State audit finds serious loopholes in Ifmis system

The government’s main financial management system is marred by technology loopholes, making it prone to abuse and possible loss of public funds, an official audit has revealed.

An inquiry report by the Auditor- General reveals that the Integrated Financial Management Information System (Ifmis) has numerous control weaknesses that badly expose it to fraud and misuse, with unidentified users capable of logging in remotely while others have multiple identities in the government’s main financial nerve centre.

The audit report on the effectiveness of Ifmis that was released in November reveals negligence on basic system security procedures and lack of data safeguards that makes the system easy to manipulate by fraudsters seeking to steal from the public purse.

“Good practice requires that passwords must be reset at least every 90 days. At the time of the audit, the configuration in Ifmis relating to password expiration indicated the expiry period is set to ‘none’, which means the passwords never expire. This is a potential loophole that can be exploited and hence lead to unauthorised persons gaining entry to sensitive government data as well as carrying out fraudulent activities,” Auditor-General Edward Ouko writes in the report.

Ifmis — the nerve centre of finance that is meant to enhance efficiency in planning, budgeting, procurement, expenditure and reporting in the national and county governments — also runs on a poor network architecture badly impacting its up time and causing financial inconveniences.

This is especially noted in counties where network downtime ranges anywhere between two and four days. Just last month, the system broke down, delaying payment and plunging thousands of public servants and suppliers into a crisis ahead of the Christmas holidays.

Kakamega County Governor Wycliffe Oparanya — who is the chairman of the Council of Governors (CoG) Finance, Planning and Economic Affairs Committee — said counties had been plunged into a financial crisis due to the hitch that affected payment of salaries and processing of urgent payments to suppliers and other service providers.

CREATE MORE USER IDS

“On behalf of the CoG, I regret to bring to the attention of the county government suppliers, staff and creditors the malfunction of the Ifmis used in processing payments across the counties,” he said.

The audit points out that those behind the system, which relies heavily on the overall network infrastructure of the government, failed to study and establish the network specifications required to meet Ifmis standard operations before its launch hence the frequent failures.

So exposed is the system that one can create more than one User ID. This can lead to misuse of such additional User ID freely in committing fraud. The audit reveals that almost 50 users had more than one User ID leaving little accountability on the users.

The system also lacks a trackable approval process in the creation of new User IDs, meaning it is possible to create ghost IDs and carry out transactions including remotely without being noticed.

In fact, a list of authorised personnel provided with remote access was not available for audit review meaning their identities remained anonymous. There was no practice of approving the remote login requests; which means even those not authorised would log in remotely.

Remote transactions were largely blamed for the theft at the Ministry of Devolution which saw the loss of more than Sh1.6 billion in the infamous National Youth Service (NYS) scandal.

Vendors were also duplicated in the system with a review of the supplier master data showing the existence of almost 50 cases of duplication of the same vendor, meaning the vendor may as well have been paid 50 times.

“Presence of active duplicate supplier master records increases the possibility of potential duplicate payments, misuse of bank account information, reconciliation issues among others,” the audit states.

Former NYS Director-General Adan Harakhe claimed his password was stolen and used in the fraudulent transactions.

Entries were allegedly made into Ifmis using Mr Harakhe’s password and username, in which zeroes were added to figures, converting them into hundreds of millions of shillings.

For instance, an audit of the cost of a road in the Kibera slums in Nairobi, by the Ministry of Public Works, indicated that it cost Sh78 million, but three companies owned by one of the key suspects, Ms Josephine Kabura, were paid Sh791 million, with investigations by the Directorate of Criminal Investigations (DCI) indicating zeroes were added to inflate the figures.

EXPOSING FINANCIAL DATA

The system, which cost the tax payer more Sh11 billion to set up and re-engineer, is left to run without security policies, standards and procedures covering various aspects of security control, badly exposing government financial data, the auditor found.

This means the Ifmis department cannot even monitor existence and sustenance of threats to Ifmis security.

The auditor also found that the data transmitted through the system in plain text without encryption was largely compromised and prone to interception and security breach.

Basic quality assurance such as the hardware acquisition was not verified with end user equipment such as personal computers, printers, flatbed scanners and uninterrupted power supply units procured without need assessment and analysis substantiating the hardware configuration required to support the system.

Other basics, including the physical security practices at the data centre, were neglected with malfunctional CCTV cameras, untested smoke detectors and fire suppression systems (for two years) and no maintenance contract for the data centre equipment had been renewed.

This means there would not be an assured prompt maintenance should the system develop hitches. One of the two available UPS systems was not in working condition while the computers were left prone to virus attacks, the auditor states.

“There was no evidence for regular anti-virus installation and regular signature updates. In the absence of an effective anti-virus management, the servers, PCs, laptops, computer networks and other technology equipment were at the risk of virus attack,”  the auditor pointed out, exposing deep negligence on the country’s core financial management tool.

POOR BACK-UP SYSTEMS

The data stored in the system had poor back-up systems threatening to throw government financial processes into disarray should any disruptive events strike.
It was found that the government did not have a business continuity plan and a disaster recovery plan in place. For a sensitive system like Ifmis, there was no disaster recovery site in operation while Business Continuity Plans or Disaster Recovery drills were not carried out. A dedicated emergency response team in the event of disaster was yet to be identified, according to the auditor.

Another serious security breach was found in the Assets Register. It only had listed servers, desktops, laptops and network equipment (routers, switches, modems).

“However, important information regarding IT assets such as asset ID, location of the asset, the person to whom the asset is allocated and warranty period particulars were not recorded. Also, details on software and hardware licences were not captured in the asset register for tracking and control purposes. In the absence of a formal accounting of software installations, unauthorised installations and use may go unnoticed,” the auditor writes.

A poor assets register means one could easily install another equipment and take away crucial data for a long time without being noticed, an indication of how badly the system is exposed to fraud.

Ifmis, whose conception started in 1998, was expected to have different modules comprising accounting, revenue management and asset management, among others, developed as well as the establishment of interfaces with the Central Bank of Kenya payment information system, Kenya Revenue Authority and the Ministry of Labour for the payroll and human resource management modules.

The entire network is managed by three entities – two being government departments and a third party entity. Ifmis department provides and manages the network connectivity within the Treasury premises.

The network infrastructure from Treasury (data centre) to various ministries, departments and agencies is managed by Government Information Technology Services/Information and Communication Technology Authority, through the infrastructure provided under the Government Communication Core Network.

Further, network is extended to all 47 counties by Telkom Kenya who manages the end user connectivity through wireless connectivity.