Experts: Password holders can only collude to steal funds through IFMIS

In early October, unknown officials entered the government finance system at night and transferred millions of shillings in quick succession.

More than Sh51 million belonging to Kilifi County was stolen and transferred to private companies within minutes, in the biggest flaw of the Integrated Financial Management System (IFMIS).

It was one of a string of thefts executed through collusion among holders of passwords – according to information technology experts who have ruled out any possibility that the system could be hacked.

“Any payment of invoices passes through several validation and approval stages involving different officers,” says John Opiyo, who has consulted on the payments system at the National Treasury.

In his assessment, the officials could be deliberately sharing their passwords to execute the looting. “All current thefts are purely collusion between the officers and suppliers,” he says.

The infamous National Youth Service (NYS) scandal where nearly Sh2 billion is feared to have been looted was executed in the same way as the theft in Kilifi County.

Suspects in the Kilifi theft told a preliminary probe they could not be interrogated in public as the information they had could incriminate their bosses.

Their request to have the questioning done in camera could be a pointer that the officials may have been transferring the funds at the behest of their seniors. The Ethics and Anti-Corruption Commission (EACC) has taken over the investigations after the preliminary questioning by Members of the County Assembly (MCAs).

Security requirement

Before any payments for supplies are made, six different officers must give their individual approvals, and in a systematic fashion. What this means is that the sequence of approvals must be followed until the final user, usually the senior-most accounting officer.

It is also the same accounting officer who logs into the internet banking system to sign off the payment from the accounts held in the Central Bank of Kenya (CBK). None of the approvers have the credentials to sign for any other party along the procurement chain.

Osano Kute, an information technology consultant, says IFMIS users claiming that their passwords were stolen is akin to a bank manager claiming that they have lost keys to the vault.

“Anyone claiming that their password was stolen should also explain how the loss happened. Can you imagine a banker saying he lost the keys to the safe?” poses Mr Kute, who is also the chief executive of Osano and Associates, a Nairobi-based consultancy firm.

He said users who are granted passwords should be educated that it is a major security requirement to keep them secret and to change them regularly, so that they are not on the same credentials from “January to December”.

Moses Gesami, an Enterprise Resource Planning (ERP) consultant at Total Solutions Limited, discounts the claim that all the requisite passwords could be stolen so easily and conveniently.

“Unless all holders stored their passwords so carelessly, I do not see how this theft could happen,” Mr Gesami says of IFMIS, which can only be accessed from designated desktop computers.

Users are granted passwords after their accounts are created, but are prompted to change them at the first log-in to a secret combination of letters, numbers and special characters. In this way, the issuer of the password cannot tell what the revised one is.

ERP is business process management software that integrates operations through automation of back-office functions, including budgeting. IFMIS is one such system, and is built on Oracle, whose first customer was the US Central Intelligence Agency (CIA).

A technical official at Oracle Kenya said the core systems used by most high-security institutions including all commercial banks in the region are built on the Oracle database.

The Oracle country director was yet to respond to requests lodged by The Standard on Sunday relating to the alleged breach of IFMIS or of any other Oracle-based application.

Secure and solid

Last month, Ndegwa Muhoro, the Director of Criminal Investigations, ruled out the possibility of a hack on the password of former NYS boss Adan Harakhe. In the specific response, Muhoro told MPs probing the NYS scam that Harakhe’s password could only have been shared.

“IFMIS is a secure and solid system. It is not prone to hacking unless users share their confidential passwords,” Muhoro said, citing findings from the Cyber Crime Unit.

Some of the controversial payments among the Sh791 million were actually approved by Mr Harakhe in person, a forensic audit on his computer revealed.

Independent audits of the IFMIS system done by the Office of the Auditor General and private auditing firms have in the past highlighted the speed with which a transaction cycle can be completed as a major flaw of the system.

An insider at the Treasury, who has been privy to a previous audit, says the private firms had actually recommended a minimum turnaround time, which could mean that the procurement of any item can only be completed after a specific number of days or weeks.

But in the Kilifi and NYS cases, the fraud done through fake procurement of goods was completed within minutes. The process should begin with a request for the item to be acquired, before the specific approval is granted by the line manager. The procurement department is then asked to start the buying process.

A call for interested bidders is then published and sent out to pre-qualified suppliers for the required items, before their bids are received and evaluated by a tendering committee. The quotes received from the different bidders should also be captured in the system, as should the input of the tendering committee in selecting the winning supplier.

Typically, the tendering committee can reject all the received bids if it feels that the prices quoted were too high compared to the recommended pricing guidelines, which is also in the system.

An approval in IFMIS would be required at this level to allow for the notification of the successful bidder and the expected delivery dates. After delivery of the goods or services, a note is lodged in the system confirming that the supplier has completed their work and that the supplied commodities meet the required standards.

It is after the delivery that the supplier is expected to send an electronic invoice, detailing the amounts owed and confirmation of delivery.

Often, a junior accounting clerk will take up the invoice to check its authenticity, before escalating it to a more senior officer who could raise a local purchase order (LPO) to process the payment.

The LPO is approved by the senior-most accounting officer, commonly known as the person with Authority to Incur Expenditure (AIE).

Upon approval of the purchase order and initiation of the payment, the AIE will then log into the internet banking portal using their password to make the actual funds transfer – in a fashion similar to the ordinary online banking commercial banks offer their customers. It was designed to be a thorough, laborious but secure cycle that has, however, been reduced to a few mouse clicks – done within a minute, and in the dead of the night.
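The controls the article describes – a fixed sequence of six stages, each signed off by a different officer, plus the auditors' recommended minimum turnaround time – can be expressed as a simple after-the-fact audit check over an approval log. The following is an added example written for this page; it is not code from the article, from the National Treasury, or from Oracle/IFMIS. The stage names, the three-day minimum turnaround, the 08:00–18:00 working-hours window and the log entries are all constructed assumptions; it flags a cycle whose approvals collapse into minutes, land at night, or reuse one officer's identity at two stages, which is the pattern the Kilifi and NYS cases share.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Stage order modelled on the article's description of the procurement-to-payment
# cycle. The names are a constructed model, not IFMIS's own configuration.
STAGES = [
    "requisition",
    "line_manager_approval",
    "tender_award",
    "delivery_confirmation",
    "invoice_check",
    "lpo_approval",          # final sign-off by the AIE holder
]


@dataclass
class Approval:
    txn_id: str
    stage: str
    officer: str
    at: datetime


def audit_cycle(approvals, min_turnaround=timedelta(days=3), work_hours=(8, 18)):
    """Return a list of findings (strings) for one transaction's approval chain.

    An empty list means the chain satisfied every modelled control.
    Thresholds are assumptions for this example, not IFMIS policy.
    """
    findings = []
    events = sorted(approvals, key=lambda a: a.at)

    # 1. Every stage must be present, exactly once, in the prescribed order.
    seen = [a.stage for a in events]
    if seen != STAGES:
        findings.append(f"stage sequence {seen} does not match required order")

    # 2. Segregation of duties: no officer may sign off more than one stage.
    by_officer = {}
    for a in events:
        by_officer.setdefault(a.officer, []).append(a.stage)
    for officer, stages in by_officer.items():
        if len(stages) > 1:
            findings.append(f"{officer} approved multiple stages: {stages}")

    # 3. Minimum turnaround: the whole cycle must span at least min_turnaround.
    if events:
        elapsed = events[-1].at - events[0].at
        if elapsed < min_turnaround:
            findings.append(f"cycle completed in {elapsed} (< {min_turnaround})")

    # 4. Approvals outside working hours are flagged individually.
    start, end = work_hours
    for a in events:
        if not (start <= a.at.hour < end):
            findings.append(
                f"{a.stage} by {a.officer} at {a.at:%Y-%m-%d %H:%M} outside working hours"
            )
    return findings


def flag_transactions(cycles):
    """Map txn_id -> findings for every cycle that produced at least one finding."""
    flagged = {}
    for txn_id, approvals in cycles.items():
        findings = audit_cycle(approvals)
        if findings:
            flagged[txn_id] = findings
    return flagged


def _cycle(txn_id, rows):
    return [Approval(txn_id, stage, officer, datetime.fromisoformat(ts))
            for stage, officer, ts in rows]


# Constructed sample approval log (not from the article or any real audit).
# TXN-0001: a well-formed cycle spread over three weeks, six distinct officers.
NORMAL_CYCLE = _cycle("TXN-0001", [
    ("requisition",           "clerk_a",     "2018-09-03T09:15"),
    ("line_manager_approval", "manager_b",   "2018-09-04T10:30"),
    ("tender_award",          "committee_c", "2018-09-17T14:00"),
    ("delivery_confirmation", "stores_d",    "2018-09-24T11:45"),
    ("invoice_check",         "accounts_e",  "2018-09-25T09:05"),
    ("lpo_approval",          "aie_f",       "2018-09-26T15:20"),
])

# TXN-0002: the whole chain in 14 minutes after 1 a.m., with manager_b's
# credentials used at two stages.
SUSPECT_CYCLE = _cycle("TXN-0002", [
    ("requisition",           "clerk_a",    "2018-10-02T01:02"),
    ("line_manager_approval", "manager_b",  "2018-10-02T01:04"),
    ("tender_award",          "manager_b",  "2018-10-02T01:07"),
    ("delivery_confirmation", "stores_d",   "2018-10-02T01:10"),
    ("invoice_check",         "accounts_e", "2018-10-02T01:13"),
    ("lpo_approval",          "aie_f",      "2018-10-02T01:16"),
])

if __name__ == "__main__":
    for txn, findings in flag_transactions(
            {"TXN-0001": NORMAL_CYCLE, "TXN-0002": SUSPECT_CYCLE}).items():
        print(txn)
        for f in findings:
            print("  -", f)
```

Run as a script, only TXN-0002 is reported, with eight findings: one for the reused identity, one for the 14-minute cycle, and one per night-time approval. The point of separating the checks is that each maps to a distinct control the article names, so an auditor can see which control failed rather than just that the transaction looks odd; the turnaround and working-hours checks in particular need no knowledge of whether a password was shared or stolen, which is why they are useful detection signals regardless of the collusion-versus-hack question.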

Most of Kenya’s budget, worth over Sh2 trillion in the current financial year, is planned, managed and executed through IFMIS.

It is only sensitive expenditures such as budgets for the military that are not transacted through the platform in a deliberate undertaking to conceal acquisition of arms from possible territorial enemies. The waiver makes it nearly impossible to audit military spending – which has in previous years raised concerns from independent institutions of widespread wastage.

IFMIS, which was first used in 2003, has made it easier to carry out audits and monitor spending, effectively enabling suspicious transactions to be flagged.

In one of the more recent of the many cases of fraud and system manipulation, an internal auditor was able to point out massive reallocations and possible theft at the Ministry of Health in a scam said to involve Sh5.3 billion – within weeks.

Several top officials in counties, ministries and departments such as Harakhe have heaped the blame on supposed identity theft by criminals. But the experts have deflated the claims, saying IFMIS can only be accessed from known computers and via a specific internet network – technically known as a Virtual Private Network (VPN).

Special modems were issued to IFMIS users to enable secure access. Outsiders cannot see information sent over the VPN, which helps to increase security while preventing unauthorised access.

A manager (who is not authorised to speak to the media) said users are required to log on to the government network using their passwords before signing into IFMIS.