VKF_FRAE_2018_uyg11

VakıfBank Annual Report 2018 113 ASSESSMENT OF THE INTERNAL SYSTEMS AND 2018 OPERATIONS INTERNAL AUDIT ACTIVITIES Concerning the activities of the Bank’s head office departments, domestic and foreign branches, subsidiaries and Information Technology Department, the Audit Board looks into the following: • Whether these activities are carried out in conformity with the Banking Law, other legal regulations, internal regulations, strategies, policies, principles and objectives; • Accuracy of the financial information and adequacy of practices in place to protect the assets; • Effectiveness of internal control and risk management systems. The Audit Board also audits the persons and organizations from which support services are received within the framework of related regulations. Additionally, it inspects and investigates irregular and unlawful transactions that may have been performed by the Bank employees as well as any fraudulent, deceitful and counterfeiting transactions against the Bank by third parties. The Audit Board conducts audit activities in the form of on-site audits, centralized audits, and information systems and process audits with a risk-based approach. On-site audits are performed at departments, branches, consolidated subsidiaries and the persons and entities which the Bank procures support services from, in line with the Bank’s objectives and strategies, and within the scope of the risk-based annual audit plan prepared considering the funding sources of the Audit Board. Within the scope of the 2018 Internal Audit Program, 370 branches, 68 satellite branches, 3 foreign branches, 37 head office departments and 10 affiliates were audited. COBIT processes were audited at the Head Office information systems departments. Furthermore, the audit on information systems was conducted at 4 affiliates and 20 service providers. ICAAP audit was performed; management statement activities were carried out; service providers were evaluated as part of the annual evaluation, and the audit of risk center data transfer process was completed. Controls on information systems and banking processes are audited as part of information systems and process audit activities. Additionally, accuracy of the data used in the Internal Capital Adequacy Assessment Process Report, adequacy of the systems and processes, and whether or not the data, systems and processes enable accurate information and analyses, are audited within the framework of the procedures and principles determined by the Audit Board. In the light of the audits, inspections and investigations conducted by the Audit Board; proposals are made for the correction of any detected issues, for taking measures to prevent similar events, for improving the processes and for enhancing the internal control system, while the actions taken regarding these issues are followed up. Within the scope of centralized audits; computer-aided remote auditing techniques (e-auditing techniques) are used for early detection of situations with potential risks and for taking timely measures in branches and departments. The Audit Board only provides an advisory service on the issues requested by the Bank, and this does not mean these issues are approved. The Audit Board acts on the principle of continuous development. Internal and external training programs are planned to support professional and personal development of auditors. Auditors are also trained before performing audit activities that require special expertise. Certification, internationally recognized certificates in particular, is encouraged. INTERNAL CONTROL ACTIVITIES The Internal Control function is structured to ensure i) establishment and coordination of a healthy internal control environment; ii) protection of the Bank’s assets; iii) effective and efficient performance of the activities in conformity with the Banking Law and relevant legislations, internal policies and rules as well as banking practices, iv) reliability and integrity of the accounting and financial reporting system; and v) timely accessibility of information. Accordingly, the Bank’s domestic and foreign branches and head office departments are subject to internal control activities based on a risk- centered approach. Domestic branch controls are conducted on site or from the Head Office within the framework of the control programs organized every year according to risk conditions. Additionally, real time controls are carried out for transactions performed at branches. In 2018, internal control activities were performed at 864 domestic branches. Internal control of foreign branches is carried out according to an annual plan. In 2018, internal control activities were performed at 3 foreign branches. On the other hand, permanent controllers carry out control activities in 18 Head Office departments as necessary and where there is a large amount of operational transactions. Controls are also conducted to ensure information systems activities are performed safely and in conformity with the rules established by the Bank. Findings and recommendations under all these control activities are reported and shared with relevant departments as the actions taken are monitored. The Internal Control function i) controls the distribution of roles and responsibilities and the functional classification of tasks to identify, measure and prevent the Bank’s risks; ii) sets up auto-control mechanisms in all processes, procedures and projects to be deployed in a manner that will cover potential risks; and iii) establishes and enhances system controls. Activities are carried out to increase the effectiveness of control activities and minimize operational risks. In conformity with the objectives and strategies of the Bank; changing needs, risks, regulations and technological developments are followed and necessary adjustments and updates made to ensure the effectiveness and functioning of the internal control system. Activities continue with the aim of enhancing the internal control culture in the Bank.