
Technical Support Audits
Information technology control mainly covers the following subjects:

  • Database management systems (Oracle, Microsoft SQL Server, Sybase and DB2)
  • Network systems (firewalls, local area networks (LAN), routers, switches, IDS/IPS management and wireless networks)
  • Operating systems (Microsoft Windows, Linux (Red Hat Enterprise and similar), UNIX (Sun Solaris, HP-UX, IBM AIX, etc.))
  • Applications (software developed for business needs, and corporate software such as accounting, resource planning, financial reporting and inventory management)

Technical support audits focus on the first three topics above. The main services provided within the scope of technical support services are as follows:

  • Firewall management (firewalls are the most important line of defense of computer networks).
  • IPS/IDS management (IDS stands for intrusion detection system. With it, an attack on the system is detected and the source of the attack is prevented from reaching the system again. IPS stands for intrusion prevention system. Its purpose is to prevent malicious network activity).
  • VPN management (a VPN, or virtual private network, allows you to connect to the internet through another IP address. It secures the internet connection and ensures that passwords and credentials cannot be found when connecting to any network).
  • DLP management (DLP, a data loss and leak prevention system, is a data protection application that is increasingly used in the field of internet security. With it, unwanted information can be prevented from leaving the system).
  • Antispam filtering (an application that keeps spam out of the email inbox and moves it to a separate folder).
  • Inventory work (a study to take an inventory of all software and hardware that is connected to a particular network or working alone).
  • MDM solutions (MDM, or mobile device management, emerged from the idea that if everything done on a personal computer can be done on mobile devices, the work done in the office can be moved to mobile devices. As such, the management of mobile devices has gained a serious dimension).
  • Privileged password management solutions (the proliferation of applications has also increased encryption needs in terms of security).

Our organization provides technical support audit services within the scope of audit services. In these studies, our organization operates in accordance with the relevant legal regulations, standards published by domestic and foreign organizations and generally accepted audit methods.

Application Controls Audits

In general terms, application controls are the totality of controls within the scope of application systems that govern the regulation, separation, matching and balancing of data in business processes and the reporting of errors. In other words, application controls are performed to ensure that:

  • The information entered into the system is precise, complete, accurate and has been created only by authorized persons.
  • Information is entered into the system in an acceptable time and in a targeted manner.
  • The information held in the system is complete and accurate.
  • Outputs from the system are complete and accurate.
  • Entering the information into the system, storing and printing processes in the system

There are many methods used to perform application controls. For example, input controls are performed to check the integrity of the information entered in the system and how it is contaminated. This information may be entered directly into the system by employees or by a remote partner, or may be entered via the Internet. Data processing controls are performed to ensure that the information entered into the system is complete, accurate and authorized. Output controls are performed to determine how the information received from the system is used. Integrity checks are performed to ensure that the information is consistent and complete. Management trail controls are carried out to track the historical trace of applications for the entering, processing and printing of information.

Essentially, application controls are carried out in two directions: preventive controls and detection controls. Both types of application control are intended to prevent errors in the application. Preventive controls are performed to ensure that the information entered is in accordance with the logic of the software. In this case, only correct data can be entered into the system, and incorrect information is rejected at the time of entry. In detection controls, it is checked afterwards whether the information entered into the system is appropriate in terms of the logic of the software.

Application controls are specific to a particular application. The general controls of information technologies, by contrast, concern the completeness and accuracy of all records in the system.

Our organization provides application control services within the scope of audit services. In these studies, it operates in accordance with the relevant legal regulations, standards published by domestic and foreign organizations and generally accepted audit methods.

Private Security Audits

An information technology audit is carried out to give assurance on whether the expected benefits are obtained from the infrastructure and processes. These benefits can be listed as follows:

  • To what extent are infrastructure and processes capable of meeting business needs? (Efficacy)
  • How efficient are the resources used? (Efficiency)
  • To what extent is the protection of the confidentiality, integrity and continuity of information assets ensured? (Security)
  • Finally, to what extent are the legal regulations on these issues being followed?

The information technology audit is a separate area of expertise. However, it should not be completely separate from general audit principles and criteria. In this respect, IT security audits also require a risk-based audit process built on objective evidence.

Organizational, process and technical controls form the basis of information technology audits. In addition, physical controls that support the protection of information technology infrastructure against security gaps should not be ignored.

