
Insights from inside

In this chapter, the OA-IA reports on internal matters.

Personnel

In 2023, the OA-IA – as budgeted – set a target of ten staff members. There were two departures from the OA-IA in 2023, while two new members of staff were welcomed during the year.

Initial and continuing training

Data science training from armasuisse

This year, the OA-IA once again took advantage of the opportunity offered by armasuisse to learn more about the status of current research projects. As in the previous year, the OA-IA focused on the data science research programme. While last year’s speakers focused on how to determine the authenticity of image and media content, this year’s symposium dealt with the use of artificial intelligence and AI-supported tools in data analysis, as AI is developing at a tremendous pace. Today, AI is able to take data and extract information that can be used to generate knowledge – for example, AI tools are used to recognise patterns and repetitions in data sets. The aim of armasuisse’s current research is to develop AI that can use this knowledge to make reliable statements about the future. An understanding of correlation and spurious correlation of data plays an important role here, as do the methods that can be used to ensure the robustness of the reasoning used.

Further training on conducting audits

Two OA-IA staff members attended a training course on conducting audits offered by the Federal Administration Training Centre. They chose this training course because it covered best practices in the auditing field, refreshed certain skills and allowed them to compare their own practice with that of other Federal Administration offices that conduct audits.

The training course covered the various steps of an audit, from preparation to finalisation, as well as the role of an auditor and the principles of auditing. Course participants could compare their experiences in various group exercises. Finally, the formulation of recommendations and conclusions during an audit was also covered.

The latter was of particular value for OA-IA staff, as there are currently internal discussions regarding the formulation of recommendations and how to make improvements in this area. OA-IA course participants were able to explore the topic in detail as part of a transfer project. The conclusion of the transfer work was that recommendations must be comprehensively formulated but give the audited service room for manoeuvre. Well-formulated recommendations defining what risk must be minimised help the audited service to understand and accept the recommendation and take responsibility for implementing it. The document drafted by the course participants will serve as a basis for reflection in future to enable targeted optimisation within the OA-IA.

Certificate of Advanced Studies (CAS) ‘Digital Forensics and Cyber Investigation Fundamentals’

In the year under review, one OA-IA staff member completed a CAS Digital Forensics Fundamentals. The course consisted of four block modules: digital forensics fundamentals, cyber investigation fundamentals, cybercrime overview and digital forensics acquisition. The knowledge gained from the course flowed directly into Audit 22-18 and the associated data analysis. For example, a method employed in digital forensics was used to analyse an extensive data set.

CAS ‘Communication’

The OA-IA creates its own website content in addition to compiling and publishing the annual report. In order to deepen her technical expertise in communication, one staff member is working towards a CAS Communication, which she will complete in 2024.

Information Systems Audit and Control Association (ISACA) Europe Conference: ‘Digital Trust World’, 18–19 October 2023, Dublin

The ISACA is an independent professional association for auditors, IT auditors and professionals working in the fields of IT governance and information security. A member of OA-IA staff who holds ISACA certification as an IT auditor took part in the association’s annual two-day European conference.

Various presentations on current topics relating to a secure and trustworthy digital ecosystem offered the opportunity to enhance expertise and discuss findings, trends and best practices. The focus was also on the influence that AI and machine learning could have on the security situation, as well as on auditing activities in the cyber sector. The findings were incorporated into the OA-IA’s own risk management and audit activities.

Federal Data Protection and Information Commissioner (FDPIC) event on data protection, 17 August 2023, Fribourg (Switzerland)

In view of the entry into force of the new Data Protection Act (FADP), the FDPIC held an information event for data protection officers working in the federal government. Two OA-IA staff members participated in the event, where they also met with staff from the audited units.

The FDPIC and his staff, as well as representatives of the National Cyber Security Centre and the Federal Office of Police, presented topics relating to the amendments to the FADP. These included data protection impact assessments, the use of the new register of processing activities, the FDPIC’s new powers to investigate breaches of data protection regulations, logging and more. This successful event featured instructive presentations that will be useful both in the OA-IA’s administrative activities and in the context of supervisory activities.

The audit of the OA-IA by the Swiss Federal Audit Office (SFAO)

The SFAO is the supreme financial supervisory body of the Swiss Confederation, and is independent and autonomous within the scope of legal and constitutional provisions. The OA-IA’s institutional independence is likewise enshrined in law.

The SFAO carries out financial supervision according to the criteria of regularity, legality and economic efficiency. Its tasks include examining internal control systems and using spot checks to examine the payment orders issued by the administrative units. It is responsible for auditing the administrative units, including accounting and holdings. The OA-IA does not conduct its audits according to the same criteria. Its legal mandate is clearly differentiated from that of the SFAO.

In its 2023 annual audit programme, the SFAO announced that it would audit the OA-IA. The audit took place from 14 August to 1 September 2023. Its aim was to assess the effectiveness and expediency of the OA-IA’s supervision of intelligence activities. On 12 June 2023 the SFAO presented the OA-IA with the audit questions:

  1. Does the OA-IA’s supervision of intelligence activities comply with the legal basis?
  2. Does the OA-IA have sufficient resources for adequate supervision of all actors in intelligence activities?
  3. Does the IT infrastructure enable supervision to be carried out efficiently?

In spring 2023 the OA-IA provided the SFAO with six complete audit dossiers from 2021 and 2022 selected at random along with other documents such as concepts and manuals. The SFAO conducted numerous interviews with OA-IA staff, employees of the various audited bodies and the General Secretariat of the DDPS.

In their assessment, the SFAO auditors faced the challenge of not comparing the two authorities (SFAO and OA-IA) too closely. From the OA-IA’s perspective, it was important for the SFAO to understand that the OA-IA performs a different oversight activity and therefore does not function in the same way as the SFAO. These fundamental differences were discussed again in the final meeting in order to reconcile the two authorities’ respective powers. The SFAO continues to carry out its supervision according to its own criteria; the creation of the OA-IA has not changed anything with respect to its scope of responsibility.

Access to official documents and information

As part of the decentralised Federal Administration, the OA-IA works on behalf of citizens. They have a right to know what the authorities are doing and how they are fulfilling their mandate. As a result, citizens have the right to gain access to information and at the same time the authorities have a duty to provide information.

The Freedom of Information Act (FoIA, SR 152.3) determines the scope and boundaries of passive information. Any person may request access to official documents without having to claim a special interest. The OA-IA did not receive any requests for access to official documents in the reporting year.
