[kictanet] State audit finds serious loopholes in Ifmis system

[S.M. Muraya]

Would a Data Protection Act not cause public officials to focus more on
digitizing + securing of digital systems?

As it is now, decent IT professionals are given a very hard time when
seeking to procure and secure automated processes.

http://www.nation.co.ke/news/State-audit-finds-serious-loopholes-in-Ifmis-system/1056-3509548-format-xhtml-7xl0jv/index.html

State audit finds serious loopholes in Ifmis system
SUNDAY JANUARY 8 2017

   - The audit report on the effectiveness of Ifmis reveals negligence on
   basic system security procedures and lack of data safeguards that makes the
   system easy to manipulate by fraudsters seeking to steal from the public
   purse.
   - Kakamega County Governor Wycliffe Oparanya said counties had been
   plunged into a financial crisis due to the hitch that affected payment of
   salaries and processing of urgent payments to suppliers and other service
   providers.
   - The Ifmis department cannot even monitor existence and sustenance of
   threats to Ifmis security.

By EDWIN  OKOTH
More by this Author
<http://www.nation.co.ke/authors/1959272-2557524-format-xhtml-view-asAuthor-9hgm4q/index.html>

The government’s main financial management system is marred by technology
loopholes, making it prone to abuse and possible loss of public funds, an
official audit has revealed.

An inquiry report by the Auditor- General reveals that the Integrated
Financial Management Information System (Ifmis) has numerous control
weaknesses that badly expose it to fraud and misuse, with unidentified
users capable of logging in remotely while others have multiple identities
in the government’s main financial nerve centre.

The audit report on the effectiveness of Ifmis that was released in
November reveals negligence on basic system security procedures and lack of
data safeguards that makes the system easy to manipulate by fraudsters
seeking to steal from the public purse.

“Good practice requires that passwords must be reset at least every 90
days. At the time of the audit, the configuration in Ifmis relating to
password expiration indicated the expiry period is set to ‘none’, which
means the passwords never expire. This is a potential loophole that can be
exploited and hence lead to unauthorised persons gaining entry to sensitive
government data as well as carrying out fraudulent activities,”
Auditor-General Edward Ouko writes in the report.

Ifmis — the nerve centre of finance that is meant to enhance efficiency in
planning, budgeting, procurement, expenditure and reporting in the national
and county governments — also runs on a poor network architecture badly
impacting its up time and causing financial inconveniences.

This is especially noted in counties where network downtime ranges anywhere
between two and four days. Just last month, the system broke down, delaying
payment and plunging thousands of public servants and suppliers into a
crisis ahead of the Christmas holidays.

Kakamega County Governor Wycliffe Oparanya — who is the chairman of the
Council of Governors (CoG) Finance, Planning and Economic Affairs Committee
— said counties had been plunged into a financial crisis due to the hitch
that affected payment of salaries and processing of urgent payments to
suppliers and other service providers.

CREATE MORE USER IDS

“On behalf of the CoG, I regret to bring to the attention of the county
government suppliers, staff and creditors the malfunction of the Ifmis used
in processing payments across the counties,” he said.

The audit points out that those behind the system, which relies heavily on
the overall network infrastructure of the government, failed to study and
establish the network specifications required to meet Ifmis standard
operations before its launch hence the frequent failures.

So exposed is the system that one can create more than one User ID. This
can lead to misuse of such additional User ID freely in committing fraud.
The audit reveals that almost 50 users had more than one User ID leaving
little accountability on the users.

The system also lacks a trackable approval process in the creation of new
User IDs, meaning it is possible to create ghost IDs and carry out
transactions including remotely without being noticed.

In fact, a list of authorised personnel provided with remote access was not
available for audit review meaning their identities remained anonymous.
There was no practice of approving the remote login requests; which means
even those not authorised would log in remotely.

Remote transactions were largely blamed for the theft at the Ministry of
Devolution which saw the loss of more than Sh1.6 billion in the infamous
National Youth Service (NYS) scandal.

Vendors were also duplicated in the system with a review of the supplier
master data showing the existence of almost 50 cases of duplication of the
same vendor, meaning the vendor may as well have been paid 50 times.

