The Integrated Financial Management Information System (IFMIS) is the backbone of the Government of Kenya’s financial management system. It serves as the nerve centre through which financial transactions carried out by the government are carried out, producing receipts and records that are saved in lieu of a paper trail.
IFMIS was meant to enhance efficiency in planning, budgeting, procurement, expenditure and reporting in the national and county governments, and it cost the taxpayer more than KES 11 billion (US$105 million) to set up and re-engineer.
However, recent revelations related to corruption and mismanagement of funds have shown that the system has had a number of control weaknesses, making it vulnerable to fraud and misuse according to an official audit report by Auditor-General.
The audit reports on spending by the national and county governments reveal that the IFMIS system was routinely run without security policies, standards and procedures covering various aspects of security control, badly exposing government financial data. As a result, unidentified users were able to operate remotely and initiate transactions, while other users have more than one identity, meaning that they could initiate and authorise payments without any oversight.
“At the time of the audit, the configuration relating to password expiration on IFMIS indicated that the expiry period is set to ‘none’, which means the passwords never expire. This is a potential loophole that can be exploited by unauthorised persons gaining entry to sensitive government data as well as carrying out fraudulent activities. Auditor-General Edward Ouko
The reports, which broke down how and where the money was spent, reveal negligence on security measures to safeguard the access to the government’s main financial system, making it convenient to manipulate by fraudsters seeking to steal from the public purse.
IFMIS, the auditor-general further reveals, lacks basic financial security measures to prevent fraud. The system’s default setting, for example, requires a password reset within 90 days, but according to the report, the configuration was altered so that the expiry period is set to ‘none’, meaning the password never expires.
Due to the critical nature of password access, this and other loopholes can and have been exploited by unauthorized persons who may access sensitive government data or carry out fraudulent activities.
Another concern raised by the auditor-general is that some users have generated multiple IDs. More than 50 users reportedly have more than one user ID, for example.
Lack of trackable approval processes means that new user IDs can log in immediately after they are created. Transactions linked to these ghost IDs have been used to initiate and approve transactions remotely and without a trace, as was the case in the Ministry of Devolution, which saw the loss of more than KES1.6 billion (US$15 million) in the National Youth Service (NYS) scandal.
The auditor also found that the data transmitted through the system in plaintext without encryption was largely compromised and prone to interception and security breaches.
IFMIS, whose conception started in 1998, has different modules for accounting, revenue management and asset management, among others. The system was developed by Oracle, and is managed by the National Treasury, and is accessed through the Central Bank of Kenya payment information system. Other stakeholders include the Kenya Revenue Authority, and the Ministry of Labor, which uses the payroll and human resource management modules.
As such, it is paramount that an audit of the system be carried out so that the weaknesses identified by the Auditor-General and others that are as yet unknown can be rectified, so that the system through which Kenyan taxpayers' money is spent can safeguard this money from theft and improper use.