A number of agencies have serious security weaknesses in information systems

The Office of the Auditor General (OAG)'s review of central government accounts and transactions for 2014 shows that a number of agencies have significant information security weaknesses. "Several have previously received remarks about this matter. It is a serious matter that many do not have a higher awareness of security issues," says Auditor General Per-Kristian Foss.

Published 10/21/2015 1:05 PM

Document 1 (2015–2016), the Office of the Auditor General's report on the annual financial audit and control for the 2014 budget year, was submitted to the Storting on 21 October 2015.

In its report to the Storting, the OAG furthermore emphasised that

  • the presentation of accounts following amendments intended to provide greater transparency and a better overview is of varying quality
  • there has not been sufficient accounting information to express an opinion on the annual accounts of the Norwegian Directorate of Health and the Norwegian Institute of Public Health 
  • the Labour and Welfare Service's financial management and administrative procedures do not provide sufficient protection against irregularities and error
  • programmes for getting more people into jobs and fewer on benefits are not properly followed up
  • there are inadequate controls and security when passports are issued
  • implementation of safety recommendations from the Accident Investigation Board Norway is inadequate
  • the Norwegian Armed Forces have serious shortcomings within the Home Guard
  • while compliance with the rules for management of public funding has improved, there is still need for improvement
  • ministry buildings have yet to be secured in accordance with regulatory requirements

Of a total of 227 audited agencies, 11 have received reports of material errors and deficiencies in the accounts and 21 have received material remarks on budget transactions. In 2014, 11 of the 15 ministries received material remarks on budget implementation and management.

The presentation of accounting figures according to new standards is of varying quality

"In recent years new requirements have been introduced for annual accounts to improve transparency in public spending, but this requires greater accounting expertise, and it has clearly been difficult for many agencies to produce compliant accounts at the stipulated time," says Foss.

The OAG recommends that the Norwegian Government Agency for Financial Management improve its guidance in areas where a need for this has been identified, and government agencies should go through the process to ensure the best possible reporting.

Insufficient management and follow-up of accounting reporting from agencies under the Ministry of Health and Care Services

The OAG believes it is highly criticisable that the Ministry of Health and Care Services did not follow up reporting from underlying agencies well enough in 2014.

"It is the responsibility of the ministries to ensure that the agencies report relevant and reliable accounting information. This is necessary for the ministries' own management and follow-up, and it is necessary to enable us to perform our duties as the Storting's control body. This year we have been unable, among other things, to express an opinion on the accounts for the Norwegian Directorate of Health and the Norwegian Institute of Public Health, and the Directorate's accounts alone comprise around NOK 40 billion," says Foss.

Weaknesses in the security of information systems

Once again, the OAG notes that a number of agencies have substantial information system security weaknesses. A number of these have also received remarks about this previously – without the measures that have been implemented producing the necessary results.

"Many agencies manage large ICT systems that support essential social services. While the shortcomings of the Police Service are particularly serious, the Labour and Welfare Service and Brønnøysund Register Centre also have criticisable issues," Foss points out.

Access control weaknesses represent a risk of manipulation and theft of sensitive information, and inadequate logging impairs detection capacity and increases the likelihood of irregularities.

"We take a serious view of the shortcomings that have been uncovered. Major improvements require expertise and systematic work, but it is also possible to achieve better security with measures that do not require large resources," says Foss.

Risk of irregularities and errors related to funds managed by the Labour and Welfare Service

The Labour and Welfare Service's accounting system and related infrastructure have weaknesses that allow unauthorised system access, broad access authorisations and insufficient division of work.

"This gives rise to a risk of manipulation or theft of data, and unintentional errors. The agency manages major state funds and fundamental social welfare programmes. We consider it highly criticisable that the Ministry of Labour and Social Affairs has not done a better job of following this up," says Foss.

The OAG notes that the agency also does not have a good enough system to prevent and detect sick pay fraud.

"Benefit fraud is one of the biggest threats within economic crime, according to the Norwegian National Authority for Investigation and Prosecution of Economic and Environmental Crime. It is criticisable that the Ministry has also failed to follow up the agency's deficiencies in this area well enough," says Foss.

Inadequate follow-up of persons in need of vocational assistance

The Labour and Welfare Service does not use the instruments to get more people into jobs and fewer on benefits as intended. There are significant deficiencies in parts of the follow-up of persons on sick leave and recipients of work assessment allowance: Contact is too sporadic, requirements for employability assessments and activity plans are not adhered to, and follow-up of persons on sick leave takes place too late to fully utilise the Faster Back scheme.

"It is also criticisable here that the Ministry has not followed this up well enough to ensure that the purpose of this scheme, back to work faster, is better met," says Foss.

Serious weaknesses in the issuance of passports

The processing and issuing of biometric passports have significant shortcomings. Similar audits in Belgium, Latvia, Lithuania, Portugal and Switzerland show that Norway ranks last.

Identity checks of passport applicants are inadequate, executive officers can issue passports alone – without follow-up control or division of work, and there are significant deficiencies in the protection of information in the case management system and passport registry.

"It is a serious matter that the Ministry of Justice and Public Security has failed to establish a secure procedure for processing, producing and issuing passports, also because it is an important step in preventing crime and terrorism," says Foss.

Inadequate follow-up of safety recommendations from the Accident Investigation Board Norway

The Ministry of Transport and Communications has not established a satisfactory system for ensuring that road sector safety measures recommended by the Accident Investigation Board Norway (AIBN) are implemented.

This applies in particular to measures which someone other than the Norwegian Public Roads Administration is responsible for implementing, but where the agency does not have the same authority vis-à-vis other actors as that exercised by aviation and railway supervisory authorities.

"We take a serious view of the fact that there is less opportunity to follow up the implementation of measures in the road sector, and that this may therefore affect road safety levels. It is also criticisable that the Ministry of Transport and Communications does not evaluate the measures implemented within the road, rail and aviation sector on the basis of the AIBN's safety recommendations," says Foss.

Serious deficiencies in the Norwegian Armed Forces

Weaknesses, errors and deficiencies in the Norwegian Armed Forces have been uncovered for a number of years, and in 2014 serious shortcomings were uncovered in the Home Guard.

"This includes operational capability: staffing, materiel, logistics, training and exercises. The OAG's report has been submitted to the Storting as classified information," says Foss.

Improved grant management, but still room for improvement

The OAG has demonstrated, for a number of years, weaknesses and deficiencies in the ministries' management of grants delegated in part to subordinate administrative bodies.

"While regulatory compliance improved in general in 2014, there is still a need to improve the follow-up of grant schemes managed by subordinate agencies," says Foss.

Among other things, the OAG points out here that while the Ministry of Children, Equality and Social Inclusion has now implemented a number of procedures and measures to comply with grant management and impartiality requirements, the Ministry of Climate and Environment still lacks procedures and guidelines to follow up grant schemes managed by its subordinate agencies.

The requirement for permanent protection of ministry buildings has not been met

The OAG notes that the requirement for permanent basic security of ministry buildings stipulated in the Object Security Regulations was still not met in 2014.

"It is a serious matter that regulatory requirements for basic security have yet to be met, and that other security upgrades have been seriously delayed or put on hold," says Foss.
