Abstract

Digitalization has opened up completely new horizons for the public sector. Smart and systematically driven digital transformation can lead to a more effective, more efficient and more open state. Without proper governance, the increasing role of technology could change relations in a way that reinforces existing problems rather than dissipating them. The risks associated with these problems need to be managed.

Around 25 years ago, the development of e-governance was set as the goal of the Estonian public sector and the government started to systematically build up databases, create a safe environment for data exchange and digital authentication and promote the creation of e-services. It has been a challenge for the National Audit Office of Estonia (NAOE) to cope with this new situation in its dual role as an independent observer of these events but at the same time being subject to the same changes.

Externally, the NAOE has to ensure that all e-governance systems are functioning as planned and delivering the data they are supposed to be delivering, and that their development is not lagging. Internally, the creation of new skills, tools, products, communication and possibly even a new approach to auditing is needed.

Digital transformation has become a horizontal topic for the NAOE. There are a number of audits conducted by the NAOE which deal with digitalization and new technology issues. The case of the NAOE illustrates that supreme audit institutions also have a number of roles and functions in this changing world, whether that be highlighting problems, providing solutions or supporting good governance, but also certainly in changing themselves.

 

Key words: digitalization, e-governance, Estonia, data, auditing

 

1. Digitalization, governance and supreme audit institutions

New technology and digital innovations have penetrated into our everyday tasks and interactions and reshaped our society, economy, culture and lifestyle. These changes have affected the way we live, learn, work and socialize to a significant extent.

Over the last 25-30 years, most countries have incorporated digital agendas in their policy portfolio. In the last decade, the word “digital” has started to blink regularly on the radar of politicians and decision-makers all over the world. Every country and society can become a digital society, i.e. one where the creation, distribution, use and integration of digital information is a significant economic, political and cultural activity. Many governments are moving this process to the top of their political agendas.

Digitalization promises tremendous benefits, but it also raises complex challenges: new divides around access to and control of data, manipulation of information, cyber threats, inequality caused by the “digital gap”, etc. For example today, in 2019, well over half the people in the world are using the Internet on a regular basis and yet the “digital gap” remains between those who use the Internet as a tool for inclusive and sustainable growth for society and those who lag behind.[1] The situation in Europe is also unsatisfactory: 169 million Europeans aged between 16 and 74 – which amounts to 44% of all Europeans – do not have basic digital skills.[2] This means that a large proportion of the population cannot fully benefit from the advantages of the digital society. This in turn leads to lower competitiveness on the labour market. Every phenomenon can have both positive and negative effects, and digitalization is no exception. George Westerman, a research scientist with the MIT Sloan Initiative on the Digital Economy, has said, “When digital transformation is done right, it’s like a caterpillar turning into a butterfly, but when done wrong, all you have is a really fast caterpillar.”[3]

Digitalization has opened up completely new horizons for public governance as well by creating new opportunities, but also threatening with new risks.  Smart and systematically driven digital transformation in the public sector can lead to a more effectively functioning and a more efficient state – with more active civic participation, better policy-making, more open government, better administrative capacity-building, better public services and, last but not least, thoughtful use of public money.

All of these developments are important for supreme audit institutions (SAI) at both the practical and strategic levels. It has been said that technological development is faster than ever before, but it is more accurate to say that technological development will never be as slow as it is now. The train is already moving fast, and gaining more speed. SAIs must be on that train.

Cybersecurity, the digital gap, digital applications, big data, blockchain, interconnectivity, e-services, the broadband network, digital skills - 10 years ago, perhaps even less, these keywords did not feature prominently on SAI agendas.

SAIs have since realized the importance of this topic. The National Audit Office of Finland, with the assistance of the Turkish Court of Accounts, organized a very meaningful and interesting EUROSAI Emerging Issues Workshop in November 2018 in Istanbul[4]. To prepare for the workshop, the National Audit Office of Finland arranged a web-based dialogue for SAIs that raised the questions: What does the future look like to you? What are the most important emerging issues for SAIs?

One of the main conclusions was that technological advances ­–AI, advanced data analytics, automatization and robotization – get top priority in discussions as emerging issues. But in fact the future is already here: digitalization and new technologies are no longer “emerging issues”, but issues which have already emerged and which are becoming, in the world of auditing, as common as fighting fraud or inefficiencies in public administration.

Around 25 years ago, the development of e-governance was set as the goal of the Estonian public sector and the government started to systematically build up databases, create a safe environment for data exchange and digital authentication and promote the creation of e-services. This has certainly changed for the NAOE the audit environment as well as the ways in which we perform audits.

In the following chapters I will give a brief description, from the auditing point of view, of key aspects of the development of e-governance in Estonia and of the challenges and responses of the NAOE in relation to digital transformation.

 

2. Changes in the audit environment: an overview of the evolution of Estonia’s e-governance policy

Estonia’s competence in using digital technologies for the people’s benefit has evolved in parallel with the rapid development of information and communication technologies. In general, the government implemented what was referred to as development-driven policy-making, not policy-driven development. In the first decade of its e-government planning and implementation this was the main approach. Many e-government policy and strategy aspects were described only after the government had implemented them technologically.[5]

The main focus was on increasing citizens’ access to the Internet and improving digital literacy, while stimulating the development of new digital services. In 1996 the Tiger Leap Program was launched. This program was built on three pillars: computers and the Internet; basic teacher training; and native-language electronic courseware for general education institutions. In order to achieve these goals, the Tiger Leap Foundation was established in 1997. The first step was to provide all schools with computers and Internet access, which was achieved by 2001. Basic ICT courses for teachers were also organized: thousands of teachers participated in a 40-hour computer basics training course in 1997, with thousands more doing the same in subsequent years.[6]

