The OA-IA only provides detailed information on selected audits in its annual report. For each completed audit, it publishes a summary of the results on its website.2
The OA-IA performs risk-oriented audits in the following audit areas:
- Strategy and planning
- Information gathering
- Data processing and archiving
«The OA-IA worked on 19 audits in 2022 and performed all audit procedures of a total of 16 audits.»
In total, the OA-IA worked on 19 audits. Planned were 15 audits for the year 2022. Since the topic of HUMINT had already been covered in 2021, the OA-IA decided not to conduct Audit ‘22-9 Human Intelligence (HUMINT)’ again in 2022 and postponed this audit to 2023. It also conducted two audits from the year 2021 and three unplanned audits. The OA-IA therefore worked on 19 audits in 2022 and performed all audit procedures of a total of 16 audits. The reporting of seven audits was also completed in 2022, with a further six audits being reported in the first quarter of 2023.
Audits conducted in 2022
Strategy and planning
In the area of ‘Strategy and Planning’ the OA-IA checks issues that relate to the short-, medium- or long-term strategic planning of Swiss intelligence agencies and their objectives. The following audit was planned for the year 2022:
- 22-1 Anticipation and early detection (FIS)
[22-1] Anticipation and early detection (FIS)
The anticipation and early detection of relevant threats, strategic developments and corresponding opportunities are vitally important in security policy. But what exactly do these activities entail? Early detection helps to identify and understand a threat. This can be new or result from a change in the situation. Once a given circumstance has been detected, the next step is to take action to influence the development of a situation. This action is essential: the aim is to become an agent of change by planning and taking measures today that will allow us to prepare for a possible change in the future.
The FIS plays an important role in the anticipation and early detection of relevant threats. According to the foreword given by the head of DDPS in the ‘Security Switzerland 2021’ situation report, improved early detection should enable more targeted action to counter cyber threats, disinformation and influence activities directed against Switzerland and also diffuse hybrid threats. The latter occur in modern conflict scenarios when conventional military operations are combined with economic pressure, computer attacks or propaganda in media and social networks. These phenomena are becoming increasingly important from a security policy standpoint and require greater attention.
Information gathering and processing facilitate the early detection and prevention of threats to internal and external security. Social and technical advances as well as the increasingly global nature of today’s threats require the FIS to improve its ability to detect these threats earlier and to respond to them more quickly and effectively.
The amount of publicly accessible information available in real time via modern information technologies does not make intelligence services superfluous. They still need to: sift through and evaluate countless reports; supplement and verify information using data that is not publicly accessible; condense raw data in a way that enables timely situation analyses. This is the only way to ensure that the Federal Council has a sound basis for strategic decisions. The OA-IA included this audit in its audit plan in order to determine whether and how the FIS fulfils this important task. The audit report was being finalised at the time this annual report was being written. Once the final report has been completed and submitted to the DDPS, the OA-IA will publish the audit summary on its website.
In the area of ‘Organisation’ the OA-IA checks the suitability of the structure and processes of the intelligence services and asks whether they enable the authorities to carry out their legal mandate in a lawful, expedient and effective manner. The OA-IA conducted the following audits in this area in 2022:
- 22-2 Business Continuity Management and Disaster Recoveries in IT Operations (EOC)
[22-2] Business Continuity Management and Disaster Recoveries in IT Operations (EOC)
Unforeseen events such as damage to cables caused by construction work, natural disasters such as floods, or direct attacks on the information technology infrastructure affect not only private individuals, but also companies and state institutions. Business continuity management (BCM) involves analysing and managing the risks that such threats pose for the entire organisation. Given the heavy reliance of business operations on information technology, the existence of a fail-safe IT infrastructure is essential for the survival of an organisation. In this sense, IT-BCM provides technical support for business continuity management and ensures that the IT infrastructure and corresponding IT services can withstand a disaster and/or be restored within a reasonable timeframe and in accordance with established priorities. BCM is therefore concerned with maintaining a minimum production capacity in any situation and identifying the critical business processes needed for this purpose. IT-BCM, on the other hand, ensures a certain redundancy of the required IT infrastructure, data and applications. It also enables service to be restored within a reasonable period of time after disruptions.
