MILLIRE 2021 ANNUAL REPORT

INTERNAL CONTROL

The internal control system plays an important role in ensuring that the Company's operations continue in line with the principles of efficiency, productivity, compatibility and reliability. The purpose of the internal control system is to ensure that Company assets are well protected; that activities are carried out efficiently and effectively and in compliance with regulations, Company policies, rules, and precedents of the insurance business; and that the accounting and financial reporting system is reliable and sound and that data is promptly accessible. In this regard, internal control activities are designed to cover transactions relating to the Company's operational activities, communication channels, information systems, financial reporting system and conformity controls.

Internal control activities are carried out in accordance with the relevant internal and external legislation. The "Control Center" has been structured through the "Internal Control and Risk Management Department", which was established to perform internal control activities, and the "Control Environment" has been structured through the assignment of Company employees within the scope of these activities. The Control Group consists of 24 people, of whom 2 are located in the control center and 22 are located in the control environment.

Activities Conducted from Control Center

Workflows, duties and responsibilities, and authorities and limits related to Company activities are documented and communicated to all employees; they are reviewed and updated in line with changing conditions and risks. The personnel have complete, accurate and up-to-date information about their duties and responsibilities. Control activities cover all business processes and operations of the Company.

Business processes, the processes related to information technologies, and the risks related to these processes are identified in written form, and controls for the identified risks are established. Control activities are carried out according to the frequency of business processes and in accordance with the principles set out in the annual Internal Control Plan. Findings ascertained as a result of controls, assessments of these findings, and recommendations regarding the actions to be taken to eliminate them are reported monthly to the General Manager by the Internal Control and Risk Management Department via Internal Control Reports. The outcomes of internal control activities are also monitored regularly by the Board of Directors.

Authorizations of system users are defined in accordance with the "segregation of duties" principle. In addition, actions performed by users within these authorizations, and log records of actions relating to critical transactions, are checked through reports received from the log management system both instantly and on a daily basis, and conformity to the segregation of duties principle is reviewed systematically. Moreover, following the approval of the relevant business unit, the transactional authorities that users request in line with their activities are assessed and approved by the Internal Control and Risk Management Department in terms of this principle.

Users' development and change requests on systems based on their business requirements, and their requests for solutions to malfunctions arising in systems, are monitored through the Help Desk Service, and critical issues that may affect the financial statements or that could lead to legal risks are given priority. If any adverse situation is detected during control activities, urgent action is taken to make the necessary adjustments and take preventive measures.

Activities Conducted from Control Environment

Control activities conducted in departments take into consideration the control points stated in the relevant department's flowchart and the risks and control points determined by the Control Center, while those performed in the IT Center are based on COBIT (Control Objectives for Information and Related Technologies) standards. In this context, transactions relating to reinsurance processes, accounting transactions, payments, processes for the fulfillment of legal obligations, debt collection transactions, accounting periods, and the preparation of financial statements, as well as marketing and the processes related to reporting and information systems, are controlled according to how frequently the related processes are carried out. Detected issues are reported to the Control Center via Risk Warning Reports. In this way, it is ensured that preventive and supplementary measures are taken immediately and that appropriate and applicable solutions that will improve processes and operations are put into practice.
