E-Document Private Integrators Information Systems Audit Guide
This comprehensive guide details all technical, administrative, and operational requirements set forth in the E-Document Private Integrators Information Systems Audit (ÖEBSD) Guide published by the Turkish Revenue Administration (GİB). The guide addresses, as a whole, the 208 control points that private integrators are required to comply with, along with the governing principles for managing these processes.
What is ÖEBSD and What Is Its Purpose?
ÖEBSD is an independent audit process designed to assess the security, continuity, and regulatory compliance of the information systems used by private integrators while providing e-Document services (such as e-Invoice, e-Archive Invoice, e-Delivery Note, etc.).
The primary objective of this audit is to ensure the confidentiality, integrity, and availability of critical taxpayer data, thereby safeguarding the security of the digital economy.
The audit process is conducted within the framework of the General Communiqué of the Tax Procedure Law No. 509 and applies to all organizations that have obtained or will obtain authorization from the Revenue Administration. Through this audit, private integrators are required to align their infrastructures with international standards (ISO 27001, ISO 20000, ISO 22301) as well as with GİB-specific technical criteria.
Audit and Approval Process Workflow
Candidates applying for private integrator authorization are required to have the audit conducted and to include the audit report in their application files. For existing integrators, the audit cycle operates as follows:
- Periodic Audit: An audit must be conducted every 2 years following the initial audit.
- Validity of the Report: Audit reports are valid for a maximum of 2 years from the report date, and a renewed report must be submitted to GİB before expiration.
- Notification Period: Completed reports must be submitted to GİB in writing within 15 days of the report date.
- IT Systems (BİS) Report Update: An up-to-date Information Processing Systems (BİS) report must be submitted to GİB and the audit firm at least 1 month prior to the audit.
GİB may publish audit results on its official website. Integrators that fail to submit reports within the specified timeframes will first have their authorization suspended; if no report is submitted within an additional 6-month grace period, the authorization will be revoked.
Who Should Conduct the Information Systems Audit of Private Integrators and How Often?
The Information Systems Audit of Private Integrators (ÖEBSD) must be conducted by independent audit firms authorized to perform information systems audits under banking and capital markets legislation. The audit is required both during the initial authorization stage and periodically every 2 years thereafter.
Details on how organizations should manage these audit processes are categorized below.
1. Organizations Authorized to Perform the Audit
Audits may not be conducted by any technology company or consultancy firm; they must be carried out exclusively by institutions holding specific authorizations:
- Authorized Audit Firms: Audits are conducted by independent audit firms that are authorized to perform information systems audits under Banking and Capital Markets legislation.
- Auditor Rotation: Private integrators may receive audit services from the same auditor no more than two consecutive times. Provided that the audit team changes, services may be obtained from the same independent audit firm (as a legal entity) up to five times.
2. Audit Timing and Frequency
The timing of audits varies depending on the organization’s status (candidate or authorized):
- Application Phase: Candidates seeking private integrator authorization must include the ÖEBSD Opinion Letter and Audit Report in their application files.
- Periodic Audits: Authorized organizations are required to repeat the audit every 2 years from the date of the initial audit.
- Report Validity: Independent audit reports are valid for a maximum of 2 years from the report date. A new report must be submitted to GİB before the current one expires.
- Revenue Administration (GİB) Audit Authority: Independently of periodic audits, GİB may conduct on-site audits using its own personnel at any time or may request a new ÖEBSD audit even if the two-year period has not elapsed.
3. Pre- and Post-Audit Notification Procedures
To formalize the audit process, specific notification timelines must be observed:
- BİS Report Notification: Private integrators or candidates must submit an updated Information Processing Systems (BİS) Report to GİB and the audit firm at least 1 month prior to the audit date.
- Report Submission: The opinion letter and audit report containing the ÖEBSD results must be submitted to GİB in writing within 15 days of the report date.
Scope of the Private Integrator Information Systems Audit (ÖEBSD) and Its 7 Subsections
The Private Integrator Information Systems Audit (ÖEBSD) covers the information systems related to the activities and processes of organizations that have obtained or will obtain authorization from the Turkish Revenue Administration (GİB) regarding e-Document applications. This audit is designed to determine, through independent audit activities, whether the information systems of these organizations comply with the technical and administrative criteria specified in the Guide.
Within the Guide, the following 7 core subsections (components) are defined under the heading “System and Security Assessment Class (ÖEBSD_SIS)”:
The 7 Subsections of the System and Security Assessment
1. ÖEBSD_SIS.1 Physical Conditions and Security Measures
Covers the verification of physical security controls of data centers, including climate control and protection measures against disasters.
2. ÖEBSD_SIS.2 Access Security
Audits the adequacy of both physical and electronic access authorizations and authentication mechanisms for information systems.
3. ÖEBSD_SIS.3 Business Continuity, Risk Management, and Emergency Plans
Controls the compliance of business continuity plans and risk analyses prepared to ensure uninterrupted service delivery.
4. ÖEBSD_SIS.4 Change Management
Reviews version control and approval mechanisms within software development, testing, and production deployment processes.
5. ÖEBSD_SIS.5 Audit Trail Management
Covers the processes for recording all system activities (log management) and securely retaining these records.
6. ÖEBSD_SIS.6 Management of External Service Providers
Verifies whether outsourced services (subcontractor management) comply with the criteria defined in the Guide and contractual requirements.
7. ÖEBSD_SIS.7 Controls Related to Service Software
Audits whether application software such as e-Invoice, e-Archive Invoice, and e-Delivery Note comply with GİB standards, schematron rules, and signature norms.
These subsections are evaluated based on a total of 208 control points during the audit and form the basis for the auditor’s final opinion (unqualified, qualified, etc.).
Classification of Critical Assets and Actors
Assets whose disclosure or alteration could compromise the integrity of the entire system are defined as “Critical Assets.”
Primary Assets
These assets consist of data produced or stored by the private integrator that must be retained for a minimum period of 10 years:
- Taxpayer Information: Sensitive information protected under the Law on the Protection of Personal Data (KVKK).
- Transaction Records: All logs related to data transmission protocols and secure communication.
- e-Document Data: Contents of e-Invoices, e-Archive Invoices, and e-Delivery Notes. These data must be identical to the envelope content submitted to GİB and must be protected against tampering.
- Archival Data: All documents stored within the scope of archiving services and retained within the borders of the Republic of Türkiye.
Secondary Assets
These are the technological infrastructures used to protect primary assets. This category includes HSM (Hardware Security Module) devices, cryptographic keys, servers, firewalls, network topologies, and authorized user lists.
System Actors and Threat Sources
- Authorized Users: Personnel, installers, maintenance staff, or auditors. They may pose a threat due to negligence, insufficient training, or malicious intent (blackmail, data theft, sabotage).
- Unauthorized Users: Hackers or cyber terrorists attempting to damage the system through social engineering, system vulnerabilities, or cryptographic attacks.
Technical and Physical Security Standards
Physical Security and System Room Requirements
The information systems of the private integrator must be protected by physical safeguards compliant with ISO standards.
- Environmental Factors: Appropriate climate control, fire suppression systems, power redundancy, and protection mechanisms against natural disasters must be in place.
- Video Surveillance: Critical rooms must be monitored with 24/7 video recording, and these recordings must be retained for a minimum of 6 months.
- Access Control: Access to system rooms must be protected by at least two-factor authentication, and doors must be constructed of industry-standard steel materials.
Access Security and Encryption (Cryptography)
The principle of “at least two authorized persons” applies to system access, meaning that no critical operation may be completed with the approval of a single individual.
- Password Policy: User passwords must be changed at least once every 90 days and must comply with industry-standard secure password policies.
- Cryptographic Modules: Cryptographic keys must be stored exclusively in HSM devices certified at FIPS 140-2 Level 3 or EAL 4+, and all cryptographic operations must be performed within these devices.
- Algorithms: AES-256 must be used for data confidentiality, RSA 2048 for asymmetric encryption, and SHA-2 for hashing operations.
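The “at least two authorized persons” rule above is a dual-control gate: a critical operation may proceed only once two distinct, suitably authorized people have approved it. The following is an added example of such a gate and is not code from the GİB guide or from any integrator; the operation names, roles and user names are hypothetical, and a real deployment would bind the approvals to authenticated identities rather than plain strings.

```python
"""Dual-control ("at least two authorized persons") gate for critical operations.

Added example, not from the GİB guide. Operation names, role names and users
are hypothetical. The gate enforces three things a single-approver design does
not: a quorum of two, distinct approvers, and role authorization per operation.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Hypothetical role table: which roles may approve which critical operation.
AUTHORISED_ROLES = {
    "hsm_key_rotation": {"security_officer", "crypto_custodian"},
    "prod_deploy": {"release_manager", "operations_lead"},
}


class ApprovalError(Exception):
    """Raised when an approval or execution violates the dual-control rule."""


@dataclass
class CriticalOperation:
    name: str
    required_approvals: int = 2
    approvers: List[Tuple[str, str]] = field(default_factory=list)  # (user, role)

    def approve(self, user: str, role: str) -> bool:
        """Record one approval; return True once the quorum of distinct users is met."""
        if role not in AUTHORISED_ROLES.get(self.name, set()):
            raise ApprovalError(f"role {role!r} may not approve {self.name!r}")
        if any(u == user for u, _ in self.approvers):
            # The same person approving twice must not count as two approvals.
            raise ApprovalError(f"{user!r} already approved {self.name!r}; a second distinct person is required")
        self.approvers.append((user, role))
        return self.is_authorised()

    def is_authorised(self) -> bool:
        distinct_users = {u for u, _ in self.approvers}
        return len(distinct_users) >= self.required_approvals


def run_critical_operation(op: CriticalOperation, action: Callable[[], str]) -> str:
    """Execute `action` only when the operation has reached its approval quorum."""
    if not op.is_authorised():
        raise ApprovalError(f"{op.name!r} has {len(op.approvers)} approval(s); {op.required_approvals} distinct approvers required")
    return action()


if __name__ == "__main__":
    op = CriticalOperation("hsm_key_rotation")
    op.approve("alice", "security_officer")        # first approval, not yet authorised
    op.approve("bob", "crypto_custodian")          # second distinct approver, quorum met
    print(run_critical_operation(op, lambda: "key rotated inside HSM"))
```

The check that matters for the audit is the rejection path: the same user approving twice raises, and an approval from a role not listed for the operation raises, so an operator cannot satisfy the quorum alone or by borrowing an unrelated colleague's login.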
Operational Resilience: Risk, Business Continuity, and Disaster Recovery Center (DRC)
Private integrators are required to ensure uninterrupted service delivery with a minimum monthly availability of 99.75%.
Risk Management and Penetration Testing
- Risk Analysis: A Risk Assessment Matrix based on probability and impact analysis must be prepared for all assets. Management Review Reports (MRR) must be retained for 10 years.
- Penetration Testing: Penetration tests covering networks, operating systems, applications, databases, and mobile applications must be conducted at least once per year. Identified vulnerabilities must be remediated according to a scheduled action plan.
Disaster Recovery Center (DRC)
Establishing a Disaster Recovery Center is mandatory to ensure service continuity in the event of an outage at the primary site:
- Location: The DRC must be located in a different province from the primary site.
- Data Synchronization: Database backups must have a maximum delay of 30 minutes.
- Recovery Time: Services must be restored and made available via the DRC within 6 hours after the outage begins.
- Drills: Emergency drills must be conducted at least once per year based on two different scenarios.
Software Development and Audit Trail (Log) Management
Change Management
To reduce the risk of errors in software processes, test and production environments must be physically or logically segregated.
- Version Control: All historical versions of the software must be retained for 5 years, together with change logs detailing who made the change, when it was made, and why.
- Data Security: In test environments, anonymized or obfuscated data must be used instead of real taxpayer data.
- Integrity: The integrity of software operating in the production environment must be continuously monitored, and automatic alerts must be generated in case of any integrity breach.
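The integrity requirement above is usually met with a file-integrity baseline: a manifest of SHA-256 digests of the deployed software is recorded at release time, and a scheduled job recomputes the manifest and raises an alert on any difference. The following is an added example, not code from the GİB guide or from any integrator; the file names and the tampering it simulates in a temporary directory are constructed for the demonstration.

```python
"""Production software integrity monitor: SHA-256 manifest baseline and drift alert.

Added example, not from the GİB guide. File names and the simulated tampering
in demo() are constructed. In practice the baseline manifest is written at
release time and stored outside the monitored host (assumption).
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifest(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify drift between the release baseline and the live tree."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def format_alert(findings: Dict[str, List[str]]) -> Optional[str]:
    """Return an alert line when any drift exists, otherwise None (nothing to raise)."""
    if not any(findings.values()):
        return None
    parts = [f"{kind}={','.join(files)}" for kind, files in findings.items() if files]
    return "INTEGRITY BREACH: " + " ".join(parts)


def demo() -> Dict[str, List[str]]:
    """Build a baseline, simulate tampering, and return the detected drift."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "app.py").write_text("print('invoice service')\n")
        (root / "lib").mkdir()
        (root / "lib" / "sign.py").write_text("def sign(x): return x\n")
        baseline = build_manifest(root)

        # Constructed tampering: altered signing code, a dropped binary, a removed file.
        (root / "lib" / "sign.py").write_text("def sign(x): return 'forged'\n")
        (root / "dropped.so").write_bytes(b"\x7fELF")
        (root / "app.py").unlink()

        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    print(format_alert(demo()))
```

A scheduler (cron, systemd timer) would call `build_manifest` against the deployment root and feed `format_alert` into the alerting channel; the baseline should be signed or stored where the monitored host cannot rewrite it, otherwise an attacker who can change the software can also change the reference.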
Audit Trails (Logs)
All system activities must be logged, including application access, authorization approvals, error records, and network traffic.
- Log Content: Logs must include at minimum a description of the transaction, timestamp information, outcome, and the affected system component.
- Protection: The integrity of logs must be protected using time-stamping or equivalent mechanisms, and logs must be retained for a minimum of 10 years.
- Analysis: Systems capable of real-time analysis and alert generation must be implemented to detect anomalous data uploads or unauthorized access attempts.
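The three log requirements above (mandatory fields, integrity protection, real-time analysis) can be checked in one small pipeline. The following is an added example, not code from the GİB guide or from any integrator: it rejects records lacking the minimum fields, links each record to the previous one with an HMAC chain so that deletion or alteration is detectable, and scans the records for repeated authentication failures and oversized uploads. The HMAC chain stands in for the qualified time-stamping the guide refers to (an assumption, not the guide's mechanism); the sample records and thresholds are constructed.

```python
"""Audit log with mandatory fields, HMAC-chained integrity, and anomaly alerts.

Added example, not from the GİB guide. CHAIN_KEY, the sample records and the
alert thresholds are constructed; the HMAC chain is a stand-in for
time-stamping (assumption), and in production the key would be held in the HSM.
"""
import hashlib
import hmac
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

CHAIN_KEY = b"constructed-demo-key"           # constructed; never hard-code in production
REQUIRED_FIELDS = ("description", "timestamp", "outcome", "component")
GENESIS = "0" * 64


class AuditLog:
    def __init__(self) -> None:
        self.entries: List[Dict] = []
        self._prev = GENESIS

    def append(self, **fields) -> Dict:
        """Validate the minimum field set, then chain and MAC the record."""
        missing = [f for f in REQUIRED_FIELDS if f not in fields]
        if missing:
            raise ValueError(f"audit record missing required fields: {missing}")
        entry = dict(fields, prev=self._prev)
        payload = json.dumps(entry, sort_keys=True).encode()
        entry["mac"] = hmac.new(CHAIN_KEY, payload, hashlib.sha256).hexdigest()
        self._prev = entry["mac"]
        self.entries.append(entry)
        return entry


def verify_chain(entries: List[Dict], key: bytes = CHAIN_KEY) -> bool:
    """True only if every record's MAC is valid and links to its predecessor."""
    prev = GENESIS
    for e in entries:
        body = {k: v for k, v in e.items() if k != "mac"}
        if body.get("prev") != prev:
            return False
        expected = hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, e.get("mac", "")):
            return False
        prev = e["mac"]
    return True


def detect_anomalies(entries: List[Dict], max_failures: int = 5,
                     window: timedelta = timedelta(minutes=5),
                     upload_limit: int = 50_000_000) -> List[str]:
    """Sliding-window failed-login detector plus an oversized-upload check."""
    alerts: List[str] = []
    failures = defaultdict(list)
    for e in entries:
        ts = datetime.fromisoformat(e["timestamp"])
        if e["component"] == "auth" and e["outcome"] == "failure":
            q = failures[e.get("user")]
            q.append(ts)
            while q and ts - q[0] > window:
                q.pop(0)
            if len(q) == max_failures:
                alerts.append(f"{max_failures} failed logins for {e.get('user')} within {window}")
        if e["component"] == "upload" and e.get("bytes", 0) > upload_limit:
            alerts.append(f"anomalous upload of {e['bytes']} bytes by {e.get('user')}")
    return alerts


def build_sample_log() -> AuditLog:
    """Constructed records: five rapid auth failures and one oversized upload."""
    log = AuditLog()
    base = datetime.fromisoformat("2024-03-01T09:00:00+00:00")
    for i in range(5):
        log.append(description="login", timestamp=(base + timedelta(seconds=i)).isoformat(),
                   outcome="failure", component="auth", user="mukellef01")
    log.append(description="e-invoice batch", timestamp=(base + timedelta(minutes=1)).isoformat(),
               outcome="success", component="upload", user="mukellef02", bytes=120_000)
    log.append(description="e-invoice batch", timestamp=(base + timedelta(minutes=2)).isoformat(),
               outcome="success", component="upload", user="mukellef03", bytes=80_000_000)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", verify_chain(log.entries))
    for a in detect_anomalies(log.entries):
        print("ALERT:", a)
```

Because each MAC covers the previous MAC, removing or rewriting any record breaks verification from that point onward; a retained, periodically time-stamped copy of the latest MAC is what lets an auditor confirm the 10-year archive is the one that was written.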
Organizational Structure: Personnel and External Service Management
Personnel Requirements
Private integrators must employ separate personnel with expertise in specific domains such as network security, database management, software development, configuration, and testing.
- Segregation of Duties: Personnel responsible for software development may not be the same individuals responsible for testing or operational activities.
- Notification Obligations: Organizational charts and personnel changes (including Turkish ID numbers, educational background, etc.) must be reported to GİB within 15 days.
External Service Procurement (Subcontractor Management)
Private integrators may outsource certain technical services; however, this does not transfer responsibility.
- Contractual Requirements: The scope and duration of outsourced services must be clearly defined in contracts and reported to GİB within 15 days.
- Audit Authority: Subcontractors must comply with all requirements specified in the Guide and must allow physical access to auditors.
- HSM Requirement: If the HSM device is located at the subcontractor’s premises, it must be exclusively dedicated to the respective private integrator.
Special Controls for Service Software
One of the most detailed sections of the Guide (Annex 1 – SIS.7) defines the technical rules that service software must comply with according to different e-Document types.
e-Invoice Controls
- Schematron and Signature Validation: Prior to submission, documents must pass the current GİB schematron validation and digital signature certificate verification (CRL, OCSP).
- Envelope Management: Erroneous envelopes must be automatically retried at predefined intervals without requiring user intervention.
- 8-Day Rule: Application responses received for commercial invoices must be accepted within 8 days after being delivered to the recipient.
- UBL Delivery: When a customer terminates the service, documents must be delivered to the customer in XML/UBL format.
e-Archive Invoice Controls
- Special Reporting: Each e-Archive Invoice must be included in the e-Archive Report submitted to GİB.
- ETTN and Number Control: The system must prevent the creation of duplicate records using the same ETTN or invoice number.
- Visualization: Emails sent to customers must include either a signed UBL attachment or a download URL.
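The ETTN and invoice-number control above is best enforced by the storage layer rather than by application-side lookups, because two concurrent requests can both pass a “does it exist?” check before either inserts. The following is an added example, not code from the GİB guide or from any integrator: it uses SQLite unique constraints so the database itself rejects a duplicate ETTN or invoice number, and the write path reports the rejection instead of creating a second record. The table layout, the UUID-shaped ETTN check and the sample values are assumptions constructed for the demonstration.

```python
"""Duplicate-record prevention for e-Archive invoices via database unique constraints.

Added example, not from the GİB guide. Table layout, the assumption that an
ETTN is UUID-shaped, and the sample invoices are constructed for illustration.
"""
import sqlite3
import uuid
from typing import Tuple


def open_store() -> sqlite3.Connection:
    """In-memory store whose schema makes duplicates impossible, not merely unlikely."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """
        CREATE TABLE earchive_invoice (
            ettn            TEXT NOT NULL UNIQUE,   -- universal unique id of the document
            invoice_number  TEXT NOT NULL UNIQUE,   -- serial number issued to the customer
            issue_date      TEXT NOT NULL,
            payload_sha256  TEXT NOT NULL
        )
        """
    )
    return conn


def _valid_ettn(ettn: str) -> bool:
    """Assumption: ETTNs are UUIDs; reject anything that is not one."""
    try:
        return str(uuid.UUID(ettn)).lower() == ettn.lower()
    except ValueError:
        return False


def register_invoice(conn: sqlite3.Connection, ettn: str, invoice_number: str,
                     issue_date: str, payload_sha256: str) -> Tuple[bool, str]:
    """Insert atomically; return (stored?, reason). Duplicates are refused by the DB."""
    if not _valid_ettn(ettn):
        return False, "malformed ETTN"
    try:
        with conn:  # transaction: either the row is committed or nothing changes
            conn.execute(
                "INSERT INTO earchive_invoice VALUES (?, ?, ?, ?)",
                (ettn.lower(), invoice_number, issue_date, payload_sha256),
            )
    except sqlite3.IntegrityError as exc:
        # The constraint name in the message tells us which key collided.
        key = "ETTN" if "ettn" in str(exc) else "invoice number"
        return False, f"duplicate {key}"
    return True, "stored"


def invoice_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM earchive_invoice").fetchone()[0]


if __name__ == "__main__":
    db = open_store()
    e1 = "11111111-2222-4333-8444-555555555555"   # constructed ETTN
    print(register_invoice(db, e1, "ABC2024000000001", "2024-03-01", "a" * 64))
    print(register_invoice(db, e1, "ABC2024000000002", "2024-03-01", "b" * 64))  # same ETTN
    print(register_invoice(db, "11111111-2222-4333-8444-555555555556",
                           "ABC2024000000001", "2024-03-01", "c" * 64))           # same number
```

The same pattern carries over to any production RDBMS: the unique index is the control the auditor can verify in the schema, and the application's job is to surface the constraint violation as a handled, logged outcome rather than a crash.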
e-Delivery Note (e-Despatch) Controls
- Response Time: The response generation period for incoming delivery notes is limited to 7 days.
- System Response: Users must not be allowed to send manual system (envelope) responses; this process must be handled automatically by the system.
Audit Results and Evaluation Scoring
Based on the assessment of 208 control points, the auditor issues one of the following four opinions:
- Unqualified Opinion (Positive Opinion): Full compliance must be achieved for at least 166 out of 208 control points (80%). Additionally, a minimum success rate of 70% in each assessment category (Personnel, Systems, etc.) is required.
- Qualified Opinion: Issued when sufficient audit evidence cannot be obtained or when minor deficiencies exist. The integrator is granted a 90-day remediation period.
- Adverse Opinion: Issued in the presence of critical security deficiencies. Operations are suspended, and authorization is revoked if a positive report is not submitted within 6 months.
- Disclaimer of Opinion: Issued when the auditor is prevented from performing their duties. If this result occurs twice consecutively, operations are suspended.
Conclusion
The ÖEBSD process ensures that private integrators function not merely as technical intermediaries but also as secure data strongholds. Obligations such as ISO certifications, HSM usage, disaster recovery redundancy, and 10-year log retention constitute the foundational pillars of the sustainability of Türkiye’s e-Document infrastructure. Strict compliance with the rules outlined in this Guide is critical for private integrators, both to avoid legal sanctions and to establish and maintain customer trust.
Note
This E-Document Private Integrators Information Systems Audit Guide has been prepared based on the e-Document Private Integrators Information Systems Audit Guide published in November 2019. The relevant guide can be accessed via the official GİB channels.