SLOVENIA: Lessons from SPIRIT Slovenia’s Control Data Acquisition System
In its latest IT audit, the Court of Audit of the Republic of Slovenia assessed the technical setup and organization of ex-post controls under the Act Governing Aid to Businesses to Mitigate the Impact of the Energy Crisis (ZPGOPEK). The findings offer not only valuable lessons, but also a few wry smiles for IT auditors working in public sector oversight.
Subsidies First, Data Later
In 2023, energy prices soared across Europe, and Slovenia acted quickly. One of the emergency measures included a subsidy scheme that allowed large companies to apply for compensation based on anticipated energy costs. The government received 1,966 applications.
To avoid delays, subsidies were paid in advance — based on estimates of future consumption and pricing, not actual data. This introduced a major control challenge: how do you reconcile aid that has already been paid out on the basis of projections with the consumption that actually occurred?

The Burden of Data Provision Shifts from Beneficiaries to Energy Suppliers
Responsibility for this subsidy program — including its retrospective checks — fell to SPIRIT Slovenia, the public agency tasked with supporting the Slovenian business sector. To obtain accurate data, SPIRIT turned to energy suppliers, requesting real consumption and pricing information for each subsidized customer.
And here’s where the technical story gets interesting.
Custom APIs… for Everyone?
SPIRIT required every supplier to develop their own API, based on a provided technical template, and make data available for retrieval. There was no central portal or shared API, no upload form, no standard file interface — just a requirement for everyone to build an API and make their data available to SPIRIT.
The assumption may have been that all suppliers were large utilities. But once the applications were analyzed, it turned out that hundreds of suppliers were in fact small organizations — municipalities, churches, and fire brigades — who had become accidental suppliers simply by hosting mobile phone antennas on their rooftops (and paying the electricity bill). In fact, 346 of them had only one customer. Unsurprisingly, many of these organizations had no IT staff, no budget, and no knowledge of how to build an API. Yet they were legally required to comply — or face a €100,000 fine.

Poor Communication, High Security Risk
SPIRIT did not notify these energy suppliers of their obligations until just 40 days before the deadline — despite the fact that most had no way of knowing they had even been listed as suppliers in subsidy applications. The agency offered little support and did not inform suppliers when it had finished downloading their data, meaning they left their systems unnecessarily open for weeks or months.
Security practices were also questionable: SPIRIT required permanent (24/7) API availability and instructed suppliers to send their API credentials to a shared agency inbox. In at least one case, an employee forwarded these credentials to a personal Gmail account — entirely outside the agency’s secure environment.
A Cautionary Case for IT Auditors
The audit concluded that SPIRIT was inefficient in both the technical setup and organizational management of data collection. As governments increasingly rely on data-driven controls and reporting obligations, the design of data acquisition systems — including their proportionality, feasibility, and security — is becoming a critical subject for IT audit. Poorly planned systems not only increase operational risk, but may also create significant and unnecessary administrative burdens for businesses and non-profits alike.

The Court of Audit provided SPIRIT with a set of recommendations aimed at enhancing information security.
Full report (in Slovene):
https://www.rs-rs.si/en/audits-auditing/audit-archive/audit/implementing-control-zpgopek/