Senior government officials have multiple Ifmis IDs, a new audit report shows, lifting the lid on the controversial system that has been used to loot billions of shillings in taxpayer money.
The details emerged amid disclosures that Ifmis was installed at a cost of Sh5.5 billion and a further Sh5.6 billion had been allocated for its re-engineering between 2013 and 2018.
An audit report by Auditor General Edward Ouko states that almost 50 government officials who are users of the Ifmis system had more than one user ID.
Creation of more than one ID for a single individual, Ouko warns, opens the system to misuse and is a huge risk.
The system was manipulated to execute the Sh1.6 billion National Youth Service fraud as well as the Sh51 million Kilifi county theft.
It has also emerged that senior officials at the Health ministry tried to steal Sh30 million from the National Quality Control Laboratory through the system.
However, last week, Treasury CS Henry Rotich defended the system as foolproof and termed it “robust and internationally tested”.
But Ouko says the Ifmis department domiciled at Treasury has not established comprehensive security policies, standards and procedures.
“Without a proper approval mechanism, creation of ghost IDs may go unnoticed, thus putting government information assets at risk,” Ouko said in the 118-page report tabled in Parliament.
A review of the supplier master data, Ouko said, indicates the existence of almost 50 cases of duplication of the same supplier.
He warned that the presence of active duplicate supplier records in the Ifmis increases the possibility of double payment.
“Lack of adequate ICT policies and procedures, coupled with improper approval processes for creation of new system IDs, together with the capacity to create duplicate supplier names in the Ifmis system with passwords that don’t expire, may have led to security vulnerabilities that were exploited in the NYS saga,” the report reads.
According to the Auditor General, good practice requires that passwords be reset every 90 days.
However, the Ifmis passwords expiry period is set to none, which means the passwords do not expire at all.
“This is a potential loophole that can be exploited and, hence, lead to unauthorised persons gaining entry to sensitive government data as well as carrying out fraudulent activities,” the report states.
The audit also indicates that the Ministry of Defence, the National Intelligence Service and eight other agencies do not use Ifmis.
These include the Teachers’ Service Commission, the Ethics and Anti-Corruption Commission, the now-defunct Commission for the Implementation of the Constitution, Kenya National Commission on Human Rights and Commission on Revenue Allocation.
Others are the Witness Protection Agency, National Gender and Equality Commission and the Independent Policing Oversight Authority.
The report also indicates that Ifmis adoption levels in government stand at a paltry 22.1 per cent. Treasury, the champion of the system, has only achieved an 0.9 per cent adoption level. Despite poking holes into the multibillion-shilling financial management system, Ouko did not state the amount of money that could have been looted through it.
According to investigators of the NYS scam, perpetrators of the rip-off only needed to add a zero to their transaction amounts to claim figures 10 times the actual claim.
Where a supplier supplied goods worth Sh10,000, a zero would be added to make it Sh100,000. Where supplies totaled Sh1 million they would shoot to Sh10 million.
“It is clear that a zero has been added on each amount entered in the Ifmis, resulting in extra millions of shillings paid to the supplier. This is a case of manipulation of the Ifmis,” said an official of the Banking Fraud Investigations Unit.
![[PHOTOS] Calm prevails in Kisumu, Homa Bay](https://cdn.radioafrica.digital/image/2026/06/dff8923b-c99a-4f40-a4be-cc996653e4e0.jpg)
