Feature story from Albania: Digitalization of services - ALSAI
The Albanian Supreme Audit Institution (ALSAI) is pivotal in enhancing accountability and transparency within public governance at the national level. Aligned with the objectives outlined in the 2023-2027 Strategy, it has underscored that the achievement of success hinges upon its ability to influence the accountability and transparency framework, thereby contributing to the reinforcement of sustainable institutions.
Through its extensive history of conducting performance and IT audits, ALSAI has been instrumental in pinpointing shortcomings and issues in the administration of public services. It has effectively identified potential risks and instances of non-compliance with regulations and spearheaded initiatives to enhance digital public services.
In the context of digitalizing public services, SAIs perform an important task to ensure that these government processes are secure, efficient, and compliant with standards. Through specialized IT and performance audits in the field of information technology, SAIs can identify potential risks to data security and integrity, as well as the effectiveness and efficiency of services provided through these systems. Through their recommendations to government bodies, SAIs can assist in promoting best practices and enhancing capacities for the successful management of digital services. Improving transparency and accountability in this field helps increase trust and improve the provision of more suitable and efficient services to citizens.
"In recent decades, the development of the internet and innovative technological changes have brought fundamental changes and challenges to every society worldwide. Information and communication technologies deeply influence our daily lives, human rights, economies, and social interactions. In cyberspace, there are continuous efforts by various individuals and groups with malicious intentions, which affect the functioning of states. Privacy breaches and identity thefts are also a growing and very concerning societal issue. One of the current and ongoing challenges for all countries is building a developed digital society that is cyber-protected and equipped with the necessary knowledge and skills to maximize benefits and manage risks.[1]"
The main objective of performance and IT audits focusing on improving digital public services has been the evaluation of policies and their effectiveness in the field of cyber security, mainly focusing on the roles, responsibilities, competencies, and responsibilities of state institutions in the field of cyber security and whether they have produced appropriate structures and policies to protect citizens' data during the use of electronic services.
In the field of digital services, the Performance Audit Department conducted a performance audit in 2023 on the topic "Performance of online service delivery."
Every day, hundreds of Albanian citizens seek services from relevant structures within the public sector. At the end of 2019, the Albanian government decided to start the "Digital Revolution of Public Services". Since January 1, 2020, a new process began, turning the applications for and provision of public services for citizens and businesses only online. Citizens and businesses apply solely through the unique government platform e-Albania, and public administration employees collect all state documents for the services. As of May 1, 2022, with a government decision, 95% of services to citizens are offered only online. According to the media, the transition of all services online has brought about a series of difficulties. Many citizens unable to use electronic services turn to various private offices or the nearest offices for assistance, providing them with sensitive personal data. This phenomenon poses a risk of misuse of citizens' data by unfamiliar third parties assisting in the electronic service process.
The audit on the topic "Performance of online service delivery" aimed to evaluate policies and their effectiveness in the field of digital services for:
- secure, fast, and reliable internet access for all: citizens, businesses, and government;
- strengthening and improving digital innovation;
- the productive use of public administration data.
Albania has joined the group of most developed countries in digital governance and is among the first in the region to offer services with digital format documents through the national digital platform.
The results of the audit on the "Performance of online service delivery" found deficiencies in the measures taken by responsible institutions, including:
- Insufficient improvement in the performance of online service delivery for citizens;
- The need for significant investments in digital infrastructure development;
- Inadequate internet network in rural and remote areas;
- The use by government institutions of different technological standards and communication protocols has made interaction difficult;
- The lack of common standards has hindered data and information exchange between institutions;
- Additional financial costs for third-party age groups who cannot use online services or are unfamiliar with digital technology.
One of the best lessons learned during and at the conclusion of this audit was that the failure to monitor the provision of public services online in a timely manner, and the lack of a clear, specific, transparent, and promptly approved legal framework, makes it difficult to determine responsibilities in the field of appropriate digital service delivery, for secure, fast, and reliable access for all.
IT audit developments and capacity building at the Albanian Supreme Audit Institution
The Albanian Supreme Audit Institution has taken significant steps in developing IT audits and related projects. Over the past two years, a collaboration with the Office of the Auditor General of Norway (OAGN) aimed to enhance the professional capacities of IT auditing and their practical implementation, supported by the exchange of experience and adherence to INTOSAI standards. The main objective has been to provide high-quality IT audits with a tangible impact on society. Several activities have been carried out, including training sessions focusing on database auditing (2022), Active Directory (2022), network security (2023), and most recently, cybersecurity (2024).
The capacities and planned activities for IT audit include increasing the priority of IT audits within ALSAI, enhancing integration of IT elements into financial audits and compliance audits, as well as increasing IT audit skills among auditors. ALSAI regards the support for IT audits as highly beneficial, with dedicated teams from both parties actively involved in the process.
In one of the recent audits, IT auditors identified weaknesses in the data security of information systems at the General Directorate of Road Transport Service. The ability of this institution to implement corrective measures was severely limited due to shared responsibility in technology management with the National Agency for Information Society (NAIS).
This audit highlighted that, despite being penalized by the Commissioner for the Right to Information and Data Protection for data breaches in vehicle registries, this institution did not take necessary organizational and technical measures in collaboration with NAIS to ensure data security and cybersecurity. This underscores the critical need for institutions to proactively address cybersecurity challenges and implement strong security measures to protect sensitive information and mitigate potential risks.
Another audit was conducted on Active Directory at the Water Supply Institution of Durrës. The audit concluded that all Active Directory configurations were set at default, meaning that security policies regarding passwords, user rights, security data, etc., were in their initial state since the operating system installation.
IT auditors are continuously implementing lessons learned from cooperation and training with Norwegian counterparts, putting them into practice during the audits conducted within the IT Audit Department.
Prepared by:
Alfred Zylfi (Performance Audit Department)
Elira Cukalla (IT Audit Department)
Dorel Balliu (IT Audit Department)
[1] National Cybersecurity Protection Strategy, DCM No. 1034, dated 24.12.2020, Chapter: Strategic Context