You are here: Home / Topics / Information technology

Document Actions

Information technology

2018 Annual report No. 25 – Shortcomings in inventory management of the Armed Forces’ stocks of explosives

We found shortcomings in the Armed Forces’ inventory management of their stocks of explosives. The central explosives database does neither cover the total number of explosives nor all their locations. One major shortcoming is that the Armed Forces also failed to centrally record the stocks of an agency responsible for research and testing of explosives.

The Armed Forces have been adapting the database module used since 2016 to ensure full inventory management of explosives. It is not known when data on explosives will have a better quality. Since the overall data quality is currently inadequate, the project manager and the central ammunition control unit established at an Armed Forces technical centre can perform their duties only to a limited extent.


2018 Annual report No. 24 – Armed Forces jeopardise IT security at their technological and scientific agencies

Shortcomings in IT security have persisted for years at the technological and scientific agencies of the Armed Forces. In our opinion, this jeopardises the reliable mission performance of these agencies. One of their key tasks is to analyse and assess the assets to be used by the Armed Forces. The Federal Office of Armed Forces Equipment, Information Technology and In-Service Support that is responsible for this matter has acknowledged our findings, but has so far not made sufficient efforts to mitigate the risks we stated. The Office argued that it was lacking appropriate staff for this purpose. We expect the Ministry to promptly address the IT security shortcomings. To do so, the Ministry should make available to the agencies a sufficient number of specialist staff to address key IT security functions. The Ministry needs to ensure that such staff is adequately trained and provided with pertinent support software.


2017 Annual report - spring report - No. 12 - VAT control procedure provide full coverage

Since 2010, the VAT control procedure has also covered intra-Community services. Due to a lack of ICT support, the tax authorities’ ability to control these services was inadequate. The Federal Finance Ministry should close the gaps in the system in order to ensure effective control.

Since 2010, the EU-wide control procedure has also covered intra-Community services. Accordingly, taxable persons have to report the delivery of services in their recapitulative statements. This concerns e.g. lawyers or experts who advise clients resident in other EU Member States. The Member States share data received in these statements for control purposes. Furthermore, taxable persons shall report their intra-Community turnovers in their preliminary VAT returns and their annual VAT returns.

Responsibilities for the processing of the returns are fragmented. The preliminary and annual VAT returns are filed with the tax office. The recapitulative statements are received by the Federal Central Tax Office. The tax offices periodically communicate the data on intra-Community services from the preliminary and annual VAT returns to the Federal Central Tax Office.

We found that the Federal Central Tax Office did not match the amounts of the recapitulative statements against those of the VAT returns. It was therefore unable to identify deviations between the recapitulative statements and tax returns. Control of cross-border services was thus not ensured. In the light of a turnover of more than €126 billion in 2015, this represents a considerable risk to tax revenues.

We recommended that the relevant data in recapitulative statements, the preliminary and annual VAT returns be compared electronically. The authorities should scrutinise any deviations found.


2017 Annual report No. 07 - Federal Office for Economic Affairs and Export Control has for years ignored risks of its payment-relevant IT systems

The Federal Office for Economic Affairs and Export Control paid a total amount of several hundreds of millions of euros through IT systems operated improperly. In spite of a commitment to the contrary, it did not eliminate weaknesses known since 2014. Weaknesses of the internal control system facilitated accounting and payment errors.

Most managers of federal budget funds are linked to the Federal Government’s central accounting system via IT systems. They have to guarantee that controls prescribed by budgetary law are in place to ensure an orderly and secure operation of their IT systems.

Each year, the Federal Office for Economic Affairs and Export Control pays grant funds in the range of hundreds of millions of euros by means of IT systems. As early as in 2014, we found that the operation of two of the Office’s IT systems for the disbursement of grants did not comply with the applicable regulations. A follow-up audit carried out in 2017 revealed the continued lack of key procedural documents, e.g. official instructions. Furthermore, the Office had not complied with regulations providing for the separation of functions in the development and maintenance of the systems and in processing.

Sampled vouchers showed such errors as the remittance of grant funds to wrong accounts. The Office argued that this was mainly attributable to individual processing errors and unavoidable in mass procedures. We consider this assessment unconvincing as long as the Office has not defined, documented and implemented structured control programmes such as the cross-checking principle.

The Office must now comply with the provisions of budgetary law and develop adequate internal control systems for its procedures.


2017 Annual report No. 26 - Tax offices lack IT support for processing tax returns of large partnerships

As from 2011, tax returns for partnerships are filed electronically. However, the tax offices are unable to electronically receive and process tax returns where the number of partners exceeds the level of 500. The lack of IT support causes high administrative burden and leads to losses of tax revenue.

We noted with concern the lack of IT support. It is no longer acceptable that the tax administration is unable to fully implement the legal provisions because of technical weaknesses. For nine years now, the Federal Government and the federal states have had the time to address the problem.

The lack of IT support ties up valuable human resources in the tax offices. The proper inspection under aspects of tax law thereby loses priority and tax revenue is lost. For instance, it took one tax office more than one year to process the tax return of a large partnership. It had to manually enter 380 pages of hard copy tax returns. The resulting errors caused losses in tax revenue of more than €400,000.

We urged the Federal Finance Ministry to take steps, in conjunction with the federal states, to make sure that the tax offices are provided with the necessary IT support immediately.


2017 Annual report No. 04 - Insufficient monitoring of consultancy work in large-scale IT projects by the Federal Ministry of the Interior

The Federal Ministry of the Interior did not adequately plan, monitor and control consultancy work in two large-scale IT projects. For instance, the Ministry remunerated the consultants according to the amount of work without evaluating the work done. Since the Federal Ministry of the Interior did not set detailed key performance indicators for the consultants, it should have thoroughly monitored their work.

The Federal Ministry of the Interior intends to update, centralise and enhance the security of the federal IT system by means of the two large-scale projects “Networks of the Federal Government” and “Federal IT Consolidation”. For this purpose, the Ministry commissioned consultants. It needs to ensure that deadlines are met, cost limits are complied with and project results are of the required quality.

In 2015 and 2016, the Ministry arranged for being charged according to the amount of work done in 109 out of 110 consultancy contracts. However, these contracts did not specifically define the expected success. As from 2017 until 2022, the Ministry intends to pay more than €230 million for external consultants for the two projects.

We requested the Federal Ministry of the Interior to efficiently use the working hours of external consultants. We demand that the Ministry continuously plan and monitor consultancy work, especially when consultants are paid according to the amount of work. We expect the Ministry to establish a quality management system and make its application mandatory for large-scale IT projects.


2016 Annual report Volume II No. 22 - Armed Forces intend to address grave security shortcomings in the operation of an IT system relevant for payments

Following our advice, the Federal Office for Armed Forces Equipment, Information Technology and In-Service Support has promised to address grave security shortcomings in the operation of an IT system relevant for payments. As a consequence of remedial action, the system would be better protected against abusive and unintentional changes of data relevant for payment.

We audited an Armed Forces IT system relevant for payments. The Federal Office for Armed Forces Equipment, Information Technology and In-Service Support used this system to effect payments of €8 million annually, especially for defence projects.

We found shortcomings in the operation of the IT system:

  • Inadequate provisions on access authorisation: The Federal Office had not promulgated adequate provisions about who was to have access to what extent.
  • Lack of control: The Federal Office had not stipulated which instances of access to the system were to be recorded.
  • Too generous access authorisations: Especially the administrators in charge of providing technical support for the use of the IT system had excessive access authority

We considered these facts grave security shortcomings. In particular, we drew the Federal Office’s attention to the fact that staff could abusively or unintentionally change data relevant for payment without this being noticed.

The Federal Office intends to eliminate the security deficiencies.


2016 Annual report Volume I No. 68 - Ensure taxation of new vehicles of EU origin

Information exchange between the EU Member States about the intra-Community acquisition of new vehicles for private purposes is inadequate. As a result of gaps in cooperation and a lack of IT support, the taxation of the acquisition of vehicles is not ensured.

Private buyers have to pay tax in their Member State on their acquisitions of new vehicles in other EU Member States. They are obliged to assess the resulting VAT liability themselves, to file the VAT return with the tax office and to pay the tax due. Sellers of new vehicles must report any delivery to private individuals in other EU Member States to their responsible tax authority. For the purpose of cross-checking, the EU Member States exchange and match the buyer and seller data. Germany has opted for participation in this information exchange. The responsible German authority is the Federal Central Tax Office.

We found that the Federal Central Tax Office was unable to check whether all German sellers complied with their reporting duty. The necessary IT system did not exist. As a consequence, Germany was not able to ensure that it communicates complete data to the other EU Member States. There was the risk that vehicles bought in Germany remain untaxed in other EU Member States.

