Author: Kaya Kazmirci, CISA, CISM, CISSP
During the 1990s, numerous crises occurred in the Turkish banking sector (including several high-profile bank failures) that led to the development of a rigorous set of standards by the Turkish Banking Regulation and Supervision Agency (BRSA). All Turkish banks are required to become compliant with these standards. The first of these standards, the Banking Internal Audit and Risk Management Systems Communique, related to technology infrastructure and was published in 2001. Subsequent related publications detailed the high-level approach that the first banking technology standard described, and mandated COBIT implementation and compliance in all Turkish banks.
These standards[1] clearly state that COBIT compliance should be based on the most recent COBIT version. Therefore, on a biyearly basis, during the audit of the 48 operating Turkish banks, all external auditors must complete COBIT-based IT audits and have a Certified Information Systems Auditor (CISA), as well as a financial auditor, sign the related audit report. The resulting maturity assessments and audit results dramatically increased the Turkish banking industry’s IT awareness as well as its IT control understanding. As a result, banking industry leaders learned of many control weaknesses, especially during those first audits, and implemented many technology and related control improvements.
Since all Turkish banks are required to use the current version of COBIT for statutory audits, the release of COBIT 5 in 2012 initiated a reading frenzy for all who work in or around the Turkish banking sector.
The Turkish Banking Association (TBA) recently commented on the COBIT 4.1 migration to COBIT 5 and its relevant impact on banking operations.[2] The TBA team[3] that completed the work on which this article is based recommends that each member bank form a work group with members drawn from the bank’s inspection board, operational process management and internal systems management departments. These work groups should each conduct a detailed review of COBIT 5 and then share their findings with each other (under TBA auspices), external auditors and the BRSA. The review’s goal should be to outline a COBIT 5 implementation road map as well as to clearly define any improvement areas.
The consensus among the TBA team is that upgrading to COBIT 5 will have a value-added impact on both internal control systems and general banking operations. Areas that will require detailed planning and assessment prior to successfully migrating to COBIT 5 include:
- Organizational scope—COBIT 5 is premised on an end-to-end approach to control. Optimally, IT operates in concert with all areas of the bank to provide seamless service, control and governance. While COBIT 4.1 was primarily implemented in the Turkish banking industry’s technical purview, COBIT 5 implementation will require enhanced operational, audit and governance coordination and integration. Bank internal/external audit, inspection boards as well as industry, tax, antitrust and treasury regulators will need to clearly align with the BRSA standard and create transparent real-time governance coordination with stakeholders.
- Audit approach—DSS06 Manage business process controls includes (within its scope) all banking activities. Traditionally, a bank inspection board’s financial experts have audited banking operations and services, and bank IT auditors have conducted technology audits. COBIT 5 requires a coordinated approach that includes combined financial and technology teams focusing on specific operational processes and then reporting in a coordinated fashion to leadership.
- Assurance guidance—Bank inspection boards will need to read the COBIT 5 for Assurance publication (scheduled for release in the second quarter of 2013) for guidance during audit planning.
- Assessing new and changed processes—COBIT 5 includes several new processes and one new domain, as well as several processes that have been significantly revised. As existing experience with these processes is limited, the TBA team plans to utilize 2014 to assess and plan implementation as well as to rectify any potential conflicts with existing operations and/or approaches. The banking sector is presently assessing the new processes and developing a prioritized implementation plan.
- Process assessment model—Changes in the COBIT Process Assessment Model (PAM) could lead to processes having lower maturity scores in COBIT 5 capability assessments. For example, a COBIT 4.1 control objective that attained a maturity score of two (repeatable) may not have sufficient documentation to achieve even a zero (if the process does not achieve its stated goals) in COBIT 5. COBIT 5 requires a minimum of work product (inputs and outputs), base practice and process outcome to be defined for a capability score of one. In contrast, a COBIT 4.1-based maturity assessment could result in the same score without any documentation.[4]
- Timing—The process for migrating to COBIT 5 in an enterprise with an existing COBIT 4.1 implementation will require communication and consensus among all stakeholders, which should include, at a minimum, banks, external auditors and the BRSA. Achieving this consensus and developing a common implementation plan will take hard work on the part of all related parties. How much time this development will take and when the work results will be accepted and implemented is under discussion. The BRSA has announced that, while COBIT 5’s implementation in 2014 is possible, the related changes in operational scope, method and approach will be significant compared to COBIT 4.1. The BRSA further stated that it would continue to review the matter and make a broader announcement at a later date.[5]
Turkish banks and external auditors appear to have significant work remaining to detail a COBIT 4.1 to COBIT 5 migration road map. This road map should include a clear description of COBIT 5 including organizational scope and responsibility (i.e., which departments will be responsible for implementing and auditing specific COBIT 5 processes and domains), a description of how the new and revised processes and domains are to be implemented and audited, and a detailed understanding of the COBIT 5 PAM’s required documentation. Once this road map is complete, the Turkish banking industry can plan and schedule its upgrade to COBIT 5. The BRSA has announced that the earliest possible time frame for this migration is 2014; however, based on industry developments, a later implementation date is also possible.
The author would like to thank the following experts for their invaluable support in crafting this article: Necdet Almaç, Murat Lostar, Mustafa Gülmüs, Emre Özbek, Izzet Gökhan Özbilgin, Ph.D., Asli Dogrusöz, Emre Besli, Funda Çetintas, Betül Öz, Serdar Güzel, Baris Bagci, Cem Ergül and Baris Yalçin.
[1] See Turkish Banking Regulation and Supervision Agency, “BRSA Regulation on Bank Information Systems and Banking Processes Audit to Be Performed by External Auditors,” published in the Turkish Official Gazette dated 13 January 2010, No. 27461, www.bddk.gov.tr/WebSitesi/english/Legislation/8800regulationonbankingprocesses.pdf. In this Information Systems Audit Regulation, Article 24 (“Information System Audit”), second item, specifies COBIT-based bank audits. Article 4 (“Definitions and Abbreviations”), first item, subitem f, of the same document defines COBIT as the most recent standard published by ISACA.
[2] Many members of the review team were also ISACA Istanbul Chapter COBIT 5 work group members who shared their work.
[3] Please see the acknowledgments for a list of team members.
[4] The COBIT 4.1 PAM was released in September 2011 and the COBIT 5 PAM was released in the first quarter of 2013.
[5] BRSA, Letter to TBA regarding COBIT 5 use in IT and process audits, 4 January 2013.
Kaya Kazmirci, CISA, CISM, CISSP, offers IT governance-related training and consulting services. He was previously the internal audit director in Istanbul, Turkey, for Avea, a mobile telecommunications operator. Kazmirci has more than 30 years of experience in information technology and business, with extensive experience in restructuring the IT function and implementing audit methodologies in large banks and telecommunication operators. Kazmirci’s experiences include extensive reviews of financial management systems including banking, billing and charging, accounting and enterprise resource planning (SAP & Oracle) systems, and IT organizations. He is well versed in generally accepted IT standards and frameworks, such as COBIT, ISO 27001, WebTrust and SysTrust.