(26 February 2026 | Source: Audit Opinion of the Supreme Audit Chamber of the Republic of Kazakhstan dated 12.01.2026; Working Audit Report dated 06.11.2025)
The company, to which the state entrusted the digitisation of the entire budget process of the country — from public procurement to treasury and tax administration — has itself turned out to be a model of systemic management failures. The state received systems that have existed for years in a legal vacuum, investment projects with zero results, and vulnerabilities in the code of the platform through which purchases worth trillions of tenge are processed. The Supreme Audit Chamber (SAC) of the Republic of Kazakhstan published the results of its inspection of JSC "Centre for Electronic Finance" (CEF) for 2020–2024, recording financial violations amounting to 566 million tenge, ineffective use of funds totalling 764 million tenge, and ineffective planning worth 12.7 billion tenge.
This is the first part of the article: about how the system is structured and why it does not work.
FACTUAL BASIS
JSC "Centre for Electronic Finance" (JSC "CEF") is a company with 100% state ownership, under the jurisdiction of the Ministry of Finance of the Republic of Kazakhstan. It is designated as the integrator in the field of the budget process and the subject of a special (effectively monopoly) right in the areas of public procurement, procurement of medical devices, and electronic procurement of the quasi-public sector. Under its management are AIS "Electronic Public Procurement" (EPP), IAIS "e-Minfin", the Integrated Tax Administration System (ITAS), the Integrated Information System of the Treasury (IIS Treasury), the Information System for State Planning (ISSP), and over a dozen other platforms. Budget flows, the tax reports of millions of citizens, and the procurement procedures of state bodies pass through these systems daily.
The audit covered the period from 1 January 2020 to 31 December 2024, and for certain contracts with LLP "Q19", it also covered eight months of 2025. The objects of the inspection were the Ministry of Finance, JSC "CEF", and LLP "Q19".
CONTEXT AND BACKGROUND
JSC "CEF" is not an ordinary IT contractor. It is a legally established monopolist, without which no single operation in the country's state finance system is possible. By order of the Agency for the Protection and Development of Competition of the Republic of Kazakhstan dated 11 October 2022, the company was entered into the register of subjects of state monopoly and special right in four areas simultaneously. This means its services are not subject to market scrutiny through competition — the state is obliged to pay whatever JSC "CEF" says. At the same time, the price expert review, mandatory for subjects of special right under the Entrepreneurial Code of the Republic of Kazakhstan, has not been completed: the first application was submitted in December 2022, with the last return for revision in December 2023.
ANALYSIS AND INTERPRETATION
One of the most telling conclusions of the audit concerns the life cycle of information systems (IS). Of the 28 IS of the Ministry of Finance and its departments, 8 systems are still in trial operation, even though the Law "On Informatisation" directly prohibits keeping a system in this status for more than one year.
And despite this, the web portal of the State Revenue Committee (SRC), for example, has been in trial operation since 26 December 2013, i.e., over 12 years. The Integration Bus of the Tax Committee has been in place since 22 December 2008, over 16 years. And the "Taxpayer's Personal Account" has been operational since 2009.
The legal consequences of this are not only technical but also financial: maintaining systems that are legally not yet in industrial operation cost 6.487 billion tenge over five years — and this is a violation of the Law "On Informatisation", committed with the tacit consent of the authorised body in the field of informatisation. Remarkably, the same authorised body annually assigned the Ministry of Finance a high degree of effectiveness in the application of information technologies — right up until August 2025.
Three state investment projects (SIPs) implemented during the audited period became a vivid illustration of how budget funds are spent without achieving the stated result.
SIP "Development and Modernisation of Treasury Information Systems", costing 7.2 billion tenge, implemented only 3 of 8 critical activities, which were secondary. The key tasks — developing information systems, acquiring server capacity, data migration, and information security measures — were not carried out. 5.798 billion tenge were returned to the budget. The auditors were unable to assess the achievement of the SIP's direct targets due to the absence of specific numerical values in the project itself.
The SIP for creating the Integrated Tax Administration System (ITAS), a system intended to replace seven outdated IS of the State Revenue Committee (SRC), revealed a failure of project management. JSC "CEF" as the integrator had completed only 25% of the third phase's tasks by the end of 2021, yet received payment amounting to 358 million tenge — 53.5% of the annual budget. Moreover, 92.3 out of 115.2 million tenge (80%) was spent on project management in 2021, notwithstanding the actual failure. The two-year schedule delay forced the state to continue paying for the maintenance of the seven old systems that ITAS was meant to replace. Additional costs amounted to 2.756 billion tenge in 2022–2023.
VULNERABILITIES IN THE CODE OF THE PUBLIC PROCUREMENT SYSTEM
The most acute episode of the audit concerns the AIS "Electronic Public Procurement" (EPP) — the system through which purchases worth trillions of tenge are processed. IT specialists checked over 75,000 changes in the system's software code (so-called commits — these are saved changes that developers make to the code). Out of all these changes, they found 621 cases that could have affected the system's operation. For example, altering its functions, behaviour, or stability.
Among the specific documented episodes:
- 11 March 2022 — a change was introduced into the main branch of the system that bypasses the logic check for a specific contract with a specific identification number. That is, an exception to the rules was effectively created for one contract;
- 28 November 2022 — identifiers of specific users were added to the configuration file, for whom the electronic digital signature (EDS) check was disabled. This creates the possibility of carrying out operations without mandatory authentication;
- 31 August 2023 — the check for the correctness of payment amounts for two specific contracts was disabled, thereby opening the possibility of conducting financial transactions bypassing the stipulated restrictions.
Added to this is another documented fact: price information in the system was not encrypted until July 2025, and the logging system for transactions involving price data was deemed insufficient by experts. This means that throughout the audited period, bidders could potentially have had unauthorised access to the price information of their competitors.
A failure in the algorithm for calculating scores in competitions using a rating and scoring system was active from 21 October 2023 to 14 February 2024. During this period, for 29 competitions, public procurement procedures were carried out for a total of 2.23 billion tenge with incorrect calculation of discounts and scores. 16 out of 29 contracts have already been fulfilled. The working report characterises this error as a critical error in business logic: it was identified by a tester, ignored, and nevertheless implemented into industrial operation. The business analyst subsequently refused to provide explanations to the auditors.
Read the second part of this major article — about how specific contractual schemes were structured within this system.