Moreover, several EU Member States do not participate in the information exchange. Therefore, the German tax authorities were informed insufficiently about the acquisition of new vehicles by German buyers. This implies the risk of losses of tax revenue in Germany.

We requested the Federal Finance Ministry to ensure that the IT system will be operative by not later than 2017. Moreover, it should advocate an enhanced information exchange at EU level. Only if all Member States feed data into the system, gaps in the taxation of new vehicles of EU origin can be prevented.


2015 Annual report Volume I No. 15 - Higher expenditures and delays in implementing the digital enforcement system operated by the Customs Administration

Expenditures incurred by the Customs Administration in implementing a new IT procedure more than doubled compared to initial planning. The implementation of the new procedure delayed by four years and total costs increased by €9.1 million.

The Customs Administration needs to implement a new IT procedure to enforce pecuniary claims. It does not only enforce own claims but also the claims of other federal bodies, health insurance bodies and the Federal Employment Agency.

Total costs of the new IT procedure increased from €7.3 million to €16.4 million. Although it was planned that the procedure be operational as early as in 2012, the Ministry estimates that its implementation can only be finalised by year-end 2016.

We believe that a poor project management by the Ministry caused the delays and higher expenditures. In particular, the Ministry did not define procedural requirements at project start. As a result, it was not possible to estimate the resources and time required to implement the project. Moreover, the project progress could not be measured so that the body responsible was not in the position to consider alternative action in a timely manner – for example to withdraw from the project or not to use certain functions.

We advised the Ministry to develop a control system for IT projects in order to avoid such an undesirable development.


2016 Annual report Volume I No. 11 - Cost-intensive data centres stood idle for years

Between 2011 and 2016, the Federal Ministry of the Interior paid €26 million for renting two data centres for the “Networks of the Federal Government” IT project. The data centres stood largely idle. The Ministry failed to adequately assess the project risks. The Ministry needs to avoid similar shortcomings in the proposed federal IT consolidation project.

The “Networks of the Federal Government” project was launched in 2007. Its purpose is to provide a secure voice and data network for federal authorities. As part of its federal IT consolidation project adopted in 2015, the Federal Government is planning to pool 80 per cent of IT operations at a federally owned service provider. The Ministry is in charge of the two projects.

The “Networks of the Federal Government” project has repeatedly been delayed, inter alia, because two departments concerned failed to reach agreement on any action to be taken. Nevertheless, the Ministry signed long-term rental agreements for two data centres that were largely not in use. Until 2016, the Federal Government has paid some €26 million for the idle data centres.

As part of the “IT consolidation” project, the number of 96 data centres and 1,245 server rooms is to decrease strongly by year-end 2022. For this purpose, the Ministry intends to terminate existing contracts for data centres or modernise the centres. The Ministry also intends to rent or build new data centres. The Ministry has no overview of the centres in place, e.g. their rental and operating costs, size and technical equipment. It is also unaware of the Federal Government’s IT office space requirements. The Ministry is therefore not in the position to reliably assess the impact of the measures proposed.

The Ministry needs to ensure that similar weaknesses as those of the “Networks of the Federal Government” project do not occur again to avoid a major bearing on the federal budget. We recommended that jointly with the Institute for Federal Real Estate the Ministry develop an overview of the data centres in place with their key parameters, including rental and operating costs. The Ministry has to take such data into account for the capital expenditure appraisal on IT consolidation.


2015 Annual report – spring report - No. 06 - Data from Armed Forces IT system hardly usable for analysing purchases

The Armed Forces are unable to accurately analyse and control their purchases. This is attributable to the inadequate use of their IT system for purchasing decisions and to pour data quality. By analysing its purchasing operations, the Armed Forces could save budget funds. The Federal Ministry of Defence should work out a strategy for remedying the deficiencies and assign overall responsibility for implementing the strategy to a specific administrative entity.

In 2004, the Armed Forces introduced a new IT system which they can use to purchase goods and services. It intends to analyse and control its purchasing operations. One of the system’s functions is to centrally record and combine blanket agreements. According to their own estimates, the Armed Forces can save up to 10 per cent of the value of their purchases by analysing its purchasing operations.

In 2013, the Armed Forces purchased goods and services worth €4.5 billion. The major portion of this total (€3.8 billion) was not ordered through the Armed Forces IT system. Therefore, the Armed Forces lacked important data for analysing its purchase operations, e.g. quantities and prices. The reason was that the Armed Forces had not required all its sectors to use the IT system for purchasing.

In their IT system, the Armed Forces created the same suppliers several times and with different spellings. Furthermore, it recorded the durations of many blanket agreements inaccurately. Analyses relating to suppliers therefore generate inaccurate results. Moreover, the Armed Forces cannot identify expiring contracts in order to merge them in a new invitation to tender. The Armed Forces created data bases on blanket agreements outside their general IT system. They argued that the data of the general IT system were insufficient and unreliable. The databases contained only part of the blanket agreements. The Armed Forces thus failed to achieve their goal of recording all blanket agreements centrally.

The Ministry informed us that it had meanwhile ordered all master data to be entered and maintained centrally and that datasets created several times had been deleted.

In addition to that, we hold that it is necessary to require all sectors of the Armed Forces to use the general IT system. Furthermore, they necessary data need to be defined. Only thus can the Armed Forces achieve the necessary data quality for reliable analyses of their purchasing operations. Such analyses are indispensable in order to achieve savings. We therefore recommend that the Ministry develop a comprehensive strategy on the data to be stored, the quality of data and the use of the IT system. Moreover, it should assign overall responsibility to a specific entity.


2015 Annual report No. 88 - Better cross-checking of data prevents duplication of tax refunds

Following our recommendation, the Federal Central Tax Office will give certain local tax offices read access to its data about refunds of input VAT. This will facilitate the cross-checking of data by local tax offices in connection with the general taxation of foreign traders. Such cross-checking can largely prevent the duplication of refunds of input VAT.

Subject to certain conditions, foreign traders may claim the refund of VAT paid in Germany (input VAT) from the Federal Central Tax Office. Where this is not the case, they can only claim the deduction of input VAT from the competent 22 central tax offices in the course of the general taxation procedure. Depending on whether the conditions for the input tax refund procedure are met, the foreign traders must switch from the general taxation procedure to the input tax refund procedure or vice versa. The input tax refund procedure is a mass procedure with more than 100,000 applications each year.

We found that the Federal Central Tax Office had access to the database of the tax administration, enabling it to cross-check whether a general taxation procedure in respect of an applicant was already pending at one of the central tax offices. Conversely, the central tax offices had no access to the data of the Federal Central Tax Office. Therefore, they were unable to self-reliantly ascertain whether and for what period the Federal Central Tax Office had already refunded input VAT to a foreign trader. During our audit, we detected several cases of duplicative tax refunds. We recommended that the Federal Finance Ministry should without delay make arrangements for giving the 22 central tax offices read access to the data of the input VAT refund procedure held by the Federal Central Tax Office.

The Federal Finance Ministry has followed our recommendations. The Federal Central Tax Office will give the central tax offices read access to the electronic data of the input VAT refund procedure not later than in mid-2016. Then both the Federal Central Tax Office and the central tax offices will be able to cross-check data in order to prevent duplicative refunds of input VAT to foreign traders. We will follow up on whether cross-checking actually works.


2015 Annual report No. 87 - Fighting VAT fraud with the European EUROFISC network

The EUROFISC network serves the purpose of fighting VAT fraud in the European Union due to a fast exchange of information. The Supreme Audit Institutions of Austria, Hungary and Germany conducted a joint audit on how the network had been implemented in their countries. They developed recommendations for improvement. The Federal Ministry of Finance will further develop the information system in Germany and advocate improvements at EU level.

VAT tax fraud causes a significant economic loss within the European Union each year. A part of this arises from fraud in intra-Community trade. In order to be able to limit this kind of fraud, the administrations of the Member States have to cooperate closely. They have shared information at bilateral level on cross-border transactions for a long time. Additionally, they transmit information on suspected traders to all Member States in order to disclose fraudulent business relations in good time. For this purpose, they established the EUROFISC network in 2011.

The SAIS of Austria, Hungary and Germany conducted a joint audit on how their countries implemented EUROFISC. They found that EUROFISC improves the chances of national administrations to convict fraudsters in good time. However, as expected, the new system is not yet perfect after only a few years of operation. The SAIs developed recommendations on how the network can be improved. This applies for example to the quality of the shared data sets.

The Federal Ministry of Finance will further refine the exchange of EUROFISC data between the Federal Government and the states in Germany. Furthermore, it will support necessary improvements of the entire network at EU level.