The government took the decisive lead in managing the digital transformation. The idea was that the government was not just a user of technology with the aim of making public administration more efficient by implementing ICT, but that it also recognized that in order to achieve the full impact and inclusivity of the digital transformation, it needed to adopt a leading role in the development of the digital roadmap for Estonia. Digital solutions touch on all sectors and areas of life, so the sectors and expertise from these sources need to be engaged in the process and the process itself needs to be coordinated.[7]

The country’s initial e-government policy was only launched in 1998 when the principles of Estonia’s information policy were adopted by the Riigikogu (the Estonian parliament). The current strategy for e-Estonia, the Digital Agenda 2020, was approved by the government in 2013 and reviewed in 2018. Its four goals were:

1. ICT infrastructure that supports economic growth, the development of the state and the welfare of the population;
2. more and higher value-added jobs, improved international competitiveness and a higher quality of life;
3. smarter governance and proactive services;
4. promotion of exports and awareness of Estonia’s e-government.[8] 

Three elements (organisational arrangements, leadership and policy formulation) have been the key components in enabling and supporting the digital transformation process. In a lengthier discussion it should not be forgotten that changes to the legal framework and resources were needed in order to spark these changes. The starting point of digital transformation is important for auditors to understand so as to establish the proper context when designing audits and interpreting findings.

2.1 Principles of Estonian e-governance

For the same reason, i.e. to gain a good understanding of your auditing environment, the auditor must understand the goals and principles of the governance system or policy that requires auditing. This will help in the auditor’s choice of relevant criteria.

According to the UN definition, electronic governance or e-governance is the use of ICT to more effectively and efficiently deliver government services to citizens and businesses It is the application of ICT in government operations to achieve public ends by digital means. The underlying principle of e-government, supported by an effective institutional framework of e-governance, is to improve the internal workings of the public sector by reducing financial costs and transaction times so as to better integrate work flows and processes and enable effective resource utilization across public sector agencies aiming for sustainable solutions[9]. The definition given by the Cambridge English Dictionary explicitly adds to service provision and efficiency gains the aspect of the improved participation of citizens[10]. e-Governance has been a strategic choice for Estonia, whose e-governance policy seeks to grasp both aspects of the definition and take it further. The goals of the government are the transparent and efficient use of ICT in state administration (e-Administration), the active involvement of citizens in decision-making processes (e-Participation) and the provision of user-friendly public services online (e-Services). It also aims to improve the competitiveness of the country and in general to increase the well-being of its people. The government has been attempting to raise the level of trust among citizens in public organizations and the government, and also in technical innovations in the public sector. Eventually the government hopes to meet citizens’ expectations of modern, problem-free interaction with the government for obtaining public services and to raise the level of willingness among citizens to participate in decision-making processes.

In order to achieve these goals, the government has set seven principles for developing and running its e-governance ecosystem (see Table 1).

1. Integrity – Data exchanges, machine-to-machine communication, data at rest and log files are, thanks to blockchain technology, independent and fully accountable. 2. Transparency – Citizens have the right to view their personal information and check how it is being used by the government via log files. 3. Open platform – Any institution may use the infrastructure, which works as an open source. 4. No legacy – Continuous legal amendments and organic improvement of the technology and law.

5. Decentralisation – There is no central database  and every stakeholder, whether a government department, ministry or business, gets to choose its own system. 6. Interconnectivity – All system elements exchange data securely and work together smoothly. 7. Once only – Data are collected only once by an institution, eliminating the duplication of both data and bureaucracy.

Table 1. Principles of developing and running Estonia’s e-governance ecosystem[11]

The following are examples of what the government has done to achieve its e-governance goals and of where the key principles have been applied: [12]

1. e-Cabinet (example of e-administration): Information necessary for the decisions of the Government of the Republic (the Cabinet) can be queried directly from the e-Cabinet information system 24 hours a day. Avoiding the need to prepare extensive documents should reduce bureaucracy. The e-Cabinet is a multi-user information source and scheduler that keeps relevant information organised and updated in real time, while offering ministers an overview of each item under discussion.
    
2. Gateway to legislative drafting (example of e-administration): The information system established for legislative drafting which enables transparent and paper-free preparation of policy documents, draft laws and regulations. Citizens can also see which documents are open for public consultation and request updates on topics they are interested in.
    
3. i-Voting (example of e-participation): i-Voting is an additional voting method which is designed to increase accessibility to elections. It should not be confused with other electronic voting systems that only use electronic means of communication in a process of voting or recording the act of voting at a polling station. Since 2005 the i-Voting system has allowed citizens to vote at their convenience, no matter how far they are from a polling station. By mid-2019, Internet voting had already been used without any serious security issues on 11 occasions, and more than 40% of voters prefer this method. [13]
    
4. State portal (example of e-services): The state portal eesti.ee was established as a central gateway to government agencies and hundreds of public services. Once logged into the system with a secure and government-trusted electronic ID, the user does not have to repeat the log-in process in order to access any of the other services that are available.

For every auditor these government initiatives represent an intriguing list of audit topics. Along with the goals and principles, the auditor has an almost perfect description of performance audit criteria ­– but of course in reality their application in audits is not as straightforward, as we will later see.

2.2 Enabling the cornerstones of Estonia’s e-governance

In addition to policy goals and principles there are also core components –­ major cornerstones – which support the processes of delivering government e-services, exchanging information and facilitating digital data management. These cornerstones are the eID (secure digital identity) and X-Road (the secure data exchange layer for information systems).[14] It should also be mentioned that the existence of these cornerstones has changed the ways in which NAOE auditors can conduct audits and interact with the existing e-governance ecosystem.

2.2.1 Secure digital identity

Today, every Estonian has a government-issued digital identity. Thanks to the national electronic identity scheme (eID), the country has managed to solve one of the key problems of e-governance: how to authenticate people without actual physical contact at the nationwide level.[15]

eID enables users to be digitally identified by information systems and to safely sign all kinds of documents. Since 2000, a digital signature has had the same legal value as a conventional signature in Estonia. Nearly 50 million digital signatures are given annually in the country, which is more than the entire European Union put together. The ID card and its capabilities can be used by both the people of Estonia and e-Residents.[16] eID was the first cornerstone of e-Estonia and it enables citizens to benefit from safe, convenient, fast and problem-free e-services. 

