The Communiqué on the Report on Independent Audit of Information Systems and Business Processes (“Communiqué”) drafted by the Banking Regulation and Supervision Agency has been published in the Official Gazette dated March 25th, 2022, numbered 31789, and entered into force on the same date. Pursuant to the Communiqué, the Communiqué on the Report on Independent Audit of Bank Information Systems and Bank Processes has been abolished.
The purpose of the Communiqué is to determine the rules and procedures regarding the content and format of the independent audit report to be prepared within the scope of the Regulation on Independent Audit of Information Systems and Business Processes.
Pursuant to the Communiqué:
- The auditor ensures that the report is complete, accurate, objective, evidential, and as clear and concise as the subject allows.
- The auditor classifies significant control deficiencies and important control deficiencies, which are to be supported by adequate and convenient audit evidence, and includes them in the report by coding them according to the determined principles.
- The auditor reports the auditee’s opinions on the findings, results, and planned corrections, if any.
- Evaluation of information systems includes the provision of: (i) information on the employee profile of the information technologies department, (ii) direct contact information of the auditee’s managers who are responsible for the audit fields, (iii) information on the organizational structure of the information technologies department, (iv) general information on the applications/systems/tools which are used to carry out the auditee’s activities, (v) brief information regarding the information system architecture of the auditee, (vi) explanation of the network infrastructure and network topology of the auditee, (vii) demonstration of software and tools related to the auditee’s activities on the information systems architecture, (viii) brief information regarding tools which support critical control objectives such as change management, security management, if an information systems audit has been performed.
- In the report, the auditor interprets the audit objectives, audit findings and, if any, the opinions of the auditee, and includes evaluations in line with her/his own inferences and opinions, and explanations, if necessary.
You can access the full Turkish text of the Communiqué via the link below.
https://www.resmigazete.gov.tr/eskiler/2022/03/20220325-7.htm