The three SAIs published their findings and recommendations in a joint report. You can access this report on German SAI’s website (


2015 Annual report No. 86 - Splitting income tax liability: Federal Ministry of Finance intends to secure tax revenue through an electronic procedure

The Federal Finance Ministry intends to introduce an electronic procedure for the exchange of information about alimony payments to divorced or permanently separated spouses. This is to replace an expensive paper-based procedure and to prevent losses in tax revenue.

A taxable person’s payments of alimony to the divorced of permanently separated spouse can reduce the income tax base every year. Where the payments made are deducted from the payer’s tax base, the recipient of alimony must pay tax for the payments received (an arrangement known as ‘real splitting’).

To make sure that the tax claim is enforced, the tax office to whose jurisdiction the payer of alimony belongs must each year send an information return to the tax office responsible for the recipient of alimony payments. The tax offices fulfilled this duty only inadequately. Therefore, recipients of alimony often did not pay tax on the payments received, although the payers of alimony had claimed the deduction.

We recommended that the paper-based procedure for sending information returns be replaced by an electronic procedure. The Federal Finance Ministry has taken up our recommendation and requested the development of software for an electronic procedure to be used by the tax administrations of the states.


2015 Annual report No. 51 - Federal Armed Forces eliminated severe safety IT shortcomings

In response to our advice, the Federal Armed Forces eliminated severe safety shortcomings in two IT systems. Thus, they better protected data against intentional and unintentional threats.

We examined what authorisations the Federal Armed Forces’ staff had in two important IT systems. The Federal Armed Forces use these systems, among other things, to pay their staff and to purchase goods and services. In 2013, the Federal Armed Forces paid about €23 billion via the two systems.

In particular the administrators responsible for the systems‘ technical support had almost unrestricted authorisations. Thus, they could change or delete data records of security incidents such as unauthorised system access. Several thousand other employees could create suppliers and pay them at the same time.

We noted that the Federal Armed Forces did not specify user authorisations according to their functions. Furthermore, there were too many users with extensive authorisations. They allowed administrators to act in the systems in an almost unrestricted and undetected way and other staff to change payment data without anyone knowing. We recommended to the Federal Ministry of Defence developing an authorisation concept for all staff, to implement it and to periodically review compliance.

The Federal Ministry of Defence concurred with our view. The Federal Armed Forces almost entirely eliminated these shortcomings; they intended to address the remaining shortcomings by mid-2015. We will follow up on that matter.


2015 Annual report No. 28 - IT security gaps at the Federal Institute for Risk Assessment

The Federal Institute for Risk Assessment uses insecure IT components, thus putting at risk its own IT networks and those of the Federal Government at large. Its IT security is not soundly organised and it disregards binding requirements of the Federal Government’s IT security directive.

The Federal Institute for Risk Assessment comes under the remit of the Federal Ministry of Food and Agriculture and is responsible for consumer health protection. Physicians report potential cases of poisoning of patients; manufacturers of certain products submit confidential information about the product’s ingredients.

During our audits in 2014 and 2015 we found that the Institute

  • maintained an IT link more than 20 km long in Berlin, which it did not encrypt for more than nine months and afterwards did so in a way not in compliance with applicable guidance;
  • used an unapproved remote access technology for those of its staff that were teleworkers and
  • only had a draft IT security strategy in place that dated from September 2009.

We noted that the Institute disregarded the Federal Government’s binding IT security guidance and did not meet its obligations as a user of the Federal Government’s IT network. There is a risk that attackers may read or modify unencrypted or inadequately protected IT network links.

We asked the supervising Ministry to take immediate action against threats to IT security. To do so, it must instruct the Institute to establish without delay an adequate IT security management and to remedy all security deficiencies.


2015 Annual report No. 27 - Federal Institute for Risk Assessment purchased unnecessary software

The time needed by the Federal Institute for Risk Assessment to introduce a new software was nearly three times as long as originally scheduled. The costs also nearly trebled. Moreover, the Institute purchased unnecessary licences for expanding the software.

In November 2009, the Institute let a contract worth €500,000 for the supply and introduction of software. This was designed to implement cost and performance accounting, plan its resources and carry out business processes. The project was to be completed by mid-2011. Up to late 2013, the Institute paid the contractor about €1.3 million. Operation of the software with the time recording function needed for cost and performance accounting began in early 2014.

At year-end 2010, the Institute bought a software extension with 500 user licences for an ordering system which it exchanged against other software directly from the manufacturer two years later, since it did not need it. Moreover, it bought 500 user licences for a reporting system. For more than four years, the Institute used only one of these licences. It paid the manufacturer maintenance fees of about 20 per cent of the software price. It had not assessed the cost effectiveness of the software extensions.

We highlighted that the Institute’s project management was flawed. By soundly assessing its needs, it could have avoided the premature purchase of unnecessary licences. Erroneous assessment of needs led to considerable avoidable maintenance costs. In future, the Institute will have to comprehensively plan its projects, heed recommendations of the federal administration and buy licences only at the time when they are actually needed.


2014 Annual report – spring report - No. 06 - Arrangements to administer insurance tax in line with the state-of-the-art needed

By virtue of the 2009 Federalism Reform, the Federal Government has taken charge of administering insurance tax. Since then, it has not succeeded in implementing the IT systems for a state-of-the-art administration of insurance tax. Thus, a large input of manual work is required. Moreover, the Federal Government must rely on the assistance of Bavaria when it comes to collecting the assessed insurance tax. The Federal Finance Ministry must take speedy remedial action.

Insurance tax generates annual federal revenues of more than €11 billion. Until the 2009 Federalism Reform, the German states administered this tax. Effective from 1 July 2010, the responsibility for this tax was transferred to the Federal Central Tax Office. Following that transfer of responsibility, we found that the Federal Central Tax Office did not have an IT system for administering insurance tax. To ensure tax collection, the Federal Government had purchased IT support from the State of Bavaria. At that time, the Federal Ministry of Finance told us that it would take steps to ensure full federal IT support. However, hardly any improvements were made from 2013 to 2014. The staff of the Federal Central Tax Office had to manually enter the data of each taxable person several times. Moreover, there was a lack of functional IT support for tax audit, statistics, dunning and enforcement. To collect insurance tax, the Federal Central Tax Office still had to rely on Bavarian assistance. For this, it paid €200,000 annually. The date of implementing the Federal Government’s own IT solution was unclear.

We called for a speedy development of the necessary IT system, which is a prerequisite for state-of-the-art administration of insurance tax. We urged the Federal Ministry of Finance to strive for independence from Bavarian assistance still in 2015.

The Federal Ministry of Finance admitted the need for functional IT support but argued that it was necessary first to draw on external expertise in order to develop an appropriate technical concept. The Ministry argued that the contract for such consultancy would probably be awarded in 2015 and that it was impossible to estimate when the technical concept could be implemented. In any case, the Federal Government would have to rely on Bavarian technical assistance in 2015.

Since the 2009 Federalism Reform, insurance tax is the exclusive domain of Federal Government. We would have expected that the Federal Government would use this amendment to demonstrate its capabilities in the field of tax administration and IT support. Against this background, we consider progress made so far and expected for the coming years as dissatisfactory. It is likely that, in 2016, the Federal Government will still have to rely on the costly support from Bavaria for the collection of insurance tax. We demand that the Federal Ministry of Finance not permit any further delays and take speedy action to ensure appropriate IT support. The target should be to become independent from the support of any state government for collecting insurance tax by 2017.


Good Practice Note 08/06: Stockpiling of IT equipment


(1)     Departments and agencies should not procure IT equipment in excess of
their current needs.

(2)     They should speedily sell old IT equipment if doing so is profitable



Assets may only be acquired where they are needed to fulfil federal government tasks in the foreseeable future (Art. 63 FBC). The requirement of efficiency has to be complied with in budget execution (Art. 7 FBC).

Stockpiling new IT equipment necessarily ties up budget funds and causes interest losses. Furthermore, part of the guarantee period is wasted. Departments and agencies cannot benefit from later price reductions or enhancements of performance.

Departments and agencies also must comply with the principle of efficiency in the disposal of IT equipment no longer needed. Non-compliance with that principle exists where IT equipment no longer used is stockpiled over years in large quantities instead of selling it speedily. The longer the storage, the lower are the proceeds that can be obtained by sale. Prior to any sale, it is necessary to ensure that the expenditure needed to refurbish the IT equipment for sale is not disproportionate to the proceeds of sale likely to be obtained. An exception list (annex 4 on the guidance for period of use, discarding and sale of IT hardware and software) determines the types of IT assets where a sale can be dispensed with.

