Corporate governance and internal control requirements in Turkey have become far more important for boards of directors, shareholders, investors, compliance teams, and foreign companies entering the Turkish market. In Turkish law, this subject is not limited to a single compliance statute. It is built primarily on the Turkish Commercial Code, supported by the Capital Markets Board’s corporate governance regime for listed companies, and reinforced by the auditing framework applied to risk detection and reporting. For that reason, any company trying to understand governance obligations in Turkey must read board duties, risk oversight, internal organization, reporting, and disclosure rules as part of a connected system rather than as separate technical requirements.
For businesses, the practical significance is clear. A weak governance structure in Turkey does not only create managerial inefficiency. It can also lead to deficient board supervision, inadequate financial planning, poor reporting lines, insufficient risk management, weak internal control, and disclosure failures. Turkish law increasingly expects companies to establish a structure in which authority is allocated clearly, management is supervised effectively, risks are identified early, and the company can demonstrate that it has taken reasonable steps to protect its continuity and lawful operation. That expectation is especially visible in the Turkish Commercial Code’s non-delegable board duties and in the Capital Markets Board’s corporate governance principles for listed companies.
Why Corporate Governance in Turkey Is More Than a Formality
One of the most important features of Turkish corporate law is that governance is treated as an organizational and supervisory responsibility of the board, not merely as a matter of corporate image. Article 365 of the Turkish Commercial Code states that a joint stock company is managed and represented by the board of directors. Article 369 adds that board members and third persons entrusted with management must perform their duties with the care of a prudent manager and protect the interests of the company in good faith. This means that governance in Turkey is not only about attending meetings or signing resolutions. It includes a real duty of care and loyalty that frames how directors are expected to manage information flow, oversight, decision-making, and internal discipline.
This legal approach matters because many governance failures begin long before any litigation, insolvency concern, or regulatory inquiry becomes visible. Problems often start with blurred reporting lines, undocumented delegation, absence of approval thresholds, poor risk escalation, and weak oversight of senior managers. Turkish law addresses exactly those structural risks. The Code does not assume that management discipline will arise spontaneously. It requires an internal organization capable of supervision and lawful operation. That is why internal control in Turkey should be understood not simply as an accounting tool, but as part of the broader governance architecture through which the board exercises its legal responsibilities.
The Board’s Non-Delegable Duties Under Turkish Law
The clearest legal foundation for corporate governance and internal control requirements in Turkey is Article 375 of the Turkish Commercial Code. That provision lists the board’s non-delegable and inalienable duties. These include top-level management of the company and issuance of related instructions, determination of the management organization, establishment of the order necessary for accounting, financial audit, and financial planning to the extent required by management, appointment and dismissal of managers and persons with similar functions, and top-level supervision of whether those entrusted with management act in compliance with the law, the articles of association, internal directives, and the board’s written instructions. The same provision also refers to maintaining certain corporate books, preparing the annual activity report and corporate governance statement, preparing general meetings, and implementing general meeting resolutions.
This article is central for any company operating in Turkey because it shows that internal control is not an optional compliance preference. The board must establish the framework for accounting, financial audit, and financial planning. It must also supervise whether management complies with law and internal rules. In practical terms, this means Turkish companies should have documented reporting lines, approval structures, internal instructions, financial controls, and governance records that allow the board to show it has not abandoned its oversight function. A company that has no meaningful internal directives, no documented delegation, and no monitoring of management conduct is exposed not only commercially but legally.
Internal Organization, Delegation, and Internal Directives
Turkish law allows boards to structure management, but it does so within a controlled framework. Article 366 states that the board may form committees and commissions to monitor the course of business, prepare reports on matters to be submitted to the board, implement its decisions, or serve internal audit purposes. Article 367 goes further and allows the board, if authorized by the articles of association, to delegate management partially or fully to one or more board members or third persons under an internal directive. That internal directive must regulate the company’s management, define the necessary duties, show positions, and in particular determine who is subordinate to whom and who is obliged to provide information to whom.
This is a particularly important rule for internal control requirements in Turkey because it links delegation to documentation and reporting structure. Delegation is not meant to weaken governance. On the contrary, Turkish law expects delegation to be organized through a written internal directive that clarifies hierarchy, authority, and information flow. In practice, this means that a Turkish company cannot safely rely on informal management habits or purely verbal authority allocations. If management is delegated, the governance model should show who has authority, how decisions are escalated, and how the board continues to receive the information needed to discharge its non-delegable duties.
Internal Control as a Board-Level Responsibility
Although the Turkish Commercial Code does not define internal control in one short formula, the statutory structure clearly treats internal control as a board-level responsibility. Article 375 requires the board to establish the necessary order for accounting, financial audit, and financial planning. Article 366 allows committees and commissions for internal audit purposes. Article 367 requires a documented management structure and reporting lines. When these provisions are read together, the result is clear: Turkish law expects the board to create an internal environment in which financial integrity, reporting discipline, and supervisory visibility can operate in practice. That is the legal heart of internal control under the Code.