Secure digital authentication also allows auditors to be sure of the authenticity of digital documents, data and other digital evidence, which saves a lot of time during audits. At the same time, an obvious audit question arises here: Is the eID system as a whole trustworthy? This system comes under the regular monitoring of the NAOE and is a highly ranked audit topic for inclusion in our annual work programme.

2.2.2 X-Road – secure data exchange

All public organizations tend to have their own information systems with which to manage databases relevant to the state and provide public services for its citizens. They run on different systems designed to best suit the function of their organization. These databases are like islands, lacking connections to other databases.To cope with this challenge, the X-Road data exchange platform was established. This platform was initially used solely for making queries in national databases. Now it is also used as a platform for securely amending data in a number of databases, for the transmission of large data sets and for executing searches across databases.

The X-Road system works like a secure open-source highway for data traffic. It links public and private databases, which are held in a distributed manner, providing access 24/7 upon request. The lack of a centralized master database is the unique aspect of Estonia’s e-governance. Every institution manages its own processes, and government institutions can decide independently which platforms and technologies they will link to the X-Road. The system ensures that data exchange between organisations and information systems is interoperable; in other words, able to work together so as to enable the “once-only” principle of data collection wherein data are requested from a citizen only once.[17]

The open-source backbone of e-Estonia, the X-Road is an invisible and crucial environment. It has been estimated by the government that it saves more than 1400 years of working time for the state and its citizens annually. [18]

How does the invisible X-road work? For example, when using eID and logging in to the Tax and Customs Board (TCB) portal, you can permit the system to extract the necessary data automatically from the Population Register and create a connection with a bank account to pay the necessary taxes in the required amounts. In this way, a pre-populated tax declaration is prepared that can be submitted with just one click. This takes around three minutes in total, while data from different portals can be viewed or accessed only by the relevant citizen (i.e. the TCB cannot view your account balance in the bank, and so on).

Textbox 1. Example of X-Road[19]

The NAOE also uses the X-Road system to exchange documents. The system’s options allow the NOAE to avoid having to develop its own super database for auditing, and hopefully at some point we will have real-time access to all of the data we need from our office information system.

2.2.3 E-services

These cornerstones, along with data management, established the conditions necessary for the development of e-services. This has led to a situation where almost all state services involving digital data exchange in Estonia are available online 24/7. People trust e-solutions, which results in widespread usage.

Even though 99% of public services involving digital information exchange are available digitally at this point, the government is striving to reach the next level, which means the provision of proactive services, or so-called invisible services, by relying on the efficient use of data that the state already has. Proactive service delivery means that the government starts providing a service without waiting for citizens to request it.[20]

The government has defined 15 life-event and business-event services to start with. Such events – for example the birth of a child, retiring and social benefits – are essentially designed to be transactions that can be completed as seamlessly as possible for the user. This means that life-event or business-event services are activated with a maximum of one interaction, or ideally automatically based on the events taking place in a person’s life.

In October 2019 the Social Insurance Board of Estonia launched its first proactive service, wherein parents can use the family benefits service without submitting a traditional application. The board has set itself the goal of developing all of its services based on the principle that once the state has the necessary information, it no longer has to ask the person for it. Proactivity in services means that, for example, when a family has a child, entering the child in the Population Register activates all subsequent services without the parents having to apply for them. This is also important because it reduces administrative costs.

Textbox 2. Example of proactive service provision

This level of e-services means that for the NAOE there is no field of government operations in which IT aspects are irrelevant. To date we have focused our attention on critical services like e-health (see below for more details), where we look at how a particular service is provided. In the systems approach, our auditors need to ask whether the government has considered every opportunity to utilize the technology as well as existing IT systems for better service provision.

2.3 Data management and databases

Another element in the mix of proper e-governance is efficient and secure data management. The government and municipalities hold a large amount of digital data in different information systems and more data are generated through the provision of e-services and the development of information systems. Digitalization in the public sector opens up new horizons for more effective policymaking through the smart use of digital data. It will also provide policymakers, evaluators and auditors with improved and possibly automated evaluation of national strategies, which as a whole should lead to the creation and delivery of new and improved e-services.

2.3.1 Data for better governance

Nobody is likely to argue that reliable, accessible and timely data are anything less than critical for better governance. Taking data into account is crucial for policy implementation and decision-making, for monitoring the progress of achieving strategic goals and targets, for designing and implementing new public services and, lest we forget, for ensuring meaningful accountability and facilitating participation.

Digitalization of the public sector and public services has provided data that allow us to effectively monitor and audit the progress of national policies. Moreover, it is also creating unique opportunities to integrate and even go beyond the national level, for example monitoring the implementation of sustainable development goals and targets as well (or, if needed, designing new and more relevant indicators).

Digitalization has provided a powerful new tool for more effective governance and planning. The digitalization of information exchange in the public sector, interconnected information systems and digitalized e-services have created a policy-making environment that enables the government to make better-informed decisions more quickly. Decision-makers can analyse the continuous and massive flow of data in different formats, referred to as Big Data.

Another important aspect is that in principle the government can obtain information about almost any policy area in real time. Up-to-date and easily accessible data provides an opportunity for dynamic national strategic management and policy implementation. Digitalization makes it possible to start measuring progress in many cases in real time and to implement data-intensive indicators.

