An audit of the electoral commission's register discovered 14 mysterious Returning Officers (ROs) who had been running the IEBC Integrated Database Management System (IDMS).
According to the detailed audit report by KPMG, the IEBC digital voters register had more than 2 million mysterious voters who used duplicate or fake documents to register. Some were registered twice in past elections.
"The mysterious ROs are referred to as 'Embakasi South clerks' and 'IT users' in the IEBC official Integrated Database Management System," the KPMG said.
However, in a detailed response in the dailies on August 3, 2022, IEBC Chair Wafula Chebukati said there were no ungazetted polling stations. Mr Chebukati said the commission published all polling stations on the Kenya Gazette number 7,996 dated July 1 and July 26.
He said they addressed all issues raised in the audit report before certification of the voters register. KPMG had reported that the 14 ROs are not gazetted but have been working alongside the 290 officials manning the constituencies in previous elections. "Two RO accounts named Balambala-ro and mbalambala-ro existed in the system. Only one Balambala is gazetted," the audit said.
The mysterious ROs had privileges to "transfer, delete, insert, trigger, truncate and update the voters register at will," the report disclosed, adding that "One user, Postgress, had superuser access privileges."
The 'digital' ROs are supported by 513 generic accounts in the IDMS against nine genuine accounts. They had privileges to access the voters' register in the IDMS. "The officers had the elevated privileges in IEBC IDMs to transfer, change voter particulars and deactivate deceased voters and the constituency," the report said.
The Constituency ROs user accounts in IDMs had not been allocated to the named users, but after the constituency so that they don't reveal the details of the users.
"Generic user accounts cannot be attributed to an individual with a reasonable level of assurance. This increases the risk of sharing credentials and reduces the accountability for user activities," KPMG said.
This complicated the cleaning of the voters' register audit, where some new voters were re-registered mysteriously. The IDMS database was not configured to disable inactive accounts in 90 days, as per IEBC policy, which made it easier for those who had left the electoral agency to gain access. "The commission should ensure all users accessing the IDMS and Automated Biometric system (ABIS) have the relevant approvals before being granted access to the systems to safeguard the integrity and confidentiality of the data processed in those systems," the report said.
At the same time, the auditors discovered that Smartmatic, which provided the technology to run polls, established 259,869 ghost voters in the voters' register given to KPMG.
"The total records within the Smartmatic register of voters that were provided to KPMG on May 5 was 21,970 597, including all biographic and biometric details. Smartmatic undertook duplication of the 2,184,472 records against the 21,970,597 records to generate a fully deduplicated register containing 21,710,728 voters, which was given to KPMG on May 18," the report said.
In the first register, 481,7111 people registered using duplicated ID/passport while 4,757 had registered twice using the ID and passport number.
About 164,269 used fake documents, 226,143 registered twice, while 246,465 people were dead. A total 970,351 people, or 4.29 per cent, were deleted from the first register baptised (RoV1).
KPMG later established 323,715 fake voters while 323,715 people were mysteriously missing from the RoV1.
During the second audit, KPMG said there was tempering with the voters' register. The RoV2 had 144,674 voters who used duplicated IDs and passports while 164,266 used invalid documents to register.
About 1,928 registered with ID and passport numbers, the IDs and names of 226,143 people failed to match and 246,465 are dead. Another audit established 325,715 fake voters and new 931,505 people in the voters' register.
They noted 931,505 new records, 325,715 which had been previously identified for adjudication and were missing in the second list, but were now included in the RoV 3.
There were 638,814 voters who had no IDs, IDs with alphabets and duplicate IDs in RoV 3.
There were also 564,364 questionable voter transfers in 22 counties. About 478,248 voters had matched with IDs and 86,116 voters' IDs did not match their names.
Of the 478,248 records that matched their ID, KPMG noted 460,546 had identical IDs and names. KPMG then compared the county, constituency ward and polling station for the 460,546 records and noted 429,784 records had identical details.
"This represents 76.15 per cent match. We have made recommendations to IEBC to review transfers in the register and confirm they are accurate and supported by validly completed source documents," the report said.
KPMG said there had been weaknesses in the control of the voters' register, but insisted IEBC should implement its recommendations and use the digital voters' register.
"Applications for transfers require completion of the statutory Form C attaching a copy of ID of the applicant and fixing of the official IEBC stamp by the RO before the voter transfer can be processed in the Register by the RO in the location in which the voter wishes to transfer."
The state also failed to provide the lists of the dead, unsound and prisoners, which made it hard to effectively weed out all ghost voters.