Duplicate IFMIS user, vendor accounts led to loss of billions

More than 50 government officials held duplicate Integrated Financial Management and Information System (IFMIS) accounts between 2010 and 2014, leading to massive theft of public cash.

According to an Auditor General’s Report covering the period from July 2010 to June 2014, some government officials received more than one user account, complicating the accountability process.

The report argues that the “creation of more than one ID for a single individual entails risk in terms of misuse of such additional User ID”.

“This creates accountability issues and also leads to ineffective utilization of user licences,” read the statement in part.

“A review of the users available in the IFMIS system indicated that almost 50 users had more than one User ID created.”

Additionally, the report raises questions about the lack of a proper approval process for the creation of new System IDs.

“For example, Administrator IDs created for managing Sun Solar Servers had no approval procedures. Without proper approval mechanisms, creation of ghost IDs may go unnoticed and thus putting government information assets into risk.”

The Auditor General also says that the IFMIS department had not established comprehensive security policies, standards and procedures covering various aspects of security control, which were essential for the IFMIS system to operate and for the security of government financial data.

“These standards and policies would act as the baseline for IFMIS department to monitor existence and sustenance of such IFMIS security controls and promote good IT governance,” further read the report.

The report also pointed to anomalies in the names of suppliers in the system, saying that some were entered more than once, which raises accountability questions.

“A review of the supplier master data in IFMIS indicated the existence of almost 50 cases of duplication of the same vendor. Similarly, the current field status settings of supplier master data do not mandatorily allow certain information like tax PIN to be captured.”

“Presence of active duplicate supplier master records increases the possibility of potential duplicate payments, misuse of bank account information, reconciliation issues among others.”

The report also raises questions over the lack of regular maintenance, the lack of data encryption, the lack of regular anti-virus management and updates, and weak remote access management control procedures.

The Auditor General now recommends that complex projects such as IFMIS be given the expertise needed to manage them.

This comes even as Kenyans come to terms with theft of billions of shillings through dubious tendering processes and payments.

The National Youth Service (NYS) scandal saw Kenya lose Ksh 1.8 billion that was irregularly paid to suppliers, among them businesswoman Josephine Kabura.

Counties have also lost billions through similar payments.