The Regulation on the Independent Audit of Information Systems and Business Processes Was Published in the Official Gazette.

6 January 2022

The Regulation on the Independent Audit of Information Systems and Business Processes (“Regulation”) was published in the Official Gazette dated 31.01.2022 and numbered 31706.

The Regulation regulates the procedures and principles regarding the auditing of the information systems and business processes of the institutions under the supervision and control of the Banking Regulation and Supervision Agency (“BRSA”) by independent audit firms authorized within the scope of this Regulation.

The changes introduced by the Regulation, compared with the previous regulation, are as follows:

  • The reference to COBIT published by the Information Systems Audit and Control Association (“ISACA”) and Information Technologies Governance Institute (“ITGI”) in information systems auditing has been removed, and reference has been made to the Regulation of Banks on Information Systems and Electronic Banking Services,
  • The term “organizations under the supervision and control of the Institution” is used instead of the term “bank”, and the information systems in risk center and information exchange organizations, independent auditing of information systems and business processes in information exchange organizations and other institutions under the supervision and control of the BRSA are included in the definition of information systems auditing (“ISA”),
  • The information systems audit process in Leasing, Factoring and Financing companies has been incorporated into the BSD Regulation,
  • In article 20 of the Regulation, the scope of the audited obliged party’s obligation to submit a management statement has been expanded, and minimum requirements for the management statement have been determined,
  • Institutions authorized to conduct audits by the Public Oversight Accounting and Auditing Standards Authority (“POAASA”) have been authorized to conduct independent audits in terms of information systems in non-bank institutions subject to BRSA supervision and control,
  • The privileges of the Information Systems Auditor Certificate (“CISA”) and Internal Auditor Certificate (“CIA”) in evaluations of professional experience and the requirements to have a CISA among the mandatory elements of the Lead Auditor have been removed,
  • A registry application for information systems independent audit firms and auditors has been introduced,
  • New obligations on data security have been imposed on information systems independent audit institutions,
  • The scope of Support Service Organizations has been extended by arranging it as an external service organization,
  • Reference is made to the standards published by the POAASA, to ensure the standardization of independent audit terminology.

You can access the full Turkish text of the regulation from the link below.