Copyright 2008 ISACA. All rights reserved. www.isaca.org.

Lessons From a Fraud Case in Turkey

By Mustafa Ayaz, CISA
The Imar Bank Case
those were not deposits and were not covered by the insurance. In 2007, a law was enacted by the parliament that requires the Treasury to make payments to bond holders. In essence, this is an example of a financial fraud where IT systems were directly used to hide and manipulate data. There is a lot to learn from this costly example, and it shaped the actions taken by BRSA in the years since. The collapse of the Imar Bank in 2003 was not a big surprise to Turkeys financial markets. From 1999-2003, more than 25 banks were transferred to the Savings Deposit Insurance Fund for liquidation. The Imar Bank had been on the watch list of the supervisory authority for about 10 years, as its loan portfolio, characterized by an exceptionally connected lending practice, consisted mainly of loans to Lessons Learned companies owned by the main shareholder group. The bank The fraud resulted in lessons learned in the following areas: had severe problems when the licenses of two power Internal controlsInternal controls are more important for companies, which provided the cash flow of the main financial institutions because they deal with other peoples shareholder group, were revoked. Depositors ran on the bank money. In 1998, the Basel Committee set principles for and this resulted in more liquidity problems. The Banking internal control. Principle 6 (segregation of Regulation and Supervision Authority duties), principle 8 (independent monitoring (BRSA) revoked the license of the bank This is an example of a of data systems) and principle 11 (internal because it did not take the required audit) are particularly important in this measures and failed to fulfill its obligations financial fraud where context. Accordingly, there should be in a timely manner. At that time, all deposits IT systems were directly used appropriate segregation of duties and were under the coverage of deposit insurance. It appeared to be an ordinary to hide and manipulate data. personnel should not be assigned conflicting responsibilities. An effective takeover, as it was a small bank. internal control system requires reliable However, the real scale of the problem information systems that cover all significant activities of and an unexpected type of fraud were realized when the the bank to be in place; there should be effective and BRSA examined the case to finalize the exact amount to be comprehensive internal audits of the internal control system paid to depositors. The examination revealed that there were carried out by operationally independent, appropriately discrepancies between the official deposit balances and actual trained and competent staff. In 2006, BRSA published new balances. Total deposits of the bank amounted to TL 753 legislation, annulling the old one, which regulates internal million (approximately US $500 million), according to the control and the audit of banks in detail. last daily balance sheet prepared and sent to BRSA by the Corporate governanceCorporate governance, an essential bank. However, based on the examination, the real amount aspect of internal controls, is a set of processes and policies was much higher than the amount reported. The actual that companies direct and control. Considerable attention is amount was TL 8.1 billion (more than US $5 billion)more being given to corporate governance all over the world, than 10 times the reported amount. especially after the collapse of a number of large US firms, The examinations revealed that the banks information such as Enron and WorldCom. In Turkey, the new Banking technology (IT) firm, which was a group company that solely Law enacted in 2005 mentions corporate governance 10 did business with the bank, had partly deleted and damaged times and includes a section on regulating the basics of the magnetic records of the bank during the takeover. A corporate governance. According to the Banking Law, the double record-keeping system was discovered: one official, board of directors should have adequate professional one unofficial. That is to say, the bank had a double experience to be able to satisfy the requirements laid down accounting system where the true information existed at the in the corporate governance provisions of the Banking Law branch level, but headquarters falsified it and then reported it and perform the planned activities. Additionally, to BRSA. All previous onsite examinations were also done implementation of corporate governance principles is through the fake records. considered by BRSA in granting operation permission, It has been a painstaking struggle for the government to opening branches, and determining the banks minimum or clean up the mess. First, information and documents obtained maximum standard ratios. from all branches were collected at a single center and External controlsExternal controls may be as important examinations were initiated for the determination of real as internal controls, and they need to be regulated. depositors. Deposits were paid to more than 300,000 Generally, the function of the external auditor is to certify depositors by the insurance fund. However, investors who that the financial statements reflect the true financial bought government bonds were not paid at that time, because
JOURNALONLINE 1

position and performance of the bank. At this point, harmonization of accounting rules is very important. Within the last couple of years, Turkeys accounting standards have become almost completely harmonious with international accounting standards and best practices. The quality of external audits also depends on the quality of the auditor. External auditors are to be licensed by BRSA to conduct audits in banks, and any misconduct may lead to cancellation of the license. IT auditIn essence, the previously mentioned case was an IT-related financial crime. The bank management used the subsidiary technology company to conceal the true data of the bank. Hence, BRSA has strictly regulated the operation of banks outsourcing activities. According to the Banking Law and relevant regulations, banks cannot outsource basic operations without prior authorization, and outsourcing does not discharge the responsibility of the board of directors. Another big step is independent IT audit. Independent audit companies conduct IT audits in banks operating in Turkey to

prevent the risks related to repeated information systems or double registry systems and test basic application controls. Moreover, BRSA is planning to conduct onsite IT audits in banks starting in 2008, with a team of 18 ready to go, seven of whom already hold the Certified Information Systems Auditor (CISA) designation.

Conclusion
Technology is developing and changing very rapidly. This rapid change leads innovative forgers to come up with new methods to break the rules. The motto for supervisors should be be alert, be up to date. Mustafa Ayaz, CISA is the senior banking specialist of the information management department at BRSA.

Information Systems Control Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the Information Systems Control Journal. Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content. 2008 ISACA. All rights reserved. Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25 per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited. www.isaca.org

JOURNALONLINE