The National Audit Office announced Monday that while the Estonian state's 2022 annual accounts accurately reflect the state's financial situation, they were unable to verify the Ministry of the Interior's labor costs because the ministry prevented them from being audited.
"This is an unprecedented case in the history of the National Audit Office, where an auditee prevents access to data necessary for auditing the state's annual accounts," Auditor General Janar Holm said, commenting on the incident.
In accordance with the law, Holm informed the Riigikogu's State Budget Control Select Committee of the obstruction of the National Audit Office's work and requested this be discussed within the committee.
Last year, the labor costs of the Interior Ministry's area of government totaled €304.28 million — meaning that the total sum of money the National Audit Office was unable to audit accounts for around a quarter of the central government's total labor costs.
In order to conduct audit procedures, the National Audit Office requires institutions' financial, personnel and wage data. Since last year, this information is automatically collected via X-Road, the state's secure data exchange layer through which various state databases exchange information and which processes personal data in pseudonymized form, with identifying personal data replaced by aliases, numerical codes and other identifiers.
The purpose of this is to process and store data securely, reduce the use of personal data as well as reduce auditors' manual work in order to operate more efficiently and not waste valuable human labor on operations that can be automated. This allows auditors to focus on the substance of the operations.
The National Audit Office collects data from a reporting environment maintained by the State Shared Service Center, which does not include data protected as a state secret.
In the course of the annual accounts audit, three auditees — the Ministry of the Interior, the Government Office and the Ministry of Defense — were not prepared for the exchange of data via the National Audit Office's proposed method, i.e. an automatic exchange via X-Road, however the audit office proposed as an alternative that the institutions in question could submit the necessary economic expense and investment statements and pseudonymized personnel and payroll reports themselves.
The Government Office and the Defense Ministry took them up on the offer and submitted their data this way, and the necessary audit procedures were duly completed.
The Ministry of the Interior, however, rejected the proposed alternative information transmission method, instead wanting the National Audit Office to manually record the necessary data themselves from an HR and payroll reporting environment containing personalized data.
This would have meant that the National Audit Office would have been burdened with technical work extracting data from registers instead of focusing on the substance of the Interior Ministry's operations.
The auditor general called the ministry's approach during the audit contradictory and incomprehensible.
"What's especially curious is the fact that the Ministry of the Interior refused automatic data transmission via the X-Road as well as the alternative means of data transmission that suited the Government Office and the Ministry of Defense citing personal data protection and security risks, but it's precisely the Interior Ministry's own proposed means of exchanging information that, compared with the National Audit Office's proposed solutions, would mean auditors' much greater exposure to personal data and not minimize access thereto," Holm highlighted.
The auditor general modified the organization of the work of the National Audit Office last year precisely to avoid the identification of personal data in HR and payroll reports via single queries as well as National Audit Office auditors' direct access to the very database that the Ministry of the Interior proposed utilizing.
"The claim made in the interior minister's response that the ministry provided National Audit Office auditors access to all of the HR data necessary for assessment in the manner and to the extent prescribed by law is incompetent and interfering with the independence of the National Audit Office," Holm emphasized. "The minister of the interior is not the one who can dictate to the National Audit Office the manner and extent to which the state's supreme audit institution carries out its work, and what is and is not sufficient for drawing substantiated conclusions in the audit. We'll decide that for ourselves."
He added that the National Audit Office is free from guidelines and interference from both legislative and executive state powers in selecting audit objects, in planning and carrying out audits as well as in drawing up audit reports.
The core activity of the National Audit Office is regulated by the National Audit Office Act and, in the case of sensitive information including state secrets, also the State Secrets and Classified Information of Foreign States Act.
The interior minister cited as the grounds for refusing to provide data to the National Audit Office a 2013 government regulation according to which access to the Ministry of the Interior's structural, HR and payroll data is given exclusively with the consent of the ministry itself.
According to the National Audit Office, however, this regulation isn't applicable to their core activity, as the audit institution's rights arise directly from the law, and according to the law, auditees are obligated to provide the National Audit Office with information necessary to an audit.
National Audit Office officials also have the right when conducting audit operations to inspect media carrying state secrets, but this wasn't necessary in the audit in question.
According to the National Audit Office, attempts by public authorities to restrict access to information are becoming more frequent.
Holm stated that there's been a noticeable pattern, in recent times in particular, in the flow of public information, where public authorities are increasingly attempting to impose restrictions on access to information under various pretexts.
"It's especially troubling that national security concerns are now lightly being used as justification, now even when it comes to the National Audit Office," he added.
The National Audit Office also highlighted that the ministry had also delayed submitting data regarding administrative expenses and investments within its area of government, noting that the audit institution only received this information nearly half a year later, during the final stages of the audit.
Ministry objects to criticism
The Ministry of the Interior is unsatisfied with the National Audit Office's criticism. Tarmo Olgo, head of the ministry's Internal Audit Department, said that they provided the National Audit Office access to all of its HR data.
"The Ministry of the Interior provided the National Audit Office with every opportunity to use the same solution in auditing HR costs as has been successfully used in previous year," Olgo said. "The National Audit Office refused, and only wanted to use the methods it itself had proposed — loading data into a data warehouse or forwarding it in the form of an Excel spreadsheet."
According to the ministry department director, the issue is that last year, the National Audit Office decided to change its approach to auditing personal data, and instead of looking at the data in a database, pull HR data from a secure state register and upload it to the National Audit Office's own data warehouse.
"Unfortunately, at the time of the audit, the security and legal arrangement of the storage of the data was unclear, due to which the risk of disclosure of the data of employees under state secret was not mitigated," he explained. "A security test was ordered only after the start of the audit, and its results did not provide reasonable assurance that the desired volume of data can securely be shared there. Submitting data as an Excel spreadsheet would have entailed an unreasonable labor and time cost."
The National Audit Office has audited the Interior Ministry's HR costs for years, and that cooperation has been smooth, he said. The regulation regarding the provision of access to the necessary information hasn't changed during the course of the 2022 audit being conducted, however, and thus the Ministry of the Interior cannot share its employees' data to a data warehouse with an unknown degree of security.
Olgo stressed that under the State Secrets and Classified Information of Foreign States Act, information regarding the personnel of a security authority is classified as a state secret, and the Ministry of the Interior is obligated to verify the security of a release of data each time.
Editor: Aili Vahtla