(1)     During our audits, we found a number of cases in which departments or agencies stored their IT equipment for months or years. In individual cases, new hardware was procured, although hundreds of items of the same kind were still held in store.

Departments and agencies stockpiled too many new IT hardware items. They had not analysed the need for a replacement reserve and therefore did not take the following aspects into account:

  • number of IT workplaces,
  • structure of the department or agency (field offices),
  • different types of hardware,a
  • vailability requirements in line with operations (separate for different branches of operation) and
  • terms and conditions of service and guarantee (e.g. duration of the guarantee, replacement on the next workday.

We pointed out that the framework contract available on the federal e-awarding and ordering platform (“federal department store”) offers the possibility to procure IT assets at short notice without an expensive and time-consuming tendering procedure. One agency renounced the stockpiling of new IT equipment. In view of delivery deadlines shorter than two weeks, it requested IT assets under framework contracts when needed.

(2)     Departments and agencies often sold their discarded IT assets belatedly. They stored large quantities of such assets for several years. The Customs Auction provided the opportunity to sell IT equipment. The proceeds generated by sale depended essentially on the age of the IT assets. Departments and agencies were able to obtain high proceeds, if they sold IT assets immediately.


The panel of IT officers of the federal departments has taken up our advice. It adopted the guidance on the duration of use, discarding and sale of IT hardware and software on 6 December 2013, thereby imposing requirement for the stockpiling of IT assets on all federal departments and agencies.


Good Practice Note 08/05: Rental/Leasing of workplace IT


(1) Federal entities are obliged to carry out an efficiency/investment appraisal in order to ascertain whether buying, renting or leasing is the most cost-effective option for providing workplace IT (e.g. personal computers and printers). In doing so, they must take the required minimum useful life into account.

(2) The German SAI has found that, for the federal administration, purchasing such workplace IT is usually more cost-effective than renting or leasing it.


The execution of the budget must comply with the principles of efficiency and economy. Adequate efficiency/investment appraisals have to be carried out for all measures having a financial effect (Art. 7 Federal Budget Code).

In the years 2003 and 2004, the German SAI audited rental and lease contracts for information technology in two federal entities. Subsequently, it reviewed further rental and lease contracts at numerous federal entities in the years 2005-2007. It based its assessments of these contracts on the assumption of a minimum useful life of five years as stipulated for the federal administration by the IT Council.

The audit did not cover renting and leasing of photocopiers and multi-functional hardware (copier, scanner and fax machine combined).

(1) The entities had not appraised cost-effectiveness prior to making the contracts or had done so inadequately. The minimum useful life for workplace IT of five years obligatory for the federal administration was significantly undercut in most rental or leasing contracts.

(2) The German SAI found that all rental and leasing agreements for workplace IT were uneconomical in comparison to purchase, because the purchase prices apportioned over the rental or leasing term and the premiums charged by the lessors for their profits, financing interest charges and administrative costs. Some authorities extended the contracts and acquired the previously rent hard and software against the payment of residual values after termination of the lease.


In 2007, the Public Accounts Committee (PAC) of the German Parliaments Budget Committee endorsed the German SAI’s findings by urging the audited entities:

  • to terminate rental contracts;
  • to make new rental and lease contracts only where these are cost-effective and
  • to use computers at least five years.

In 2008, the PAC demanded that the audited entities should

  • buy information technology, renting it only justified and economically sound exceptional cases and
  • wherever possible, should use computers longer than the minimum useful life of five years prescribed for the federal administration.


Good Practice Note 08/04: Procurement of IT


(1) The binding principles of the procedure for the procurement of IT have been compiled in the document entitled IT Procurement Foundations. The application of that document leads to the uniform and transparent preparation, implementation and documentation of invitations to tender for the supply of IT goods and services.

(2) Exceptions from the principle of public invitation to tender, e.g. restricted invitation to tender and negotiated contract are only admissible, if this is justified by special circumstances or by the nature of the transaction. A contractor’s special IT expertise derived from earlier contract work does not justify the exclusion of other bidders from the competition.

(3) Change requests jeopardise the clarity of IT projects and increases the risks of project failure. Moreover, they often lead to considerable additional costs. They may not be used to circumvent procurement regulations in order to retroactively and significantly increase the contract volume.


As a matter of principle, public entities have to award contracts after public invitation to tender (Art. 55 Federal Budget Code, Art. 3 Regulations on Contract Awards for Public Supplies and Services - Part A). The document entitled IT Procurement Foundations ensures a uniform approach and methodology especially for IT procurements. Federal entities are obliged to use the Foundations when procuring IT.

(1) In the course of its audit, the German SAI found that federal entities regularly did not comply with the Foundations when procuring IT goods and services. They repeatedly awarded IT contracts by negotiated procedure without competition but documented the reasons for doing so only inadequately or not at all.

(2) Entities frequently argued the special IT expertise a contractor had acquired when performing earlier contracts as a reason for omitting invitations to tender. Nevertheless, such expertise acquired by a contractor while performing earlier contracts must not lead to the a priori exclusion of potential other bidders from competitive bidding.

(3) Deficiencies in the functional specifications of IT projects frequently resulted in change requests during the development phase of IT projects. These implied considerable project delays and higher costs. The contracting authorities should ensure that the tender documents describe the supplies and/or services to be provided as precisely as possible.


Good Practice Note 08/02: Needs analysis for IT projects


(1)     Prior to planning new IT projects, authorities need to precisely analyse their needs, taking regard to the requirement of economy.

(2)     When planning new IT projects, authorities need to define the goals to be accomplished by the IT project and to analyse and optimise the business processes to be supported.

(3)     Especially in the case of e-government services, authorities first need to identify the requirements, expectations and, where applicable, problems of the target groups. The primary concern has to be the benefit expected by the recipient of the service (citizens, the business community or other public entities). To this end, it is not sufficient to ask the providers of e-government services what benefits they expect for the recipients.

(4)     A careful analysis of needs is the basis for an efficiency appraisal.


When preparing and executing the federal budget, federal departments and agencies may only estimate and incur expenditures that are necessary to fulfil Federal Government functions (art. 6 FBC). “Needs” that are not absolutely necessary or even superfluous may not be covered by the budget.

According to the Document for the Tendering and Evaluation of IT Services, federal departments and agencies shall precisely plan the resources needed for a new IT project. This requires an analysis of the actual status and a target plan. The latter describes the organisational, technical and staffing needs and indicates alternative options for covering needs. Needs have to be precisely defined on the basis of minimum requirements.

The guidance on Needs Analysis and User Survey for E-Government Services issued by the Federal Ministry of the Interior recommends various direct and indirect methods of survey and analysis.

(1)     In the course of our audits, we found that federal departments and agencies did not carry out adequate prior assessments of necessity before launching IT projects. Since the authorities frequently defined the need for IT support imprecisely or not at all during the preparatory stage, they were unable to base their assessment on minimum requirements.

(2)     We frequently found that federal departments and agencies rarely ever defined the goals to be achieved by the IT projects. This rendered later project results evaluations difficult or impossible. Departments and agencies often did not study the business processes underlying the IT projects or did not optimise them after the studies. This resulted in frequent cases where suboptimal processes were supported by IT and conserved.

(3)     According to our findings, the degree of utilisation of e-government services fell short of the overly optimistic expectations of the departments and agencies. The reason for the poor distribution and use was an unfavourable cost-benefit ratio for the recipients of the service. The low degree of the utilisation of e-government services resulted in lower monetary benefit for the Federal Government. Thus, the respective IT project often provided poor value for money. Only in a few cases had federal departments and agencies conducted prior surveys of the requirements, expectations and potential problems of the prospective users of the e-government services. Instead, they surveyed suppliers/providers of IT and IT decision-makers in the departments and agencies in order to assess potential benefits. However, such surveys of suppliers or providers cannot substitute surveys about the requirements of prospective users. Therefore, federal departments and agencies were unable to realistically forecast periods of implementation and market penetration or degrees of utilisation.

(4)     Since needs analyses were frequently lacking, efficiency appraisals (art. 7 FBC) were informed by wrong assumptions and led to erroneous results.


Good Practice Note 08/01: Management of software licenses


(1) Each department and agency must keep an inventory of its licensed software.

(2) By their software licence management, departments and agencies must ensure that they do not use more software than permitted under copyright law. They also should purchase only the software they need.

(3) To ensure an effective management of software licenses, regulations must be in place in each department and agency governing the procurement and use of software as well as the drawing up and maintenance of the software inventory.

(4) The software in place has to be regularly checked against the recorded inventory.


