Internal Audit System

INTERNAL CONTROL SYSTEM

The Internal Control System aims to set forth the rules and procedures for the internal control systems and the risk management systems to be established in order to monitor and control the risks encountered by Kobirate Uluslar arası Kredi Derecelendirme ve Kurumsal Yönetim Hizmetleri A.Ş. The Risk Management and Internal Control Systems support the attainment of Kobirate’s objectives by developing systematic approaches to monitor and control the internal control and management processes.

Legal Reference

The Internal Audit System is based on the Banking Act No.5411, promulgated in the Official Gazette of 01.11.2005, No.25983; the Communiqué numbered VIII 51, issued by the Capital Market Board, relating to Operations and Formation of Rating Firms, promulgated in the Official Gazette of 12.07.2007, No.26580; the Directives issued by the Banking Regulating and Supervising Agency on rules for Bank’s Internal systems and on Authorisations and Operations of Credit Rating Firms, promulgated in the Official Gazette of 01.11.2006, No.26333; and the Modifications Directive on Rules for Authorisation and Operations of Rating Firms, issued by the Banking Regulating and Supervising Agency and promulgated in the Official Gazette of 29.09.2007, No.26658.

Factors Determining the Effectiveness of the Internal Audit Functions

Kobirate has to develop the Human Resources Regulations, written internal rules, policies or regulations on the following topics to ensure that the internal control and risk management functions are carried out effectively.

a)    Data security policies.

b)    The decision-making processes and the determination of accountability.

Responsibility of the Board for Internal Control Functions

The Board of Directors is liable to the General Assembly. It develops and approves important strategies and policies involving internal control and risk management operations, and controls their periodical implementation.

It unanimously assigns two Directors for one year for the establishment, sustainability and reporting of controls of the risk management and internal control systems. Upon a proposal by the Director responsible for internal control, made on the basis of business development, the Board may cause an internal control and quality assurance department to be formed within the organisation and employ staff in the proposed number.

The Responsibility of the President and the Vice-Presidents

They are responsible for the development and implementation of the ethical rules, internal control strategies, policies and processes approved by the Board of Directors, for formulating them so as to incorporate new risks if necessary, and for controlling their effectiveness in harmony with the organs that will use the internal control and risk management systems mentioned herein. Further, they are liable to the Board for the development of means and implementation procedures for the determination, measurement, monitoring and controlling of the risks assumed by Kobirate.

Obligations of The Other Personnel

For effective control, all employees must perform their obligations under Kobirate’s Human Resources Directive, Ethical Rules, and Risk Management and Internal Control Regulations, and must share with the top management any practices contrary to professional ethics and any activities in contravention of Kobirate policies and laws that they have encountered on the job.

Controls on IT System

The risks involved in IT systems and data processing technologies must be controlled effectively to ensure that Kobirate’s operations are performed uninterruptedly and possible losses are avoided.

Such controls include general checking, data back-up and other operational improvements in the basic software in use and in new software planning, data access policies, physical and logical security controls for data access, and measures against illegitimate and unauthorized use. The present organisation is established and expands permanently to ensure the effective operation of Kobirate’s internal control and risk management system. The Kobirate organisation structure is designed to allow for the vertical, upward and horizontal flow of data to be received by all management levels and staff.

The training programs to be provided ensure that all employees at every level are familiar with Kobirate’s methodologies, ethical rules, policies, data processing system, work processes and operational procedures.

The content of training programs has been approved by the resolution of the Board of Directors of 14.07.2008 no.5 which was publicized through the website.

The Human Resources Directive is introduced to set forth Kobirate’s personnel policy and the rights and obligations of its employees.

For decision-making processes, duties of staff and other issues, the Kobirate methodology, ethical rules and Human Resources Directive are applicable.

The Objective and Essentials of Internal Control and Risk Management System

Internal Control and Risk Management Operations aim to ensure efficiency and effectiveness, the security, integrity and timely availability of managerial and other data, and the complete compliance of Kobirate’s operations with the laws and regulations.

To this end, the internal control system is designed to allow for:

a.    The effective planning and control of the performance of Kobirate operations in compliance with legal regulations, strategies and policies adopted by the Board of Directors,

b.    The performance of operations and obligations (duties) based on special authorisations,

c.    The recognition of risks arising from faults and the taking of the required measures to minimize them.

Main Control Areas

Main control areas cover the regular routine controls and special visits, or fields of activity on which urgent and fast supervision focuses.

Below are the main control areas:

a.    Ensuring the compliance of Kobirate with the applicable regulations,

b.    Special inspection of main operation fields,

c.    Control of automation and data processing,

d.    Contingency planning.

Identification and Measurement of Risks:

The risks to which Kobirate might be exposed are described below:

Operational Risk: The possibility of damage or loss attributable to negligence of errors and irregularities, failure of company management and staff to comply with the time and conditions, managerial mistakes, failures in information and technological systems, and such events of force majeure as earthquake, fire or flood disaster.

Risk of Non-Compliance with Legislation and Regulation: The consequences that might result from non-compliance with legal provisions and requirements.

Measurement of risks ensures the numeric and analytical expression of risks to which Kobirate is exposed by using certain measures and/or criteria.

The dimensions of risk to which Kobirate might be exposed fall into three separate measurement categories, as follows:

a-    Measurement category 1: Estimated loss and damage

b-    Measurement category 2: Unpredictable loss and damage

c-    Measurement category 3: Loss and damage estimated under pressure stress within the scenario envisaged.

Risk Policies

Risk policies and the relevant implementation principles are developed and introduced by the Board of Directors. All employees are informed of the decisions made and implementation guidelines adopted by the Board in connection with the risk policies and practices.

Organising Risk Management and Internal Control

In consideration of Kobirate’s current business potential and the rising possibility of risks that might occur, the members indicated in Article 5 hereof, who have been unanimously appointed by the Board and are responsible for the development of policies and for risk management, may expand their organisation for risk management and internal control pursuant to the decision of the Board and the provisions of the personnel directive in effect.

By a decision made, Kobirate’s Board of Directors transfers adequate resources in this respect to the General Management. The transferred resource is determined by the Board independent of revenues from the rating services; if required, the transfer of funds is deemed one of the priority items of the Board. The established system itself, its operation, its results and the new projections made will be shared with the public semi-annually. It is the responsibility of the risk management and internal control department to set up, use or benefit from an archive to keep the company documentation.

Assessment of Internal Control and Risk Management Systems

By using the on-site audit systems, Kobirate’s Board of Directors and Auditing Board examine and assess all the audit and management systems. New control matrices are to be developed if it is concluded that the existing systems and audit conditions are insufficient after the development of new products by the current business potential and business development groups.