Audit plan
The OA-IA performs risk-oriented audits in the following areas:
- Strategy and planning
- Organisation
- Cooperation
- Information gathering
- Resources
- Processing and data storage
The audit plan is designed to ensure that each area is audited at least once a year.
Audits conducted in 2024
The OA-IA’s annual report is continuously evolving and therefore contains some new features this year:
- The annual report contains a summary of each audit that was officially completed (i.e. confirmed by the head of the Federal Department of Civil Protection, Defence and Sport DDPS) by 31 December 2024. For ongoing audits, the report outlines their objective.
- Each audit summary contains a table with four time-related items of information: the date the audit started (mandate); the date the draft report was sent to the audited service for comments (consultation); the date of the final report; and the date the audit was officially completed. The table also indicates the duration of the audit (if completed) or its current status (if ongoing). Finally, the table indicates the number of interviews (oral or written) conducted up to 31 December 2024.
Strategy and planning
In the area of strategy and planning, the OA-IA examines issues relating to the short, medium or long-term strategic planning of the Swiss intelligence services and their objectives. The following audit was planned for 2024:
[24-1] Artificial intelligence (AI) at the FIS
In this audit, the OA-IA is examining whether the FIS acquires, uses and controls this technology in accordance with the law and in terms of effectiveness and expediency. The OA-IA carried out preparatory work in 2024 and will conduct the actual audit in 2025.
Organisation and tasking
In the area of organisation and tasking, the OA-IA examines the adequacy of the structure and processes of the intelligence services and asks whether they enable the intelligence services to fulfil their mandate in a lawful, expedient and effective manner. In 2024, the OA-IA carried out the following audits in this area:
[23-2] Legal services of the FIS
Mandate | Consultation | Final report | Official completion | Interviews conducted |
10.08.2023 | 15.05.2024 | 05.08.2024 | 25.09.2024 | 40 |
Compliance with the law is particularly important in the field of intelligence. If the FIS or its employees do not act in accordance with the law, fundamental rights – such as data protection, privacy or trade secrecy – may be violated. On the other hand, if the FIS does not make full use of the legal framework for conducting intelligence activities, Switzerland’s security may be compromised and its reputation damaged, leading to a loss of public confidence in the institution. For this reason, the OA-IA decided to examine the effectiveness and expediency of the tasks, powers and responsibilities of those providing legal services at the FIS.
For this audit, the OA-IA interviewed members of staff from different departments and with different functions on five areas covered by the audit. It also inspected various documents. The OA-IA found that although the FIS provides mandatory training to its staff, the implementation of the training policy could be optimised in all organisational units following the transformation of the agency. Like other bodies of the Federal Administration, the FIS may draw on external expertise. However, in recent years, it has only awarded a few specific external mandates for legal services, suggesting that its own resources are sufficient.
Legal services are provided particularly by the organisational units responsible for quality assurance, compliance and legal services. The OA-IA found that there is a need for action in all three areas, or at least that certain areas require greater attention in light of the ongoing transformation.
The OA-IA made two recommendations concerning the activities of the Compliance Unit and their accountability, the active involvement of the Legal Service in certain matters, and work processes. The current structure and competences of the Legal Service do not allow it to meet the requirements and expectations of the service. Addressing this will require more than simply updating the job description of the head of the Legal Service. The last formal compliance audits took place in 2021. At that time, only the Reporting Office was being actively supported by the Compliance Unit, but there is no record of this activity. With regard to the Quality Assurance Unit, there is a high turnover of legally trained staff, who need to be replaced as soon as possible in order to address the backlog of work in updating documentation.
[23-4] Service Continuity Management (ITSCM) and Disaster Recovery at the FIS
Mandate | Consultation | Final report | Official completion | Interviews conducted |
13.02.2023 | 11.01.2024 | 06.02.2024 | 06.04.2024 | 4 |
In this audit, the OA-IA examined whether the FIS has effective and appropriate procedures in place to deal with emergencies in IT operations, so that the critical business processes of the FIS can be guaranteed and its data recovered.