Software is protected by the Copyright Act. Under-licensing contravenes the Copyright Act and an offender may have to face criminal proceedings and/or claims of damages by the copyright owner. Such an offence is being committed where a department or agency possesses fewer licenses than copies of software it has installed.

Over-licensing of software contravenes the efficiency requirement of Art. 7 of the Federal Budget Code. It exists where a department or agency holds licenses in excess of the software copies it has installed.

Departments or agencies can avoid over-licensing or under-licensing, if they have, at any time, an overview of the software licenses bought and regularly check these against the actually installed licenses.

(1) In the course of its audits, the German SAI found that departments and agencies rarely kept inventory records of the software licenses, some of which were quite expensive. Moreover, the inventory records often did not provide an adequate audit trail; they often consisted of spreadsheets that did not permit the verification of who had entered, changed or deleted data.

(2) Furthermore, the German SAI found that departments and agencies often did not have in place centralised management of their software licenses. They purchased software licenses, although they owned licenses in other parts of their organisation. On the other hand, more software copies were installed than licenses held due to lack of information about the number of the software licenses already installed.

(3) There often was a lack of precepts about the handling of storage devices and licence certificates. Original storage devices and licence certificates were partly kept locally in the organisational units that used the software. Only in very few cases were centralised inventory records in place to provide information about where the software and the pertaining licence certificates were kept after purchase. Due to the differing quality of the decentralised inventory lists, departments and agencies lacked complete overview of their inventory of software licenses which would have been the necessary prerequisite for the cost-effective purchase of licenses. It was difficult to identify licence violations.

(4) Only infrequently did departments compare the licenses used with the licenses procured. In order to avoid a licensing surplus or shortage, a regular comparison needs to be made between the licenses purchased, the licenses installed and the licenses needed.


2014 Annual report No. 74 - Advances in the evaluation of automatic risk management

The Federal Ministry of Finance took up our recommendation to improve the evaluation of automatic risk management in employees’ income tax assessment. It took corrective action in the evaluation or aims at remedying deficiencies. In addition, it intends to exercise its federal supervision more actively than in the past.

The tax authorities process the employees’ tax returns by means of an automated risk management. A programme-controlled risk filter decides whether the income tax is automatically determined or whether tax office staff select cases for review. In order to ensure an equal and legal taxation, risk management needs to be constantly evaluated. For this purpose, the states develop data supposed to give information on the risk management’s effectiveness which are known as standard evaluations.

We found that standard evaluations were based on incomplete and at times inaccurate data, a fact which can be attributed to conceptual inaccuracies and programming errors. Furthermore, the data were not proper for a national evaluation.

The Federal Ministry of Finance did not gather sufficient information on the evaluation by the states and could not appropriately assess the risk management’s effects on the tax enforcement. We believe that the Ministry exercised its federal oversight function only insufficiently.

We pointed out that the standard evaluations were only partly reliable due to the deficiencies found. This may affect the evaluation results and thus lead to undesirable developments of the risk management. In a number of cases, an equal and legal taxation would not be ensured. We therefore demanded that the standard evaluations be improved. Furthermore, we recommended to the Federal Ministry of Finance to more actively exercise its federal oversight function.

The Federal Ministry of Finance took up our recommendations. Some deficiencies of the standard evaluations have already been remedied, others have been addressed by the federal government department. Moreover, it intends to monitor the risk management’s evaluation more closely. We believe that the initiated or implemented steps can enhance refining automated risk management.


2014 Annual report No. 70 - Finally updating the central information system for VAT control

The German part of the information system for VAT control in the European Union is obsolete. However, an efficient exchange of information between fiscal authorities is a key element of the control in order to prevent tax losses and fraud. The Federal Ministry of Finance therefore has to provide for the information system’s immediate update after eight years of planning and previous unfulfilled promises for completion.

In the case of the intra-Community movement of goods between traders, despatches to other EU Member States are exempt from tax for the selling trader. The purchaser has to pay VAT for the imported goods in the country of destination. For monitoring the compliance with this requirement, the Member States’ tax administrations exchange information on intra-Community supplies and purchasing transactions. In the 1990s, the VAT Information Exchange System (VIES) was set up for this exchange of data.

The responsible Federal Ministry of Finance has known for a long time that the German part of the system is obsolete and lacks user-friendliness. An update until 2009 was already proposed in 2006 but remained unsuccessful. In 2011, the federal government department still developed a detailed strategy for the update. We therefore demanded in our 2011 annual report that the update be completed immediately. The federal government promised the Public Accounts Committee to complete the updated system (VIES-neu) by 30 June 2014.

In April 2013, however, the federal government department postponed further implementation of VIES-neu for at least two years. We criticised the new delays and referred to the Public Accounts Committee’s clear decision.

The federal government department admitted that VIES-neu had to be implemented immediately. It stated that the development, however, had to be postponed in favour of priority projects but it intended to use all possibilities resulting from available resources for an accelerated implementation.

We consider this declaration as insufficient. After eight years of planning, VIES-neu has to be implemented immediately. The federal government department’s reference to other projects does not justify the postponement. All IT systems required for fighting tax losses and VAT fraud have to be developed. We therefore demand that a binding overall planning for the information system’s update be established by the Federal Ministry of Finance. The planning should include clear deadlines and milestones. The federal government department has to carry out regular reviews, and, if necessary, make adjustments.


2014 Annual report No. 03 - Risks in the operation of IT systems relevant for payments

The management of federal budget funds is vulnerable to partly considerable risks in the IT systems of the fund-managing entities that are connected to the Federal Government’s central accounting system. Our auditors found large infringements of applicable regulations, e.g. non-compliance with the cross-check principle or excessive user rights. The IT systems often did not meet the requirements of information security in connection with operations. Together with the responsible line ministries, the Federal Ministry of Finance must speedily reduce the risks.

The computerised system for federal budgeting, cash management and accounting (financial management system) is the Federal Government’s central accounting system. Hundreds of users from federal, state and local government are connected to this financial management system by their own computerised systems (IT systems) via electronic interfaces. In this way, they manage federal budget funds, e.g. by arranging for disbursements. At present, more than 1,000 different payment and accounting systems are connected to the federal financial management system. As a rule, the funds’ managers are not required to seek permission for establishing such connection. It is sufficient if they notify the Federal Ministry of Finance of their IT system and certify that they comply with the minimum requirements promulgated by the Federal Ministry of Finance for the use of computerised procedures in connection with the federal financial management system. These minimum requirements call for elementary organisational and technical controls to ensure operational regularity and information security. In particular, this includes a security strategy, administrative instructions, separations of functions and the cross-check principle. Responsibility for the compliance with the requirements lies with the respective supreme federal authority.

Nearly all managers of federal funds audited by us did not comply with the minimum requirements established by the Federal Ministry of Finance. Apart from risk analyses of the systems, a lack of arrangements for security, data protection, data security and contingency plans for system failures have been noted. In most cases, unauthorised users – including external consulting firms – were able to make accounting entries in contravention of the cross-check principle and to change banks accounts data and system settings. The automatic logging of data changes was not effective as compensatory control because the same users were frequently able also to delete system logs, records of changes or bookkeeping data. In the course of systems operations, the funds’ managers rarely checked whether the IT systems were meeting the minimum requirements set by the Federal Ministry of Finance. They either lacked the necessary risk-consciousness or degree of IT literacy for assessing the risks.

We perceive an urgent need for action. The responsible entities must quickly identify and eliminate the risks inherent in the operation of the IT systems of the fund-managing entities or at least limit them to an acceptable level. Responsibility for compliance with the Finance Ministry’s minimum requirements does not only lie with the supreme federal authorities and the financial management officers. Being the department responsible for the budget, the Federal Finance Ministry has a comprehensive co-responsibility. It must urge consistent compliance with its minimum requirements. We shall step up our audit work on this issue.


2013 Annual report - spring report - No. 10 - Electronic communication of notarial deeds to tax offices is long overdue

Up to the present, notaries are obliged to forward deeds about legal transactions concerning incorporated companies to tax offices as printed format rather than electronically. This impairs the necessary exchange of information. In our opinion, it is necessary and feasible to introduce electronic communication of these deeds without delay. The Federal Chamber of Notaries had submitted proposals to this effect already in 2007. However, these proposals have not yet been implemented. The Federal Finance Ministry should advocate the change in the relevant joint bodies of Federal Government and state government representatives.

Already in 2007, the Federal Chamber of Notaries had suggested to the Federal Finance Ministry to forward deeds about incorporations and certain other legal transactions concerning incorporated companies to tax offices electronically and no longer as printed format. The Federal Finance Ministry then stated that, in principle, this proposal could be implemented in the IT system in place. This has not been done so far.