Unfortunately, our audits and analyses indicate that the public sector in Estonia does not take full advantage of the opportunities that digital data offer. This is due to gaps in ability, legal restrictions on the use of data (especially in the case of personal data) and often also ethical dilemmas. For example, the NAOE is now dealing with concrete ethical dilemmas regarding the use of big data and profiling in audits in which we plan to experiment with advanced data analytics. But despite the challenges and problems, digitalization has increased the efficiency of the public sector in Estonia by considerably reducing the time taken to obtain and process different types of information, and the NAOE must keep pace with this.

In recent years, the NAOE has audited the databases of and use of data by public institutions. I would like to highlight two examples:

1. Use of the welfare data collected by local authorities (December 2019): The NAOE audited the collection, management and use of the information required for the organization of social services and benefits by local governments. The focus was on the information collected from individuals and the bureaucratic burden this created for the local authorities. The audit also analysed how the information collected by municipalities is used by the state and the collateral burden on municipalities.

This is important because a lot of information is collected in the field of social welfare. This is understandable, as situations are often complex, and many aspects need to be considered in order to find the best solution to help a person. At the same time, collecting data from individuals entails a considerable burden, so care must be taken not to collect information that is not really needed or that is already available. Well-organized information management also helps to reduce bureaucracy, improve the quality and cost-effectiveness of services and develop new services.

We found that neither the collection of information in the context of municipal social work nor the management and use of this information is currently well organized. There are uncoordinated or inadequately resolved issues at the municipal and state levels that deepen problems. The result is both excessive burden and the fact that information is not being used in the best way. A lot of unnecessary information is collected, because of which the “once-only” principle is not working. The current situation is also a good example of how unresolved problems in information system design, running and development are beginning to negatively affect the development of e-governance.

2. Overview of the databases kept in towns, cities and municipalities (2017):[21] The NAOE audited which databases are kept by local governments, whether they comply with requirements, what the practice is for registering databases and whether the state supervises them.

It is important to taxpayers to have an overview of the data that are collected about them, to know why the data are collected and to know that such data are prudently kept. The other interest of the taxpayer is to have easy and convenient access to public services without becoming entangled in technical details, such as the need to constantly submit data to a local government (or to constantly request them).

As a result of the audit we found that local governments have hundreds of databases between them, but that they are not taking advantage of the technical possibility for secure data exchange via the X-road or that the selected manner of maintaining the database (e.g. on paper) does not support data exchange. No supervision authority has included the supervision of local governments in its work plan. Supervision competency has been repeatedly transferred from one agency to another, but there have been no assessments of how this has improved supervision. The audit report also noted that national registers have been structured according to the needs of the state and that the data required by local governments have not always been considered.

To support improved data management and the use of advanced data analytics in the public sector, the NAOE will be issuing an audit report in early 2020 about the availability and use of data for smart state management. With the help of this audit we hope to find answers to the questions: What is the state of play in the conducting of advanced data analytics by public institutions? What are the main obstacles or barriers to conducting advanced data analytics on a larger scale?

2.3.2 Application of e-governance to monitor government actions

Digitization and easy access to data also make it possible to create more effective monitoring systems. It is commonly understood in the INTOSAI community that SAIs play an important role in reporting on progress in achieving SDGs.  Although it is not an initiative of the NAOE, let me give a practical example of how digitalization, e-governance and functioning data management can provide an effective way of tracking progress towards SDGs.

Statistics Estonia is responsible for providing internationally comparable national data on moving towards international and national strategic goals. To that end, it has built-up a national data platform that serves as a central repository for all national data and it uses real-time data from national databases through the X-Road data exchange platform. Based on this repository, Statistics Estonia launched in October 2019 a new web application called the Tree of Truth[22]– a gauge of important national indicators, giving a simple, honest and objective picture of how the country is doing. The Tree of Truth compares results using the 135 measurable indicators included in the government action plan 2019-2023 (short-term goals), the reform programme Estonia 2020 (medium-term goals) and the Estonian National Strategy on Sustainable Development ‘Sustainable Estonia 21’ (long-term goals). The tree displays data from 15 activity areas and the results are visible as leaves coloured green (goal achieved), yellow (some progress made) or red (significant catch-up needed).

The comparisons visualised on the Tree of Truth are a good basis for planning strategic activities and analysing results currently and in the future.[23] The application also facilitates the work of the NAOE by indicating problems, but it also calls for explanations as to why indicators are showing these particular results. This is where an audit can and should shine a light.

Statistics Estonia launched in October 2019 a new web application called the Tree of Truth https://tamm.stat.ee/

 

3. National Audit Office of Estonia and digital transformation

As shown above, the audit environment has changed for us in the last few decades. This has posed a challenge to the NAOE to cope with the new situation in a dual role as an independent observer of events but at the same time as subject to the same changes.

The vision of the NAOE has been that our office should be at the forefront of change and benefit from them. Everything that happens in the public sector must be, and has been, on the horizon of the NAOE. In previous sections I pointed to some of the impact that digitalisation has had on our audit activities and issues awaiting audits. The ongoing changes related to the digitalization and development of new technology bring with them ever more challenges and new risks, but also enable us to make the work of our office more efficient and effective. The NAOE needs to catch and ride the “wave”.

3.1. Digital transformation – benefits for the NAOE

The digitalization of information exchange in the public sector, interconnected information systems and digitalized e-services have created an environment that, if operated properly, will allow the NAOE to obtain information about almost all policy areas in real time. Just to give a few examples of the use of money in different sectors, of public service users, of costs of services, of the input and output of processes, etc., it provides an opportunity to analyse data across areas and from different angles or to connect different kinds of data, as well as to view effective contracts, invoices, the implementation of the budgets of public entities and more without leaving the NAOE building. The law has provided auditors with easy access to massive amounts of data. The NAOE does not have to download data on its server or create parallel information systems. In most cases we have access in real time. This makes it possible for us to remain as informed as ministries and other public authorities.

Easy and fast access means that efficiency gains in planning and conducting audits should follow. Less time and fewer auditors should be needed and more audits should be able to be conducted. The adoption of new technologies has the capacity to notably reduce the amount of manual operations carried out by auditors, thus saving time.

