Türk Eximbank - 2021 Annual Report

The General Assessment of the Audit Committee for the Year 2021 Regarding Activities and Risk Management, Internal Control and Internal Audit Systems at Türk Eximbank

As the sole official export credit agency in Türkiye, Türk Eximbank supports the exports sector with its credit, guarantee and insurance programs through non-profit activities. However, the Bank also seeks to ensure the most appropriate rate of return in order to maintain its capital and financial strength, and it complies with broadly accepted banking and investment principles in all its activities. In this regard, while conducting its legal function, which is “to provide financial support to exports sector”, the Bank maintains its risk level without weakening its financial strength.

As per the provisions of the legislation issued by the BRSA regarding Banking Law No. 5411, necessary organizational changes were made at the Bank on 31 October 2006, internal systems of the Bank were established with their current status, and an Audit Committee was established. Internal Audit, Internal Control, Risk Management and Compliance departments carry out their activities under the supervision of the Audit Committee made up of two members elected by the Board of Directors from amongst its own members.

Internal Audit

The Internal Audit Department carries out its responsibilities to the Board of Directors via the Audit Committee, which was established to perform the supervisory and regulatory obligations of the Board of Directors and to perform the following tasks within the framework of Audit Committee Regulation issued within the scope of the Regulation on Internal Systems of Banks and Internal Capital Adequacy Assessment Process:

Analyzing and evaluating the compliance of the Bank’s activities with the relevant laws, regulations, decrees, communiqués, articles of association, banking principles, instructions and other statutes;
Reviewing and evaluating the functioning, efficiency and adequacy of the Bank’s internal control and risk management systems;
Providing opinions, suggestions and comments regarding effective and efficient use of the Bank’s resources,
Reviewing the accuracy and reliability of accounting records and financial reports,
Evaluating the operation, efficiency and adequacy of the Bank’s information systems and communication channels,
Conducting audits and examinations of operations, accounts and activities in the Bank’s headquarters units, regional directorates and branches.

Assigned with risk-based auditing of all activities of the Bank without any limitations periodically, the Internal Audit Department performs its activities in an impartial and independent manner exercising the required professional diligence, with the aim of ensuring that the resources are used efficiently and that all activities make the maximum contribution to the Bank.

The annual Audit Plans are prepared and implemented in keeping with this understanding, using other comprehensive criteria in line with the Bank’s risk assessment matrix. Auditing the Bank’s units, branches and processes financially, operationally and in terms of compliance and reporting within the framework of the annual Audit Plan, the Internal Audit Department communicates the findings covered in the reports that are produced as a result of the audits to the Board of Directors via the Audit Committee and closely monitors the steps taken in relation to the findings. In addition, the Board of Directors keeps abreast of the activities of the Internal Audit Department through its quarterly and annual activity reports submitted via the Audit Committee.

According to the relevant legislation issued by the BRSA, the Bank must present a “management declaration” to its external independent auditors, signed by the Board of Directors for each audit period, concerning the current situation and internal control activities carried out on information systems and banking processes. In this regard, the control and audit activities intended to be the basis of this management declaration were prepared by the Internal Control Department and the Internal Audit Department for information systems and banking processes, and the report prepared was presented to the Board of Directors. The Management Declaration was signed by the Board of Directors and submitted to the external auditor.

The Audit Committee continued its activities in 2021 with the aim of developing the activities of the Bank and adding value to them, and it ensured that the internal control activities that form the basis of the management declaration are performed in a coordinated manner.

Internal Control

Carrying out its activities within the scope of the Regulation on Banks’ Internal Systems and Internal Capital Adequacy Assessment Process, the Internal Control Department works to ensure that assets are protected and that the Bank’s activities are carried out effectively and efficiently and in compliance with the Law, other applicable legislation, internal policies, guidelines and banking customs. The Department is also responsible for guaranteeing the reliability and integrity of accounting and financial reporting system, and timely availability of information.

The duties of the Internal Control Department are set out in the Internal Control Department Regulation which is approved and enforced by the Board of Directors decision no. 108, dated 31 August 2021.

