dzr
STATE AUDIT OFFICE
GUARDIAN OF PUBLIC FUNDS

The Integrated Resource Planning System Used by 40 Public Sector Institutions Lacks Full Module Integration and Adequate Data Protection

25.08.2025

STATE AUDIT OFFICE
Press Release
-

Skopje, 25.08.2025

The Integrated Resource Planning System Used by 40 Public Sector Institutions Lacks Full Module Integration and Adequate Data Protection

 

Undefined data ownership, lack of security policies, use of outdated operating systems, VPN access with shared passwords and no two-factor authentication, non-updated backups and insufficient module integration – are just some of the identified weaknesses that undermine the security, availability, and accuracy of financial data. The absence of system controls and human resources with adequate skills increases the risk of unauthorized access, technical failures and dysfunctional processes within the institutions that use the system.

 

 

The State Audit Office conducted a performance audit of information systems on topic “Integrated Resource Planning System – IPR system” to answer the question “Have measures been established and implemented for efficient and comprehensive data protection in the Integrated Resource Planning System?”

The Integrated Resource Planning (IPR) System is used by The General and Common Affairs Service of the Government of the Republic of North Macedonia to perform accounting and financial services efficiently and modernly for multiple state insitutions. Although the IPR system has been implemented since 2016, a legal act that regulates the rights and obligations of the Ministry as the system owner and the Service as the user is still lacking, which creates a risk of improper data management.

Due to inadequate planning and delays in carrying out the procedures for system maintenance, no contract was signed to regulate the rights and obligations for its maintenance for a  period of 522 days.

A screenshot of a computer program

Description automatically generated

This situation affects the security, availability and accuracy of the data, and causes difficulties in the preparation of financial reports for the relevant reporting periods.

During the maintenance period, no activities were undertaken to regularly check the data backup, therby incrasing the risk of data recovery failiure.

In the contracts that regulate the rights and obligations between the provider and the users of the accounting and financial services, the Service does not define data ownership and lacks a clear allocation of responsibilities.

The Integrated Resource Planning (IRP) System is recorded in the Ministry’s accounting records at a value 1,294,000 denars lower than its purchase value, and it has not been increased by 18,065,000 denars (293,000 euros), which represents the value of the system’s adaptive maintenance. This situation affects the accuracy of the financial reports and may lead to problems in planning future activities and service delivery, as well as impact the quality of data and information presented in the financial reports. The Service, as the user of the Integrated Resource Planning System that provides services to legal entities, has not taken any actions to record the system and its upgrades in the off-balance sheet records.

The Service lacks strategic documents that clearly define the guidelines for the development, maintenance and upgrading of information systems, as well as policies and procedures for data management, which may lead to ineffective management and vulnerability to security threats. The Service also lacks an updated system documentation, including the configuration of data bases.

Access to the IPR system is carried out from multiple locations through VPN connections. Passwords are not time-limited and are not changed at all, while administrators use generic usernames.

The configured event logging in the system results in automatic deletion of the oldest records. There is no designated location for storing the audit trail, and the system does not save information about all events, which prevents effective access control and identificattion of unauthorized activities.

Backup copies are not encrypted, are not stored at an external location, and there are no  formal policies and procedures for their regular testing and restoration.

Workstations run outdated operating systems that no longer receive security updates or vendor support, increasing the risk of security breaches and unauthorized access. Additionally, VPN access is configured without multi-factor authentication (i.e., identity verification through two or more independent factors) relying instead on shared passwords, which increases the likelihood of system compromise.

A shortage of human resources hinders the timely and efficient performance of tasks, exacerbated by the ongoing departure of staff due to retirement and the lack of employees with appropriate skills and knowledge, as outlined below:

A number and numbers on a blue background

Description automatically generated

The IPR system lacks integration among its modules, and the existing system functionalities are not fully utilized, which results in an inability to automate processes. This creates the need for duplicate data entry, which increases the risk of erros and inefficiency.

Additionally, two of the modules for monitoring contract implementation and budget operations are not used at all. Moreover, the following issues were identified:

A screenshot of a computer program

Description automatically generated

The untimely recording of liabilities at the moment they are incurred – that is, invoices and their supporting documentation are recorded in the system only after payment approval – does not allow for the chronological entry of financial changes. This approach increases the risk of incomplete recording of liabilities and affects the accuracy of financial statements and reports on the financial position, as well as the quality of the data and information they provide.

To address the identified issues, recommendations were provided with the aim of taking actions that would establish conditions for data protection. These include clearly defining the rights and obligations of institutions using the system, implementing appropriate and secure access configurations and integrating application-level security controls, as well as investing in human resources to ensure effective task execution, and continuous protection of data and access to the resources of the Integrated Resource Planning System.

 

Press Contact:

Albiona Mustafa Muhaxhiri  +389 72228 203 [email protected]
Mijalche Durgutov  +389 70 358 486 [email protected] 
Martin Duvnjak    +389 75 268 517 [email protected]