EN

Auditing the voter register: purpose, impact, and where we are at the moment

The purpose of the audit is to determine, on the basis of evidence, whether the Unified Voter Register can be trusted — and to correct the problems it finds. It does this by testing both the accuracy of the data and the resilience of the system that maintains it, proceeding in sequence from first indications, through deeper checks, to findings and conclusions.
08.06.2026.
1 MINUTE READ

Voter register audit: only 4 of 69 checks can be performed under current data access

CRTA's June 2026 assessment maps the full audit methodology against the data access actually granted to the Commission and finds that 95% of planned checks cannot be carried out. Full access, required by Article 22j of the UVR Law, has not been provided.

CRTA · June 2026 · crta.plus
Export

The four aims

AccuracyDo entries match the real, lawful situation?
ResilienceIs the system protected from error and abuse?
EfficiencyAre records kept and updated in time?
AccountabilityCan a fault be traced to its cause?

How the audit creates impact

Findings are not the end point. Each one feeds a step that changes the register and the system around it — and contributes to confidence-building in the UVR.

Findingserrors and weaknesses Correctfix, add, or remove entries Strengthenclose the gaps Accountwho, where, why Report to theAssembly & the public Confidence-buildingin the UVR enabled

The audit program at a glance

The structure of the methodology. Colours show whether the procedures in each phase/level can be performed with the current access granted; no part reaches full scope. Each box is clickable — select one to jump to that part of the detailed program below.

full scope — not reached by any partonly the legal review or individual complaint checksnone can run
Phase 1 · Find signals1 of 2 partly available Phase 2 · Cross-check0 of 3 procedures available Phase 3 · Legal validation0 of 2 procedures available Phase 4 · Field verification0 of 2 procedures available Level 1 · Central register1 of 3 procedures available Level 2 · Local updating1 of 6 procedures available Level 3 · Source registers1 of 3 procedures available Area 1Accuracy of data Area 2System resilience Audit of thevoter register
Phase 1 · Find signals2 of 2 available Phase 2 · Cross-check3 of 3 available Phase 3 · Legal validation2 of 2 available Phase 4 · Field verification2 of 2 available Level 1 · Central register3 of 3 available Level 2 · Local updating6 of 6 available Level 3 · Source registers3 of 3 available Area 1Accuracy of data Area 2System resilience Audit of thevoter register

The access story over time

Across 2026 the Commission’s access has never risen above very limited record-by-record queries. The full access the law provides has not been delivered, while the deadlines and the reporting obligation have continued to run. The graph shows the access actually provided against the full access the law mandates (dashed).

Click to enlarge Jan Feb Mar Apr May Jun Jul Aug Sep Oct today 28 Jan Commission established March 2 · work plan adopted 12 · individual UVR query 10 Apr · MDULS denies access 18 Apr · MUP/KITE assurances 29 Apr · civil-registry query 31 May deadline for full access 30 Sep audit wrap-up 28 Oct report due to the Assembly Data access provided Full None the gap — access never reached what the law requires full access granted by UVR law (Art. 22j) limited — individual queries only
Select a point on the timeline for detail.

How much of the audit can be performed

Data access
4% 1% 95%
3checks performable in full
1partially performable
65cannot be performed (of 69)
100%
69checks performable in full
0partially performable
0cannot be performed (of 69)

Select a bar segment or a figure above to list the checks it covers.

