Questions over claims of stolen Integrated Financial Management Information System passwords

Is it possible that the Integrated Financial Management Information System (IFMIS) was hacked into and passwords stolen?

Is IFMIS a fool-proof system and can it be manipulated as some claim amid allegations that it produces financial statements with many errors? Could it also be true that most statements are done manually because the system has inherent problems?

National Youth Service Deputy Director Adan Harakhe told police and the media last week that his password had been stolen by unknown people, an allegation supported by Devolution CS Anne Waiguru leading to both of them seeking assistance from CID officers to probe the fraud.

Our investigations have revealed that IFMIS remains largely impregnable to massive fraud, as frequent users of the system attested unless it is done through collusion by high ranking officers.

Introduced in 2011 to improve transparency by tracking government financial transactions, the system has been embraced fully by all government agencies, including county governments who get money from the Treasury. According to multiple sources we interviewed in confidence for this story, it is almost impossible to perpetrate large scale fraud using the system unless there is high level connivance involving senior officers.

The system is credited by auditors for entrenching a treacherous and almost torturous system of checks and balances to ensure payments which go through are fully accounted for.

It is not surprising therefore, they say, that several high profile “attempted frauds” have been nipped in the bud. “You can do all sorts of crazy things in IFMIS including stealing passwords or changing passwords for existing users but you need a high level connivance of the Central Bank of Kenya to pull through. You will remember there is more or less similar attempted fraud at Judiciary which was stopped in similar circumstances as the NYS one through CBK inquiries,” an auditor who frequently uses the system explained.

He said 90 per cent of improprieties done within the IFMIS system have to do with inflation of prices although it is limited, to some measure, by the capping of particular vote heads and budget lines. He says approval processes for payments is quite elaborate and increases probability of figuring out fraud.

Another frequent user working with the Treasury says IFMIS cannot be hacked into as it is not a web-based system. And even if it were to be hacked into, nothing much would be compromised as “whatever is in it largely is invoice processes.”

“You can play all sorts of games but the checks and controls in approval stages especially on payments will, at the very least, expose you.

The issuance of passwords and their use is also regulated to reduce fraud instances. The auditor says passwords can be stolen from issuance or change request, unauthorised exchange, sharing and misplacement.

“It is possible that several officers could have their passwords stolen at the same time. It is also possible that people could be sharing passwords against the regulations,” he said.

And although IFMIS was intended to automate and integrate financial system, a number of key activities essential in its working remain outside the system. These include among others the budget supply function, manual payment approvals, manual vouchers, purchase orders and keying of the same into the system.

At worst, and more often, the combination of manual processes with digital ones leads to errors and not significant fraud, the users attest.

Diverse modules

“IFMIS being an oracle-based Enterprise Resource Planning (ERP) software has diverse modules some which have not been fully activated. It is not surprising therefore that some activities are manual. One can say the system is half manual and half automated,” the Treasury user explains.

Once a “procure to pay” system is fully in place within IFMIS, the auditor explains, most of the IFMIS-related frauds involving inflation of costs will disappear.

On March 6, 2015, President Uhuru Kenyatta issued an executive order requiring all state agencies to “immediately” migrate to e-procurement platform. In the new system, suppliers will have an account in IFMIS and the system will have market costing and rates for various supplies.

Incidentally, three of the twenty one suspect payment approvals in the NYS matter were procured through the e-system. The three, given the IFMIS numbers 4636, 4633 and 4632 amounted to Sh133 million.

“The processing of supply orders in respect of these transaction numbers went through the laid down e-procurement procedure and were eventually awarded through a letter signed by the PS Ministry of Devolution and Planning,” the CID report signed by Joseph Mugwanja reads. Devolution CS Ann Waiguru is a former director of IFMIS at its inception in 2011.