The primary task of intelligence services is to obtain and process data in order to gather information that is needed to safeguard our country’s security interests. Like all other organisations whose business model is based on information processing, they are particularly dependent on IT systems that remain highly available. Therefore, the above-mentioned disasters also affect the business processes of such organisations directly. This is because the loss of information technology directly affects their ability to guarantee critical business processes. For these organisations, BCM and IT-BCM are closely related. This prompted the OA-IA to review the business continuity management of information technology as well as the IT-disaster recovery at the EOC.
The OA-IA noted in its audit that the EOC bases its considerations mainly on internal risk management. In this context, preventing and reducing risks to an acceptable level are just as important as ensuring the recovery of the IT infrastructure after a disaster scenario occurs.
In addition, the EOC is constantly working to optimise its BCM and disaster recovery capabilities in IT operations. This includes the creation and further development of strategies and plans, but also ongoing investments in the IT infrastructure to ensure that back-up and disaster recovery mechanisms remain technologically up-to-date.
Overall, the OA-IA concluded that the EOC is well equipped in the area of BCM and disaster recovery in IT operations.
«In addition to an on-site audit, which includes a technical discussion with the CIS staff in charge and a tour of the premises, the OA-IA also carries random samples of the various information systems.»
The OA-IA checks the level of cooperation between the cantonal intelligence services and national and international authorities. Each year, the OA-IA examines cooperation with selected cantonal intelligence services (CISs). In 2022, it conducted the following audits:
- 22-3 Cantonal Intelligence Service of Valais (CIS / FIS)
- 22-4 Cantonal Intelligence Service of Glarus (CIS / FIS)
- 22-5 Cantonal Intelligence Service of Thurgau (CIS / FIS)
- 22-6 Cantonal Intelligence Service of Zug (CIS / FIS)
- 22-7 Cantonal Intelligence Service of Schwyz (CIS / FIS)
[22-3 to 22-7] Audits of the cantonal intelligence services of Valais, Glarus, Thurgau, Zug and Schwyz (CIS / FIS)
In 2022, the OA-IA audited the intelligence activities of the CIS in the cantons of Valais, Glarus, Thurgau, Zug and Schwyz. Since taking up its oversight activities, the OA-IA has thus audited a total of 22 CISs. The audit of the remaining four CISs3 is scheduled for the 2023 audit period.
To ensure comparability, the OA-IA uses the same procedure to audit all CISs. In addition to an on-site audit, which includes a technical discussion with the CIS staff in charge and a tour of the premises, the OA-IA also carries random samples of the various information systems.
All CIS audits 2022 found that the FIS and the CISs basically cooperate well to very well in all areas of intelligence. The CISs have a good to very good understanding of intelligence tasks and possess the motivation needed to accomplish these tasks. The OA-IA examined an average of five mandates that the FIS had given to the respective CIS from the years 2020 to 2022. It considered aspects such as the purpose of information gathering, the actions taken, the results achieved and whether or not the CISs met the deadlines set by the FIS. The results of these samples, as well feedback from FIS performance assessments, led the OA-IA to conclude that the audited CISs completed the mandates given to them by the FIS in a lawful manner, on time and provided a level of quality deemed satisfactory by the FIS.
Due to a lack of resources and technical means for data processing, CIS Zug kept unprocessed audio files on an external hard drive for an extended period of time. The OA-IA recommended the FIS to ensure that the CIS comply with the applicable requirements regarding the duration of the retention period of data outside the FIS network. In the future, the FIS quality assurance unit should include verification of data on external data storage media when conducting periodic random samples.
Differences in the way individual CISs operate are particularly visible in small CISs with limited staff numbers. In one CIS, the head did not carry out any intelligence activities and did not have access to FIS information systems. In another CIS, the deputy head only filled in when the head was absent, but was not involved in the day-to-day operations. In both cases, however, these individual forms of organisation had no discernible negative effects on the fulfilment of the mandates given.