3 checks that can be performed in full
2.1.1 Legal review — central-register framework
  • Full review of laws, by-laws, arrangements and controls governing the register
2.2.1 Legal review — local-update framework
  • Full review of competences, deadlines, remedies, decision trails and controls in updating
2.3.1 Legal review — source-register framework
  • Full review of the normative framework governing source registers
1 check that is partially possible
2.4.3 Handling citizen complaints
  • Preliminary examination of a complaint’s data
65 checks that cannot be performed
2.1.2 Whole-register quality scan
  • Aggregate profile of the register by category
  • Outlier number of voters per address / household
  • Outlier rate of changes per individual voter
  • Identification of missing data
  • Logical-consistency checks
  • Arithmetic-consistency checks
  • Field syntax and meaning checks
  • Referential-integrity checks
2.3.2 Quality scan of the source registers
  • Aggregate profile of civil, residence and other registers
  • Outlier permanent-residence changes
  • Outlier temporary-residence changes
  • Outlier passivisation changes
  • Outlier citizenship changes
  • Outlier border-police data
  • Outlier civil-registry data
2.3.5 Match register against source records
  • Consistency with residence records
  • Consistency with civil registries
  • Consistency with the citizenship register
  • Consistency with the IDP register
  • Consistency with legal-capacity, sanctions and military-service records
  • Consistency of changes, register vs source
  • Statistical analysis of mismatches
2.3.6 Verify against census, address and other registries
  • Consistency with census data (SORS)
  • Consistency with other central-registry data
  • Addresses vs the Address Register (RGA / Post)
  • Consistency with household data from other records
  • Consistency with other relevant registers
  • Spatial clustering of mismatches
2.2.3 Legality of entry and deletion decisions
  • Legal validity of the decisions underlying register changes
2.3.3 Legality of the residence basis
  • Legal basis for establishing residence, incl. naturalised citizens
2.4.1 Field check — register to citizens
  • Verify register entries against citizens’ real circumstances
2.4.2 Field check — citizens to register
  • Verify citizens’ real circumstances against the register
2.1.4 Security of the central IT environment
  • Access management
  • Change controls
  • Action logging and audit trail
  • Data integrity and quality
  • Stability, availability and continuity
  • Change and maintenance management
  • Legal and organisational maintenance framework
  • General security and data protection
2.1.3 Verify register extracts and historical displays
  • Process of public display by polling station
  • Pre-election closing of the register
  • Consistency of displayed data with the register
  • Consistency of extracts used with the register
  • All current and historical data, by period
2.2.2 Abuse risk in change authorisation
  • Map of entry / deletion / amendment rights by authorisation
  • Quality of access-log security during updating
2.2.5 Officials’ authority and training
  • Legal review of officials’ authorisations
  • Process of receiving changes, drafting and forwarding decisions
  • Quality of training vs required competences
2.2.6 Resources for updating
  • Material and financial resources for updating and how they are used
2.2.7 Integrity of hiring
  • Recruitment and engagement of officials who maintain the register
2.2.4 Review of inspection supervision
  • The inspection process and follow-up on ordered measures
2.3.7 Security of the source-register IT
  • Access management
  • Protection against unauthorised changes
  • Action logging and traceability
  • Data integrity and quality
  • Stability and continuity
  • Change and maintenance management
  • Legal and organisational maintenance framework
  • General security and data protection
2.3.4 Officials’ conduct in residence and civil changes
  • Recording life-fact changes into source registers
  • Recording residence changes
  • Dual-citizenship acquisition process
  • Data exchange with competent authorities
Only the three legal reviews can be carried out in full, and the first review of citizen complaints only partially — because the register shows a voter’s current data but no history of changes. That is 3+1 of the 69 checks the methodology defines. Every check that requires analysing the register as a whole, cross-referencing it against other registers, auditing changes in the registry, or examining the system’s security — where the great majority of the work lies — cannot be performed.
With the full access the law provides (Art. 22j), all 69 checks across the 21 procedures could be carried out — the audit could be completed as the methodology designed.

The audit program and its coverage

The methodology defines 69 individual checks under 21 procedures. Each row shows the evidence a procedure requires and whether that evidence has been made available. Select any row to see the checks within it.