In addition to these general principles, it is possible to carry out special security audits depending on the field of activity and service conditions of the enterprise. Many different methods can be used in these inspections, and each method has its own impact criteria. Some critical controllable areas may have different characteristics depending on the activities of the organization. Some areas may also gain importance in certain periods as business objectives change. What is important is to recognize these differences and prioritize them in audit planning.

Different practices and standards can be applied in information technology audits. For example:

  • COBIT (Control Objectives for Information and Related Technology)
  • TS ISO/IEC 27001 Information technology - Security techniques - Information security management systems - Requirements
  • TS ISO/IEC 27002 Information Technology - Security Techniques - Application Principles for Information Security Controls
  • PRINCE (Projects in Controlled Environments)
  • CMMI (Capability Maturity Model Integration)
  • ITIL (Information Technology Infrastructure Library)

Our organization provides these security audits within the scope of auditing services. In these studies, it operates in accordance with the relevant legal regulations, standards published by domestic and foreign organizations and generally accepted audit methods.

IT General Controls Audits

Manually conducting business processes in an enterprise leads to the preparation of incorrect financial statements, higher number of employees, greater operational risks each day, and possible malicious behavior. Therefore, it is extremely important to have a solid information technology infrastructure and to establish a strong control environment in order to increase the power of enterprises.

The general controls of information technologies in enterprises are important in several respects. They support system-based controls and business processes and minimize financial and operational risks. In addition, they increase the efficiency of the controls and processes connected to the system and, most importantly, provide assurance over them. Information integrity, completeness and accuracy are also assured.

In general, the general controls of information technologies are concentrated in three stages. The inspection of these areas aims to identify control points and to test how effective these control points are. These areas are:

  • Access to data (information security, authorization, physical access, access management and monitoring processes are controlled in this area)
  • Program and application development (application development methods, data transformation, development, testing, approval and application processes are controlled in this field)
  • Software changes (software development, testing and approval, transfer of software to production environment, configuration work and urgent change processes are controlled in this area)
  • Information technology operations (operations follow-up, backup and return operations and problem management processes are controlled in this field)

The general controls of information technologies performed have positive effects on business processes. Today, these controls are the mainstay of business processes. If these general controls are not made strong, it is difficult to rely on system-based controls and processes under the supervision of any business process. General controls ensure the integrity, accuracy and completeness of the data held in the systems. Therefore, all business processes using the system are affected by the general controls of information technologies.

Our organization provides information technology general controls services within the scope of audit services. In these studies, it operates in accordance with the relevant legal regulations, standards published by domestic and foreign organizations and generally accepted audit methods.

COBIT Audits

COBIT stands for Control Objectives for Information and Related Technology. Companies operating in the field of information technologies develop an information technology management model and try to protect the assets of their businesses. However, COBIT is not only a control tool, but rather a management tool. Nevertheless, it focuses more on supervision. In this way, it aims to benefit everyone from the management staff of enterprises to the employees in the field of information technologies, in support of the existence and success of the enterprise.

The importance of COBIT has been recognized in our country, especially in the finance sector, and in recent years it has been applied in many areas. COBIT sets forth the objectives to be achieved in information technology management and offers a framework covering all information technology functions. COBIT includes four groups of process areas and 34 processes, which together cover the whole of IT management. In fact, COBIT focuses on information technology management, not on information technology processes. COBIT was first released in 1996.

In our country, some banks were the first to be subjected to a COBIT-based special audit by the BRSA. This type of audit was extended to all banks in 2006 and made mandatory. It is now repeated once every two years. Although there were some problems in the past, today banks manage their information technology processes in accordance with this standard and manage their processes more efficiently and effectively.

In fact, even before the BRSA stipulated it, some banks managed their information technology processes in accordance with COBIT. However, banking is not the only area where COBIT is applied. Many companies in the finance and manufacturing sectors use COBIT for process management.

The audit of information technology processes is no longer an area of engineering based on information technology alone; it also includes accounting and reporting within the scope of business science. The independent audit carried out in conjunction with the information technology audit becomes more important, especially when commercial life becomes more reliable and developments in the banking sector are taken into consideration.

Our organization provides COBIT audits. In these studies, it operates in accordance with the relevant legal regulations, standards published by domestic and foreign organizations and generally accepted audit methods.