The distribution formula used to calculate the amount of compensation that the FIS pays to the CISs remained unchanged until the end of 2022. After that, this formula will be adjusted. The smaller CISs, in particular, which are affected by a possible reduction in compensation, became disgruntled by the proposed changes. The FIS and the Conference of Cantonal Police Commanders of Switzerland (CCPCS) therefore set up a working group to jointly establish the criteria to be met for the next distribution formula. Since their work began only in early 2023, the period of validity of the current distribution formula has been extended until the end of 2023.
3 Lucerne, Nidwalden, Obwalden and Uri
«The FIS is required to choose the information-gathering measure that has the least impact on the fundamental rights of the persons concerned.»
Information gathering is a core task of intelligence services. Various means can be used for this purpose. The OA-IA pays special attention to those that most deeply invade the privacy of the persons concerned.
Each year, a special audit is conducted in the area of HUMINT. Audit ‘21-15 HUMINT’ planned for 2021 could not be fully carried out in the year itself and was only completed in 2022. Therefore, Audit ‘22-9 HUMINT’ scheduled for 2022 was cancelled. The HUMINT area was also covered in 2022 by another audit in the Resources area ‘22-13 Legended financial flows.4
In the area of information gathering, the OA-IA conducted the following audits in 2022:
- 21-15 HUMINT
- 22-8 Operations, operational clarifications and information-gathering measures requiring authorisation (FIS)
- 22-10 Information-gathering measures not requiring authorisation (FIS)
- 22-11 Information gathering management (FIS)
- 22-12 Sensor control and selection in military intelligence (MIS)
[22-10] Information-gathering measures not requiring authorisation (FIS)
In order to fulfil its tasks, the FIS obtains information from publicly and non-publicly accessible information sources5. In each case, the FIS is required to choose the information-gathering measure that has the least impact on the fundamental rights of the persons concerned. e FIS can take certain measures to gather information independently and without having to obtain specific external authorisation. This is because the intensity of interference with fundamental rights of such measures is relatively low. These measures include gathering information from public sources, carrying out observations in public and generally accessible places, using human sources and issuing alerts regarding individuals and property. The OA-IA mainly focused on observations (e.g. video and audio recordings) in public and generally accessible places (e.g. airports, streets or railway stations) and the use of the computerised police search system (RIPOL), including the national part of the Schengen Information System (N-SIS).
Any observation carried out in public and generally accessible places requires a very careful analysis of the circumstances on site, as the question of whether or not permission for information gathering is required may depend, for example, on the angle of a camera shot. Recording conversations can also be tricky, especially because the criminal law definition of what is and what is not a private discussion makes it difficult to implement measures in real situations. The OA-IA therefore examined all processes used to implement these measures as well as the corresponding technical means used to obtain and process such information.
RIPOL is used by federal and cantonal law enforcement agencies to issue alerts concerning persons and property in Switzerland. The FIS can also issue alerts in RIPOL for persons and vehicles if there are well-founded indications that the person in question poses a concrete threat to the internal and external security of Switzerland, if a vehicle is being used for such a threat, or if establishing the whereabouts of a person or vehicle is necessary to safeguard vital national interests. The N-SIS is used to process the same alerts, but on an international level in the Schengen area. The OA-IA examined the processes leading to the issuance of alerts in RIPOL and the N-SIS. Auditors also checked access authorisations as well as the management and control of data searches from the two systems. To do this, the OA-IA conducted its audit activities at the FIS and obtained clarifications from the Federal Office of Police (fedpol).
The audit report had not yet been completed at the time this annual report was being drafted. For this reason, no assessment could be made at that time.
4 See Section 5.2.5 below.
5 Art. 5 of the Federal Act of 25 September 2015 on the Intelligence Service (Intelligence Service Act, IntelSA; SR 121).
[22-11] Information gathering management(FIS)
The Information Management Division (IM) is part of the Information Gathering Directorate of the FIS. It performs one of the core tasks of the directorate by coordinating information-gathering assignments. It also provides a continuous overview of the information-gathering activities carried out by the FIS. In this respect, the IM Division serves as the directorate’s nerve centre.