The current paper-based procedure that is still in use impairs the necessary information exchange. In 2011, we therefore recommended introducing electronic communication of such deeds. The Ministry told us that, before implementing the proposal, it wished to wait for the experience gathered with the technical implementation of another communication procedure. It went on to say that the objective was not only to forward the communications electronically but also to process them by computer. This preparatory phase is still under way.

Already since 2007, notaries have forwarded such deeds to the commercial register electronically. Arranging for their electronic forwarding to the tax offices would have been feasible years ago. Processing there would be significantly facilitated, even if the deeds could not yet be processed completely by computer.

We therefore hold that the electronic communication of such deeds – independent of any other communication procedures – is both necessary and feasible and could be speedily introduced. The Federal Finance Ministry should be committed to switching to electronic communication in the relevant joint bodies of Federal Government and state government representatives.


2013 Annual report No. 56 - Armed Forces pay salaries to newly recruited soldiers inaccurately

The Armed Forces inadequately checked the salary payments to their newly recruited military personnel. 2,000 soldiers received inaccurate amounts of pay. The new IT payroll system does not meet the technical requirements for ensuring that salaries are paid in correct amounts. Therefore, the Federal Defence Ministry should complement the IT system by controls and introduce electronic payroll records.

Based on our audit findings, we had recommended that the Federal Defence Ministry verify the salary payments. When doing so, the Ministry found that nearly 2,000 soldiers had received incorrect, usually too low amounts of pay. The new IT payroll accounting system (SASPF) does not permit a centralised verification of the salaries paid to the soldiers. The Armed Forces keep hardcopy payroll records for their soldiers at several locations. Therefore, a manual ex-post check of the payments involves a large administrative burden. Additional checking functions and soft copy pay records could remedy this deficiency. Due to financial considerations, the Armed Forces have not yet introduced electronic pay records.

The Federal Defence Ministry is obliged to ensure the accurate payment of military salaries. It should make arrangements that personnel expenditure can be verified with a reasonable administrative burden. To do so, it should complement SASPF by verification functions and introduce electronic payroll records.


2013 Annual report No. 53 - Armed Forces still have no modern system for tracing materiel in place

In the 1990’s, the Armed Forces repeatedly attempted to implement an effective system for tracing materiel. These efforts have not been successful so far. In the latest instance, they invested €5 million into a separate IT system for their Afghanistan mission. However, this system turned out to be impracticable. Now they intend to spend more than €8 million on commissioning a civilian contractor to monitor the backflow of materiel from Afghanistan. Nevertheless, the efficiency of the Armed Forces’ materiel management remains limited.

To perform their mission, the Armed Forces have to move and trace materiel worldwide. An IT system for tracing materiel from commissioning up to consumption or decommissioning is to be implemented. We repeatedly found that, especially in connection with missions abroad, the Armed Forces were not able to ensure the necessary transparency of the movement of materiel. With the support of our Munich field office, we looked into the Armed Forces’ system for tracing materiel in 2012.

In the year 2000, the Armed Forces had decided to implement their standard management software (SASPF) also for their materiel management. Since then, they have equipped selected logistic units in Germany with the appropriate systems. However, so far, these systems only support depot management and do not have the capability of tracing shipments or airlift routes.

In 2004, the Armed Forces procured a system costing €5 million for tracing materiel in connection with supplying German troops in Afghanistan. They did not participate in the system used by other NATO Member States. The Armed Forces intended to later integrate their own tracing system into SASPF. They spent the funds of more than €12 million appropriated for this purpose on other partial projects. Since further investment would have been required, the Armed Forces decided to discontinue the use of the system effective from 2011. They now intend to use the support of a commercial contractor for bringing back materiel from Afghanistan. This contractor is to ensure, by means of his own technology and at a total cost of €8 million, the tracing of the return to Germany of about 4,800 containers and 1,200 vehicles.

In our assessment, the steps so far taken by the Armed Forces to improve the tracing of their materiel have been incoherent and inadequate. We perceive an urgent need for the Armed Forces to integrate a system for tracing materiel into SASPF. In our opinion, separate solutions not integrated into the Armed Forces’ logistic system are inefficient. Only by integrated materiel management will the investments add value in the long term.


2013 Annual report No. 34 - Federal Employment Agency spends up to €2.6 million annually for unnecessary document scanning capacity

The Federal Employment Agency had unemployment insurance documents digitised. When contracting out the corresponding services, it failed to accurately specify the quantities of documents to be captured. As a consequence, the capacity made available exceeded the Agency's actual needs. Annual lump-sum costs incurred for the allocated capacity totalled up to €2.6 million. We demanded that the Agency only pay for services actually needed. In a possible renewal contract, the Agency needs to provide for the relevant amendment.

The Federal Employment Agency wished to introduce electronic files for unemployment insurance issues and child benefit offices. It therefore awarded a contract to a contractor for digitising services. The service provider charges an annual lump-sum for the allocation of digitising capacity.

We found that the amount of documents which the Agency had in fact digitised was significantly lower than originally planned. Nevertheless, the lump-sum paid for the capacity allocated remained unchanged as the contract did not provide for subsequent amendment. For this reason, the Agency is obliged to pay an annual amount of up to €2.6 million for the provision of digitising capacity not needed.

We demanded that the Agency only use its budget funds for procuring the digitising capacity that is actually needed. To this effect, it needs to clearly and consistently specify the type and amount of documents to be processed.

We expect the Agency to amend the inefficient contract accordingly prior to its possible renewal.


2013 Annual report No. 33 - German Occupational Safety and Health Exhibition intends to increase its outreach efforts by providing online services

The Federal Institute for Occupational Safety and Health operates the German Occupational Safety and Health Exhibition located in Dortmund. By offering supplementary online services, the Institute intends to enhance the exhibition's outreach to stakeholders all over Germany.

The German Occupational Safety and Health Exhibition is, in particular, designed to inform the public about the importance of organising work in accordance with employees' needs. In 2013, expenditure of more than €8.5 million has been appropriated for the exhibition.

Each year, the exhibition was visited by 150,000 to 190,000 visitors. Although the exhibition was targeted at people from all over Germany, a huge majority of its visitors came from the immediate vicinity or closer surroundings. Until 2012, the exhibition's website contained visitor information and a calendar of upcoming events. Educational films, e-learning courses or other online services of this kind were, however, not provided.

We recommended that the Institute make available adequate educational services on the Internet to share part of its relevant knowledge and expertise, thus creating a significantly larger, nationwide impact.

At year-end 2012, the Institute redesigned its website and ensured that information provided was more in line with the interests of individual target groups. Apart from the contents that have already been available before, it is now also possible to download files for preparing teaching units in schools. The Institute intends to expand its Internet service by adding more photos, video clips and more advanced subject matter papers.

We hold that the supplementary online presentation of learning contents is suitable for improving the outreach to stakeholders across Germany. The Institute should evaluate if and to what extent this approach helps to achieve this goal.


2013 Annual report No. 32 - Following our audit, Federal Insurance Office obtained reimbursement of IT expenditure totalling almost €500,000

After our audit work, the Federal Insurance Office was refunded an additional amount of nearly €500,000 from the Health Fund for the years 2009-2011.

Since 1 January 2009, contributions paid by individuals insured under the statutory health insurance programme as well as the corresponding federal grant flow into the Umbrella Health Fund, which allocates lump-sums to health insurance institutions to help them cover their expenses. The Health Fund is managed by the Federal Insurance Office. Expenditure incurred by the Office due to its management function is to be reimbursed from the Health Fund.

Before our audit, the Office stated its refundable IT expenditure inconsistently and inadequately or not at all. Acting on our recommendation, the Office developed a strategy for IT expenditure accounting in connection with the Health Fund. It checked all statements of accounts and identified the outstanding amount for the years 2009-2011.

We expect the Office to consistently apply and, where necessary, update its new strategy for IT expenditure accounting.


2013 Annual report No. 25 - Federal fiscal administration reduces risks related to electronic salary systems operated by service providers

The Federal Ministry of Finance specifies the rules of procedure for salary processing. This helps to reduce risks related to transmission errors and manipulations in connection with electronic salary systems operated by service providers. For instance, such payments may not be authorised by one staff member alone.

We found deficiencies in the authorisation and recording of salary payments, which are due to risks involved in computer-assisted salary payment systems operated by service providers. Where these risks materialise, salary payments could be unlawfully authorised over a period of several years.

If the documents substantiating the payments in question, such as performance appraisals, work time records or drivers' logbooks, are not fully submitted to the service provider, the personnel management service is required to duly ensure and document the accuracy of the facts and of the accounts. Furthermore, personnel management staff in charge needs to have access to salary data of all staff.

