A number of government organisations have insufficient information security

There are significant flaws in information security in a number of government organisations, including the Norwegian Petroleum Directorate, according to the 2016 accounting audit by the Office of the Auditor General. The Norwegian Petroleum Directorate processes information from the oil sector, the protection of which is of the utmost importance. "It is strongly reprehensible that the Directorate still does not have a satisfactory information security system", said Auditor General Per-Kristian Foss.

Published 11/14/2017 1:00 PM

Document 1 (2017–2018) The Office of the Auditor General's report on the annual audit and control for the 2016 budget year was submitted to the Storting on 14 November 2017.

The following main findings were highlighted in the report:

  • The accounts are generally of good quality.
  • There are flaws in information security in a number of organisations, including the Norwegian Petroleum Directorate.
  • There are significant flaws in the police handling and follow-up of confiscated goods in criminal cases.
  • There are significant flaws in the work of the Norwegian Labour and Welfare Administration regarding unemployment benefits payments.
  • The Office of the Auditor General cannot comment on the annual accounts of the Armed Forces and Defence Materiel Agency.

Good quality in the majority of accounts

The Office of the Auditor General has submitted its report on 235 accounts for 2016. The accounts are generally of good quality and the number of modifications made post-audit was lower in 2016 than it was in 2015. For 2016, the Office of the Auditor General has no significant observations regarding the management of the Office of the Prime Minister, the Ministry of Children and Equality, the Ministry of Local Government and Modernisation, the Ministry of Culture, the Ministry of Education and Research and the Ministry of Foreign Affairs.

Flaws in information security

The Office of the Auditor General has repeatedly highlighted that a number of government organisations have significant flaws in their information security management systems. The 2016 audit demonstrates that there are still large deficiencies in this area.

"Poor management and follow-up regarding information security leads to a risk of sensitive information, including personal data, falling into the wrong hands and important services being rendered inoperable", said Auditor General Per-Kristian Foss.

Digitalisation is contributing to making critical social functions vulnerable and increasingly advanced cyber attack methods are being used on government organisations.

The Norwegian Petroleum Directorate

The Office of the Auditor General has previously reported significant flaws in information security at the Norwegian Petroleum Directorate. The 2016 audit shows that the Directorate's information security management system is still incomplete.

There is no clear correlation between risk and vulnerability and the security measures in place. In addition, evaluation and improvement of the information security management system has not taken place.

"It is incredibly disappointing that the Petroleum Directorate still does not have a satisfactory information security management system in accordance with the eGovernment regulations and recognised standards", said the Auditor General.

The Petroleum Directorate has national responsibility for data from the continental shelf and processes internal and external information from the oil sector which must be safeguarded.

"Inadequate information security increases the risk of incidents which can damage the reputation of the Directorate in the eyes of society and which could have commercial implications for the oil sector", Foss highlighted.

Information in the Foreign Exchange Register should be more secure

The audit highlights that there are also challenges in information security within the Foreign Exchange Register, which the Directorate of Taxes is responsible for. The Foreign Exchange Register contains a large amount of personal data regarding currency trading and the transfer of payments into and out of Norway. The Directorate of Taxes has not carried out information security risk assessments for the Foreign Exchange Register. Insufficient demands on, and monitoring of, the external data processing companies that manage and operate the Register have led to flaws in information security. More people than necessary have administrator access, which presents opportunities for information to be read, copied, changed and deleted. Furthermore, there are no procedures in place ensuring that unauthorised use will be detected.

"It is reprehensible that the Directorate of Taxes has not protected the information in the Foreign Exchange Register in accordance with the Foreign Exchange Register Act and the Personal Data Act", said Foss.

Significant flaws in police handling of confiscated goods

The audit shows significant discrepancies in police handling of confiscated goods in criminal cases. This was also highlighted by the Office of the Auditor General in 2009.

Many confiscated goods are not where the system states they should be. This applies particularly to the Oslo police district, which accounts for around 20% of all confiscated goods in the country. 12% of confiscated goods signed for in the Oslo police district are not kept where the police data systems say they are. Furthermore, none of the five police stations visited could produce documentation relating to when and where individual items were destroyed, or to who was present when the material was destroyed.

"We find it strongly reprehensible that many confiscated items within the Police Service are not where the service's computer systems say they should be. It is also reprehensible that the National Police Directorate does not carry out risk assessments and rarely follows up on and documents the handling and monitoring of confiscated items within police districts, particularly as we also highlighted a number of these flaws in 2009", the Auditor General said.

No checks that benefits payments go to genuine jobseekers

Benefits payments partly compensate for the loss of income as a result of unemployment. In 2016, the Labour and Welfare Administration paid out NOK 15.45 billion in benefits. The Office of the Auditor General's report shows a series of discrepancies in the administration's management of this money.

"We have noted that the Labour and Welfare Administration's management of benefits payments issues is of insufficient quality. Our report points out that the administration does not ensure that recipients of benefits are genuine jobseekers", said Foss.

The National Insurance Act states that only genuine jobseekers have the right to these benefits. A genuine jobseeker must be willing to take any job and to take a job anywhere in Norway. The Labour and Welfare Administration offices interviewed said that they had not applied mobility requirements in 2016.

"Insufficient application of the activity and mobility requirements may lead to recipients receiving the payments without fulfilling the requirement of being a genuine jobseeker. The Labour and Welfare Administration must ensure that the scheme is well-administered, which will also maintain public confidence in the benefits scheme as an important part of the social safety net", stated Foss.

The Office of the Auditor General cannot comment on the annual accounts of the Armed Forces and Defence Materiel Agency

The Defence Materiel Agency became a separate entity in January 2016. The Ministry of Defence decided that the Defence Materiel Agency accounts would be presented as a part of the Armed Forces accounts in 2016 and 2017. The Armed Forces and Defence Materiel Agency must both produce their own accounts and report on appropriations to central government accounts. The allocation of funds has been reported to central government accounts correctly. However, the Office of the Auditor General cannot comment on the organisation's accounts due to uncertainties and deficiencies in them.

"It is reprehensible that, when establishing the Defence Materiel Agency, the Ministry of Defence has not ensured that basic aspects of national financial regulations have been followed in accordance with Storting expectations", said Foss.

All organisations are obliged to produce accounts in accordance with the standards and requirements which apply to state accounts.

"Correct accounting is a basic requirement for the management and control of Storting appropriation regulations. The submission of accounts is a requirement for public visibility of the use of public funds and for checks performed by the Office of the Auditor General on behalf of the Storting", the Auditor General pointed out.

A total of NOK 43.1 billion was allocated to the Armed Forces and Defence Materiel Agency in 2016. Among other things, the Defence Materiel Agency is responsible for the procurement of F-35 fighter planes. Due to insufficient internal checks, it has not been possible to confirm the procurement costs for the F-35 in the Defence Materiel Agency accounts. The audit has also discovered that the Armed Forces incorrectly invoiced the Ministry of Justice and Public Security without charging VAT, in connection with emergency helicopter services. According to the Armed Forces, the missing VAT amounts to approximately NOK 170 million.

The Office of the Auditor General also states that the Armed Forces and Defence Materiel Agency will not be in a position to submit independent, auditable accounts in 2017 without requiring an exception to national financial regulations.

"It is strongly reprehensible that the Armed Forces and Defence Materiel Agency will not be in a position to submit independent, auditable accounts without requiring exceptions before 2018", said Foss.

Riksrevisjonen, Storgata 16, P.O. Box 8130 Dep, 0032 Oslo, Norway

Phone: +47 22 24 10 00

Org.nr: 974 760 843