In its previous audits, the OA-IA had repeatedly come into contact with the IM Division, but had never reviewed its activities in detail. Therefore, in this audit, the OA-IA examined the following in particular:
- whether the tasks, remits and responsibilities of the IM Division are expedient and effective with regard to fulfilment of the tasks entrusted to FIS under Art. 6 IntelSA;
- whether the IM Division is adequately integrated within the FIS structure;
- whether cooperation with other organisational units within the FIS and with third parties is expedient and effective.
In this audit, the OA-IA reviewed the entire IM Division. Auditors examined actual information gathering management – also referred to as collection management – as well as two other areas.
In its audit, the OA-IA also reviewed the extensive documentation describing the tasks, remit and responsibilities of the IM Division and the areas included. This documentation was comprised of manuals, processes, memos and business management processes.
The OA-IA then checked to see whether the procedures described in the documentation were actually followed. The OA-IA obtained this information from interviews with IM staff and by consulting the FIS file storage system and then randomly reviewing cases handled by the IM staff interviewed.
In order to assess the level of cooperation with other organisational units in the FIS and with third parties, the OA-IA conducted interviews with other FIS employees, for example from the Evaluation Division, whose daily work is directly affected by the activities of the IM Division. Analysts prepare information gathering assignments, which are then reviewed by the IM Division and, if necessary, sent back for additions and/or corrections. Written questions were also sent to external bodies to find out more about their daily cooperation with the IM Division. These bodies included in particular the independent Post and Telecommunications Surveillance Service (PTSS) and the EOC.
It can be stated out, that the auditors were unable to clearly determine who specifically was responsible for information gathering assignments. The OA-IA recommended optimising certain processes. The DDPS has forwarded the two recommendations to the FIS for implementation.
[22-12] Sensor control and selection in the Military Intelligence Service (MIS)
This audit mainly dealt with the question of whether sensor control and selection in the MIS take place lawfully, expediently and effectively during missions of the Swiss Armed Forces. In its letter dated 26 November 2021 on the draft 2022 audit plan, the Control Delegation of the Swiss Parliament (CDel) informed the OA-IA that, for example, the issuing of assignments for radio communications intelligence and the planning of MIS contacts with partner services were long-term undertakings and could not be adapted to new procurement objectives at short notice. Therefore, auditors were told that it did not make sense to analyse sensor control from the standpoint of MIS administrative processes. Instead, it made more sense to examine sensor control within the context of specific missions carried out by the Swiss Armed Forces. The OA-IA took this advice on board in the audit design and focussed its audit activities on selected specific missions of the Swiss Armed Forces at home and abroad.
«The OA-IA found that MIS sensor control and selection during domestic assistance missions were handled in a lawful, expedient and effective manner.»
The OA-IA found that MIS sensor control and selection during domestic assistance missions (specifically the 2022 World Economic Forum Annual Meeting and the 2022 Ukraine Recovery Conference) were handled in a lawful, expedient and effective manner. In addition to the usual audit activities, such as inspecting documents, auditors also visited the MIS operations room and conducted interviews with staff members in the audited unit. All participants in the above-mentioned discussions gave a positive assessment of MIS actions. The OA-IA also took this into account in its assessment.
The OA-IA’s audit activities also revealed that the MIS obtains and evaluates information on foreign countries that is significant for the Swiss Armed Forces; auditors confirmed that sensor control and selection was carried out lawfully, expediently and effectively. That said, the MIS is not directly involved in peace building or support missions abroad; thus, the OA-IA could not audit MIS sensor control and selection in these circumstances due to the lack of an auditable object.
In the area of ‘Resources’, the OA-IA considers whether the intelligence services are handling resources in an expedient manner and whether intelligence activities are carried out effectively.
In 2022, the OA-IA conducted the following audits relating to ‘Resources’:
- 22-13 Legended financial flows (FIS)
- 22-14 Recruiting-, support- and leaving process (FIS)
[22-13] Legended financial flows (FIS)
The FIS conducts most of its information gathering activities covertly. This is essential because if the affected states and actors become aware of these activities, they can take countermeasures. In addition, covert activities protect FIS staff and facilities as well as the human sources working undercover. These are individuals who have exclusive access to information and are willing to give this information to the FIS. Human sources often charge money for their information. The FIS is authorised to provide them with adequate compensation for their activities.6 Payments made by the FIS to undercover sources – and thus proof of their work for the FIS – can pose a great risk in the source’s country of origin as well as in their personal environment if their work becomes public. Suspicion of income due to intelligence connections and activities can damage a source professionally, destroy his/her reputation and, depending on the country and environment, put him/her at great risk to life and limb. Therefore, for reasons of self-protection and to protect undercover sources, the FIS must have the means of transferring money that does not reveal the FIS as the original sender.