Major unforeseen incidents such as fires, floods and criminal activity pose a threat to every organisation and can cause damage – particularly to IT infrastructure – that is far worse than a simple loss of service. Organisations therefore need to ensure that they have business continuity management (BCM) in place, which analyses the risks posed by an incident with the aim of minimising its impact on critical services and business processes.
Given the heavy reliance of business operations on information technology, the existence of a resilient IT infrastructure is essential to the survival of an organisation. ITSCM, together with BCM, ensures that even in the event of major incidents, the IT services that the organisation has identified as critical can be delivered. It does this by assessing and implementing measures to be adopted in the event of an incident (strengthening resilience and response). ITSCM must ensure that information and communications technology (ICT) services and infrastructure are available after a failure or can be restored within an agreed period. IT Disaster Recovery, on the other hand, aims to restore ICT services and infrastructure after a failure.
Effective ITSCM must take into account current and specific risks. With increasing digitalisation and the status of data processing as the core activity of the FIS – and against the backdrop of potential energy shortages, increasing cyberattacks and a war in Europe – the FIS is more dependent than ever on the continuous and reliable operation of IT infrastructures. Furthermore, data loss threatens the FIS’s ability to fulfil its mandate.
BCM has already been the subject of a report by the DDPS Internal Audit (Report I 2022-01 of 15 August 2022). One of the recommendations in the report called on the DDPS administrative units to update their BCM documentation. The FIS is working on the implementation of this recommendation. In addition, the management of the FIS has decided to wait until its transformation is complete before approving and implementing a new BCM plan. The OA-IA has therefore taken a cautious approach to BCM issues.
The OA-IA found that certain ITSCM documentation was missing due to insufficient IT governance within the FIS. Measures have been taken in this area, but only at a technical level. The FIS ICT unit has taken numerous measures to ensure business continuity in the event of a major incident. The planned measures are effective and proportionate to the situation. In particular, they ensure the redundancy of the ICT infrastructure and data security strategy, and minimise risks. However, there is no testing strategy, so it is not certain that the ICT delivery service would actually maintain its high level of stability in the event of a major incident. Furthermore, the ITSCM plan cannot be updated without extensive and regular testing. Recommendations were made in relation to ITSCM documentation and the organisation of testing.
[24-2] Intelligence activities by the Armed Forces Preventive Protection Service (AFPPS)
The aim of this audit is to examine the cooperation interfaces between the FIS and the AFPPS in order to identify intelligence activities. The OA-IA will therefore examine the legality, effectiveness and expediency of the cooperation between these two services.
In 2024, several interviews were conducted regarding the OA-IA’s responsibility for the oversight of the AFPPS (see News from the OA-IA office below). The actual audit will take place in 2025.
[24-3] Organisation of partner service contacts at the CEA
Mandate | Consultation | Final report | Official completion | Interviews conducted |
15.05.2024 | 12.11.2024 | 27.11.2024 | 02.12.2024 | 9 |
No intelligence service can identify and avert all threats on its own. Close and confidential cooperation with partner services is therefore essential. This also applies to the intelligence services in Switzerland and thus to the CEA (formerly the Electronic Operations Centre EOC). The fact that the CEA is a relatively small service, is not integrated into multilateral bodies (e.g. SIGINT Seniors Europe) and does not have access to all signal flows in the same way as other countries due to Switzerland’s geographical location, makes the CEA’s tasks particularly difficult. This makes bilateral contacts at the operational level with selected partner services all the more important.
These contacts are based on a give-and-take approach. When the CEA receives information from a partner service, it provides information of interest to that partner service in return.
Although this exchange is essential for the CEA, it involves risks and raises some questions. For example, the nature of the information exchanged could lead to unlawful actions on the part of the service. In addition, the process and the way in which contacts with partner services are managed also pose risks in terms of effectiveness and expediency.
For this reason, the OA-IA decided to review the contacts between the CEA and its partner services in 2024.