Our audit findings and recommendations have prompted the Ministry to refine the rules of procedure for salary processing. In particular, it has established clear rules for compliance with the cross-check principle, according to which two staff members need to certify the accuracy of the facts and authorise payments. In addition, the Ministry intends to implement a new IT application to grant the personnel management services access rights to pay slips. This will help to reduce risks related to transmission errors and potential manipulations that might lead to excess staff expenditure for an indefinite period of time.


2013 Annual report No. 20 - Federal Interior Ministry merges automated border checks to a single system

Following our recommendation, the Federal Interior Ministry will develop a single system of automated border checks by 2014. Under this system, the Federal Police identifies travellers by means of the digital photograph in the electronic passport and thus can renounce the expensive procedure of identifying individuals by means of an iris scan. This will lead to one-time savings in capital expenditure of €2 million and subsequent annual operating costs of €200,000.

The Federal Interior Ministry currently operates two systems for automated border checks on a trial basis at Frankfurt Airport. These systems are designed to reduce staffing needs and accelerate border checks. They rely on biometric data.

The fully automated ABG (Automated Biometrics-Supported Border Control) system identifies travellers by iris scan, whereas the partly automated EasyPASS system is based on the digital photo in the electronic passport. The Ministry intended to expand both systems. Non-recurring capital expenditure of €2 million and annual operating expenses of €200,000 had been earmarked for the ABG system.

We found that the Federal Police had neither carried out capital expenditure appraisals before nor during the two projects. In particular, it had failed to evaluate target achievement perspectives prior to deciding on the system expansion. Moreover, our audit evidence shows that ABG user numbers have declined.

We recommended evaluating the effectiveness of both systems. The Federal Interior Ministry and the Federal Police followed our recommendation and had real-time project evaluations carried out. They found that only EasyPASS was cost-effective and therefore pledged to exclusively focus on this system. Data of travellers participating in the ABG system are to be migrated to the EasyPASS system by year-end 2014.


2013 Annual report No. 05 - Parallel development and operation of human resources management systems is inefficient

The Federal Government has failed to develop an overall plan for human resources management systems (HR systems) in federal departments and agencies and to coordinate the relevant efforts. As a result, departments and agencies have since 1996 developed and operated four large and many small systems that are among each other incompatible and inadequately at a cost in the range of a 9-digit euro amount. This lack of standardisation makes the necessary restructuring in the federal administration more expensive and difficult.

HR systems support human resources planning, recruitment, allocation, development, payroll accounting and management.

These tasks are largely identical in all departments. Nevertheless, these did not agree common standards for their HR systems. Some used the same and some different technologies and products. There was duplication in the development of components. As a consequence of incompatible HR systems, transferring part of human resources management of the Armed Forces to the Interior Ministry and the Finance Ministry has become difficult and more expensive.

The Federal Government needs to develop measurable goals for merging its HR systems and implement them in a consistent and efficient way. Moreover, it has to set up an appropriate interdepartmental steering system for federal IT.


2012 Annual report - spring report - No. 01 - Unresolved software security problems of new electronic identity card

More than two years after the introduction of a new identity card with electronic identification function, the Federal Office for Information Security still leaves the holders of identity cards in doubt about whether they can use the pertinent software without risks.

Since 1 November 2010, the authorities responsible for issuing the new identity cards have issued these with electronic identification functions. The new identity cards enable their holders to identify themselves in dealings with public authorities or third parties. To do so, they have to use the identity card application and other software, e.g. administration software and internet browser. Citizens are to make sure that they only use software for the electronic identification function which has been certified by the Federal Office. The Federal Office must classify the software as safe for identification purposes.

The Federal Office only offers the non-certified software for electronic identification. The Federal Office provides advice to potential users on the fact that the software is not certified as safe. Moreover, the Office has not published any security evaluation for the further software. If citizens use the non-certified identification application and the other software without security evaluation, they may incur liability risks.

They must have the assurance that software provided by the Federal Government meets legal requirements and can be used without the risk of incurring liabilities. If the Federal Office omits certification, the Office must draw attention to this fact.

The Federal Interior Ministry holds the opinion that the certification called for by the Ordinance on Identity Cards and Electronic Identification permits that “derogation” was possible “in certain exceptional circumstances”. The Ministry argued that certification was not necessary in this special case, because the Federal Office was developing the software under its own responsibility.

We demanded that the Federal Office certify the software for the electronic identification function and evaluate the safety of the other software.


2012 Annual report No. 84 - Procedure for the refund of input VAT to foreign traders must be improved

Foreign traders may claim refund of VAT which they paid in Germany. The procedure for such refund is error-prone and involves a large administrative burden. This resulted in processing backlog and interest payable. The Federal Finance Ministry should make good its announcement to implement organisational improvements and should upgrade the IT system.

Subject to certain conditions, traders domiciled abroad may claim the refund of VAT paid in Germany. The claims are processed by the Federal Central Tax Office by means of a largely computerised procedure.

In the course of our audit, we found that staff had to use four different special IT programmes and databases in order to consider a claim. The procedure thus was error-prone. There were large processing backblocks. The numbers of claims assigned to individual staff members were unequal. In many cases, interest was payable on the claims to be refunded because the Office was not able to process the claims within the prescribed deadline. In the IT system, staff was not able to identify the total amount of all interest payments. From January 2010 to June 2011, the Office paid a total amount in excess of €8 million only for cases in which it had to change its administrative ruling concerning the claims. The cases detected so far have shown that the procedure for the refund of input VAT involved a large risk of fraud. The causes were electronic processing and the large number of claims. The IT system did not allow for risk-oriented processing.

We recommended that the Federal Finance Ministry improve the IT system and reallocate responsibilities among staff. Thus, the Office is able to reduce the large processing backblocks, to avoid interest payments and to reduce the risk of fraud.

The Federal Finance Ministry should speedily implement the organisational and IT improvements. To this end, it should without delay make sure that the staff can identify the total amount of all interest payments by means of the IT system.


2012 Annual report No. 60 - Urgent need for regulations on IT security in the Federal Armed Forces

Contrary to a commitment made to Parliament, the IT security regulations of the Federal Defence Ministry are not up to date. It has not taken regard to changes resulting from cooperation with an IT company and has not included cross-departmental standards.

The Federal Defence Ministry has issued a service regulation on IT security for the Ministry and the military and civilian entities of the Federal Armed Forces. The Federal Office for Information Security develops cross-departmental standards on the security of information technology and regularly updates these in line with the state of the art in IT security. In 2006, the Federal Defence Ministry had committed itself vis-à-vis the Public Accounts Committee to applying the standards of the Federal Office for Information Security. Nevertheless, it did not incorporate these standards into its regulations.

Since March 2007, an IT company has modernised and operated the administrative and logistic IT of the Federal Armed Forces. While this entailed changes in the processes and responsibilities for IT security, the Ministry failed to adapt its IT security regulations accordingly. This resulted in an unclear allocation of responsibilities between the IT security officers and the IT company and impedes IT security officers in the discharge of their functions, e.g. security inspections and checks of cases in which a breach of the security regulations was suspected. No guidance was issued to describe the modified functions and procedures.

The Ministry stated that it had drafted a new service regulation into which the IT security standards promulgated by the Federal Office for Information Security were to be incorporated and made obligatory for the Armed Forces. In this draft service regulation, the Ministry would also more clearly define the functions of security officers and issue relevant guidance. However, the Ministry added, the IT security officers could carry out security inspections or investigate potential infringements of the security regulations only in conjunction with the IT company.

We expect the Ministry to honour its commitment to the Public Accounts Committee and to adopt the cross-departmental standards of the Federal Office for Information Security as obligatory. Furthermore, the Ministry should accurately define the remits of IT security officers and develop relevant guidance. Furthermore, we consider it necessary to ensure that IT security officers can discharge their functions without lengthy coordination with the IT company.


2012 Annual report No. 35 - Inadequate management of electronic archiving of pension files causes millions of euros in extra cost to the German Federal Pension Insurance

The German Federal Pension Insurance determined procedures and responsibilities for the electronic archiving of part of its pension files either not at all or belatedly. In October 2006, the governing board of the Federal Pension Insurance decided to have four million pension files archived electronically because the files were stored in an archived building on premises which the Federal Pension Insurance intended to use for other purposes. Due to delayed project inception and since the archive building was no longer fit for use, it became necessary to lease another building in order to store the pension files for a longer period of time. This causes additional expenditure of €1.7 million annually.

