Auditor-General Nancy Gathungu has revealed irregularities and weaknesses in the management of e-Citizen, the government’s digital payment platform, which may have led to the loss of at least Sh10 billion.
In a special report to the National Assembly, the Auditor-General said the vendor’s control of the platform poses a single point of failure and a strategic risk in public services.
This vulnerability increases the likelihood of system failures, data breaches and compliance issues, even as government agencies fail to intervene.
Deputy Auditor-General Isaac Ng’ang’a told the National Assembly Public Accounts Committee that the audit revealed the loss of billions of taxpayers’ shillings and showed Kenyans were overcharged by Sh2.6 billion while accessing public services.
As a result of the findings, the committee has summoned Principal Secretaries Chris Kiptoo (National Treasury), Dr Belio Kipsang (Immigration and Citizen Services) and Mr John Tanui (ICT) to shed light on the issue.
The revelations come just days after National Treasury Cabinet Secretary John Mbadi said free secondary education is not sustainable, citing a reduction in capitation from Sh22,244 to Sh16,900 per student.
“What has been revealed by the Auditor-General is a disaster,” Aldai MP Marianne Kitany said yesterday.
Her Rarieda colleague Otiende Amolo called it “fraud”.
The special audit, covering the 2021/22 to 2023/24 financial years, unearthed flaws in the system, including irregular support and maintenance payments, unaccounted receipts, unauthorised revenue diversions and illegal transfers from the M-Pesa paybill 222222.
Originally a government programme, the e-Citizen platform was funded by the World Bank’s International Finance Corporation (IFC), which contracted Webmasters Kenya Ltd for development and support.
The IFC handed over all assets, including contracts and source code, to the Treasury in 2017.
However, it was discovered that the ICT Ministry signed a new handover agreement with Webmasters on January 13, 2023, suggesting that control had reverted to the vendor without explanation.
Protect public data
“It was not explained how the ownership and control of the platform ended up in the hands of the vendor after being handed over to the National Treasury in 2017,” the audit says.
Treasury failed to provide important documents and information, limiting the Auditor-General’s ability to assess the adequacy of IT controls meant to protect public data.
“This ... impacted the assessment of the adequacy and effectiveness of IT controls designed to protect information assets,” the audit reads.
It was also established that despite the transfer of ownership by Webmasters Kenya Ltd in January 2023, the government did not obtain full control of the systems, “resulting in continued reliance on the vendor”.
Audit objectives included assessing whether digital payments through e-Citizen had enhanced revenue collection for Ministries, Departments and Agencies (MDAs) and counties.
The audit involved system walkthroughs, document reviews and interviews.
The report cites additional concerns, including no legal framework governing the platform, lack of Service Level Agreements (SLAs), irregular convenience fee collections, delay in revenue remittance, no clear governance structure, suspicious payments and missing accounts.
Equity Bank statements, for instance, showed receipts of Sh6.3 billion from a mysterious account called “Pesaflow,” which is not listed among approved National Treasury collection accounts.
“The account was used to collect public funds irregularly,” the audit says.
“The total amount collected in this account could not be established as the bank statements were not provided for audit.”
The report adds that revenue accountability statements for the period ending June 30, 2024 showed Sh2.6 billion in payments could not be linked to any invoices on the platform and were attributed to duplicate and erroneous transactions.
“This indicates a lack of revenue traceability and accountability, which can lead to misappropriation, fraud or leakages. This may affect public services because not all revenue is remitted to MDAs,” the audit says.
Payments totalling Sh545.69 million were also made to Electronic Citizen Solutions Ltd “which was not a party to the agreement”.
“This arrangement exposes the government to potential disputes or diversion and loss of funds,” the report adds.
The valid contracts, according to the audit, were signed between the ICT Authority and a consortium comprising Webmasters Kenya Ltd, Pesaflow Ltd and Olive Tree Media Ltd.
Even Sh195.7 million for “payments gateway services” was flagged as irregular, since the government should not pay external parties to use its own platform.
President William Ruto during the unveiling of e-Citizen Services, GavaMkononi App and Gava Express on June 30, 2023 at KICC in Nairobi.
The audit revealed that paybill 222222, intended for auto-transfer to a settlement account at KCB Bank, was used to transfer Sh127.9 million to private entities on January 25, 2024, with no supporting files.
“No documentation was provided to support these transfers directly from the paybill,” the report reads.
Kenyans were irregularly charged Sh2.2 billion in convenience fees. A 2014 gazette notice allowed for a nominal prorated fee, but instead, a flat Sh50 or $1 per transaction was charged without Treasury establishing any prorating structure.
“This led to an overcharge to the public for collections made through the previous payment made through the unauthorised gateway,” the report says.
The National Treasury did not sign SLAs with companies engaged in the collection and settlement of revenue.
This means the Sh7.1 billion reflected in the collection and settlement accounts for the year ending June 30, 2024 may have been utilised by the financial service providers at the expense of services by the MDAs.
The audit says without a legal framework, the government digital payment platform faces risks of non-compliance, “leading to potential legal disputes and undermining public trust”.
“Without legal accountability, there is a likelihood of inefficiencies, which can compromise revenue collection, transparency and accountability.”
Executive Order No. 2 of 2023 mandated the Directorate of Citizen Services under the Ministry of Interior to coordinate e-Citizen functions and the GDP Unit of the Treasury to manage payments made through the platform.
However, no oversight body was created or mandated to coordinate the two ministries and provide leadership.
The audit also established that the ICT Authority was managing payments to the vendor – a role not provided in any legal instrument.