For example, the digital transformation has significantly changed the way in which financial auditing is organized in the case of both the annual evaluation of the consolidated annual financial report of the state and other kinds of financial audits. Any information needed for financial auditing from different databases is available for financial auditors using the Internet and virtual private network (Image 1, page 14). The data is easily accessible and able to be processed, because all government entities have moved their accounting to one system and almost all invoices at the government level are e-invoices.[24] Actual field work is only very rarely needed. Compared to the pre-digital transformation era, there is no need for a high number of financial auditors, and this has led to a significant reduction in staff numbers at the NAOE over the past 20 years. The new challenge is designing and implementing more automated controls and analyses of data in the audit process.

Image 1. Financial auditors have remote access to all of the databases necessary for conducting the financial audit.

New technologies also provide an opportunity to increase the impact of audits. Visualization and IT tools make it possible to create more understandable reports. Displaying information in visual form makes it easier to explain a problem. Digitization and new creative applications have also made it easier to create visual stories in these reports. Moreover, digital tools can be created for auditees as a result of an audit.

For example, in 2016 the NAOE conducted an audit about the condition of local government real estate and related investment decisions[25]. We used and combined data from various digital databases and gained a very good overview of the condition of buildings and facilities all over Estonia. Our auditors concluded that the audit results were not worth presenting solely as a descriptive story or simply in PDF format, so in cooperation with Statistics Estonia they created an application[26] in which each local government or inhabitants thereof could look at the situation of their local government facilities and how this affects the quality of services. In addition to being used as a tool, it also helps visualize audit results more effectively.

Digitalization and easy access to data increase opportunities to make more sophisticated analyses through the skilful use of data. As early as in 2012, the NAOE conducted an audit titled “Prevention of corruption in the transactions of municipalities and cities”[27] scrutinising local government transactions with a high risk of corruption. We audited the economic transactions performed by local authorities to ascertain whether officials have abstained from involving themselves in transactions that are prohibited under the Anti-corruption Act. This audit was conducted by analysing combined data from the electronic Population Register and the electronic Commercial Register.

Good, fast access to data does not only mean opportunities for the NAOE, but also obligations. Collecting information and verifying its accuracy no longer takes as long as it did a decade ago. The NAOE can use large amounts of data and foresight, conduct advanced data analyses and so on. Thus, the work and results of the work of the NAOE cannot be the same as they were 10 years ago: the rapid availability of information means that we also need to increase the pace of our working processes. At the same time, the NAOE needs to use its capacity to generate more added value using new techniques. The developments of the e-state in our audit environment also require us to rethink our work and create a response capacity corresponding to the e-state. For this purpose two things are needed: one external and one internal. Externally, the NAOE has to ensure that all e-governance systems are working as planned and delivering the data they are supposed to be delivering, and that the development of the systems is not lagging. Internally, the creation of new skills, tools, products, communication and possibly even a new approach to auditing is needed.   

3.2. Digital transformation – need for new skills

New challenges mean the need for new skills. Technological development has changed and continues to change the work of auditors. “Traditional” audit methods focusing on long-defunct ex-post events can prove inadequate if the audited entities have adopted new technological solutions. A great number of processes in the public sector are completely digital, so it is inevitable that audits are conducted in the digital environment – directly within information systems, where applicable – using advanced CAATs (Computer Assisted Auditing Technology) by applying a variety of controls, making (digital) extracts, analysing logs, looking for patterns, etc.

The adoption of new technologies can notably reduce the amount of manual operations carried out by auditors and thus save time. However, it requires auditors to undergo training in the relevant fields and amend their working methods. For example, a financial auditor should acquire a great deal more IT skills for performing operations within financial accounting systems. The NAOE provides this training to our auditors and considers the current ability of our auditors adequate for their tasks.

If auditees have adopted new technological solutions, the auditors should be able to understand these new technologies and carry out corresponding audits to a certain extent. Several new technologies (like blockchain) are complex in nature, meaning that substantive auditing of the implementation and use of such technology requires the involvement of external technical experts (in this case, cryptography experts). It is also important that auditors are able to identify situations that require the involvement of relevant external experts. 

Digital transformation in the public sector has led to a situation where every auditor also needs to be something of an IT auditor. For example, when financial auditors from the NAOE are evaluating the consolidated annual financial report of the state, they must also assess the reliability of accounting systems and other relevant information systems. This means completely new requirements and competences for financial auditors.

Irrespective of these challenges and problems, digitalization has increased the efficiency of the public sector. As a by-product, it has made it possible for the NAOE to do its job more effectively and more efficiently. As I already said, real-time access to topical data gives the NAOE a substantive opportunity to share expertise and experience in decision-making processes proceeding from our role. Last but not least, the traditional auditor’s skill of “asking the right questions” and “picking the right topics” are still very much alive and are even more relevant when the pace of the audit process increases.

 

4. Digital transformation – new challenges and new risks for auditing

As shown above, the scope of digital transformation is overwhelming. New technologies have reached every sphere of public administration and there is hardly a single audit topic that bears no relation or potential relation to digitalization or advanced data analytics. There are a number of audits conducted by the NAOE that either directly or indirectly deal with digitalization and new technology issues. The digital transformation and the introduction of new technologies have become horizontal topics, and the NAOE has recognised this by looking at IT aspects in nearly every audit we conduct.

For each of our audit ideas, we test whether there are significant risks related to information technology that, if realized, will have a negative impact on the provision of public services, governance or accounting.

If the auditing of IT aspects is planned systematically from the outset in audit plans, then there is a good opportunity to conduct meta-analyses (e.g. a landscape review type of product) of the performance of the government in implementing the new technologies, to discover systemic problems and to make high-impact recommendations to the administration.