For companies, this has several operational consequences. An effective internal control system in Turkey should usually include approval matrices, segregation of duties, financial authorization rules, clear reporting obligations, reliable bookkeeping, and a process for identifying exceptions or irregularities. The law does not provide one universal control manual for every company, but it does require a structure adequate for the company’s management and financial planning needs. As a result, internal control is expected to be proportionate to the nature, size, and complexity of the company. A small private company and a listed issuer will not look identical in practice, but both are expected to operate within a coherent and traceable system of oversight.
The Risk Early Detection Committee Under Article 378
Article 378 of the Turkish Commercial Code is one of the most important governance provisions in Turkish company law. It states that in companies whose shares are traded on the stock exchange, the board of directors must establish an expert committee for the early detection of causes that may endanger the company’s existence, development, and continuity, for implementing necessary measures and remedies, and for risk management, and it must operate and develop the system. In other companies, such a committee must be formed immediately if the auditor deems it necessary and notifies the board in writing. The committee must evaluate the situation in a report to the board every two months, indicate existing dangers if any, and show remedies; the report is also sent to the auditor.
This provision makes risk management a concrete legal obligation rather than a vague governance aspiration. In Turkish practice, the risk early detection committee is not merely symbolic. It is a statutory mechanism through which the board is expected to monitor threats to the company’s continuity. That includes financial, operational, strategic, and possibly legal risks capable of affecting the company’s existence and development. For listed companies especially, the board cannot credibly claim compliance with Turkish governance expectations if it has no real system for identifying and escalating risk.
The Public Oversight, Accounting and Auditing Standards Authority further reinforces this framework. Its principles on the auditor’s report regarding the risk early detection system and committee state that these rules regulate the auditor’s responsibilities in relation to the system and committee required under Article 378. The same principles define “risk” as developments that may threaten the company’s existence, development, and continuity, and define the “system” as the risk early detection and management system established by the board under Article 378. They also explain that the auditor’s task is to examine whether the required system and committee exist and function within the framework of Article 378.
Auditor Reporting and the Importance of Documentation
The auditing dimension is highly significant in Turkey because it puts external pressure on governance and internal control design. The Public Oversight Authority’s principles explain that the auditor submits the result of the evaluation of the risk system in a separate report to the board and that the board is responsible under Article 378 for establishing, operating, and developing the system and committee. The sample auditor reports in the same document state that the board must establish the committee, operate the system, and develop it, and that the auditor evaluates whether the system and committee function within the Article 378 framework.
The practical meaning is straightforward. Companies in Turkey should not view risk management documentation as internal paperwork with no outside consequence. Where the law requires a risk early detection system and committee, the existence and operation of that system may become the subject of a separate auditor report. That makes documentation, committee functioning, and reporting regularity especially important. A company that claims to manage risk but cannot show committee reports, organizational records, escalation mechanisms, or evidence of functioning oversight may face an unfavorable governance picture.
Annual Reporting and Risk Disclosure Obligations
Corporate governance and internal control in Turkey are also reflected in annual reporting obligations. Article 514 requires the board to prepare the company’s financial statements, attachments, and annual activity report within the first three months of the following accounting period and submit them to the general assembly. Article 516 adds that the annual activity report must reflect the company’s activities and financial status accurately, completely, plainly, truthfully, and honestly, and it must clearly indicate the company’s development and the risks it is likely to face, together with the board’s assessment of those matters. Article 515 separately requires financial statements to present a true and fair view in a transparent and reliable manner.
These provisions matter because they connect governance to disclosure. Under Turkish law, the board does not merely oversee the company internally; it must also report the company’s financial position and risk profile in a truthful and intelligible way. That means internal control weaknesses can spill over into reporting failures, and reporting failures can in turn expose deeper governance deficiencies. For companies seeking investment, financing, or transactional credibility, the quality of governance is therefore visible not only in board minutes or committee charters, but also in the reliability of annual reporting and risk disclosure.
Listed Companies and the Capital Markets Board’s Corporate Governance Regime
For listed companies, Turkish corporate governance and internal control requirements become even more explicit. The Capital Markets Board’s Corporate Governance Communiqué and Corporate Governance Principles provide that the board of directors should establish internal control and risk management mechanisms appropriate to the company in order to minimize the effects of risks that may affect stakeholders, especially shareholders. The same principles state that the board reviews the effectiveness of risk management and internal control systems at least once a year. The communiqué’s publicly indexed text also indicates that risk management and internal control effectiveness must be reviewed annually and that the functioning and effectiveness of the internal audit system are overseen.
This is one of the clearest statements of internal control responsibility in Turkish law. For listed companies, internal control is not just an implicit result of board oversight duties under the Commercial Code. It is also an express corporate governance expectation under capital markets regulation. That means listed issuers should be prepared to show how the board evaluates internal control, how risks are monitored, how deficiencies are escalated, and how the relevant governance bodies interact with internal audit and external audit processes. A paper policy without board engagement is unlikely to satisfy the spirit of the SPK framework.