With regard to the legal issues, the OA-IA concluded that the CEA complies with the legal requirements and that it only maintains intelligence-related contacts with its partner services on behalf of the FIS. The vast majority of contacts with partner services are of a technical nature. When sensitive data are exchanged, the FIS Legal Service verifies the legal basis for the respective data exchange in advance.
With regard to the effectiveness and expediency of the partner service contacts, the OA-IA concluded that the existing contacts are organised and carried out effectively under the given circumstances. The approach to developing future partner service contacts in the areas of cyber and electromagnetic activities also appears to be effective and efficient. From a purely technical point of view, participation in international bodies in the field of SIGINT would promise more efficient partner service contacts. However, this cannot be decided at the level of the CEA or the FIS, but requires a fundamental political decision.
Based on the overall findings that the CEA strictly adheres to the legal framework and makes the best of its contacts with partner services, the OA-IA did not make any recommendations.
[24-11] Security aspects under Article 6 paragraph 7 of the Federal Act of 25 September 2015 on the Intelligence Service (Intelligence Service Act, IntelSA, SR 121)
Mandate | Consultation | Final report | Official completion | Interviews conducted |
16.10.2024 | 2 |
The FIS has a duty to protect its staff, facilities, sources and the data it processes. The OA-IA decided to audit how the FIS fulfils this obligation in certain areas.
This audit was not announced and will be completed in 2025.
Cooperation
The OA-IA examines cooperation between the intelligence services and national and international authorities. To this end, it audits individual cantonal intelligence services (CISs) every year. With the audit reports on Nidwalden (23-6 CIS NW) and Obwalden (23-7 CIS OW) and the publication of the summaries on the website, the OA-IA has now completed its audit of all 26 cantons and can draw a conclusion.
In the area of cooperation, the following audits were carried out in 2024:
[23-6] Cantonal Intelligence Service Nidwalden (CIS NW)
Mandate | Consultation | Final report | Official completion | Interviews conducted |
16.11.2023 | 15.02.2024 | 20.03.2024 | 10.04.2024 | 2 |
The OA-IA examined whether the cooperation between the FIS and the CIS NW is lawful, effective and expedient. It concluded that the FIS and the CIS NW cooperate well and that the CIS NW generally responds to FIS requests in a timely and substantive manner. However, the OA-IA had the impression that the CIS NW was not sufficiently aware of the need to separate the infrastructure of the cantonal police and the CIS. This creates a risk of information leaks. The OA-IA therefore made a recommendation to this effect.
The OA-IA also examined whether the personal data stored met the legal requirements in terms of relevance to the task, compliance with the data processing restrictions, and the accuracy and relevance of the information. The OA-IA found that outstanding data storage issues or technical issues relevant to data protection are not handled with the necessary diligence, and that it is not always possible to understand or trace the relevance of a task due to staff turnover. This creates a risk of unlawful data processing or leakage of information. The OA-IA has made a recommendation to this effect.
[23-7] Cantonal Intelligence Service Obwalden (CIS OW)
Mandate | Consultation | Final report | Official completion | Interviews conducted |
16.11.2023 | 15.02.2024 | 29.03.2024 | 16.04.2024 | 2 |
The OA-IA examined whether the cooperation between the FIS and the CIS OW is legal, appropriate and effective. The OA-IA concluded that the FIS and the CIS OW cooperate well on current issues and that communication is unbureaucratic and straightforward. The CIS OW fulfils the FIS’s mandates on time and in terms of the relevant content and resources. The OA-IA gained the impression that the CIS OW has good intelligence capabilities and the necessary qualities, as well as the conditions and motivation to fulfil its tasks.
The OA-IA also checked whether the personal data stored complied with the legal requirements in terms of relevance to the task, restrictions on data processing and the accuracy and relevance of the information. The OA-IA did not find any irregularities in this respect.
CIS audits in recent years
Between 2019 and 2024, the OA-IA carried out an audit of all 26 CISs. The basic audit strategy was the same for all CISs, but with additional, specific questions for each canton.
