Complete the IFMIS audit first, but don't stop there

What you need to know:

  • A good information system should have minimum standards at the policy, procedural and technical levels, but the risks brought about by automation go beyond fraud.
  • IFMIS plays a similarly critical role within national and county governments, so the audit must establish to what extent this system has been protected against interruptions.
  • Two-part authentication processes should be enforced, in which a critical transaction cannot be executed without both a primary password and a secondary password.

The recent move by the Treasury to commission an audit of their Integrated Financial Information System (IFMIS) is commendable.

Information Systems (IS) audit is an emerging practice in this part of the world, compared to financial audits that are not only common but also legally mandatory.

Hopefully, the audits will be regular, done annually at least, rather than as a one-off exercise triggered by recent concerns about the lost National Youth Service (NYS) funds.

Such annual audits should also be extended to all other national and county government systems to assure that they perform and deliver on their objectives.

Contrary to popular misconceptions, the auditor’s role is not to catch thieves, but to ensure that systems in operation have inbuilt controls to prevent, detect and correct incidents that could compromise the system. Of course, theft or fraud quickly come to mind.

A good information system should have minimum standards at the policy, procedural and technical levels, but the risks brought about by automation go beyond fraud.

The more one automates, for example, the more intricately ‘enslaved’ one gets to the digital service, to the point where failure is not an option. Availability of the service on a “24/7” basis becomes an issue. 

M-Pesa, for example, has become a way of life in Kenya, to the point where any interruption leads to complications in other sectors of the economy.

ONE-TIME PASSWORD

IFMIS plays a similarly critical role within national and county governments, so the audit must establish to what extent this system has been protected against interruptions.

Audit processes must extend beyond regular backups or real-time replication services, to worst-case scenarios like natural disasters such as floods and earthquakes, or terrorist attacks on data centres.

The auditor must also investigate business continuity to ensure, for example, that IFMIS remains available to counties outside Nairobi in the event that such unfortunate events happen.

It should not be possible to say that “passwords were stolen” of a critical system like IFMIS. Procedures and tools must exist to protect the confidentiality and integrity of the information IFMIS collects and stores.

Two-part authentication processes should be enforced, in which a critical transaction cannot be executed without both a primary password and a secondary password.

This is widely practiced in online banking, where payment transactions require additional ‘one-time’ passwords sent to account owners via personal mobile phones before they can be completed.

Even if someone were to steal your password, they would not be able to complete the transaction without your mobile phone,

All these issues are important and not limited to IFMIS. IS audit should therefore be made mandatory through ministerial policy or directive – even as we await legislation to set rules over the long term.

Mr Walubengo is a lecturer at the Multimedia University of Kenya, Faculty of Computing and IT. Email: [email protected], Twitter: @jwalu