Treasury moves to clean up Ifmis as audit reveals system has weak checks

The National Treasury has finally started the process of cleaning up the government’s controversial payment system, popularly known as the Integrated Financial Management Information System (Ifmis).

Ifmis has been at the centre of loss of billions of shillings to fictitious companies and individuals, who purportedly do business with government.

Ifmis, whose introduction in 2013 was heralded as the answer to entrenched corruption in government procurement system, has offered opposite results. It has faced criticism from experts who argue that it has weak controls while governors have termed it a ploy by the national government to control disbursement and use of devolved funds.

Now, from July 1, the Treasury says it will deactivate all the existing users in the system in what it notes is one of the ways of providing effective management and safeguard the integrity of the system.

In a letter to all accounting officers in government ministries, Principal Secretary Kamau Thugge says the clean-up will ensure that only users validated by accounting officers in both national and county governments are defined and assigned responsibilities in the system as part of the process of enhancing operations.

CLEAN UP

“To effectively manage Ifmis users and safeguard the integrity of the system, the National Treasury is carrying out a clean- up of Ifmis users to ensure that only those validated by accounting officers are defined and assigned responsibilities in the system,” Mr Thugge said in the letter, dated May 21.

The letter is copied to all accounting officers in government ministries, departments and agencies. Also, all county executive members in charge of finance in the 47 counties and all the clerks of the 47 county assemblies are copied.

The letter is further copied to all Cabinet Secretaries and governors. An audit of the Ifmis by the Auditor- General Edward Ouko, which was released in November 2016, revealed that the system has numerous control weaknesses that badly expose it to fraud and misuse. The audit established that unidentified users are capable of logging in remotely while others have multiple identities in the government’s main financial nerve centre.

The audit, on the effectiveness of Ifmis, further revealed negligence on basic system security procedures and lack of data safeguards which makes the system easy to manipulate by fraudsters seeking to steal from the public purse.

MONSTER

Governor Wycliffe Oparanya of Kakamega County has in the past termed the system a monster that has seen delays in implementation of development projects, provision of services and payment of salaries.

“The auditor did an analysis of the system and found it inefficient and made a range of recommendations which we believe should be implemented,” said Mr Oparanya. “Ifmis is an obstacle to development. Additionally, the system experiences central control shutdowns.”

According to the letter, the clean-up will include Ifmis users being given specific system responsibilities in line with their roles while ensuring segregation of duties for responsibility and accountability.

In addition, new Ifmis users will be required to undergo training  at the Kenya School of Government before being granted system access rights.

Once any Ifmis user ceases to be an employee of the government, the accounting officer will  be required to promptly notify the Treasury or Ifmis department. “This will enable the department to deactivate the user from the system to ensure system access is restricted to legitimate users and safeguard the entity from unauthorised access,” Mr Thugge said.

RESPONSIBLE OFFICERS

With the letter, the Treasury has attached a form and schedule of Ifmis responsibilities and the corresponding responsible officers. The form is to be completed by the chief finance officers, head of supply chains and head of accounting unit and forwarded with a covering letter signed by the accounting officer. They must reach the Treasury by June 15, ready for July 1 roll-out.

Those accounting officers who want their current Ifmis users retained must formally write to the Director of Ifmis in the National Treasury to authenticate their continued use of the system or face the risk of being deactivated.

“You may take note that users not authenticated through your formal correspondence will automatically be deactivated in the system with effect from the beginning financial year 2018/19,” Mr Thugge said.

Ifmis — the nerve centre of finance that is meant to enhance efficiency in planning, budgeting, procurement, expenditure and reporting in the national and county governments — also runs on a poor network architecture badly impacting its up time and causing financial inconveniences.

The system, which cost the taxpayer more than Sh11 billion to set up and re-engineer, is left to run without security policies, standards and procedures covering various aspects of security control, badly exposing government financial data, the auditor found.