Audit Committee and Committee-Based Oversight
Committee structure is another defining feature of governance for listed companies in Turkey. The Capital Markets Board’s indexed corporate governance materials state that the audit committee should evaluate and resolve issues related to complaints and suggestions concerning accounting practices, the internal control system, and the independent audit. The publicly indexed communiqué text also indicates that the audit committee is entrusted with oversight in relation to the company’s accounting and internal control system and independent audit, while a separate risk early detection committee addresses risk management.
From a practical viewpoint, this means Turkish listed companies should not treat the audit committee as a ceremonial body. It is part of the governance machinery through which accounting integrity, internal control effectiveness, and complaint-handling channels are monitored. A listed company with no meaningful committee process, no complaint review logic, no interface between internal control and financial reporting, and no clear division between audit and risk oversight may struggle to justify its governance model under SPK expectations.
What These Rules Mean for Private Companies
Although listed companies face the most detailed corporate governance overlay, private companies should not conclude that internal control is irrelevant to them. The Turkish Commercial Code’s board duties apply more broadly. Even outside the capital markets regime, directors remain subject to duties of care and loyalty, non-delegable responsibilities, organizational obligations, financial planning duties, and supervisory duties. Private companies may not need to mirror every SPK committee structure, but they still need a governance model that matches the scale and risk profile of the business.
For many private companies in Turkey, a sound governance and internal control structure will include a written delegation scheme, internal signature rules, budget and payment controls, reporting lines, periodic management review, and a process for identifying major legal, financial, operational, and solvency risks. If the auditor requests establishment of a risk early detection committee, the company must act immediately under Article 378. In that sense, private companies do not operate outside the governance conversation; they operate within a less prescriptive but still legally meaningful control framework.
How Foreign Investors Should Read the Turkish Framework
Foreign investors often arrive in Turkey with global governance templates, group compliance manuals, and board charters prepared under another legal system. Those materials can be helpful, but they are not sufficient by themselves. Turkish law places specific emphasis on non-delegable board powers, internal directives for delegation, risk early detection, annual activity reports, and, for listed companies, annual review of risk management and internal control effectiveness. A foreign-owned Turkish subsidiary or local target company should therefore be assessed not only for formal policy existence but also for whether its governance model reflects Turkish statutory requirements.
This is especially relevant in due diligence, joint ventures, and post-acquisition integration. A business may appear commercially healthy while still carrying governance risk if it lacks a proper internal directive, board-level supervisory records, risk committee functioning, or reliable internal control mechanisms. In Turkey, such weaknesses are not merely best-practice gaps; they may indicate incomplete compliance with the company-law and capital-markets framework applicable to the business.
Building a Defensible Governance and Internal Control System in Turkey
A defensible system in Turkey should begin with organizational clarity. The company should define which matters remain at board level, which powers are delegated, which internal directives govern that delegation, and how information travels upward. Because Article 367 requires a written internal directive showing duties, positions, subordination, and reporting obligations, governance should be visible in documents and not left to assumption. This is the structural foundation on which internal control can function.
The second step is supervisory discipline. The board should be able to demonstrate that it supervises management’s compliance with law, articles of association, internal directives, and written instructions, as required by Article 375. That usually means regular reporting, documented approvals, compliance or finance briefings, exception reporting, and committee work where appropriate. Without those elements, the board’s statutory oversight duty becomes difficult to prove in practice.
The third step is risk management. If Article 378 applies, the company should ensure the risk early detection committee is properly established, reports regularly, and functions as an active risk-governance tool. Even where a formal committee is not mandatory, Turkish boards should still identify the company’s major continuity risks and create a process for escalation and response. This is especially important for companies with leverage, sectoral volatility, regulatory exposure, or concentrated counterparties.
The fourth step is reporting integrity. Since Articles 514 to 516 require truthful, complete, and risk-aware reporting, companies should ensure that internal control feeds directly into financial statements and annual activity reports. Governance, control, and reporting should not exist in separate silos. In Turkish law, they are part of the same legal logic: a company should be managed prudently, controlled coherently, and reported honestly.
Conclusion
Corporate governance and internal control requirements in Turkey are not decorative principles. They are rooted in concrete statutory duties and regulatory expectations. The Turkish Commercial Code assigns the board non-delegable responsibilities for top-level management, organizational design, accounting and financial planning order, oversight of management, and truthful annual reporting. It also requires listed companies, and in some cases other companies, to establish a risk early detection committee and system. For listed issuers, the Capital Markets Board further requires internal control and risk management mechanisms appropriate to the company and annual board review of those systems’ effectiveness, while committee structures support oversight of accounting, internal control, and risk.
For that reason, any company operating in Turkey should treat governance and internal control as a living management system, not as a file of policies. The real legal question is not whether a company has a board, a committee name, or a control manual on paper. The real question is whether its structure, delegation, supervision, risk oversight, and reporting framework would stand up to scrutiny under Turkish company law and, where applicable, capital markets regulation. A company that can answer that question confidently is in a much stronger legal and commercial position in Turkey.
Yanıt yok