For 11 CISs there were no concerns. For the remaining 15, the OA-IA found room for improvement, particularly in data processing, resource management and the use of technical tools. All of the recommendations made in the last audit have been implemented, with the exception of one which is not yet due. Thanks to the measures taken by the FIS, some of the concerns raised by the OA-IA over the years have not been repeated. The OA-IA also found that a recommendation made to one canton sometimes also had an impact on other cantons.
Through these audits, the OA-IA has acquired detailed knowledge of the CISs, their activities and their individual characteristics. Some cantonal oversight authorities regularly send their oversight reports to the OA-IA, which provides the OA-IA with additional information.
The OA-IA has decided that, in future, CIS audits will no longer be based on standardised audit questions, but on risk-based considerations relating to specific topics in the individual cantons (see 7.1, OA-IA visits to the cantons).
[23-10] Cooperation between the FIS and private actors
Mandate | Consultation | Final report | Official completion | Interviews conducted |
05.09.2023 | 02.07.2024 | 15.08.2024 | 16.12.2024 | 7 |
The FIS cooperates with private actors. These can be private individuals, organisations or companies. Cooperation [with organisations or companies] in the administrative field is based primarily on the usual contractual relationships. In the operational field, it takes place with private individuals (known as ‘supporters’), who assist the FIS in fulfilling the tasks defined in Article 6 IntelSA.
Initially, the OA-IA investigated an issue that had been raised during an inspection by the Swiss Federal Audit Office (SFAO) concerning administrative cooperation between the FIS and organisations and private individuals. To this end, the OA-IA carried out spot checks on several ongoing service contracts between the FIS and various companies. It also carried out spot checks on payments in the FIS’s accounts, including the covert payments to undercover sources that appear in those accounts. In a second step, the OA-IA expanded its audit to payments made to individuals (supporters) for operational cooperation.
In particular, it analysed the legality of the mandates given by the FIS to private individuals according to the criteria defined in the IntelSA and IntelSO (Intelligence Service Ordinance). It also analysed the expediency and effectiveness of cooperation with private individuals by examining the FIS’s portfolio management and the lifecycle management of these private individuals.
The OA-IA also analysed risk management and tested various assumptions. This included looking at whether measures that generally require authorisation had been circumvented by giving mandates to private individuals, at unlawful behaviour by private individuals, at payments made without consideration, and at cooperation with private individuals whose reputation could damage the FIS.
The OA-IA found that the FIS’s supervision of private actors and its follow-up documentation were adequate and that there had been improvements in this area. However, it found that there was room for improvement in the handling of security breaches by private actors. It concluded that the practice of delegating certain operational tasks to private actors should be clarified. The OA-IA drew the attention of the FIS to these points, without making any recommendations.
[24-4] Cooperation between the FIS and the State Secretariat for Migration (SEM)
Mandate | Consultation | Final report | Official completion | Interviews conducted |
17.05.2024 | 18.12.2024 | 15 |
The OA-IA reviewed the cooperation between the FIS and SEM and examined whether their exchange of data is legal, effective and expedient.
Information gathering
Information gathering is a core task of the intelligence services. Various means can be used for this purpose. The OA-IA pays special attention to those that most deeply intrude into the privacy of the persons concerned. Every year, the OA-IA examines operations (OP) and intelligence gathering through human sources (HUMINT) due to the risks associated with these activities. In 2024, the OA-IA carried out the following audits in this area:
[23-11] FIS operations, operational inquiries and information-gathering activities requiring authorisation
Mandate | Consultation | Final report | Official completion | Interviews conducted |
04.05.2023 | 18.01.2024 | 13.02.2024 | 05.03.2024 | 4 |
Intelligence service operations (OPs) and operational inquiries (OPIs) are among the core tasks of the FIS. They are more complex than day-to-day operations and require operational management. OPs may involve information-gathering activities that require authorisation. The OA-IA regularly reviews OPs and OPIs, as their complexity often poses risks with regard to their effectiveness and expediency. It also regularly examines information-gathering activities that require authorisation, as these always involve a legal risk due to their invasion of privacy.
The OA-IA found no significant changes in the volume of OPs and OPIs compared to the previous year, nor in the topics covered. The OA-IA also re-audited a number of long-running but now completed OPs and OPIs: the OA-IA considers that this is appropriate and should be continued in the future.