DELAYING PAYMENT

This is especially noted in counties where network downtime ranges anywhere between two and four days. In December 2016, the system broke down, delaying payment and plunging thousands of public servants and suppliers into a crisis ahead of the Christmas holidays.

The audit points out that those behind the system, which relies heavily on the overall network infrastructure of the government, failed to study and establish the network specifications required to meet Ifmis standard operations before its launch, hence the frequent failures.

So exposed is the system that one can create more than one user ID. This can lead to misuse of such additional identities freely in committing fraud. The audit reveals that almost 50 users had more than one User ID leaving little accountability.

The system also lacks a trackable approval process in the creation of new User IDs, meaning it is possible to create ghost IDs and carry out transactions, including remotely, without being noticed.

REMOTE ACCESS

In fact, a list of authorised personnel provided with remote access was not available for audit review meaning their identities remained anonymous. There was no practice of approving the remote login requests; which means even those not authorised would log in remotely.

Remote transactions were largely blamed for the theft at the Ministry of Devolution which saw the loss of more than Sh1.6 billion in the first National Youth Service (NYS) scandal.

Vendors were also duplicated in the system with a review of the supplier master data showing the existence of almost 50 cases of duplication of the same vendor, meaning the vendor may as well have been paid 50 times.

“Presence of active duplicate supplier master records increases the possibility of potential duplicate payments, misuse of bank account information, reconciliation issues among others,” the audit states.

Former NYS Deputy Director-General Adan Halake claimed his password was stolen and used in the fraudulent transactions.

KEY SUSPECTS

Entries were allegedly made into Ifmis using Mr Halake’s password and username, in which zeroes were added to figures, converting them into hundreds of millions of shillings.

For instance, an audit of the cost of a road in the Kibera slums in Nairobi, by the Ministry of Public Works, indicated that it cost Sh78 million, but three companies owned by one of the key suspects, Ms Josephine Kabura, were paid Sh791 million, with investigations by the Directorate of Criminal Investigations (DCI) indicating zeroes were added to inflate the figures.

This means the Ifmis department cannot even monitor existence and sustenance of threats to Ifmis security.

The auditor also found that the data transmitted through the system in plain text without encryption was largely compromised and prone to interception and security breach.

Basic quality assurance such as the hardware acquisition was not verified with end user equipment such as personal computers, printers, flatbed scanners and uninterrupted power supply units procured without need assessment and analysis substantiating the hardware configuration required to support the system.

SECURITY PRACTICES

Other basics, including the physical security practices at the data centre, were neglected with malfunctional CCTV cameras, untested smoke detectors and fire suppression systems (for two years) and no maintenance contract for the data centre equipment had been renewed.

This means there would not be an assured prompt maintenance should the system develop hitches. One of the two available UPS systems was not in working condition while the computers were left prone to virus attacks, the auditor states.

“There was no evidence for regular anti-virus installation and regular signature updates. In the absence of an effective anti-virus management, the servers, PCs, laptops, computer networks and other technology equipment were at the risk of virus attack,”  the auditor pointed out, exposing deep negligence on the country’s core financial management tool.

The data stored in the system had poor back-up systems threatening to throw government financial processes into disarray should any disruptive events strike.

BUSINESS CONTINUITY
It was found that the government did not have a business continuity plan and a disaster recovery plan in place. For a sensitive system like Ifmis, there was no disaster recovery site in operation while Business Continuity Plans or Disaster Recovery drills were not carried out. A dedicated emergency response team in the event of disaster was yet to be identified, according to the auditor.

Another serious security breach was found in the Assets Register. It only had listed servers, desktop, laptop and network equipment (routers, switches, modems).

“However, important information regarding IT assets such as asset ID, location of the asset, the person to whom the asset is allocated and warranty period particulars were not recorded. Also, details on software and hardware licences were not captured in the asset register for tracking and control purposes,” the auditor writes.

A poor assets register means one could easily install another equipment and take away crucial data for a long time without being noticed, an indication of how badly the system is exposed to fraud.