“Presence of active duplicate supplier master records increases the
possibility of potential duplicate payments, misuse of bank account
information, reconciliation issues among others,” the audit states.

Former NYS Director-General Adan Harakhe
<http://www.nation.co.ke/news/Harakhe-Noor-to-face-charges-over-illegal-procurement-at-NYS/1056-3450440-7c4s9/index.html>claimed
his password was stolen and used in the fraudulent transactions.

Entries were allegedly made into Ifmis using Mr Harakhe’s password and
username, in which zeroes were added to figures, converting them into
hundreds of millions of shillings.

For instance, an audit of the cost of a road in the Kibera slums in
Nairobi, by the Ministry of Public Works, indicated that it cost Sh78
million, but three companies owned by one of the key suspects, Ms Josephine
Kabura, were paid Sh791 million, with investigations by the Directorate of
Criminal Investigations (DCI) indicating zeroes were added to inflate the
figures.

EXPOSING FINANCIAL DATA

The system, which cost the tax payer more Sh11 billion to set up and
re-engineer, is left to run without security policies, standards and
procedures covering various aspects of security control, badly exposing
government financial data, the auditor found.

This means the Ifmis department cannot even monitor existence and
sustenance of threats to Ifmis security.

The auditor also found that the data transmitted through the system in
plain text without encryption was largely compromised and prone to
interception and security breach.

Basic quality assurance such as the hardware acquisition was not verified
with end user equipment such as personal computers, printers, flatbed
scanners and uninterrupted power supply units procured without need
assessment and analysis substantiating the hardware configuration required
to support the system.

Other basics, including the physical security practices at the data centre,
were neglected with malfunctional CCTV cameras, untested smoke detectors
and fire suppression systems (for two years) and no maintenance contract
for the data centre equipment had been renewed.

This means there would not be an assured prompt maintenance should the
system develop hitches. One of the two available UPS systems was not in
working condition while the computers were left prone to virus attacks, the
auditor states.

“There was no evidence for regular anti-virus installation and regular
signature updates. In the absence of an effective anti-virus management,
the servers, PCs, laptops, computer networks and other technology equipment
were at the risk of virus attack,”  the auditor pointed out, exposing deep
negligence on the country’s core financial management tool.

POOR BACK-UP SYSTEMS

The data stored in the system had poor back-up systems threatening to throw
government financial processes into disarray should any disruptive events
strike.
It was found that the government did not have a business continuity plan
and a disaster recovery plan in place. For a sensitive system like Ifmis,
there was no disaster recovery site in operation while Business Continuity
Plans or Disaster Recovery drills were not carried out. A dedicated
emergency response team in the event of disaster was yet to be identified,
according to the auditor.

Another serious security breach was found in the Assets Register. It only
had listed servers, desktops, laptops and network equipment (routers,
switches, modems).

“However, important information regarding IT assets such as asset ID,
location of the asset, the person to whom the asset is allocated and
warranty period particulars were not recorded. Also, details on software
and hardware licences were not captured in the asset register for tracking
and control purposes. In the absence of a formal accounting of software
installations, unauthorised installations and use may go unnoticed,” the
auditor writes.

A poor assets register means one could easily install another equipment and
take away crucial data for a long time without being noticed, an indication
of how badly the system is exposed to fraud.

Ifmis, whose conception started in 1998, was expected to have different
modules comprising accounting, revenue management and asset management,
among others, developed as well as the establishment of interfaces with the
Central Bank of Kenya payment information system, Kenya Revenue Authority
and the Ministry of Labour for the payroll and human resource management
modules.

The entire network is managed by three entities – two being government
departments and a third party entity. Ifmis department provides and manages
the network connectivity within the Treasury premises.

The network infrastructure from Treasury (data centre) to various
ministries, departments and agencies is managed by Government Information
Technology Services/Information and Communication Technology Authority,
through the infrastructure provided under the Government Communication Core
Network.

Further, network is extended to all 47 counties by Telkom Kenya who manages
the end user connectivity through wireless connectivity.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.kictanet.or.ke/pipermail/kictanet/attachments/20170109/1bfbe311/attachment.htm>