Since 2018, the OA-IA has conducted annual audits of the HUMINT Division. During these audits, random sampling is used to verify the legality, expediency and effectiveness of source management. Auditors also consider whether the amount paid out to undercover sources is justified on the basis of performance. The present audit, however, dealt exclusively with the path of money and legended financial flows within the FIS.
«Incorrectly executed payments can allow third parties to draw undesired conclusions about FIS staff and facilities as well as about the sources, thereby putting them at risk.»
Incorrectly executed payments can allow third parties to draw undesired conclusions about FIS staff and facilities as well as about the sources, thereby putting them at risk. If these risks were to occur, they would inevitably damage the reputation and credibility of the FIS. There would also be operational effects such as hindering or even preventing information gathering.
In order to assess the legality, expediency and effectiveness of the methods used by the FIS to handle legended financial flows, the OA-IA reviewed the financing of two institutions, six financial infrastructures used to pay undercover sources as well as one case where the FIS and a foreign partner intelligence service jointly managed a source. It also reviewed another case in which the FIS worked with a partner intelligence service to conduct a joint operation.
The audit activities were completed by the end of 2022 and the final audit report was being finalised as this annual report went to press. While the results of the final audit report cannot be anticipated, it can be stated that the FIS uses legal, expedient and effective methods when providing funds to a beneficiary. Nevertheless, the OA-IA intends to submit a recommendation to the DDPS7 regarding the completeness of reporting.
6 Art. 15 para. 2 IntelSA
7 According to Art. 19 IntelSO
[22-14] Recruiting-, support- and leaving process (FIS)
There are significant security risks from within intelligence services as their own employees can betray their organisation, steal data or engage in espionage. Therefore, in 2019, the OA-IA conducted an audit of both the MIS and the EOC with the same audit questions as the ones used for Audit 22-14 of the FIS.8
In 2019, the OA-IA found that different classification practices regarding personnel security screening (PSS) had been established for the three intelligence services, FIS, MIS and EOC. Under current legislation, there are three different PSS levels: basic security screening, which is required when employees have access to information classified as confidential; enhanced personnel security screening, when the person concerned has access to information classified as secret; and enhanced PSS combined with questioning, when the person has regular access to classified internal and external security information.9
All employees of the three intelligence services must undergo such an audit whenever they start working in the services. This audit is repeated at regular intervals. The OA-IA was unable to understand the different classification rules objectively and logically. It therefore recommended to the head of the DDPS that the classification practice for the three intelligence services be reviewed and, if possible, standardised.
The new Information Security Act and its implementing regulations provide for only two levels of personnel security screening instead of three. The extent to which classification practices will be standardised after the draft legislation comes into force cannot be assessed at this time.
For Audit 22-14, the OA-IA shifted its focus compared to the two audits mentioned above, focusing instead on the recruiting and support of FIS staff. The poor results from the last staff survey in the Federal Administration and the high staff turnover rates, combined with frequent changes at the top-management level, justified this approach. Less attention was paid to the audit questions regarding deactivation of access to buildings and information systems after staff departure. Auditors also paid little attention to the process of re-initiating regular PSS. This was due to the fact that the OA-IA already checks access processes in its regularly conducted audits of information systems. In addition, the FIS follows the strictest PSS classification practice of all three intelligence services and has established documented processes for this purpose.
Here, the OA-IA wanted to obtain a representative sample through interviews with staff members. For this purpose, it carried out the logistically challenging task of conducting over thirty interviews. Appropriate consideration was given to the gender, age, language composition, selection of members of FIS working groups and hierarchical levels of the staff interviewed. Several FIS employees spontaneously made themselves available for an interview, others asked if they could make additional statements in connection with previously held interviews. The OA-IA did not disclose all the names of the staff interviewed to FIS management. This ensured that they could answer without bias. In the course of the audit, the OA-IA analysed over 350 pages of interview transcripts and carried out random sampling in 38 personnel files.
