Kaya Kazmirci, CISA, CISM, CISSP
During the 1990s, numerous crises occurred in the Turkish banking sector (including several high-profile bank failures) that led to the development of a rigorous set of standards by the Turkish Banking Regulation and Supervision Agency (BRSA). All Turkish banks are required to become compliant with these standards. The first of these standards, Banking Internal Audit and Risk Management Systems Communique, related to technology infrastructure and was published in 2001. Subsequent related publications detailed the high-level approach that the first banking technology standard described, and mandated COBIT implementation and compliance in all Turkish banks.
These standards1 clearly state that COBIT compliance should be based on the most recent COBIT version. Therefore, on a biyearly basis, during the audit of 48 operating Turkish banks, all external auditors must complete COBIT-based IT audits and have a Certified Information Systems Auditor (CISA), as well as a financial auditor, sign the related audit report. The resulting maturity assessments and audit results dramatically increased the Turkish banking industry’s IT awareness as well as its IT control understanding. As a result, banking industry leaders learned of many control weaknesses, especially during those first audits, and implemented many technology and related control improvements.
Since all Turkish banks are required to use the current version of COBIT for statutory audits, the release of COBIT 5 in 2012 initiated a reading frenzy for all who work in or around the Turkish banking sector.
The Turkish Banking Association (TBA) recently commented on the COBIT 4.1 migration to COBIT 5 and its relevant impact on banking operations.2 The TBA team3 that completed the work on which this article is based recommends that each member bank form a work group with the members drawn from the bank’s inspection board, operational process management and internal systems management departments. These work groups should each conduct a detailed review of COBIT 5 and then share their findings with each other (under TBA auspices), external auditors and the BRSA. The review’s goal should be to outline a COBIT 5 implementation road map as well as to clearly define any improvement areas.
The consensus among the TBA team is that upgrading to COBIT 5 will have a value-added impact on both internal control systems and general banking operations. Areas that will require detailed planning and assessment prior to successfully migrating to COBIT 5 include:
Turkish Banks and external auditors appear to have significant work remaining to detail a COBIT 4.1 to COBIT 5 migration road map. This road map should include a clear description of COBIT 5 including organizational scope and responsibility (i.e., which departments will be responsible for implementing and auditing specific COBIT 5 processes and domains), a description of how the new and revised processes and domains are to be implemented and audited, and a detailed understanding of the COBIT 5 PAM’s required documentation. Once this road map is complete, the Turkish Banking Industry can plan and schedule its upgrade to COBIT 5. The BRSA has announced that the earliest possible time frame for this migration is 2014; however, based on industry developments, a later implementation date is also possible.
The author would like to thank the following experts for their invaluable support in crafting this article: Necdet Almaç, Murat Lostar, Mustafa Gülmüs, Emre Özbek, Izzet Gökhan Özbilgin, Ph.D., Asli Dogrusöz, Emre Besli, Funda Çetintas, Betül Öz, Serdar Güzel, Baris Bagci, Cem Ergül and Baris Yalçin.
1 See Turkish Banking Regulation and Supervision Agency, “BRSA Regulation on Bank Information Systems and Banking Processes Audit to Be Performed by External Auditors,” published in The Turkish Official Gazette dated 13 January 2010, Nr. 27461, www.bddk.gov.tr/WebSitesi/english/Legislation/8800regulationonbankingprocesses.pdf. The Information Systems Audit Regulation, “Information System Audit,” 24th article’s second item specifies COBIT-based bank audits. The same document’s “Definitions and Abbreviations,” fourth article, first item, subitem f, defines COBIT as the most recent standard published by ISACA.
2 Many members of the review team were also ISACA Istanbul Chapter COBIT 5 work group members who shared their work.
3 Please see acknowledgments for a list of team members.
4 COBIT 4.1 PAM was released in September 2011 and COBIT 5 PAM was released in the first quarter of 2013.
5 BRSA, Letter to TBA regarding COBIT 5 use in IT and process audits, 4 January 2013.
Kaya Kazmirci, CISA, CISM, CISSP, offers IT governance-related training and consulting services. He was previously the internal audit director in Istanbul, Turkey, for Avea, a mobile telecommunications operator. Kazmirci has more than 30 years of experience in information technology and business, with extensive experience in restructuring the IT function and implementing audit methodologies in large banks and telecommunication operators. Kazmirci’s experiences include extensive reviews of financial management systems including banking, billing and charging, accounting and enterprise resource planning (SAP & Oracle) systems, and IT organizations. He is well versed in generally accepted IT standards and frameworks, such as COBIT, ISO 27001, WebTrust and SysTrust.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
© 2013 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.