context, compliance of overseas branches with regulations on the prevention of money laundering and the financing of terrorism and proliferation financing of weapons of mass destruction is monitored.
Risk-preventive and risk-mitigating controls are implemented in order to prevent establishing business relationships with individuals and entities included in sanction programmes followed by the Bank, providing services related to sanctioned activities, or intermediating banking transactions that would constitute sanctions violations.
As a result of all these activities related to the functioning of the compliance system, findings are periodically shared with the relevant business units and executive management of the Bank.
Functioning of the Risk Management System
The primary objective of the Bank's risk management system is to ensure the identification, measurement, monitoring and control of the risks to which the Bank is exposed, through policies and limits established to monitor, control and, when necessary, adjust the risk-return structure of future cash flows and, accordingly, the nature and level of activities.
Risk management activities are carried out with the aim of embedding a risk culture throughout the Bank and continuously improving systems and human resources in line with the Regulation on Internal Systems and the Internal Capital Adequacy Assessment Process of Banks, other relevant regulations and the BRSA Good Practice Guidelines, thereby aligning the risk management function with best practices. Within the framework of the risk management system, activities primarily cover credit risk, market risk, operational risk, balance sheet risks (including profit share rate risk arising from banking book positions, net stable funding ratio risk and liquidity risk), as well as model and process validation.