On the basis of the audits, the OA-IA found nothing to indicate that the five OPs and eleven OPIs had not been carried out in a legal, effective and expedient manner.
The OA-IA also examined whether the relevant decisions of the Federal Administrative Court (FAC) had been implemented in the case of eight authorised operations, three urgent operations and one operation that had been rejected. On the basis of the audits, the OA-IA had no reason to believe that the operations had not been carried out in compliance with the authorisation process. Nor was there any evidence to suggest that the FIS had unlawfully carried out operations despite the refusal of authorisation.
Based on this overall positive impression, the OA-IA decided not to make any recommendations.
[23-12] Human intelligence (HUMINT) in the FIS
Mandate | Consultation | Final report | Official completion | Interviews conducted |
11.08.2023 | 07.03.2024 | 01.05.2024 | 26.06.2024 | 30 |
Human intelligence is an area where secrecy is a cornerstone of the activity. It requires particularly strict security and protection measures with regard to employees (including the use of alias identities or cover stories to conceal their association with the FIS) and their place of work, the financial flows necessary to conceal the origin of payments, the obligations to protect sources, etc. The risks in these areas are numerous and constantly increasing, which justifies an annual audit by the OA-IA.
In view of the transformation and the strategic reorientation of the FIS, the main objective of the OA-IA was to determine the status of the HUMINT division prior to the transformation of the agency. In the context of audit 23-12, the OA-IA was therefore particularly interested in the development of the source portfolio, be it in strategic terms, in terms of HUMINT personnel, development and learning capacities, or in terms of ongoing projects. The audit also provided an opportunity to take stock of the functioning and difficulties of the HUMINT division prior to the agency’s transformation. To this end, oral and written interviews were conducted with all HUMINT staff. The OA-IA found that although staff were generally satisfied with their work and highly motivated, the transformation of the FIS was exacerbating a number of pre-existing difficulties already identified by the OA-IA.
The development and digitalisation of society in general are further factors that increase pressure on areas that require secrecy. Ongoing projects, such as a new training programme for source handlers and a new documentation management system, should provide effective solutions. Overall, the HUMINT division has the necessary skills, ideas, human resources and motivation to resolve current problems. The OA-IA has made two recommendations concerning human resources management and the evaluation of information provided by sources.
Finally, the audit found that the areas selected for audit were managed in accordance with the law and adequately documented.
[23-13] Use of undercover cyberagents in the FIS
Mandate | Consultation | Final report | Official completion | Interviews conducted |
14.05.2024 | 21.11.2024 | 10 |
The global threat situation has changed. In the field of terrorism and violent extremism, communication has shifted from publicly accessible platforms such as Facebook to encrypted communication services and closed communities.
As a result of this evolving situation, the FIS’s use of virtual cover identities to monitor the internet for terrorist or violent extremist activity is becoming less effective, as this tool is primarily used to cover the public domain and does not allow access to [encrypted] communication services and closed communities. To gain access to these services and groups, the FIS needs undercover cyberagents. By establishing contact with potential targets, undercover cyberagents build up enough trust to gain access to these closed forums.
For this reason, the OA-IA examined whether the legal framework for the use of undercover cyberagents is clear and understood by the staff involved. It also examined whether the training of cyberagents in the FIS was adequate and their deployment appropriate.
The OA-IA also examined whether the FIS has the technical and organisational framework to deploy cyberagents effectively and to correctly assess the chances of obtaining intelligence successfully from the outset.
[24-5] FIS operations, operational inquiries and intelligence-gathering measures requiring authorisation
Mandate | Consultation | Final report | Official completion | Interviews conducted |
25.07.2025 | 10 |
In this ongoing audit, the OA-IA is examining whether the new organisational structure of the FIS will ensure the legality, effectiveness and expediency of operations. To this end, it is reviewing a selected number of OPs and OPIs. It is also examining a number of authorised information-gathering activities to ensure that they are being implemented in compliance with the relevant rulings of the FAC.
