(26 February 2026 | Source: Audit Opinion of the SAC RK dated 12.01.2026; Working Audit Report dated 06.11.2025)
The editorial board of the FB RK continues its analysis of the audit of JSC "Centre for Electronic Finance" (CEF), conducted by the Supreme Audit Chamber (SAC). In the first part, we reported on systemic failures in the management of state information systems. Now we will discuss how contractual relations within JSC "CEF" were actually structured: how services are provided before a contract is signed, the auditor checks its own work, the sole bidder begins development six months before the tender is announced, and an asset worth over 110 million tenge is listed on the balance sheet despite not existing in any tangible form. The picture is topped off by an incident involving the transfer of access to state servers to third parties from foreign countries.
We remind you that JSC "CEF" is a subject of special rights—a monopolist in its field. This means not only the absence of competitive price checks but also a particular degree of responsibility when concluding contracts: every procurement by the company must strictly comply with the Law "On Public Procurement," and every audit of its activities must be independent. As the inspection showed, these two requirements were systematically violated.
SOLE TRADER "NESIPKHANOV": SERVICE BEFORE CONTRACT
Among the episodes referred to the criminal prosecution authorities, the story with Sole Trader "Nesipkhanov" looks particularly interesting. On 18 August 2024, this sole trader conducted a seminar "Effective Team Building" for JSC "CEF". The contract for the services was only concluded on 2 September 2024 — that is, 15 days after the service had actually been provided. The cost was 17 million tenge. The contract was concluded without competitive procedures — from a single source.
Payment for a service that had not yet been legally formalised, and the complete absence of a tender when procuring from a sole supplier — it was this combination of circumstances that became the basis for referring the materials to law enforcement agencies.
PROCUREMENT FROM "PHANTOM" COMPANIES AND CONFLICT OF INTEREST
The audit established that when forming its budget, JSC "CEF" used commercial proposals from companies with no employees, not paying taxes, and whose activity codes did not match the NACE (OKVED) classification. In essence, the cost of public procurement was justified by the "prices" of organisations that were not actually conducting any activity.
In 2024, JSC "CEF" concluded two contracts with LLP "Alma Audit" — for a financial audit amounting to 4.256 million tenge and a special purpose audit for 2.016 million tenge. At the same time, in 2023–2024, the head of the company personally provided JSC "CEF" with services for building the architecture of a Unified Data Repository for accounting transactions with a 12-month warranty. In other words, the auditor was checking work in whose creation it had itself participated.
Furthermore, LLP "Q19" was the sole bidder in the tender for the development of the "Unified Personal Account for Entrepreneurs" subsystem worth 348.7 million tenge. The audit established that employees of LLP "Q19" began actual development in October 2024 — six months before the official conclusion of the contract on 30 May 2025. The materials have been referred to the criminal prosecution authorities.
The "Information System for Budget Planning" is listed on the balance sheet of JSC "CEF" — costs for it amounted to 110.9 million tenge. Based on the results of the inventory, neither source codes, nor technical documentation, nor any tangible media were found. The company never used this asset, received no economic benefit from it, and has no information about the date the system was actually lost. The asset is on the balance sheet, but the system does not exist.
DATA FROM STATE SERVERS WAS TRANSFERRED ABROAD
Finally, the working report records a fact that goes beyond financial violations. In JSC "CEF" there is a lack of proper control over compliance with the confidentiality regime. Moreover, an incident has been recorded where access was given to third parties from foreign countries to servers containing confidential data. The materials have been sent to law enforcement agencies for procedural assessment. Considering that under the management of JSC "CEF" there are tax data, budgetary information, and information about public procurement, the audit does not assess the scale of potential damage from this incident — and this in itself is a question requiring a separate answer.
POSSIBLE CONSEQUENCES
Some measures have already been taken. 34 sets of materials containing signs of administrative offences have been transferred to the authorised bodies. Materials have been sent to the criminal prosecution authorities regarding three episodes: granting preferences to Sole Trader "Nesipkhanov" when concluding a contract after the fact, granting preferences to LLP "Q19" in the procurement of the Unified Personal Account for Entrepreneurs subsystem, and incorrect updates to the AIMS PFSS that affected the results of public procurement. During the audit itself, a protocol on administrative liability was drawn up against an official of JSC "CEF".
The Ministry of Finance has been instructed to ensure the reimbursement of 457.8 million tenge to the budget by 31 December 2026, and JSC "CEF" to reimburse 108.292 million tenge. Separate directives have set deadlines for connecting information systems to the operational centre for information security, launching the Unified Personal Account for Entrepreneurs subsystem into commercial operation, and completing the price expertise.
This whole constellation of violations leads us to only one question: how sustainable, in general, is the model in which the state's critical digital infrastructure is concentrated in the hands of a single company without effective independent control? We want to believe that the materials referred to law enforcement agencies will allow the degree of responsibility of specific individuals to be determined. However, the very fact of years of experimental operation without legal status, vulnerabilities in the code of state procurement systems, the lack of encryption for pricing information, and the incident involving the transfer of data abroad, undoubtedly require a response regardless of the outcome of the criminal investigations.