The NAOE submits an annual report to the Riigikogu on the most important national issues selected by our office. Our 2019 report focused on macro issues concerning the development and sustainability of Estonia’s e-governance ecosystem and sought to give answers to questions as to how Estonia’s e-state is functioning and whether the e-state remains healthy.[28]

In the following paragraphs I will give examples three highly important audit topics – cyber security; IT investments; and e-services – in regard to which the NAOE has been conducting audits for a number of years.

4.1. Auditing of cyber security

Cyber security[29] is one of the most important topics for every country when it comes to e-governance. High dependence on ICT infrastructure and e-services prompted the Estonian government ensure that electronic solutions would not be an Achilles heel for society, but instead a secure basis for modern development. In this context, cyber security is considered not a brake that restricts digitalisation, but an enabler that makes rapid digital innovation possible.[30]

The aforementioned X-Road interoperability network could be considered Estonia’s official “territory” in cyberspace and the national electronic identity scheme (eID) as the “passport” to this virtual territory, both of which need to be protected against threats. For e-services, the eID and X-Road are fundamental for ensuring the highest possible level of national cyber security. In 2007 the Estonian cyber security concept and the technologies it had already implemented were robustly tested in real life when the country experienced large-scale cyber-attacks against its entire ICT infrastructure. Internet service providers came under attack as well as government websites and email systems, online banking and other electronic services. This experience demonstrated that Estonia’s cyberspace is sufficiently protected and trustworthy and able to survive the damage.[31] But this cannot be taken for granted.

Since information about almost everything is kept digitally, cyber security is the key issue. One side of the challenge is the protection of data from involuntary disclosure or unauthorised processing. But even more important is the integrity of data: confidence that the data in information systems are protected from amendment and destruction. We can only imagine the confusion if somebody were able to amend digital data in the digital land register in an unauthorized way (e.g. changing the name of the owner of a property or size of a property), or if somebody amended data about a person’s blood group in the e-health information system – which in critical situations could be lethal to a person whose data were manipulated.

There should be a special focus on data protection because electronic data is generally perceived as less secure. Even if such a perception is not necessarily true, it may cause ignorant politicians or people to be wary of electronic transactions, or loopholes in data security to be abused. Law and technology should work together, with technical solutions employed to protect data, and the law obliging such solutions to be used.

Cyber security is the cornerstone of building trust in e-governance. SAIs have a clear role to play by conducting audits in critical areas and thus ensuring that the data in public databases are kept securely and information systems are maintained.

Over the years, the NAOE has conducted several audits focused on cyber security and has also audited cyber security-related issues horizontally in other audits. Two examples of relevant audits are as follows:

1. Guaranteeing the security and preservation of the critical state databases of Estonia (2018):[32] The NAOE audited how the government has selected the data and databases that are critical to guaranteeing national sustainability. We also checked whether and with which tools the security of these data and databases is guaranteed as well as whether and how the long-term continuity of the databases containing these data is guaranteed.

The importance of this topic is obvious: risk scenarios and the increasing number of information security incidents, such as cyber-attacks and data leaks, may also jeopardise the data and databases that are of the greatest importance to the state. If data of primary importance to the state are amended without authorization, or if they are leaked or destroyed, the state will no longer be able to perform the necessary functions.

The audit revealed that despite the implementation of the security system ISKE, there are significant deficiencies in guarantee information security in several critical databases, such as the analysis of logs, penetration testing and protection of mobile devices. The government has launched the activities required for the protection of critical data, but the critical databases project is at a stage where it requires a legally mandatory set of rules.

2. Implementation of a system of IT security measures in local governments (2018):[33] The NAOE audited whether the data entrusted to local governments are kept securely.

The NAOE audited this topic because the data collected from people are concentrated in the hands of the state and local government agencies. The possibility to develop better, more convenient and cheaper public services increases the quantity of data as well as the risk that the data will end up in the wrong hands, be destroyed, become damaged, etc. The databases of the state and local governments exchange data via the X-Road, which means that vulnerabilities to which no attention is turned in local governments are passed on and may cause damage on a much larger scale.

We discovered that the security of the data entrusted to local governments is not guaranteed as required. Risks related to IT security are still not acknowledged by many local governments, and as such, the requirements established by the state are not being complied with, even though they have been in effect for almost 10 years. State supervision is inadequate and does not compel local governments to act. Neither have the awareness-raising activities and financial support of the state led to the expected developments.

4.2. Auditing of IT investments

From the classical audit point of view, it is also absolutely necessary to pose efficiency questions in the domain of e-governance. This is especially the case because the level of risks in IT investments is usually greater than in other areas of public spending. Often the cost of IT projects does not remain within the limits of the budget, the deadline is significantly exceeded, the projects are interrupted or the assumed quality is not achieved. Compared to traditional infrastructure investments, both software and IT infrastructure investments are more complex.

SAIs also need to consider the risks associated with IT investments. This again means new challenges for auditors. In addition to asking, “Do the projects remain within budgetary limits?” or “Are the projects completed on time?”, auditors have to answer more specific questions: “Is the required functionality achieved?”, “Are the solutions user-friendly?” or “Is the method appropriate to achieve its aims?”

Assessment of the IT investments of an auditee’s information technology systems forms part of the NAOE’s work programme. Two examples:

1. Effectiveness of the development of a broadband network on high-speed Internet (2015):[34] The NAOE audited whether the state has made every effort to ensure that everybody can have unlimited access to high-speed Internet by 2020. We also analysed whether the network of fibre-optical cables or the basic broadband network which should guarantee a high-speed Internet connection has helped to achieve this goal.

We found that the opportunities of Estonian people and institutions to use high-speed Internet via a fixed network have not improved significantly (as at 2015). Mobile Internet providers have so far benefited most from the establishment of the basic broadband network. Making high-speed Internet accessible to all people in Estonia by 2020 is also rendered difficult by the lack of a clear action plan. The government has failed to agree on the rules of establishment and management of the basic broadband network with the developers of the network.