[24-6] Human intelligence in the FIS
Mandate | Consultation | Final report | Official completion | Interviews conducted |
29.10.2024 | 1 |
In this ongoing audit, the OA-IA is examining two main aspects. The first is a follow-up to audit 23-12 and looks at the question of how the FIS has responded to some of the critical issues raised by the OA-IA in its report. The second aspect looks at whether the management of sources (human sources and ‘supporters’) is being documented in a lawful and expedient manner.
Resources
In the area of resources, the OA-IA examines whether the intelligence services are using their resources wisely and whether intelligence activities are being carried out effectively. In 2024, the OA-IA carried out the following resource audits:
[24-7] Information and communication technology (ICT) inventory in the FIS
Mandate | Consultation | Final report | Official completion | Interviews conducted |
22.10.2024 |
In ICT, it is important for an organisation to have an overview of the hardware it uses for a number of reasons. This overview helps to manage hardware components throughout their lifecycle, thereby ensuring optimal use of resources. In addition, a systematic inventory prevents hardware from being procured and used by unauthorised individuals within the organisation. For the FIS, this last point in particular poses both a reputational risk and a risk of unlawful data processing due to a lack of control mechanisms.
For this reason, the OA-IA decided to examine whether the FIS has an inventory of its hardware and, if so, whether this inventory is being managed effectively and expediently. The aim of this is to determine whether hardware components have been procured or used unlawfully, and to prevent this from happening in the future.
The audit is not focusing on the entire ICT inventory of the FIS, but only on the IT hardware used in connection with the collection and processing of data.
[24-8] Incident and risk management in the MIS
Mandate | Consultation | Final report | Official completion | Interviews conducted |
30.01.2024 | 11.06.2024 | 10.07.2024 | 23.07.2023 | 6 |
Due to their covert nature, intelligence activities often involve risks. These risks relate, in particular, to the organisation of the work, which may result in a leak of information and therefore lead to a security threat or reputational damage. However, the legal or political aspects of intelligence activities can also pose risks for which the organisation carrying out the intelligence activity is responsible. This is where risk management plays a critical role. Risk management is the process of identifying an organisation’s risks, taking appropriate measures to reduce them, and limiting any potential damage. How an organisation deals with incidents that result from identified risks or that affect the general security of an organisation is an important question and is known as incident management.
If risk management is absent or inadequate, an intelligence service may be limited in its ability to carry out its intelligence tasks, thereby losing its effectiveness and relevance. At worst, this could result in an intelligence service such as the MIS no longer being able to provide services to the Swiss Armed Forces.
For this reason, the OA-IA decided to audit the risk and incident management of the MIS.
In the area of risk management, the OA-IA found that the MIS has a clear overview of the key risks. However, optimal risk management requires a structured approach to managing these risks. This includes, among other things, the updating of documents, the regular exchange of information on the development of risks, and a discussion of action to be taken. In the opinion of the OA-IA, this does not currently happen sufficiently in the MIS. However, a new risk strategy addressed this shortcoming in 2024.
With respect to incident management, the OA-IA found that the MIS consistently records security-related incidents that could cause or increase risks arising from intelligence activities. The OA-IA also found that the MIS deals with these incidents and incorporates them into its risk management. However, to date the MIS has had to deal with relatively few incidents. This could lead to a false sense of security. The OA-IA has therefore concluded that any new risk strategy should include exercises on responding to serious security incidents.
Due to its sound risk management, the relatively low number of security-related incidents and the fact that MIS personnel have a heightened risk awareness due to their military background, the OA-IA did not formulate any recommendations.