The Internal Control Department, in cooperation with the senior managers of related units, designs the internal control system and internal control activities that need to be established at the Bank, as well as how the same will be executed, and thus ensures the creation and development of the internal control environment. The Internal Control Department verifies the compliance of the Bank’s activities and products with the Law, other applicable legislation, internal policies and guidelines, and banking customs.

Within the duties delegated to it, the Internal Control Department performed monitoring, analysis and control activities by observing the matters mentioned below, giving priority to processes and transactions identified based on a risk-focused approach and within the materiality criteria during 2021:

Establishing functional separation of duties, distribution of responsibilities and creation of workflow diagrams at the Bank,
Integrity and security of accounting and financial reporting system and information systems, and timely availability of information,
Functionality of internal communication channels that will ensure communicating the information produced and problems confronted with related individuals,
Identification of the deficiencies or weaknesses in the design of operation of internal control mechanisms embedded in information systems applications employed in the performance of operations related to banking processes that are comprised of credit, insurance, accounting, financial reporting and payment systems,
Verification of the existence and operation of manual and systemic approval mechanisms for critical processes and whether restrictions are adhered to,
Verification of the compliance of the Bank’s activities and products with the Law and other applicable legislation, and controls regarding new product processes
Implementation of guidelines set regarding the recording, retention and accessibility of documents and assets kept in physical safe deposit boxes and especially the guarantees received,
Existence and update of business continuity plans consisting of information systems business continuity and emergency and contingency plans,
Activities related to information systems management at the Bank and at the providers of outsourced services, processes supporting these activities, and compliance of the information systems controls in place with the legislation and internal policies, procedures and standards.

Findings of on-site or distant monitoring, review and controls performed manually or with systematic methods conducted by the Internal Control Department in 2021 on matters such as functioning of internal control mechanisms in units where banking operations are performed, compliance with rules and limitations and existence of required control points in information systems, have been shared with the related units. Instructions on correction of deficiencies and flaws were shared and results of the actions taken by the relevant units were followed up.

The quarterly reports of the Internal Control Department relating internal control activities were presented to the Audit Committee regularly. The control and audit activities concerning information systems and banking processes that form the basis of the Management Declaration to be submitted to the independent auditor were carried out by the Internal Control Department and the Internal Audit Department, and the report produced was presented to the Board of Directors via the Audit Committee.

Risk Management

According to the Charter and Procedures of the Risk Management Department approved by the Board of Directors, the Risk Management Department is responsible for:

Describing, measuring and analyzing the Bank’s risk exposure as a whole within the frame of the principles approved by the Bank’s Board of Directors; managing and monitoring them in view of internal limits/early warning thresholds approved by the Board of Directors, and creating and exploring risk policies and implementation procedures,
Performing profit and cost calculations regarding all risks and their manageability in cooperation with related departments, and timely reporting risk data to the Board of Directors via the Audit Committee.

Risk management activities at the Bank are being carried out with the target of bringing the risk management function close to best practices by establishing a risk culture across the Bank and by constantly improving the system and human resource in accordance with the Regulation on the Internal Systems and Internal Capital Adequacy Assessment Process of Banks, other applicable regulations, and the BRSA Best Practices Guides.

Within the frame of risk management activities;

Under the Credit Risk, risks arising from cash and non-cash loan transactions are monitored against the regulatory and Bank-specific limits. Commercial bank risk taken directly or indirectly gets the highest share within the credit risk, which is the largest category of the Bank’s risk exposure. Therefore, cash and non-cash limits made available to banks are assessed in detail, and updated as needed. Credit Risk is reported to the BRSA according to the BRSA’s Standard Method. Counterparty Credit Risk, which is a sub-item of credit risk and refers to the losses that may result from potential deteriorations in creditworthiness upon defaulting of banks particularly engaged in derivatives and repurchasing transactions, is measured using the Current Exposure Method and includes the same in capital adequacy calculations.