Detail Show
Area 1 — Is the data accurate?From the first signal of an inaccuracy to a confirmed or dismissed conclusion.
Phase 1 · Find the signals
2.1.2Whole-register quality scanThe register analysed as a whole (aggregate access)Cannot be performed 8
2.4.3Handling citizen complaintsIndividual look-up of present data only — no history of changes per voterPartially 1
Phase 2 · Cross-check the registers
2.3.2Quality scan of the source registersAggregate view and change history of source registersCannot be performed 7
2.3.5Match register against source recordsCross-referencing at scale; citizenship, IDP, legal-capacity, sanctions recordsCannot be performed 7
2.3.6Verify against census, address and other registriesCensus (SORS), Address Register, other datasetsCannot be performed 6
Phase 3 · Legal validation
2.2.3Legality of entry and deletion decisionsDecision records and supporting documentsCannot be performed 1
2.3.3Legality of the residence basisPrevious addresses and basis documentsCannot be performed 1
Phase 4 · Field verification (the final step)
2.4.1Field check — register to citizensA representative sample drawn from the full register; field accessCannot be performed 1
2.4.2Field check — citizens to registerA representative sample; field accessCannot be performed 1
Area 2 — Is the system resilient?Whether the legal, organisational and IT framework prevents, detects and corrects error and abuse.
Level 1 · The central register
2.1.1Legal review — central-register frameworkPublicly available legal normsCan be performed 1
2.1.4Security of the central IT environmentICT access logs, configuration and change controlsCannot be performed 8
2.1.3Verify register extracts and historical displaysHistorical and change recordsCannot be performed 5
Level 2 · Local updating
2.2.1Legal review — local-update frameworkPublicly available legal normsCan be performed 1
2.2.2Abuse risk in change authorisationAccess logs and change recordsCannot be performed 2
2.2.5Officials’ authority and trainingInternal change records and training documents, held by the authoritiesCannot be performed 3
2.2.6Resources for updatingInternal resource records, held by the authoritiesCannot be performed 1
2.2.7Integrity of hiringRecruitment / HR records, held by the authoritiesCannot be performed 1
2.2.4Review of inspection supervisionInspection-supervision reportsCannot be performed 1
Level 3 · The source registers
2.3.1Legal review — source-register frameworkPublicly available legal normsCan be performed 1
2.3.7Security of the source-register ITAccess logs and controls of the source systemsCannot be performed 8
2.3.4Officials’ conduct in residence and civil changesChange records and records of officials’ actionsCannot be performed 4

What this means

A limitation of scope

On the evidence made available, the audit cannot reach a conclusion on the accuracy or integrity of the register. This is a limitation of scope — not a finding that the register is sound, nor that it is flawed, but a record that the checks could not be carried out.

What can be done now

  • Legal review of the rules governing the register, at all three levels
  • First intake and preliminary review of citizen complaints, one at a time
  • Looking up individual records in the register, civil registries and residence records

What is missing

  • Any analysis of the register as a whole (no aggregate access)
  • The history of changes — basis, date, official, decision number
  • Cross-referencing against source and check registers
  • System logs and security configuration
  • A statistically representative field sample
The methodology’s own threshold. Data from any single register are not sufficient grounds for a conclusion where cross-checking with another register is technically possible. The individual look-ups now available therefore cannot, on their own, meet the standard the Commission set for a finding — they can frame the work, not complete it.

Annex — data access on record

View = can be seen, one record at a time. Aggregate = can be analysed across the register. Verify = can be independently confirmed. No aggregate or verification access has been granted for any category.

Data / recordViewAggregateVerify
Unified Voter Register
Individual current voter data (name, JMBG, residence, polling station, passivisation, IDP)YesNoNo
Record of changes (basis, date, official, decision number)NoNoNo
Legacy reporting module (missing / incorrect data)NoNoNo
ICT system logs (traces of unauthorised access)NoNoNo
Source registers
Current residence — permanent and temporaryYesNoNo
Previous residence; passivisation of addressesNoNoNo
Civil registries — births, deaths, marriagesYesNoNo
Citizenship — yes/no search by JMBGYesNoNo
Citizenship — full records; IDP; legal capacity; prison sanctionsNoNoNo
Cross-check registers
Inspection reports; statistics (SORS); address register; pension; health; tax; ID and passportNoNoNo

Sources. Adopted Act on the Audit Procedure (methodology of the Commission for the Revision, Verification and Control of the Accuracy and Updating of the Voter Register); Commission data-access record. The 69 checks counted here are the sub-procedures enumerated in the methodology, grouped under 21 procedures. Access status reflects Article 22j of the Law on the Unified Voter Register and the Commission’s recorded access as provided.

Export

Last updated: 8 June 2026 

Related Articles

CRTA+ is part of CRTA’s work to document developments related to democracy, the rule of law, and accountability in Serbia.
Crta @ 2025. All rights reserved.
Key Issues
Slučajevi Elections & Voting Integrity Civil Society Resilience Protests in Serbia Institutions & Oversight Media & Information Space
Other pages
Slučajevi Public Sentiment Serbia in Reports Reform Agenda Updates