Data processing and archiving
In the area of data processing and archiving, the OA-IA verifies the legality of information processing. This is because the information processed by intelligence services is highly sensitive and the legal requirements are both extensive and complex. In 2024, the OA-IA conducted the following audits in this area:
[22-15] Open source intelligence (OSINT) in the FIS
Mandate | Consultation | Final report | Official completion | Interviews conducted |
29.12.2022 | 07.12.2023 | 14.02.2024 | 08.03.2024 | 11 |
Open source intelligence is a rapidly developing area of intelligence. The collection of seemingly infinite amounts of open-source information provides intelligence services with almost endless opportunities to generate intelligence. The analysis of this information, with the aim of extracting useful intelligence, is referred to as open source intelligence (OSINT). In addition, the collection of open source information does not require authorisation (Art. 13 IntelSA), which allows the FIS to search for intelligence-relevant data in a large volume of information. The growing importance of OSINT is raising legal and ethical questions within the international intelligence community, such as where to draw the line between OSINT and HUMINT, particularly with regard to the use of online identity aliases to investigate persons of interest or to obtain data sets offered illegally on the internet (leaks). The OA-IA therefore decided to examine the use of OSINT by the FIS.
According to Article 13 IntelSA, public sources of information include publicly accessible media, publicly accessible registers of federal and cantonal authorities, personal data made publicly accessible by private individuals and statements made in public. The boundary between OSINT and information-gathering measures requiring authorisation is not always clear, and this issue is also a subject of discussion among the FIS’s partner services and foreign oversight authorities. If there is no common understanding of these boundaries, there is a risk of unlawful intelligence gathering. The interviews conducted with FIS OSINT staff revealed that they are aware that they are operating in a complex legal situation with regard to OSINT. However, there are no criteria or structured guidelines as to what constitutes OSINT and where the legal limits of OSINT lie. As a result, the FIS does not clearly and consistently regulate the use of different OSINT activities. The OA-IA therefore made a recommendation to define the legal framework for the collection of OSINT-related information and uniform rules for the use of OSINT.
The OA-IA reviewed selected cases of OSINT-related information gathering and found no evidence of unlawful activity. The FIS is required to provide evidence of its own activities through systematic records management. All business-related documents must be registered and filed in the FIS GEVER business management system. The OA-IA found that some cases of OSINT-related information collection had been insufficiently documented and did not comply with the applicable Federal Administration regulations, making it impossible for the OA-IA to assess its legality. The OA-IA issued a recommendation in this instance.
OSINT tools are used to efficiently and effectively generate intelligence-relevant information from the huge amount of data available through publicly accessible online sources. The FIS uses a mix of standard, commercially available products and in-house developments that enable the use of online identity aliases for continuous monitoring and targeted searches. Because they are operated by intelligence services, online identity aliases exhibit anomalies in their behaviour; they could therefore be identified as potential targets by other agencies and attract the attention of partner services. To counter this risk, the OA-IA proposed that the FIS and the CISs should inform each other about the online identity aliases they use.
The FIS uses a dedicated IT infrastructure for the collection of anonymised OSINT-related information. This infrastructure has security vulnerabilities and should be upgraded or replaced in the near future. The OA-IA has made a recommendation to this effect.
It can be difficult to verify the results of OSINT research, particularly in the case of information found on the Darknet. The FIS considers it an integral part of intelligence work to treat information with an appropriate degree of suspicion. If information cannot be verified or its veracity cannot be quantified, this is noted in OSINT reports. Source verification, which plays an important role in detecting and exposing fake news, for example, is a particularly well-known problem in the use of complex commercial OSINT products and is also a recurring theme within the intelligence community.
In addition to the FIS, the CISs also conduct OSINT research. The OA-IA therefore examined possible duplication and inefficiency. It concluded that the agencies were aware of the risks and had taken steps to address them, for example by ensuring regular discussion of OSINT in a recently established forum.
The FIS uses the OSINT information system (OSINT Portal) to make data from public sources available internally. During its audit, the OA-IA found no evidence that the OSINT Portal compromised the expediency or effectiveness of data management. OSINT data has a shorter retention period than data generated by other sensors. The portal eliminates the risk that OSINT data is mislabelled as data from another sensor and its retention period thereby unlawfully extended.