Another challenge resulted from the transformation project launched by the FIS Director, who intends to transform the service. The OA-IA will pay special attention to this circumstance in its assessment. The results of the audit cannot yet be conclusively stated in this annual report. The OA-IA plans to complete the audit at the beginning of the second quarter of 2023 and submit a definitive report.
8 See 2019 OA-IA Annual Report, p.22 pp.
9 Art. 10 to 12 of the Ordinance of 4 March 2011 on Personnel Security Screening (PSSO; SR 120.4)
Data processing and archiving
In the area of ‘Data processing and archiving’, the OA-IA verifies the legality of information processing. This is due to the fact that the information processed by intelligence services is highly sensitive and the legal requirements are as extensive as they are complex.
In 2022, the OA-IA conducted the following audits in this area:
- 21-16 Telecommunication services (FIS)
- 22-15 Open-source intelligence (OSINT) (FIS)
- 22-16 FIS and EOC links to Swiss telecommunication service providers (FIS)
- 22-17 Follow-up 20-19: Archives of the FIS (FIS)
- 22-18 Data collection by Cyber FIS (FIS)
The activities for Audit ‘22-15 Open-source intelligence (OSINT)’ did not start until the fourth quarter of 2022. The activities for Audit ‘21-16 Telecommunication services’, on the other hand, were completed in 2022, although the report was not yet available by the editorial deadline set for the 2022 annual report. With Audit ‘22-17 Follow-up to 20-19: Archives’, the OA-IA intends to assess the action steps decided by the FIS in the wake of Audit ‘20-19 Archives’. The first audit activities have already been carried out.
[22-16] Telecommunication services (FIS)
«When involving telecom service providers, what steps have been taken to ensure that no information is gathered that would require preliminary authorisation?»
Social media platforms such as WhatsApp or Telegram are increasingly being used to exchange information with friends and acquaintances. End-to-end encryption is used by these providers to secure the content of communication. The FIS handles requests for access to information on end-to-end encryption applications operated by Swiss telecom providers. It is important to note, however, that these requests do not focus on the content of communication, but rather only on the marginal data10 that can be used to identify the parties involved in communications.
The FIS has observed an increase in such requests in recent years. For this reason, it centralised the internal processing of such requests. This audit was conducted to ascertain whether centralisation had improved the process.
The OA-IA considered the following questions:
- Is there a valid legal basis for the FIS to directly involve telecom service providers and use the information obtained from them?
- When involving telecom service providers, what steps have been taken to ensure that no information is gathered that would require preliminary authorisation?
- What steps have been taken to ensure that the FIS only receives and processes information relating to the assignment at hand?
- Is the process used for such clarifications expedient?
In addition to interviews, the audit activities focused on a significant number of samples of clarifications processed in the period from 2020 to 2022. Although the audit activities had been completed when this annual report was written, the results are not yet ready. The OA-IA plans to submit the final audit report at the start of the second quarter of 2023. A summary of the answers to the audit questions will therefore be published online in the usual form.
10 Marginal data are data that contain information about the use of electronic infrastructures. They document, for example, which telephone connection, which e-mail sender or which IPT address communicated when, for how long and with whom.
[22-18] Data collection by Cyber FIS (FIS)
From 2015 to 2020, during investigations of suspected cyber attacks, the FIS also obtained information that is subject to telecommunications confidentiality rules. Under IntelSA, these information-gathering measures require authorisation from the Federal Administrative Court. The FIS had not asked the FAC for this authorisation. In addition, it recorded the network traffic of servers used by cyber attackers, also without FAC authorisation.
In May 2021, the FIS Director at the time notified the OA-IA of possible irregularities and informed us that an internal investigation had been launched to examine the processes followed by the Cyber FIS Division. In addition to the internal investigation, the FIS commissioned an external evaluation to obtain a legal opinion. In two anonymous letters, the OA-IA received additional background information on the facts of the case.
