Compliance Analysis of COBIT and BRSA Information Systems Regulations: Processes, Differences, and Strategic Recommendations
1. Scope of the Compliance Analysis between COBIT and BRSA Information Systems Regulations
The management and audit of information systems in the banking sector is not merely a technical requirement; it is also an area of strategic importance in terms of customer security, operational continuity, and regulatory compliance. The investment made by the banking sector in Turkey in information technologies, the pace of digitalization, and the importance placed on data security are clear indicators of this trend. For instance, banks’ investments in digital transformation have steadily increased in recent years; both fintech companies and banks have been moving customer services into digital platforms, allocating a significant share to this area (DergiPark).
As of 2024, the number of digital, internet, and mobile banking transactions in Turkey has exceeded hundreds of millions, while annual growth in mobile banking users has been consistently in double digits (The Banks Association of Turkey). In parallel, banks’ spending on information security and cybersecurity solutions is also on the rise. The Turkish cybersecurity market is projected to reach approximately USD 37.5 million by 2025, with an annual compound growth rate of over 12%. The financial sector accounts for about 29% of this market (Mordor Intelligence).
However, digitalization has also brought with it risks of cyberattacks and data breaches. Ransomware attacks, which have increased by 1318%, along with social engineering–based threats, have made the banking sector a primary target (DergiPark). These developments necessitate that the regulatory framework for information systems be not only a compliance requirement but also a strategic defense shield.
At this point, the internationally recognized COBIT framework provides a strong structure for IT governance and control, while in Turkey, the regulation of this area is ensured through various circulars, communiqués, and regulations issued by the Banking Regulation and Supervision Agency (BRSA). This regulatory framework covers critical areas such as authentication, transaction security, independent auditing, penetration testing, and system continuity, largely aligning with COBIT control objectives.
This study conducts a comprehensive compliance analysis between COBIT control objectives and seven core regulations issued by the BRSA; similarities, differences, and areas for improvement are examined within the context of sector practices and banking processes. In addition, concrete recommendations are presented to support the integration of regulations with COBIT.
2. COBIT and BRSA Regulations: Definition and Scope
What is COBIT?
COBIT (Control Objectives for Information and Related Technologies) is a globally used framework for IT governance and control. COBIT provides a set of processes, control objectives, and metrics that enable organizations to identify risks related to their information systems, implement controls, and measure performance. The 2019 version of COBIT adopts a risk-based, measurable, and continuous improvement–focused approach, particularly for the management of information systems in financial institutions.
Definition and Importance of BRSA Regulations
In Turkey, the management and audit of information systems have been established on a legal basis through seven core regulations. These regulations introduce comprehensive requirements in areas such as the security, audit, continuity, and service quality of banking information systems:
- Circular on the Criteria Required for Authentication and Transaction Security in Electronic Banking Services and Establishment of Contractual Relationships in Electronic Environments
  → Defines criteria for transaction security, multi-factor authentication, and digital signature processes in electronic banking. It shapes mobile banking, remote identification, and transaction approval processes.
- Communiqué on Reports Related to Independent Audit of Information Systems and Business Processes
  → Regulates independent audits of banks’ information system processes, defines reporting formats, and sets requirements for submission to the BRSA. Aligns with COBIT’s “evaluate and monitor” structure.
- Communiqué on the Management and Audit of Information Systems of Information Sharing Institutions and the Risk Center
  → Regulates the security, continuity, and audit of information systems of institutions such as the Credit Bureau and the Risk Center. Strategic in ensuring the reliability of external data sources.
- Regulation on the Independent Audit of Information Systems and Business Processes
  → Details who may conduct information systems audits, their frequency and scope, as well as the authorization and supervision criteria for audit firms.
- Regulation on Remote Customer Identification Methods and the Establishment of Contractual Relationships in Electronic Environments
  → Governs how banks use biometric recognition, video calls, e-signatures, and similar technologies in remote customer acquisition processes. Aligned with COBIT’s “technology enablement” approach.
- Regulation on Banks’ Information Systems and Electronic Banking Services
  → Regulates management structures, risk management, information security, backups, and outsourcing for banks’ information systems. Contains provisions directly related to almost all COBIT control domains.
- Circular on the Independent Audit Tracking System (BADES)
  → Ensures electronic submission and monitoring of data from independent audit processes to the BRSA. Supports COBIT’s continuous monitoring and improvement objectives.
- Circular on Penetration Testing Related to Information Systems
  → Defines requirements for banks to regularly conduct penetration tests, including scope, methods, and reporting processes. Directly overlaps with COBIT’s “security controls” module.
These regulations can be directly compared with COBIT control objectives. Particularly in critical areas such as authentication, transaction security, independent audit, and penetration testing, BRSA regulations show a strong degree of alignment with COBIT. However, as detailed analysis reveals, certain advanced control and measurement mechanisms emphasized in COBIT are not yet fully reflected in the regulations.
3. Compliance Table: COBIT vs BRSA Regulations
| COBIT Domain (Control Process) | Relevant Regulation (Number & Type) | Compliance Level | Explanation and Banking Process Example |
|---|---|---|---|
| Authentication & Transaction Security (BAI / Security) | Circular 2023/1 (“Authentication and Transaction Security”) (KPMG sources) | High | In mobile banking, OTP signature + asymmetric key: requires creating a customer-specific private key. Example: during a money transfer, the transferred amount and recipient info must be marked with a verification code. |
| Audit & Reporting Structure (EDM) | Circular on “Independent Audit Tracking System (BADES)”, also Communiqué on “Information Systems and Business Processes …” and Regulation (Mondaq, BRSA) | Medium–High | Banks are obliged to conduct system and process audits with independent firms. Through BADES, reports are monitored by the BRSA. Example: internal audit of credit decision systems and resulting reports. |
| Information Systems Management & Continuity (DSS & APO12) | “Communiqué on the Management and Audit of Information Systems of Information Sharing Institutions and the Risk Center” (MevzuatTR, LEXPERA) | Medium | Institutions like the Risk Center and Credit Bureau are subject to the same IT governance standards as banks. Example: the Credit Bureau system undergoes continuity tests, and non-compliance must be reported to the BRSA. |
| Internal / External Service Provider Management (APO10) | “Regulation on Banks’ Information Systems and Electronic Banking Services” & “Regulation on Remote Customer Identification” (ProCompliance, alomaliye.com) | Medium | Criteria include authorization, domestic service center, intervention team. Example: interface provider SDK requires audit and approval. |
| Penetration Testing & Security Analysis (DSS) | “Circular on Penetration Testing Related to Information Systems” (Article 7), although public sources on it are limited | Low–Medium | Penetration testing is required by the circular; however, COBIT’s “red-team exercises” and continuous testing activities are only partially reflected. Example: conducting routine penetration tests on online payment systems. |
4. Detailed Analysis Based on Banking Processes
- Mobile Banking Login and Financial Transaction Process – High compliance with COBIT through OTP, asymmetric key generation, and the WYSIWYS (“what you see is what you sign”) principle.
- Credit Evaluation and Risk Reporting Process – Risk Center regulations ensure data accuracy, system continuity, and early detection of scoring errors.
- Independent Audit and Process Tracking – BRSA regulations (including BADES) ensure structured audit monitoring, aligning with COBIT EDM.
- Information Asset Management (COBIT: BAI09) – Asset identification is enforced, but COBIT’s data lifecycle and quality metrics are not fully covered.
- Risk Management (COBIT: APO12) – Strong alignment in risk identification, weaker in tolerance setting and scenario-based testing.
- Continuity and Disaster Recovery (COBIT: DSS04) – High alignment, though direct metric obligations (e.g., RTO) are not defined.
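The transaction-security control described in the compliance table and in the first item above (a customer-specific private key, with the amount and recipient bound to a verification code under WYSIWYS) can be made concrete in code. The following Go program is an added illustration written for this page; it is not code from the BRSA circular, from COBIT, or from any bank. It assumes Ed25519 as the asymmetric scheme (the circular does not prescribe an algorithm), a canonical field order of the author's choosing, and constructed sample values (the IBAN and nonce are placeholders). The device signs exactly the fields the customer confirmed on screen, the bank verifies against the registered public key, and a nonce registry rejects replays of an already-executed transfer.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Transaction holds exactly the fields the customer sees on the confirmation
// screen. Under WYSIWYS these fields, and nothing else, are what gets signed.
type Transaction struct {
	AmountMinor   int64  // amount in minor units (e.g. kuruş); avoids float ambiguity
	Currency      string // ISO currency code as shown to the customer
	RecipientIBAN string // recipient account as shown to the customer
	Nonce         string // unique per transaction; lets the bank reject replays
}

// Canonical returns the byte string that is signed on the device and verified
// at the bank. A version prefix and fixed field order guarantee both sides
// sign/verify the same bytes; fields may not contain the separator.
func (t Transaction) Canonical() ([]byte, error) {
	for _, f := range []string{t.Currency, t.RecipientIBAN, t.Nonce} {
		if f == "" || strings.ContainsRune(f, '|') {
			return nil, errors.New("field empty or contains separator")
		}
	}
	if t.AmountMinor <= 0 {
		return nil, errors.New("amount must be positive")
	}
	return []byte(fmt.Sprintf("txn-v1|%d|%s|%s|%s",
		t.AmountMinor, t.Currency, t.RecipientIBAN, t.Nonce)), nil
}

// GenerateCustomerKey creates the customer-specific key pair. The private key
// stays on the customer's device; the bank registers only the public key.
func GenerateCustomerKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignTransaction runs on the device after the customer confirms the screen.
func SignTransaction(priv ed25519.PrivateKey, t Transaction) ([]byte, error) {
	msg, err := t.Canonical()
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, msg), nil
}

// Verifier is the bank-side check for one customer: the signature must match
// the registered public key over the transaction as received, and the nonce
// must not have been executed before.
type Verifier struct {
	pub        ed25519.PublicKey
	seenNonces map[string]bool
}

func NewVerifier(pub ed25519.PublicKey) *Verifier {
	return &Verifier{pub: pub, seenNonces: map[string]bool{}}
}

// Accept returns true only for a genuine, first-seen transaction.
func (v *Verifier) Accept(t Transaction, sig []byte) bool {
	msg, err := t.Canonical()
	if err != nil {
		return false
	}
	if !ed25519.Verify(v.pub, msg, sig) {
		return false // amount/recipient changed after signing, or wrong key
	}
	if v.seenNonces[t.Nonce] {
		return false // replay of an already-executed transfer
	}
	v.seenNonces[t.Nonce] = true
	return true
}

func main() {
	pub, priv, err := GenerateCustomerKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample: the customer confirms a 1,500.00 TRY transfer.
	tx := Transaction{AmountMinor: 150000, Currency: "TRY",
		RecipientIBAN: "TR000000000000000000000001", Nonce: "2f4c-0001"}
	sig, _ := SignTransaction(priv, tx)
	bank := NewVerifier(pub)
	fmt.Println("genuine accepted:", bank.Accept(tx, sig))  // true
	fmt.Println("replay accepted:", bank.Accept(tx, sig))   // false
	tampered := tx // same signature, recipient swapped in transit
	tampered.RecipientIBAN = "TR000000000000000000000002"
	tampered.Nonce = "2f4c-0002"
	fmt.Println("tampered accepted:", bank.Accept(tampered, sig)) // false
}
```

The point for an auditor mapping this control to COBIT is that the verification code is computed over the displayed amount and recipient, so a change to either after confirmation invalidates the approval, and the nonce gives the bank a checkable record that each approval was used once.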
5. Innovative Recommendations: Deepening Compliance
- COBIT KPI-Based Mandatory Reporting – e.g., failed authentication session ratios, system access breach counts.
- Continuous Penetration and Red-Team Exercises – Moving from one-off to routine practices.
- Data Quality Controls – Introducing metrics for dataset accuracy and correction mechanisms, aligned with COBIT BAI09.
6. Conclusion
The reviewed regulations provide structures that largely support COBIT control objectives, particularly in areas such as authentication and transaction security, independent audits, and system continuity. However, certain advanced COBIT criteria—such as continuous penetration testing, KPI-based performance monitoring, and data quality management—are not yet fully addressed in the regulations.
The recommendations in this analysis aim to contribute to making banking information systems audits more measurable, proactive, and aligned with international standards.
Author: ErdeN Tüzünkan - Partner | IT Audit & Corporate Transformation