The Independent Oversight Authority for Intelligence Activities (OA-IA) began its work in summer 2017, giving it five years of experience to build from. The 2023 audit plan was optimised accordingly and new approaches adopted. For example, the OA-IA has planned an audit to check the controlling procedures used to monitor implementation of its recommendations.
In 2022, the OA-IA also welcomed a new director and three new staff members. This means that 40% of our staff are new to the organisation and have only just begun their supervisory work.
From a technical standpoint, two audits proved particularly challenging for the OA-IA. One was an audit dealing with personnel issues within the Federal Intelligence Service (FIS) (‘22-14 Recruiting-, support and leaving process’). This audit was complex for several reasons: the large number of interviews conducted; analysis of the input given in these interviews; and a transformation project launched by the FIS Director, which also had to be taken into account in our reporting. The second challenging audit was Audit ‘22-18 Data collection by Cyber1 FIS’, which proved to be much more complex than expected as a result of current events and associated reporting on these events.
In 2022, the OA-IA set out to conduct fifteen planned audits for 2022 and two audits carried over from the 2021 audit period. Over the course of the year, it added three additional audits. In the year under review, all audit procedures of a total of 16 audits were performed. The final report on seven of these audits was drafted and sent to the Federal Department of Defence, Civil Protection and Sport (DDPS). For seven other audits, the report is still being drafted and will be formally completed in the first quarter of 2023. Additional audit activities are planned for three audits in 2023.
In the case of the FIS, the OA-IA conducted five audits (four audits of the cantonal intelligence services of Valais, Thurgau, Zug and Schwyz, plus ‘21-15 HUMINT’). One audit dealt with the Military Intelligence Service (MIS) and another audit with the Electronic Operations Centre (EOC). The OA-IA audited the MIS regarding sensor control and the EOC regarding business continuity management (BCM) and disaster recovery in IT operations.
1 Organisational unit specialising in the protection of critical infrastructures against threats from state actors from the internet/cyberspace.