MILLI_RE_ANNUAL REPORT 2022

The internal control system has an important role in protecting the assets of the Company and maintaining its activities within the framework of effective, efficient, compliant and reliable principles in accordance with the Law, the relevant legislation and the internal policies of the Company. Within the scope of internal control activities, it is aimed to establish the Company’s control environment and control points and to provide reasonable level of assurance in order to ensure the reliability and integrity of the Company’s accounting and financial reporting system and the timely availability of information. Thus, internal control activities are designed to cover the Company’s operational activities, communication channels, information systems, financial reporting system and compliance controls, and are carried out in accordance with internal and external legislation. “Control Center” has been structured through “Internal Control Department” which was established in order to perform internal control activities, and “Control Environment” has been structured through assignment of Company employees within the scope of these activities. The Control Group consists of 24 people, of whom 4 are located in the control center and 26 are located in the control environment. Activities Conducted from Control Center Workflows, duties and responsibilities, authorities and limits related to Company activities are documented and communicated to all employees; they are reviewed and updated in line with the changing conditions and risks. The personnel have complete, accurate and up to date information associated with their duties and responsibilities. Control activities cover the entire business processes and operations of the Company. Business processes and the processes related to information technologies, risks related to these processes are identified in a written form, and controls for the identified risks are established. Control activities are carried out according to the frequency of business processes and in accordance with the principles set out in the annual Internal Control Plan. Findings ascertained as a result of controls, assessments in respect of these findings and recommendations regarding the actions to be taken for the elimination of findings are monthly reported to The Board of Directors by Internal Control Department via Internal Control Reports. Authority identifications of system users are conducted in accordance with “segregation of duties” principle. Besides, actions that are performed by users within these authorizations, log records of actions in respect of critical transactions are controlled through reports received from log management system instantly and on a daily basis, and conformity to segregation of duties principle is reviewed systematically. Moreover, following the approval of the relevant business unit, transactional authorities that users requested in line with the activities, are assessed and approved by Internal Control Department in terms of the mentioned principle. Development and change requests of users on systems based on their business requirements or solution requests in respect of malfunctions arising in systems are monitored through Help Desk Service and critical issues that may affect the financial statements or that could lead to legal risks are given the priority. In case of detection of any adverse situation within control activities, urgent action is taken in order to perform necessary adjustments and take preventive measures. Activities Conducted from Control Environment Control points stated in the relevant department’s flowchart and those risks and control points determined by Control Center are taken into consideration during the control activities conducted in departments, while those performed in IT Center are based on COBIT (Control Objectives for Information Related Technologies) standards. In this context, transactions in respect of reinsurance processes, accounting transactions, payments, processes in respect of fulfillment of legal obligations, transactions in respect of debt collection, accounting periods, and preparation of financial statements; marketing, processes related to reporting and information systems are controlled by considering practice frequencies of related processes. Detected issues are reported to Control Center via Risk Warning Reports. In this respect, it is ensured that preventive and supplementary measures are taken and implemented immediately, appropriate and applicable solutions that will improve processes and operations are put into practice. Internal Control ACTIVITIES AND MAJOR DEVELOPMENTS RELATED TO ACTIVITIES GENERAL INFORMATION FINANCIAL RIGHTS PROVIDED TO THE MEMBERS OF THE GOVERNING BODY AND SENIOR EXECUTIVES RESEARCH & DEVELOPMENT ACTIVITIES 40 MİLLİ RE 2022 ANNUAL REPORT