Market risk is calculated monthly using the Standard Method devised by the BRSA and is considered in the calculation of the Capital Adequacy Ratio. In order to duly manage the interest rate and exchange rate risks that make up the main elements of the market risk; transactions performed in money and capital markets need to be diversified, taking into consideration the instruments, maturity, currency, type of interest and similar parameters. As the trading portfolio making the basis for market risk have a very little share in risk-weighted assets and as almost the entire trading portfolio is hedged at Türk Eximbank, the market risk obligation is also very low. The Bank implements hedge accounting principles for derivative transactions.

Operational Risk entails identification of risks arising from banking operations, and evaluation and monitoring of controls associated with these risks. Operational risk, which is one of the capital adequacy items, is calculated once a year using the basic indicator method, and reported to the BRSA. IT risks, which represent another source of operational risk, is managed by an independent risk management process, and is included in the integrated risk matrix which consolidates the impact and probabilities for all of the Bank’s risks.

Apart from credit, market and operational risks which make up the First Pillar of Basel II, quantitative and/or qualitative studies are carried out on other risk types such as country risk, concentration risk, structural interest rate risk, liquidity risk and reputation risk that take place within the Second Pillar. All risks that the Bank is exposed to are closely monitored within the frame of Internal Limits and Early Warning Thresholds approved by the Board of Directors.

The ICAAP report prepared based on the actualizations of the previous year-end, which makes the capital planning for the next three years, and the Stress Testing attended thereto, were approved by the Board of Directors and sent to the BRSA in accordance with the BRSA legislation in force. According to the relevant articles of the ICAAP Report that refers to the Risk Appetite, Türk Eximbank has adopted maintaining the capital adequacy ratio in the 13%-15% interval as its risk appetite indicator, and embraced the principle that any capital adequacy ratio level below 13% should trigger initiatives to increase the capital.

In Stress Testing and Scenario Analyses studies, calculations are performed also for Economic Capital under the scenarios of increased loss ratios in case of downgraded country rating or in case of default in credit risk; for Value at Risk using Historical Simulation and Parametric Methods under exchange rate and interest rate shocks for information purposes in Market Risk, and for capital requirements within the frame of stress scenarios such as early recalled debts or non-renewal of debts at maturity and sudden and unforeseeable rises in NPL ratios in Liquidity Risk, and within the frame of scenarios where the severity and significance of findings are assumed to have worsened by one level based on the Operational Risk Methodology approved by the Board of Directors for Operational Risks.

Results of stress tests performed with internal models as well as standard methods demonstrate that, with its stable and strong capital structure, the Bank can operate free of any problems while under intense stress factors.

Real-time cash inflow/outflow are monitored for the Liquidity Risk, which is managed within the frame of the Liquidity Action Plan approved by the Board of Directors and monitored closely by the Bank; continuity and sustainability of liquidity adequacy are ensured with the GAP analyses, scenario analyses and stress/reverse-stress tests conducted. The said policy document also incorporates the set of rules that grades the actions that will be taken depending on the severity of the situation experienced in case of liquidity squeeze. During the year, the Bank did not experience any negativities with respect to Liquidity Adequacy and Liquidity Coverage Rations, which are regulatory reporting techniques, and ratios were registered well above legal requirements.

As per the legislation in force, the Bank is exempted from provisions. Notwithstanding, under the prudence concept, Türk Eximbank makes TFRS 9 New Financial Instruments Set –Expected Credit Loss Provisioning calculations using a validated model, and pursues a highly conservative provisioning policy. The model used is regularly reviewed, and necessary improvements are carried out in coordination with the related units.

Regulatory Compliance

Regulatory Compliance Department follows up regulatory framework in order to ensure compliance of the Bank’s operations with the applicable legislation governing the Bank, makes sure that they are captured in internal practices through the announcements and guidance it provides, and evaluates and forms opinions regarding the regulatory compliance of new products and services. The Department represents the Bank in various Working Groups active within the Banks Association of Türkiye. In addition, the Department carries out the activities for putting into practice the regulations in relation to anti money-laundering and prevention of terrorist financing by keeping a close eye on local/international regulations and regulations related to personal data protection. The Department is also assigned with exchanging opinions with regulatory and supervisory authorities, and sharing the opinions received with related units.

Duygu GÜVEN

Member of the Audit Committee

Nail OLPAK

Member of the Audit Committee