Lessons From a Fraud Case in Turkey
By Mustafa Ayaz, CISA
Copyright 2008 ISACA. All rights reserved. www.isaca.org.
JOURNAL ONLINE
The Imar Bank Case
The collapse of the Imar Bank in 2003 was not a big
surprise to Turkey's financial markets. From 1999 to 2003, more
than 25 banks were transferred to the Savings Deposit
Insurance Fund for liquidation. The Imar Bank had been on
the watch list of the supervisory authority for about 10 years,
as its loan portfolio, characterized by an exceptionally
connected lending practice, consisted mainly of loans to
companies owned by the main shareholder group. The bank
had severe problems when the licenses of two power
companies, which provided the cash flow of the main
shareholder group, were revoked. Depositors ran on the bank
and this resulted in more liquidity problems. The Banking
Regulation and Supervision Authority (BRSA) revoked the license of the bank
because it did not take the required
measures and failed to fulfill its obligations
in a timely manner. At that time, all deposits
were under the coverage of deposit
insurance. It appeared to be an ordinary
takeover, as it was a small bank.
However, the real scale of the problem
and an unexpected type of fraud were realized when the
BRSA examined the case to finalize the exact amount to be
paid to depositors. The examination revealed that there were
discrepancies between the official deposit balances and actual
balances. Total deposits of the bank amounted to TL 753 million (approximately US $500 million), according to the
last daily balance sheet prepared and sent to BRSA by the
bank. However, based on the examination, the real amount
was much higher than the amount reported. The actual
amount was TL 8.1 billion (more than US $5 billion), more
than 10 times the reported amount.
The examinations revealed that the bank's information
technology (IT) firm, which was a group company that solely
did business with the bank, had partly deleted and damaged
the magnetic records of the bank during the takeover. A
double record-keeping system was discovered: one official,
one unofficial. That is to say, the bank had a double
accounting system where the true information existed at the branch level, but headquarters falsified it and then reported it
to BRSA. All previous onsite examinations were also done
through the fake records.
It has been a painstaking struggle for the government to
clean up the mess. First, information and documents obtained
from all branches were collected at a single center and
examinations were initiated for the determination of real
depositors. Deposits were paid to more than 300,000
depositors by the insurance fund. However, investors who
bought government bonds were not paid at that time, because
those were not deposits and were not covered by the
insurance. In 2007, a law was enacted by the parliament that requires the Treasury to make payments to bond holders.
In essence, this is an example of a financial fraud where IT
systems were directly used to hide and manipulate data. There
is a lot to learn from this costly example, and it shaped the
actions taken by BRSA in the years since.
Lessons Learned
The fraud resulted in lessons learned in the following areas:
Internal controls: Internal controls are more important for
financial institutions because they deal with other people's
money. In 1998, the Basel Committee set principles for
internal control. Principle 6 (segregation of duties), principle 8 (independent monitoring
of data systems) and principle 11 (internal
audit) are particularly important in this
context. Accordingly, there should be
appropriate segregation of duties and
personnel should not be assigned
conflicting responsibilities. An effective
internal control system requires reliable
information systems that cover all significant activities of
the bank to be in place; there should be effective and
comprehensive internal audits of the internal control system
carried out by operationally independent, appropriately
trained and competent staff. In 2006, BRSA published new legislation, annulling the old one, which regulates internal
control and the audit of banks in detail.
Corporate governance: Corporate governance, an essential
aspect of internal controls, is the set of processes and policies
by which companies are directed and controlled. Considerable attention is
being given to corporate governance all over the world,
especially after the collapse of a number of large US firms,
such as Enron and WorldCom. In Turkey, the new Banking
Law enacted in 2005 mentions corporate governance 10
times and includes a section on regulating the basics of
corporate governance. According to the Banking Law, the
board of directors should have adequate professional
experience to be able to satisfy the requirements laid down in the corporate governance provisions of the Banking Law
and perform the planned activities. Additionally,
implementation of corporate governance principles is
considered by BRSA in granting operation permission,
opening branches, and determining the bank's minimum or
maximum standard ratios.
External controls: External controls may be as important
as internal controls, and they need to be regulated.
Generally, the function of the external auditor is to certify
that the financial statements reflect the true financial
position and performance of the bank. At this point,
harmonization of accounting rules is very important. Within
the last couple of years, Turkey's accounting standards have
become almost completely harmonious with international
accounting standards and best practices. The quality of
external audits also depends on the quality of the auditor.
External auditors are to be licensed by BRSA to conduct
audits in banks, and any misconduct may lead to
cancellation of the license.
IT audit: In essence, the previously mentioned case was an IT-related financial crime. The bank management used the
subsidiary technology company to conceal the true data of
the bank. Hence, BRSA has strictly regulated the operation
of banks' outsourcing activities. According to the Banking
Law and relevant regulations, banks cannot outsource basic
operations without prior authorization, and outsourcing does
not discharge the responsibility of the board of directors.
Another big step is independent IT audit. Independent audit
companies conduct IT audits in banks operating in Turkey to
prevent the risks related to repeated information systems or
double registry systems and test basic application controls.
Moreover, BRSA is planning to conduct onsite IT audits in
banks starting in 2008, with a team of 18 ready to go, seven
of whom already hold the Certified Information Systems
Auditor (CISA) designation.
Conclusion
Technology is developing and changing very rapidly. This
rapid change leads innovative forgers to come up with new methods to break the rules. The motto for supervisors should
be "be alert, be up to date."
Mustafa Ayaz, CISA
is the senior banking specialist of the information
management department at BRSA.
Information Systems Control Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the Information Systems Control Journal.
Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.
© 2008 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.