2. Management of software development risks in the public sector (2019):[35] The NAOE analysed why the state’s software development projects fail at times.

It has become evident that significant amounts of money are spent on software development and that the resulting software and information systems have an important role to play in the management of the public sector and in the provision of services.

As a result of the audit the NAOE described the 13 most common risks that should be prevented in the management of software development and highlighted success factors in software development on the basis of the assessment of the projects. 

4.3. Auditing of e-services

In a situation where almost all public services in Estonia are available digitally and e-services are widely used, the functioning of the state depends on operational services and exchange of information between the government-to-citizen, government-to-business and government-to-government functional e-services environment. It is unacceptable if e-services are unavailable, unreliable or difficult to use.

Assessment of the e-services of an auditee’s information technology systems forms part of the NAOE’s work programme. Two examples:

1. Usability of public e-services (2016):[36] The NAOE studied four information systems to determine whether the eight e-services they provide are high-quality and create added value, i.e. save time and money for the agencies that provide them and the people who use them. The NAOE also analysed whether the agencies measure the usability of services and use the information they obtain to improve usability.

It is important for the users of e-services that the quality of the public services provided by the state is good and that they are reliable and allow users to communicate with state agencies easily and conveniently (without spending an excessive amount of time or money doing so) and to make use of the services and benefits provided.

The NAOE holds that the state must turn more attention to harmonizing the usability of public e-services, because state agencies have a different understanding of the development of an e-service that is user-friendly, high-quality and state-of-the-art. Although the Ministry of Economic Affairs and Communications has developed many recommendations for harmonizing the quality of e-services, the agencies have not followed them to a sufficient extent. The development of public e-services is fragmented and needs stronger central guidance.

2. Activities of the state in implementing the e-health system (2014):[37] The NAOE assessed whether the objectives set for e-health – the higher quality of the health service and the more efficient organisation of health care – have been achieved. The four main e-health projects were reviewed in the audit: Electronic Health Records; Digital Prescriptions; Digital Registration; and Digital Images. The problems encountered in the development and implementation of e-health and the reasons for these problems were also studied.

The importance of this topic stems not only from e-governance but also from demographic changes. Estonia’s population is aging, and the proportion of elderly people is increasing, as fewer children are being born and people are living longer. This creates a constantly growing need for health care and social services, and patients are also becoming more demanding about the volume and quality of the services provided. More extensive and systematic implementation of e-health solutions helps make the health system more efficient, improves people’s health via more effective prevention, raises the awareness of patients and also contributes to the more reasonable use of health resources. E-health solutions also save patients time.

The audit concluded that the e-health objectives have not been achieved, as despite the initial plans, the data in the e-health system still cannot be used for treatment purposes, national statistics, keeping registries or supervision. Digital Prescriptions represent the only e-solution created by the state that is actively used. The use of the Electronic Health Record and Digital Images has been modest and Digital Registration has not taken off in the five years since its completion. The reason behind the weak launch of e-health is the aimless and random activity of the Ministry of Social Affairs in the performance of its role as strategic manager in the development and implementation of e-health.

4.4 Setting up audit criteria: the e-State Charter

The NAOE has also taken the lead in defining citizens’ rights in e-Estonia. In 2007 we audited the quality of public services in the information society and observed that although legislation prohibits the excessive burdening of people and allows for electronic administration, our administrative agencies tend to continue to provide public services in a manner that is convenient for officials, not for customers. The main conclusion of the audit was that people are “given the run-around” more often than is appropriate in an e-state. In order to improve the situation, the NAOE decided to set out principles of delivering public services in a digital environment and at the same time establish for ourselves audit criteria.

The document was named the e-State Charter (2008) and it was designed to be used as a national standard for e-services^[38]. The charter lists the rights that people have when communicating with public agencies in the e-state. It enables public agencies to review their operations easily and systematically and to set clear and easy-to-measure goals for the establishment of administrative procedures that are more focused on citizens. The charter also covered the need for proper criteria for auditing and good guidelines for the public sector. The NAOE and the Chancellor of Justice updated the charter in 2018. In the current situation, where the majority of Estonian people communicate via ICT and information is often presented, stored and forwarded electronically, it is particularly important not to burden people unnecessarily and to ensure that electronic communication is simple.[39]

 

5. Future perspective – discovering an unknown landscape

New technologies and digitalization have made data accessible and governance more transparent. The media and citizens have access to information that was previously accessible only to governments or to SAIs.

Digital transformation is the result of natural evolution, which has led us to a new situation –an unknown land. These changes are altering how society and the public sector operate. While many changes are visible and positive, many are problematic, and the risks associated with them need to be managed. But there are many risks that are as yet invisible, and which are emerging in the process of developing new technologies. Nobel laureate and former World Bank chief economist Joseph Stiglitz once said, “We have to understand these new technologies better in order to get a clearer picture of where we are headed.”[40]

Digitalization may seem like a one-way road to a better future, but unexpected obstacles may and almost certainly will arise. Dependence on technology and information systems can significantly influence policy-making processes. In the case of Estonia, there have been a few cases where policy decisions have not been made or have been postponed because significant, time-consuming and high-cost changes to information systems are a prerequisite for implementing decisions. Thus, on top of social media manipulation issues, information technology can become yet another very practical – and governance-caused – problem for democracy and political decision-making. All such problems can be prevented or at least managed, but they are often unpredictable at the start of the journey. This concept of accepting the unknown can sometimes be incompatible with the classic auditor’s approach, in which certainty is expected.