[22-18] Information gathering by the FIS CYBER division
Mandate | Consultation | Final report | Official completion | Interviews conducted |
07.06.2024 | 18.11.2024 | 17 |
The time-consuming audit concerning unlawful data collection by the FIS Cyber division was completed in 2024. As the preparation of the report also proved to be extremely time-consuming, the consultation process was still ongoing when this annual report went to press. The OA-IA will therefore publish a summary of the facts and findings of the audit on its website in 2025 and report on it in detail in the next annual report.
[23-16] Information systems, data storage systems and data files outside the scope of Art. 47 IntelSA
Mandate | Consultation | Final report | Official completion | Interviews conducted |
17.07.2023 | 18.03.2024 | 06.05.2024 | 05.06.2024 | 7 |
Since its establishment, the OA-IA has regularly audited the information systems of the FIS. Data processing is fundamental to the activities of the FIS: if data are not processed correctly or are not available to employees for analysing the security situation, the FIS may not be able to perform its tasks. The information systems used by the FIS for its intelligence activities were regulated for the first time under a single legal provision – Article 47 – with the entry into force of the Federal Act of 25 September 2015 on the Intelligence Service (IntelSA).
The OA-IA’s audit revealed that the FIS operates other information systems in addition to those listed in Article 47 IntelSA. As the question arose during the drafting of the legislation as to whether all systems were listed in Article 47, the OA-IA decided to clarify the matter. It found that the list is exhaustive as far as data in systems used for intelligence activities in the strict sense are concerned: these data must be saved in one of the information systems listed in Article 47.
The OA-IA then examined which other systems are used, for what purposes and whether the legal provisions are adequate. It concluded that the legal provisions governing the operation of the other systems were adequate.
With so many FIS systems in use, it is important that each one is fully and properly managed. It is particularly important to have an accurate and up-to-date overview of the systems to ensure that data processing is lawful at all times. The audit concluded that the overview of systems operating outside the scope of Article 47 IntelSA needs to be updated and better managed. This overview needs to be shared with the Board of Directors, Quality Control and the technical teams so that the data can be properly stored and checks can be carried out. The OA-IA therefore formulated an appropriate recommendation.
[24-9] Spot check of the Information and Analysis System All-Source Integral Control Centre (IASA-ICC)
Mandate | Consultation | Final report | Official completion | Interviews conducted
09.12.2024 | | | |
The OA-IA is currently examining the legality, effectiveness and expediency of the data contained in the IASA-ICC database through random checks and interviews. The audit is ongoing.
[24-10] FIS searches in third-party information systems
Mandate | Consultation | Final report | Official completion | Interviews conducted
10.06.2024 | | | | 5
The OA-IA is currently examining whether the FIS’s access to third-party information systems and searches made in these databases are lawful and expedient. The audit is ongoing.
Acceptance
The OA-IA auditors were received by the audited units in a constructive and professional manner. They were given direct access to the documents and information systems needed to carry out their audit tasks. The auditors also had no difficulty in contacting interviewees whenever they needed to do so. Further questions were answered as quickly as possible.
Controlling implementation of the recommendations
Based on its audit activities, the OA-IA can make recommendations and submit them to the head of the DDPS. The DDPS then ensures that these recommendations are implemented. If the DDPS rejects a recommendation, it must submit it to the Federal Council for a decision. To date, no recommendations have been rejected.
The OA-IA has no legal authority to monitor the implementation of recommendations. However, effective and credible oversight is only possible if the implementation of recommendations is monitored. The OA-IA carries out this part of its oversight function in dialogue with the audited units and the DDPS.
The following table shows the number of audits carried out and the number of recommendations issued over the last four years, together with the average number of recommendations per audit.
After an initial three-year period (2018-20), in which an average of three recommendations were issued per audit, only around one recommendation was made per audit from 2021 onwards. This is a result of the OA-IA’s consistent approach of issuing fewer, but more targeted and effective recommendations. The number of recommendations does not indicate whether conditions are improving or deteriorating.
| 2018-2020 | 2021 | 2022 | 2023 | 2024
Number of audits | 49 | 18 | 16 | 11 | 11
Number of recommendations | 150 | 18 | 13 | 10 | 14
Average recommendations per audit | 3.1 | 1.0 | 0.8 | 0.9 | 1.3