In October 2006, the governing board of the German Federal Pension Insurance opted for the electronic archiving of four million pension files, equivalent to one third of the total number of files held. The reason was that the archive building required renovation and that the Federal Pension Insurance intended to use the premises for other purposes. Electronic archiving was to be performed by redundant staff of the Federal Pension Insurance, whose employment could not be terminated at short notice. Therefore, the Federal Pension Insurance assumed that the project could be carried out without any additional burden on its budget.

At the same time, the Federal Pension Insurance intended to introduce electronic case processing. This was later to be extended to the processing of pension claims. Therefore, it had to take numerous fundamental decisions, delaying the start of electronic archiving of pension files. Meanwhile, it nearly terminated the employment of nearly all redundant staff. Therefore, electronic archiving was not done to the extent originally planned. As a result, the Federal Pension Insurance leased a new archive building in August 2010. The annual rent for these premises is €1.7 million and they are expected to be used for about ten years.

We pointed out that neither the executive directors, who are responsible for the day-to-day management of the Federal Pension Insurance nor the governing board paid adequate attention to electronic archiving. They determined procedures and responsibilities for this project either not at all or belatedly. They did not effectively intervene when delays occurred. Had they done so, the lease of another building for the storage of pension files could have been avoided.

The Federal Pension Insurance should without delay develop an overarching strategy assigning responsibilities for the electronic recording and processing of its pension files and imposing deadlines and reporting duties vis-à-vis the governing bodies.


2012 Annual report No. 27 - Grave shortcomings in procurements and management of IT assets of the Federal Insurance Office

The Federal Insurance Office repeatedly infringed procurement rules when purchasing IT assets. It could account for only part of its IT assets. Many items of IT equipment could not be located. In an audit carried out in 2005, we had found similar deficiencies. The Federal Insurance Office did not honour its promise then made that it would remedy these deficiencies.

Assisted by our Koblenz regional audit office, we audited the procurement and management of the IT assets of the Federal Insurance Office in 2010.

We found that its accounting for IT assets continued to be inadequate. For instance, the whereabouts of 94 laptops recorded in the inventory were not known. The Federal Insurance Office frequently infringed procurement rules. From 2004 to 2010, it awarded contracts worth more than €1.8 million to a single contractor without inviting competitive tenders. No justification was given for this practice. In a number of cases, it awarded contracts to individual permanent suppliers at excess costs. Furthermore, the Federal Insurance Office frequently procured unnecessary IT equipment. For instance, ten staff members of the IT section had 27 mobile phone contracts and radio data transmission contracts at their disposal. In addition, each of them used between one and three notebooks.

We pointed out that the Federal Insurance Office did not honour its promise to remedy the deficiencies which were known since 2005.

We expect the Federal Ministry of Social Affairs to tighten its administrative and technical oversight, e.g. by conducting administrative audits of the Federal Insurance Office. The Ministry needs to ensure that the Federal Insurance Office remedies the deficiencies stated.


2012 Annual report No. 23 - National Metrology Institute of Germany does not comply with requirements for the use of information technology

The National Metrology Institute has failed to comply with requirements for the cost-effective and secure operation of its IT assets, although these requirements are binding on all federal departments and agencies.

The National Metrology Institute did not use the WiBeKalkulatorsoftware for its investments appraisals, although this software has been recommended for the federal administration and is available free of charge. Instead, it used a standard of its own to appraise the cost-effectiveness of projects. Its investments appraisals were poorly documented and did not give adequate prove of cost-effectiveness. No retrospective evaluations were carried out.

Staff of the Institute were able to access their official e-mail accounts by means of official and private smart phones via mobile communications networks. The Institute did not obtain the required approval of the Federal Office for Information Security either for the mobile communications network or for the smart phones.

While the Institute had a workforce of 1,800, it had more than 4,350 work station computers. It was not able to explain this excess of 2,550 computers. The Institute’s management of software licences was incomplete and flawed.

The Institute believes that its self-developed standard for IT investment appraisals is methodologically sound and cost-effective. It denied that its IT security was at risk through the use of the smart phones. It argued that the surplus of workstation computers was attributable to its mission as a research institution and that a comprehensive management of its software licences was impossible.

We demanded that, in future, the Institute make use of the WiBeKalkulator software that is free of charge for all federal departments and agencies. We recommend that the configuration chosen for the smart phones be submitted to the Federal Office for Information Security for checking and approval. We call upon the Institute to make a robust assessment of its needs for workstation computers and to put a comprehensive software licence management system into place.

On the whole, we expect the Federal Economics Ministry to ensure that the Institute complies with the requirements for the use of information technology in the federal administration. It must not tolerate that the Institute claims a special role by invoking its techno-scientific orientation.


2012 Annual report No. 22 - Deficiencies in inventory accounting for IT assets

Contrary to its promise, the Federal Office of Economics and Export Control has failed for seven years to implement our recommendations for the inventory accounting of its IT assets. Thus, it continues to render an incomplete and unauditable account on its IT assets. The Federal Economics Ministry failed to take the necessary steps to ensure that the Office honours its promise.

In 2005, our audit had revealed that the Federal Office of Economics and Export Control was not able to account for all of its IT assets. The Federal Economics Ministry and the Office then promised to remedy the problems stated.

When we carried out another audit of the Office’s IT in 2011 with the assistance of our Koblenz regional audit office, we found that accounting for IT assets was still inadequate. In many cases, an ID number for the items was missing. Locations of equipment were not accurately recorded. Costly search efforts were needed to locate hundreds of equipment items.

We pointed out that the Office failed to remedy deficiencies that were already known for seven years. We had expected the Federal Economics Ministry to take leadership to ensure that the Office complies with its promises.

Now, the Office has promised to use only one existing system for auditable assets accounting. The IT assets would be inventoried anew and the records would be passed on to the future asset-recording system. The Office stated that it had the data of one system printed out and arranged for them to be manually entered into the other system.

We consider the action taken by the Office as inefficient. We asked the Federal Economics Ministry to urge the Office to opt for a cost-effective way to manage its IT assets. Moreover, the Ministry has to reinforce oversight over the activities of the Office.


2012 Annual report No. 21 - Costs of IT-project doubled although range of functions was halved

From 2002 to 2010, the Federal Economics Ministry spent €3 million on an electronic archiving and document management system without using the system as provided for. Although the range of software functions was halved, costs have doubled.

The Federal Economics Ministry planned to adapt and use standard software by year-end 2005 for archiving and document management at a cost of €1.5 million. Thus, it intended to save about €16.5 million up to 2007.

Up to 2010, the Ministry spent €3 million on the project. In addition, further costs were incurred including costs of own personnel which the Ministry did not record. In the course of implementing the project, it halved the system’s range of functions and abandoned the goal of computerised sub-file processing. Thus, it can only achieve a small portion of the savings hoped for. The Ministry used even the reduced software only in some areas of activity in a pilot. Since 2006, it spent €600,000 on licences that it has not used to date. We believe that these deficiencies are attributable, among other factors, to inadequate project planning and steering.

The Federal Economics Ministry pointed out that its project planning became obsolete due to organisational changes in 2002. It said it continued to use the software in some areas of activity as a pilot and that the spare licences would be used when the system would be commissioned later on.

We expect the Federal Economics Ministry to carefully plan the next project stages. On this basis, it will have to consider whether and how to conclude the project with a reasonable result. If a continuation of the project is no longer economically viable, the Ministry must terminate it.


2012 Annual report No. 18 - Delays in the modernisation of the taxation software used by the local tax offices

There have been repeated delays in the modernisation and harmonisation of important software for the local tax offices. Under the KONSENS project, the Federal Government and the German states committed themselves in 2005 to jointly develop, procure and use uniform taxation software for the local tax offices. The Federal Finance Ministry must take rigorous leadership in the relevant bodies to prevent further delays.

As early as in 1989, the Federal Government and the states agreed to introduce uniform taxation software nationwide. The project FISCUS, which was launched in 1992, failed 13 years later. It had cost nearly €400 million and did not generate any serviceable products. As a result, the Federal Government and the states agreed in June 2005 on the KONSENS project. Under this project, all German states and the Federal Government committed themselves to jointly developing, procuring and using uniform software for the taxation process, for the prosecution of tax-related offences and penalty proceedings.

A central purpose of the KONSENS project is harmonising and modernising three key taxation procedures. We found that there were repeated delays in accomplishing this purpose. The Federal Finance Ministry was not able to submit a plan showing all work necessary to conclude the project.

We reminded the Federal Finance Ministry of the negative experience with the FISCUS project. We called upon the Ministry to exert pressure in the joint bodies formed to manage the project. The Federal Government and the states should focus more strongly on harmonising and modernising the three key procedures. To this end, the Federal Government and the states should get an overview of what work has still to be done and by when it has to be completed.

© 2019 Bundesrechnungshof