The audit by KPMG says the unauthorised users updated the voter register, raising concerns about whether the voters' roll was manipulated.
“Audit trails indicated that there were users who were not gazetted as returning officers or assistant returning officers who made updates to voter data,” the KPMG report read.
Additionally, the auditors said, password settings in the application layer and database layer were inconsistent with the IEBC policy.
Further, registration officers also had elevated privileges that allowed them to effect transfers, change voter particulars and deactivate deceased voters at the constituency level.
The auditor says some of these users applied those privileges to irregularly transfer voters and change their particulars.
“There is a risk that users who are not authorised by law may process transfers, change particulars or deactivate voters in the system,” KPMG said.
The KPMG audit identified 246,465 dead voters in the register, more than 481,000 duplicate entries, 226,143 registered with wrong IDs, and 164,269 with unrecognised records.
The weaknesses, KPMG said, were identified in the IEBC’s Identity Management System (IDMS) and the Automatic Biometric Identification Systems (ABIS).
KPMG said, however, they were unable to report on the nature of activities by the users — including the said strangers — in the two systems.
This, they said, was because the IEBC failed to provide an extract of the log of user activities; the auditors also found that the changes made to the register could not be traced.
The Wafula Chebukati-led commission, however, has denied strangers accessed the system, saying its investigations established that the users were duly authorised.
“Investigations were carried out and the results showed that the voter update activities were performed by duly authorised registration officers,” IEBC said in its response to the KPMG query.
Recently, Deputy President and UDA presidential hopeful William Ruto raised concerns that about one million voters allegedly were irregularly transferred.
"How did close to a million names disappear from the register? And many of those names are from what we consider our stronghold. It is a clear attempt to try some monkey games," Ruto said in a meeting with EU envoys.
Chebukati told journalists that three officers were suspended, awaiting the direction of DPP Noordin Haji on actions the commission recommended.
But KPMG said its review established the database was exposed to such manipulative forces.
This, the auditor said, is because the IEBC has not set up an access recertification and user activity review process.
“Audit trails on the IDMS database had not been activated,” the auditor said. “Trails of the biometric system were provided two months after users were created.”
The audit report also revealed there were users who had access to applications without the requisite access.
In respect of the data transferred from the 2017 technology supplier IDEMIA, it was established that some users were granted excessive access rights at the database level.
“Users with direct access to the database are privileged users and they pose the highest risk to the integrity of the register of voters,” KPMG said.
It was also established there were seven generic active accounts in the identity management system, five of which were used between May 24 and June 9.
The electoral commission has, however, committed to providing the logs of the said updates and activities "for independent review".
On the queries about the integrity of the system, the IEBC said all the access rights for system administrators have been withdrawn.
“The principle of least privilege is now used to grant new access rights,” the commission said. It added that in the future, no changes would be allowed in the voter register without the approval of the commission.
“From the time of certification of the register of voters, no change is allowed without the commission plenary's approval,” the IEBC said.
The Chebukati-led team further said that audit trails are in place and that all user access rights were disabled after the certification of the voters' register.
“User profiles will be granted on a 'need to know/have' basis in line with their specific roles and responsibilities,” the IEBC said, adding that ICT security staff members now have clearance to review privileged users.
KPMG also pointed out troubles with the lack of forms to support voter details, gaps in the transfer of voters, duplicates and lack of continuous updates of the voter roll.
Constituency Returning Officer users' accounts in the database were also found to bear the names of constituencies rather than the names of the officers.
KPMG also raised concerns that most of the user accounts in the system were generic — at least 513 of 522 — and as such cannot be attributed to an individual.
“Generic user accounts cannot be attributed to an individual with a reasonable level of assurance. This increases the risk of sharing credentials and reduces the accountability of user activities,” the auditors said.
The audit further revealed that multiple accounts existed for some constituencies, citing the case of two accounts named Balambala and Mbalambala.
At least 14 non-registration officer user accounts were granted voter update privileges in the identity management system. Of these 14, 10 were named Embakasi South Clerks while four were IT users.
Eleven active generic accounts — six with super access — were also unearthed in the Automatic Biometric Identification Systems (ABIS) application, while two users were found with the same login ID.
“User accounts in the ABIS application were created before the date of approval of the user access request form,” KPMG said. Accounts should be approved by a supervisor and the ICT director.
Where the requested forms existed, they were neither approved nor did they capture the approval date of the supervisor and ICT director.
IEBC also failed to deactivate expired accounts in line with its policy, which says accounts should be disabled after 90 days without activity.
The auditors said it was crucial that access to the database is controlled and monitored in line with IEBC information security policies.
The team asked IEBC to conduct a comprehensive review of the user access in the two systems and assign user accounts to specific IEBC staff for accountability.
“The IEBC should regularly review access rights to ensure access is granted for specific functions, and check activities of powerful users for appropriateness.”
On forms, KPMG directed that users be assigned new approvals — new access forms and appropriate sign-offs — prior to the certification of the voter register.
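The account findings above (generic accounts that cannot be tied to a person, accounts created before their access form was approved, accounts left active beyond the 90-day inactivity limit, duplicate login IDs, several accounts for one constituency, and update privileges held by users outside the registration-officer role) are the kind of checks an access recertification process of the sort KPMG recommends would run on every review. The script below is an added illustration and is not KPMG's or the IEBC's tooling; it runs those checks over a constructed extract of user accounts. The field names (`owner`, `approved`, `last_activity`, `privileges`), the role names and the review date are assumptions, and every account in the sample is invented.

```python
"""Access-review checks over a constructed user-account extract (hypothetical data).

Each check mirrors one finding class from the audit described in the article:
generic accounts, creation before approval, stale accounts past the 90-day policy,
duplicate login IDs, multiple accounts per constituency, and voter-update
privileges granted outside the registration-officer role.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

INACTIVITY_LIMIT_DAYS = 90                       # the 90-day policy quoted in the report
UPDATE_PRIVILEGES = {"transfer", "change_particulars", "deactivate"}
ROLES_ALLOWED_TO_UPDATE = {"registration_officer"}   # assumed role name
REVIEW_DATE = date(2022, 6, 15)                  # assumed date of the review run


@dataclass
class Account:
    login_id: str
    display_name: str
    role: str
    constituency: str
    owner: Optional[str]            # named staff member; None means a generic account
    created: date
    approved: Optional[date]        # sign-off date on the access request form; None = no form
    last_activity: Optional[date]
    privileges: Set[str] = field(default_factory=set)


# Constructed sample extract; every name, login and date here is invented.
SAMPLE_ACCOUNTS: List[Account] = [
    Account("balambala", "Balambala", "registration_officer", "Balambala", None,
            date(2022, 3, 1), date(2022, 3, 1), date(2022, 6, 1), {"transfer"}),
    Account("mbalambala", "Mbalambala", "registration_officer", "Balambala", None,
            date(2022, 3, 1), date(2022, 3, 10), date(2022, 1, 5), {"transfer"}),
    Account("jdoe", "J. Doe", "registration_officer", "Embakasi South", "J. Doe",
            date(2022, 2, 1), date(2022, 1, 20), date(2022, 6, 9),
            {"transfer", "change_particulars"}),
    Account("es_clerk1", "Embakasi South Clerks", "clerk", "Embakasi South", None,
            date(2022, 4, 1), None, date(2022, 6, 9), {"transfer"}),
    Account("it_admin", "IT Support", "it", "HQ", None,
            date(2022, 4, 1), date(2022, 4, 1), None, {"deactivate"}),
    Account("it_admin", "IT Support 2", "it", "HQ", "A. Mwangi",
            date(2022, 4, 2), date(2022, 4, 1), date(2022, 6, 1), set()),
]


def review_accounts(accounts: List[Account], review_date: date) -> Dict[str, object]:
    """Return a mapping of finding class -> affected login IDs (or constituencies)."""
    findings: Dict[str, object] = defaultdict(list)
    for a in accounts:
        if a.owner is None:                                  # cannot attribute to a person
            findings["generic_account"].append(a.login_id)
        if a.approved is None or a.created < a.approved:     # no form, or form signed late
            findings["created_before_approval"].append(a.login_id)
        idle_since = a.last_activity or a.created            # never used: count from creation
        if (review_date - idle_since).days > INACTIVITY_LIMIT_DAYS:
            findings["inactive_not_disabled"].append(a.login_id)
        if a.privileges & UPDATE_PRIVILEGES and a.role not in ROLES_ALLOWED_TO_UPDATE:
            findings["update_privilege_outside_role"].append(a.login_id)

    logins = Counter(a.login_id for a in accounts)
    findings["duplicate_login_id"] = sorted(l for l, n in logins.items() if n > 1)

    per_constituency: Dict[str, List[str]] = defaultdict(list)
    for a in accounts:
        if a.role == "registration_officer":
            per_constituency[a.constituency].append(a.login_id)
    findings["multiple_accounts_per_constituency"] = {
        c: ids for c, ids in per_constituency.items() if len(ids) > 1
    }
    return dict(findings)


def run_review() -> Dict[str, object]:
    """Run the checks over the constructed sample as of REVIEW_DATE."""
    return review_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for finding, affected in run_review().items():
        print(f"{finding}: {affected}")
```

The checks are deliberately simple so that each line of output can be traced to one policy rule; in practice the same checks would be run against the real account extract and the signed access forms, and every hit would be assigned to a named staff member before the register is certified.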
Among concerns by the auditor was that there were no mechanisms for automatically updating records of dead voters, as well as those of unsound mind.
(Edited by V. Graham)