The OA-IA closely followed the FIS’s internal investigation. The OA-IA insisted that it be provided with reports and documents if the deadlines agreed with the FIS were not met. Over the course of the investigation, it was ascertained that the Cyber FIS Division had heeded the FIS Director’s instruction to cease and desist with the data collection in question. The FIS’s internal investigation mandate also included the right questions. The final report was written quite critically and made various recommendations, such as ensuring that employees of the Cyber FIS Division received proper training on the legal aspects associated with their tasks; and the importance of restructuring the Cyber FIS Division. The latter resulted in the Cyber FIS Division being assigned to the Evaluation Division.
In the same context, the DDPS launched an administrative investigation in January 2022 which should have clarified the open questions from the internal investigation. At the same time, other measures, such as the filing of a criminal complaint, were supposed to be considered.
«Analysis of the final reports from the internal and administrative investigations led the OA-IA to conclude that still not all relevant questions had been answered.»
Analysis of the final reports from the internal and administrative investigations led the OA-IA to conclude that still not all relevant questions had been answered. These related in particular to individual aspects, such as legended financial flows, the use of hardware developed and made available by the FIS for data collection, and a possible transfer of data to an external party.
The OA-IA also received additional internal information from the FIS, which prompted it to conduct its own audit activities. In particular, auditors held interviews with affected staff members and supervisors. The OA-IA then transferred the resulting documentation to Audit 22-18. The following audit questions will be examined in this audit:
- Have all the facts enabling assessment of the events at Cyber FIS been fully documented?
- What steps has the FIS taken to ensure that analysis of data traffic obtained from providers takes place in a lawful manner in the future?
- Are the organisational measures and controls taken by the FIS to prevent such incidents in the future appropriate and effective?
Since the audit activities had not been completed at the time this annual report was written, the OA-IA cannot yet make any statements on possible findings or need for action. However, the OA-IA notified the FIS Director and the head of the DDPS in December 2022 that according to an interim finding, an urgent measure formulated by the FIS itself in the internal audit report had not been implemented. The OA-IA noted on this occasion that action needed to be taken before the audit was completed.
The OA-IA auditors were welcomed by the supervised organisational units in a constructive and professional manner. They were given direct access to the documents and information systems required to carry out their audit tasks. Auditors also had no difficulties reaching interviewees whenever they needed them. Any further questions were answered as quickly as possible.
Controlling of recommendations
Under IntelSA, the OA-IA can make recommendations on the basis of its audit activities and submit these to the DDPS. The DDPS then ensures that these recommendations are implemented. If the DDPS rejects any OA-IA recommendations, it must submit them to the Federal Council.
The legal bases for intelligence services do not explicitly regulate verification of implementation of recommendations. The OA-IA agreed with the DDPS and the supervised authorities that the latter would keep the DDPS and the OA-IA informed of progress on implementation of OA-IA recommendations. Moreover, it was agreed that an annual meeting would be held with the supervised services in the presence of the intelligence advisor to the head of the DDPS to discuss pending and implemented recommendations. When the present annual report was published, 19 of the recommendations made by the OA-IA to the FIS and 4 of those made to the MIS were still pending. So far, the supervised services have implemented 150 recommendations since the OA-IA was established.
The OA-IA keeps a record of the recommendations that it issues. As part of the follow-up process, it receives regular updates from the supervised services regarding implementation. As soon as it receives notification that a given recommendation has been implemented, the OA-IA decides whether the implementation described is sufficient or whether the matter needs to be re-examined more closely. This review can either be included in another planned audit or made part of an additional audit. While the number of recommendations made per audit year was high in the past (2019: 63 recommendations), this number has decreased significantly since then (2022: 13). This was partly due to the fact that the OA-IA had heeded the CDel’s criticism that ‘too many recommendations would mainly create more red tape and lead to excessive regulation of intelligence services’.11 In addition, the OA-IA consistently pursued the approach of ensuring that its recommendations would provide tangible benefits for the supervision and management of the intelligence services. The result has been fewer, but more targeted and effective recommendations.
11 Annual report of the Control Committee (CC) and the Control Delegation (CDel) of 25 January 2022, p. 134 (BBl 2022 513)