What do the guidelines for information and communications security audits provide? – Accounting and Auditing


To print this article, simply register or connect to Mondaq.com.

The Office of Digital Transformation of the Presidency of the Republic of Turkey (“DTO”) released the Guidelines for Information and Communications Security Audits (“Audit Guidelines”) on October 27, 2021. The Guideline provides details on the audit procedures that public institutions and companies providing critical infrastructure services must ensure the security of critical data.

Recent development

The audit guidelines issued by the DTO in accordance with the Information and Communications Security Directive explain the methodology regarding the audit procedures that public institutions and companies providing services in critical infrastructure sectors such as that energy, electronic communications, health and finance must lead. The guidelines are available online here In Turkey.

What do the audit guidelines say?

Establishments falling within the scope of the Information and Communications Security Directive must complete their operations to ensure compliance with the measures provided for in the said directives within 24 months. After this period, institutions must begin their audit process.

In this regard, the Audit Guidelines explain the audit process, which should be followed by public institutions and companies providing critical infrastructure services. Institutions should conduct their audit process primarily through internal audit units. If internal audit units are not available or insufficient, the process can be carried out by other staff of the institution, staff to be assigned from other public institutions and organizations, or through contracts. Services. In this context, a separate directive, which sets out the criteria for the staff and companies that will carry out the audits, has also been published. You can access the relevant directive here.

The audit guidelines also include the obligations of contracted institutions and auditors. Accordingly, institutions should obtain audit services from companies authorized under the certification program and should not obtain audit services from companies and auditors that have provided consultancy services to companies. relevant institutions in accordance with the Information and Communication Security Directive.

In accordance with the Audit Guidelines, the purpose of the audits is to assess the implementation of the Information and Communications Security Directive and the effectiveness of the measures applied to groups of assets. Audits consist of three stages:

(i) Planning of the audit procedure
(ii) Execution of the audit procedure
(iii) Communication of audit results

As part of planning the audit procedure, the audit team and the scope of the audit should be determined; and the audit strategy and audit program must be prepared. The audit team should consist of at least two people and the staff should have the necessary certificates or authorizations. In order to identify the operations of the institution, the audit team should analyze the organizational structure of the institution, business processes, previous audit reports, groups of assets of the company, etc. The group of assets that are covered by the audit should be identified. To this end, the audit team should act according to a risk-based audit approach and be based on materiality criteria. In accordance with the Guidelines, the audit team should include at least one group of assets in the audit, which relates to one of the main groups of assets defined as part of the compliance studies. After these steps, the audit strategy and program should be prepared in accordance with the audit objectives. Various methods such as interviews, reviews, security audits, penetration testing and source code analysis specified in the Audit Guidelines can be used in performing the audit procedures. However, the procedure can also be performed using additional methods.

Once the audit is complete, an audit report should be prepared and submitted to the DTO.


The audit guidelines provide guidance to public institutions and companies providing critical infrastructure services on audit procedures for implementing the guidelines on information and communications security and for measuring effectiveness. measures applied to groups of assets. In this context, the institutions concerned and the providers of critical infrastructure must manage their audit process in accordance with the guidelines, submit their reports to the DTO and closely follow the announcements and orientations of the competent authorities in the matter.

The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.

POPULAR POSTS ON: Accounting and Auditing of Turkey

Update of the CSSF FAQ on AIFM: Use of US GAAP

ELVINGER HOSS PRUSSEN, public limited company

On June 30, 2021, the CSSF updated its FAQ on the Luxembourg law of July 12, 2013 on alternative investment fund managers (“AIFM Law”) to specify that article 14, L2 of …

How to choose your auditor

Borg Galea & Associates

Choosing the right auditor is an important decision that companies must make.

Leave A Reply

Your email address will not be published.