Communiqués Recently Published by Capital Markets Board on Information Systems Management and Independent Audit of Information Systems
This legal alert outlines the rules and principles regarding information systems management and the independent audit of information systems under the Communiqués recently published by the Capital Markets Board of Turkey.
On January 5, 2018, the Capital Markets Board (“Board”) published 2 (two) new communiqués: (i) Communiqué on Information Systems Management numbered VII-128.9 (“Communiqué numbered VII-128.9”) and (ii) Communiqué on Independent Audit of Information Systems numbered III-62.2 (“Communiqué numbered III-62.2”), both of which entered into force on the day of their publication in the Official Gazette.
Communiqué numbered VII-128.9 sets forth the rules, policies and procedures regarding the management, security, sustainability and efficient operation of the information systems of the following entities: Istanbul Stock Exchange (Borsa Istanbul A.Ş.), organized markets, pension funds, Istanbul Clearing, Settlement and Custody Bank (Istanbul Takas ve Saklama Bankası A.Ş.), Central Securities Depository of Turkey (Merkezi Kayıt Kuruluşu A.Ş.), custodians, Capital Markets Licensing Agency (Sermaye Piyasası Lisanslama Sicil ve Eğitim Kuruluşu A.Ş.), capital markets institutions, publicly held joint stock companies, Turkish Capital Markets Association (Türkiye Sermaye Piyasaları Birliği) and Turkish Appraisers Association (Türkiye Değerleme Uzmanları Birliği). In addition, Communiqué numbered III-62.2 sets forth the rules, policies and principles regarding the independent audit of the information systems of these entities.
It is worth noting that, as per Article 2 of the Communiqué numbered III-62.2, banks, insurance companies, and financial lease, factoring and finance companies are already required to comply with the rules and principles regarding information systems arising from their own legislation, and such entities are deemed to be compliant with the above-mentioned Communiqués as long as they comply with their own applicable legislation regarding information systems. Notwithstanding the foregoing, Article 29 of the same Communiqué requires these entities to provide a copy of their independent audit reports to the Board within 30 days following the expiry of the respective audit term.
As regards the Communiqué numbered VII-128.9, we would like to highlight the following provisions applicable to the entities listed under that Communiqué.
- The management of the information systems of the entities has become a part of corporate governance practice,
- “Information Security Policy” shall be executed by the executive management and approved by the Board of Directors (BoD) of the respective entity for the establishment, management and use of information systems,
- Executive management of the entity is responsible and liable for the exercise of Information Security Policy,
- BoD is liable to conduct efficient and sufficient controls over the entity regarding the operation of information systems in the framework of Information Security Policy,
- For data protection, specific precautionary measures shall be taken to protect the secrecy of the data received, processed or undisclosed in the course of information systems operations, such as network security, identity verification, monitoring of outsourcing companies, and physical access restricted to authorized persons,
- Specific other precautions shall be taken for protection of client data acquired through information systems,
- The primary and secondary systems of the entity are required to exist within the territory of Turkey,
- The penetration test shall be made at least once a year,
- Entities explicitly listed under the Communiqué numbered VII-128.9, such as asset management companies whose paid-in capital is equal to or less than 5 million TRY, brokerage companies with limited authority, asset lease companies and publicly held companies, are held exempt from certain requirements regarding authorization, identity verification or information secrecy violation,
- Further rules and procedures with respect to sustainability of primary and secondary information systems, maintenance, recording mechanism and violation of such systems are set forth under this Communiqué.
As regards the Communiqué numbered III-62.2, we would like to highlight the following provisions applicable to the entities listed under that Communiqué.
- The independent auditor company reports whether the audited entity is in line with the information system management principles in terms of its operations, equipment and software pursuant to Communiqué numbered VII-128.9,
- An independent auditor company that intends to independently audit the information systems of an entity and that meets the criteria envisaged under the Communiqué numbered III-62.2 applies to the Board to be authorized for such independent audit service,
- The independent auditor company is selected from among the companies listed as the Board’s authorized independent auditors and shall employ an adequate number of personnel to duly complete the information systems audit,
- The entity to be audited shall make available all information systems documentation, as well as any records, information and systems, for the independent audit process,
- The entity to be audited shall execute an “information systems independent audit agreement” within the first 4 (four) months of the term subject to audit, and a copy of the agreement shall be submitted to the Board within 6 (six) days following its execution¹,
- The independent auditor company shall present a written report to the BoD of the entity upon the preparation of the opinion, and following a declaration of the BoD regarding its acceptance of such report, the entity shall provide a copy of the independent audit report and acceptance declaration to the Board,
- Further rules and principles with respect to auditing methodology, reporting requirements and exemptions applicable for certain entities are set forth under this Communiqué.
In the table below, we present the frequency of the information systems audits that the Communiqué numbered III-62.2 makes compulsory for the respective entities:
| Entities | Audit frequency |
| --- | --- |
| Borsa İstanbul A.Ş. (İstanbul Stock Exchange); Istanbul Clearing, Settlement and Custody Bank (İstanbul Takas ve Saklama Bankası A.Ş.); Central Securities Depository of Turkey (Merkezi Kayıt Kuruluşu A.Ş.); Other organized markets; Central clearance houses; Central custodians; Data storage institutions | |
| Brokers holding partial and broad authorization; Asset management companies with a paid-in capital of more than 5 million TRY | |
| Asset management companies with a paid-in capital of less than 5 million TRY; Capital Markets Licensing Agency (Sermaye Piyasası Lisanslama Sicil ve Eğitim Kuruluşu A.Ş.) | |
| Brokers with limited authorization; Publicly held joint stock companies; Collective Investment Schemes (Mutual funds and investment partnerships); Asset lease companies (varlık kiralama şirketleri); Pension funds; Housing finance and wealth finance funds (Konut finansman ve varlık finansman fonları); Turkish Capital Markets Association (Türkiye Sermaye Piyasaları Birliği); Independent Audit, Valuation and Rating Institutions (Bağımsız Denetim, Değerleme ve Derecelendirme kuruluşları); Turkish Appraisers Association (Türkiye Değerleme Uzmanları Birliği) | |
***
¹ The 4-month restriction on signing the agreement is not enforceable for the first audit term of the entity, according to the first provisional article of the Communiqué.