Zyra Kombëtare e Auditimit - Nacionalna Kancelarija Revizije

Kosovo National Audit Office

Civil Status Information System in the Civil Registry Agency

2023 KS2023civilStatusInfo
SCALE
  • The Civil Registry Agency (CRA) is responsible for managing the processes related to the application of personalization and the issuance of documents for citizens of the Republic of Kosovo, for foreign citizens and for stateless persons, when they have temporary or permanent residence in the territory of the Republic of Kosovo, as well as for foreign citizens who have been granted asylum in the Republic of Kosovo. In 2021 Kosovo had: 43 994 births, 22 528 marriages, 18 772 deaths.
COMPLIANCE FOCUS
  • Law on Civil Status
  • Law on Civil Register Agency
  • Government Regulations
  • Administrative instructions
PERFORMANCE ASPECT
  • Effectively maintaining data security and privacy, data integrity and availability.

The IT structure in the Civil Registry Agency is distributed in several departments and sectors, as a result of which we have duplication of responsibilities within those departments and sectors. (…) In addition to the duplication of the same responsibilities that have been made possible through the internal organization regulation, there is also a conflict of responsibilities since the database administrator is also the systems administrator.

It has been identified that in the Civil Status System application there were five (5) officials who were in charge of “Administration”. This role enables opening and closing user accounts, as well as defining and changing roles and responsibilities for user accounts. Furthermore, we have identified that the activities of privileged users are not even monitored in the absence of the information security officer.

The lack of a plan for the continuity of information systems and business continuity management increases the risk of failure of the Civil Registry Agency processes in the event of a natural disaster or primary systems failure.

The system allows the registration of the same citizen more than once. If a single letter of the name or surname has the same meaning but is written differently in different languages, it is treated as a different character. Although the Civil Status System supports the use of official languages, the system has not developed a function for comparing the content of characters/letters in different languages, e.g. (Sh, š, Ş). The Civil Registry Agency has not established adequate input validation controls for the address field.
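The missing comparison function could take the following form; this is an added illustration, not code from the audit report or from the Civil Status System. The record fields, the `EQUIVALENTS` table (limited to the report's Sh/š/Ş example) and the decision to ignore remaining diacritics are assumptions.

```python
import unicodedata
from collections import defaultdict

# Equivalence from the report's example (Sh, š, Ş). Assumption: a real
# deployment extends this table per official-language transliteration policy.
EQUIVALENTS = {"š": "sh", "ş": "sh"}


def match_key(name: str) -> str:
    """Return a comparison key for a name; the stored value is not changed."""
    # NFC first, so 'S' + combining caron becomes the single code point 'Š'.
    text = unicodedata.normalize("NFC", name).casefold()
    text = "".join(EQUIVALENTS.get(ch, ch) for ch in text)
    # Assumption: remaining diacritics are ignored for candidate matching.
    decomposed = unicodedata.normalize("NFKD", text)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(stripped.split())  # collapse repeated whitespace


def find_possible_duplicates(records):
    """Group record ids that share folded names and date of birth."""
    groups = defaultdict(list)
    for rec in records:
        key = (match_key(rec["given"]), match_key(rec["surname"]), rec["born"])
        groups[key].append(rec["id"])
    # Only groups with more than one record are candidates for manual review.
    return [ids for ids in groups.values() if len(ids) > 1]


# Constructed sample records (not real data).
SAMPLE = [
    {"id": 1, "given": "Shpresa", "surname": "Shala", "born": "1990-04-12"},
    {"id": 2, "given": "Špresa", "surname": "Šala", "born": "1990-04-12"},
    {"id": 3, "given": "Şpresa", "surname": "S\u0327ala", "born": "1990-04-12"},
    {"id": 4, "given": "Shpresa", "surname": "Shala", "born": "1985-01-30"},
    {"id": 5, "given": "Arben", "surname": "Krasniqi", "born": "1990-04-12"},
]

if __name__ == "__main__":
    for ids in find_possible_duplicates(SAMPLE):
        print("possible duplicate registration, review records:", ids)
```

The key is used only to flag candidate duplicates at registration time for an official to review; the name as entered stays the record of truth.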

Civil Registry Agency (CRA) has not provided a solution for the information systems disaster recovery centre, but has directed this request to the Agency for Information Society (AIS) to provide the necessary infrastructure. The lack of sufficient justification/description for the realization of the project for raising the hardware capacities by AIS also contributed to the removal of this project. The identified deficiencies present a risk of failure and loss of data and work processes of the CRA, which would make it impossible to achieve the continuity of the organization and the provision of services from the civil status.

For the changes implemented until February 2022, only the economic operator performed the testing of the implemented changes, in the absence of a testing infrastructure. However, during the audit, after we raised the issue of the lack of a testing system, the Civil Registry Agency took action by preparing a testing environment, so that testing can also be performed by the requesting unit. Despite the improvement of the process for carrying out the tests, there are still no records that the testing was carried out, there is no procedure on how a test should be carried out, and no report has been drafted on the tests carried out. As a result of this form of testing, the audit found errors after putting the new version of the system into operation.

The items above were selected and named by the e-Government Subgroup of the EUROSAI IT Working Group on the basis of publicly available report of the author Supreme Audit Institutions (SAI). In the same way, the Subgroup prepared the analytical assumptions and headings. All readers are encouraged to consult the original texts by the author SAIs (linked).