Private firms running e-Citizen, Auditor-General Nancy Gathungu says
What you need to know:
- Collections average Sh350 million daily, up from Sh50 million in the financial year ended June 2023.
- Significant control of the system by the vendor has made it difficult for the State to on-board some services.
The State has little control over the e-Citizen self-service and payment portal, Auditor-General Nancy Gathungu has said, warning that this could compromise accountability of the billions of shillings processed through the platform.
Collections through the platform average Sh350 million daily, up from Sh50 million in the financial year ended June 2023.
More than 19,000 public services are currently available on e-Citizen, out of which 15,440 have been fully on-boarded.
“Preliminary review of operations of the e-Citizen Government Digital Payments (GDP) platform indicate that, despite the strategic importance of e-Citizen, the government does not have full control of the system and [relies] significantly on the vendor for some critical functions,” Ms Gathungu said in a newly released audit report.
The Auditor-General pointed out that significant control of the system by the vendor has made it difficult for the Government Digital Payments Unit (GDPU) to on-board some services.
“Lack of full control of the system exposes the government to the risk of revenue leakage, lack of full accountability, system unavailability or downtime, security vulnerabilities and threats including lack of business continuity,” the Auditor-General warns.
Ms Gathungu’s verdict on e-Citizen is that its “current IT controls may not guarantee the integrity of the data processed through the system”.
The revelations are contained in the audit report on the national government for the financial year ended June 2023, which also notes that the Office of the Auditor-General is currently undertaking a special audit of e-Citizen to establish the credibility and reliability of the system.
“This special audit is informed by the current strategic importance of e-Citizen in the financial architecture of the government. The special audit is expected to provide highlights on the credibility and reliability of the e-Citizen system, including assurance on whether data processed through the system is accurate and complete,” the Auditor-General said.
In the report documenting preliminary weaknesses identified on e-Citizen, the Auditor-General also revealed that, despite the shift to the digital platform, the National Treasury is handling reconciliations and settlement of payments manually, which run the risk of human error.
“Review of financial operations of the GDPU indicates that reconciliations and settlements ... were done manually ... on two days a week. The procedures are tedious and entail the physical transfer of documents for approvals. Further, manual processes introduce the risk of human errors and delays in the transfer of payments,” Ms Gathungu said.
In view of the new policy requiring all payments for services to be done through e-Citizen, she added, the manual system of reconciliation and settlement might not be sustainable. She urged the Treasury to ensure that reconciliation and settlements are done in real-time.
The Auditor-General could not confirm the adequacy of internal controls over reconciliations and settlements through e-Citizen.
Ms Gathungu further revealed that the Treasury declined to provide the consultancy agreement entered between it and the vendor operating the e-Citizen system.
“It was, therefore, not possible to establish the terms of the consultancy and the responsibilities of each party in the management of the e-Citizen Government Digital Payments System,” Ms Gathungu revealed.
She said e-Citizen continues to operate without an approved IT policy for governance and management of its ICT resources and lacks an ICT Steering Committee that could assist in the development of the ICT Policy Framework.
“Lack of an approved IT Policy may result in an unclear direction regarding maintenance of information security across the Unit and safeguarding the Unit’s ICT assets. In these circumstances, users may not have any rules and procedures to follow in order to minimise risk of errors, fraud, and the loss of data confidentiality, integrity, and availability,” Ms Gathungu said.
“In addition, the system lacks an approved Business Continuity Plan and a secondary backup site,” she added.