Lessons From a Fraud Case in Turkey
By Mustafa Ayaz, CISA
The Imar Bank Case
The collapse of the Imar Bank in 2003 was not a big surprise to Turkey's financial markets. From 1999 to 2003, more than 25 banks were transferred to the Savings Deposit Insurance Fund for liquidation. The Imar Bank had been on the watch list of the supervisory authority for about 10 years, because its loan portfolio, characterized by an exceptionally high level of connected lending, consisted mainly of loans to companies owned by the main shareholder group. The bank ran into severe problems when the licenses of two power companies, which provided the cash flow of the main shareholder group, were revoked. Depositors ran on the bank, which worsened its liquidity problems. The Banking Regulation and Supervision Authority (BRSA) revoked the bank's license because it did not take the required measures and failed to fulfill its obligations in a timely manner. At that time, all deposits were covered by deposit insurance. It appeared to be an ordinary takeover, as it was a small bank.
However, the real scale of the problem and an unexpected type of fraud were realized when the BRSA examined the case to finalize the exact amount to be paid to depositors. The examination revealed that there were discrepancies between the official deposit balances and actual balances. Total deposits of the bank amounted to TL 753 million (approximately US $500 million), according to the last daily balance sheet prepared and sent to BRSA by the bank. However, based on the examination, the real amount was much higher than the amount reported. The actual amount was TL 8.1 billion (more than US $5 billion)—more than 10 times the reported amount.
The examinations revealed that the bank’s information technology (IT) firm, which was a group company that solely did business with the bank, had partly deleted and damaged the magnetic records of the bank during the takeover. A double record-keeping system was discovered: one official, one unofficial. That is to say, the bank had a double accounting system where the true information existed at the branch level, but headquarters falsified it and then reported it to BRSA. All previous onsite examinations were also done through the fake records.
It has been a painstaking struggle for the government to clean up the mess. First, information and documents obtained from all branches were collected at a single center and examinations were initiated for the determination of real depositors. Deposits were paid to more than 300,000 depositors by the insurance fund. However, investors who bought government bonds were not paid at that time, because those were not deposits and were not covered by the insurance. In 2007, a law was enacted by the parliament that requires the Treasury to make payments to bond holders.
In essence, this is an example of a financial fraud where IT systems were directly used to hide and manipulate data. There is a lot to learn from this costly example, and it shaped the actions taken by BRSA in the years since.
The fraud resulted in lessons learned in the following areas:
- Internal controls—Internal controls are more important for financial institutions because they deal with other people's money. In 1998, the Basel Committee set principles for internal control. Principle 6 (segregation of duties), principle 8 (independent monitoring of data systems) and principle 11 (internal audit) are particularly important in this context. Accordingly, there should be appropriate segregation of duties, and personnel should not be assigned conflicting responsibilities. An effective internal control system requires reliable information systems that cover all significant activities of the bank; there should be effective and comprehensive internal audits of the internal control system, carried out by operationally independent, appropriately trained and competent staff. In 2006, BRSA published new legislation, annulling the old one, which regulates internal control and the audit of banks in detail.
- Corporate governance—Corporate governance, an essential aspect of internal controls, is the set of processes and policies by which companies are directed and controlled. Considerable attention is being given to corporate governance all over the world, especially after the collapse of a number of large US firms, such as Enron and WorldCom. In Turkey, the new Banking Law enacted in 2005 mentions corporate governance 10 times and includes a section regulating the basics of corporate governance. According to the Banking Law, the board of directors should have adequate professional experience to satisfy the requirements laid down in the corporate governance provisions of the Banking Law and to perform the planned activities. Additionally, implementation of corporate governance principles is considered by BRSA in granting operating permission, opening branches, and determining the bank's minimum or maximum standard ratios.
- External controls—External controls may be as important as internal controls, and they need to be regulated. Generally, the function of the external auditor is to certify that the financial statements reflect the true financial position and performance of the bank. At this point, harmonization of accounting rules is very important. Within the last couple of years, Turkey's accounting standards have become almost completely harmonized with international accounting standards and best practices. The quality of external audits also depends on the quality of the auditor. External auditors must be licensed by BRSA to conduct audits in banks, and any misconduct may lead to cancellation of the license.
- IT audit—In essence, the previously mentioned case was an IT-related financial crime. The bank management used the subsidiary technology company to conceal the true data of the bank. Hence, BRSA has strictly regulated the operation of banks’ outsourcing activities. According to the Banking Law and relevant regulations, banks cannot outsource basic operations without prior authorization, and outsourcing does not discharge the responsibility of the board of directors.
Another big step is independent IT audit. Independent audit companies conduct IT audits in banks operating in Turkey to address the risks related to duplicate information systems or double registry systems and to test basic application controls.
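The core test behind such an audit is a reconciliation: totals recomputed from the branch-level records, where the true data lived in this case, are compared with the consolidated figures headquarters reported to the supervisor, and every branch that disagrees is flagged. The following is an added illustration, not code from the article or from BRSA, using constructed sample records and a constructed headquarters report; the branch codes, account names and balances are made up.

```python
from collections import defaultdict

# Constructed sample data: branch-level deposit records (the ledger the
# branches actually keep) and the per-branch totals headquarters put in
# the file sent to the regulator. B002 and B003 are understated and
# B004 is missing entirely, mirroring a double registry system.
BRANCH_RECORDS = [
    {"branch": "B001", "account": "A-1", "balance": 1_200_000.0},
    {"branch": "B001", "account": "A-2", "balance": 800_000.0},
    {"branch": "B002", "account": "A-3", "balance": 3_500_000.0},
    {"branch": "B003", "account": "A-4", "balance": 2_000_000.0},
    {"branch": "B004", "account": "A-5", "balance": 100_000.0},
]
HQ_REPORT = {"B001": 2_000_000.0, "B002": 500_000.0, "B003": 200_000.0}


def branch_totals(records):
    """Sum deposit balances per branch directly from branch-level records."""
    totals = defaultdict(float)
    for rec in records:
        totals[rec["branch"]] += rec["balance"]
    return dict(totals)


def reconcile(records, hq_report, tolerance=0.01):
    """Compare recomputed branch totals with the totals headquarters reported.

    Returns {branch: (actual, reported, actual - reported)} for every branch
    whose figures differ by more than `tolerance`, including branches that
    appear on only one side (the missing side counts as 0.0)."""
    actual = branch_totals(records)
    findings = {}
    for branch in sorted(set(actual) | set(hq_report)):
        a = actual.get(branch, 0.0)
        r = hq_report.get(branch, 0.0)
        if abs(a - r) > tolerance:
            findings[branch] = (a, r, a - r)
    return findings


def understatement_ratio(records, hq_report):
    """Ratio of true total deposits to the total reported to the supervisor."""
    actual = sum(rec["balance"] for rec in records)
    reported = sum(hq_report.values())
    return actual / reported if reported else float("inf")


if __name__ == "__main__":
    for branch, (a, r, d) in reconcile(BRANCH_RECORDS, HQ_REPORT).items():
        print(f"{branch}: actual={a:,.0f} reported={r:,.0f} difference={d:,.0f}")
    print(f"actual/reported = {understatement_ratio(BRANCH_RECORDS, HQ_REPORT):.2f}")
```

In practice the branch-side figures must come from a source the audited party cannot rewrite after the fact (a copy taken at the branches, as was done here), otherwise both sides of the comparison are under the same control.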
Moreover, BRSA is planning to conduct onsite IT audits in banks starting in 2008, with a team of 18 ready to go, seven of whom already hold the Certified Information Systems Auditor (CISA) designation.
Technology is developing and changing very rapidly. This rapid change leads innovative forgers to come up with new methods to break the rules. The motto for supervisors should be “be alert, be up to date.”
Mustafa Ayaz, CISA, is the senior banking specialist of the information management department at BRSA.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.