Prime Minister Narendra Mody of India highlighted the positive impact of e-governance by saying, “E-governance can bring minimum government and maximum governance. It is easy, effective and economical governance. It brings empowerment, equity and efficiency of the economy. It is a very useful field that can be the greatest problem-solver of the people.”[41] I agree with this view, but the impact of digital development is not in and of itself positive. Joseph Stiglitz rightly emphasizes that digitalization has the potential to increase the productivity of the economy and, in principle, that this could make everybody better off – but only if it is well managed.[42]

Without proper governance, the increasing role of technology in our lives could change relations between people (and between people and institutions) in a way that reinforced existing problems rather than dissipating them. As the case of the NAOE illustrates, SAIs also have a number of roles and functions in this changing world, whether that be highlighting problems, providing solutions or supporting good governance, but also certainly in changing themselves.

 

 

References

BBVA; “Nobel Laureate Stiglitz explores the social challenges posed by the digital revolution”, 2018.  {https://www.bbva.com/en/nobel-laureate-stiglitz-explores-the-social-challenges-posed-by-the-digital-revolution/}

Cambridge Dictionary. {https://dictionary.cambridge.org/dictionary/english/e-governance}

The e-Estonia Briefing Centre; E-Estonia. Building blocks of e-Estonia, 2019. {https://e-estonia.com/solutions/}

The e-Estonia Briefing Centre; E- Estonia. E-Governance, 2019. {https://e-estonia.com/solutions/e-governance/}

The e-Estonia Briefing Centre; E-Estonia guide. {https://investinestonia.com/wp-content/uploads/eestonia-guide-veeb.pdf}

The e-Estonia Briefing Centre; E-Estonia. Factsheet, 2019. {https://invest.gg.go.kr/wp-content/uploads/sites/29/2019/01/1.e-estonia.pdf}

The e-Estonia Briefing Centre; i-Voting. Factsheet, 2019. {https://e-estonia.com/wp-content/uploads/2019sept-facts-a4-v02-i-voting.pdf}

European Commission; Digital Single Market. Factsheet, 2017. {https://ec.europa.eu/digital-single-market/en/news/digital-skills-gap-europe}

The e-Governance Academy; E-Governance. Factsheet, 2019. {https://e-estonia.com/wp-content/uploads/2019sept-facts-a4-v03-e-governance.pdf}

The Information Technology Foundation for Education; Historical overview 1997-2017. {https://www.hitsa.ee/about-us/historical-overview/1997-2000}

Ministry of Economic Affairs and Communications; Digital agenda 202 for Estonia, 2018. {https://www.mkm.ee/sites/default/files/digital_agenda_2020_web_eng_04.06.19.pdf}

MIT Sloan Executive Education Blog; The digital business transformation imperative.  {https://executive.mit.edu/blog/the-digital-business-transformation-imperative#.XbrlqEl7kcQ}

MODI, Narendra; “India should become a digital India, which is a knowledge-based society and economy”, 2014. {https://www.narendramodi.in/india-should-become-a-digital-india-which-is-a-knowledge-based-society-and-economy-5977}

The National Audit Office of Estonia; Activities of the state in implementing the e-health system, 2014. {https://www.riigikontroll.ee/tabid/206/Audit/2311/Area/21/language/en-US/Default.aspx}

The National Audit Office of Estonia; Effectiveness of the development of a broadband network or high-speed Internet, 2015. {https://www.riigikontroll.ee/tabid/206/Audit/2346/Area/4/language/en-US/Default.aspx}

The National Audit Office of Estonia; Ensuring the security and preservation of Estonian national databases of critical importance, 2018. {https://www.riigikontroll.ee/tabid/206/Audit/2462/language/en-US/Default.aspx}

The National Audit Office of Estonia; E-state charter or Everyone’s rights in e-state, 2018.

{https://www.riigikontroll.ee/Riigikontrollipublikatsioonid/Muudpublikatsioonid/Eharta/tabid/305/language/en-US/Default.aspx}

The National Audit Office of Estonia; Implementation of system of IT security measures in local governments, 2018. {https://www.riigikontroll.ee/tabid/206/Audit/2466/language/en-US/Default.aspx}

The National Audit Office of Estonia; Management of software development risks in the public sector, 2019. {https://www.riigikontroll.ee/tabid/206/Audit/2488/language/en-US/Default.aspx}

The National Audit Office of Estonia; Prevention of corruption in the work organisation of rural municipalities and cities, 2012.

{https://www.riigikontroll.ee/tabid/206/Audit/2269/OtherArea/1/language/en-US/Default.aspx}

The National Audit Office of Estonia; Overview of databases kept in municipalities, towns and cities, 2017. {https://www.riigikontroll.ee/tabid/206/Audit/2420/language/en-US/Default.aspx}

The National Audit Office of Estonia; Overview of local governments’ real estate and its management, 2016. {https://www.riigikontroll.ee/tabid/206/Audit/2413/OtherArea/1/language/et-EE/Default.aspx}

The National Audit Office of Estonia; Usability of public e-services, 2016. {https://www.riigikontroll.ee/tabid/206/Audit/2411/language/en-US/Default.aspx}

ROOSNA, Sandra; RIKKE Raul (eds); e-Estonia: e-Governance in Practice, e-Governance Academy, Tallinn, 2019.

Riigikontroll. Ülevaade riigi vara kasutamisest ja säilimisest 2018.–2019. aastal, 2019. {https://www.riigikontroll.ee/Riigikontrollipublikatsioonid/Riigikontrolliaastaaruanneparlamendile/tabid/110/language/et-EE/Default.aspx}

SAMPLE, Ian; “Joseph Stiglitz on artificial intelligence: “We’re going towards a more divided society””, The Guardian, 2018. {https://www.theguardian.com/technology/2018/sep/08/joseph-stiglitz-on-artificial-intelligence-were-going-towards-a-more-divided-society}

Statistics Estonia; The Tree of Truth shows how Estonia is doing, 2019. {https://www.stat.ee/news-release-2019-123}

United Nations. Department of Economic and Social Affairs; UN E-Government Knowledgebase. {https://publicadministration.un.org/egovkb/en-us/About/UNeGovDD-Framework#whatis}