[kictanet] Auditing MPESA wont be easy

Tue Jan 6 12:03:52 EAT 2009

Meanwhile, check out today's Nation in the Business/Tech section:

~~~~

A lot of debate has been raised since the Minister in charge of Finance, Mr. J Michuki 'threatened' to audit the Safaricom MPESA service – predicting to the public that all may NOT end well.  This set the stage for a lot of speculation with most people interpreting this to mean that competition was motivating the closure of this innovative service. The chief suspects in such a conspiracy would obviously be the 48 commercial banks whose total and national customer base is only one- tenth of the 4 million MPESA customers that Safaricom controls.

Indeed the banks do have a right to feel offended.  The Banking Act which oversees their operations has costly licensing and rigorous requirements that define how their Management, Operations and Customer Relations should be.  As if this is not enough, the Central Bank of Kenya (CBK) is mandated to give additional regulations and guidelines on “as-is-needed” basis and indeed the so called Basel II – a stringent, international best practice Standard for Banks is on its way for adoption in Kenya.  All these however do not apply to Safaricom's MPESA service and it may appear as if the playing field is therefore tilted in favour of Safaricom.

Which brings us to the crux of the matter – is MPESA a banking or a telecommunication service? Defining the service is critical to establishing the auditing tools and  methodologies that would hence be applied during the audit exercise. Failure to understand and categorise the service would lead to auditors employing the wrong yardsticks during the measurement and evaluation process.  It will be equivalent to a doctor using a ruler to measure your temperature or a butcher using a clock to measure the weight of your meat – how erroneous and disastrous would the results be?

If CBK auditors landed at Safaricom  House loaded with Banking Audit tools, they will definitely find that Safaricom will NOT meet the compliance and other requirements that apply to regular banks.  And this is for the simple reason that Safaricom is NOT a Bank – at least not in the traditional sense of the term.  Traditional Banking Audit tools will therefore not apply during the audit exercise. Safaricom's MPESA service is actually a hybrid system that cuts across the Financial, Telecommunication and IT sectors - presenting a daunting auditing challenge.

A simplistic approach that aims to separately audit MPESA on these three accounts – Financial, Telecommunication and IT – would still fail to address the audit objective for an MPESA service.  This is because the MPESA service as a whole is bigger than the individual sum of its three aspects- the same way Tea tastes neither like water, milk nor the leaves it is made from. It would therefore be erroneous to judge the quality and status of a cup of tea based on how the water, milk or the tea-leaves  tasted in their finite and seperate states.  Clearly, there is a demand for an entirely new set of Audit tools, methodologies and philosophy to deal with this and other emerging services that are simoultaneously cross-cutting, disruptive and still evolving.

MPESA service is a first of its kind in the world.  It is an innovative service that is charting new frontiers in a dynamic and challenging environment.  It is also presenting threats and opportunities for competitors, consumers  and auditors.  It does present a momentous opportunity for Kenyan Information System Auditors to contribute to the global body of knowledge by providing the parameters that would define an Audit Standard for MPESA and similar services.

John  Walubengo, CISA, jwalubengo at kcct.ac.ke, jwalu at yahoo.com
Mr. Walubengo is an IT Lecturer, Multimedia University College of Kenya (formerly KCCT) and a Board Member,  ISACA -Kenya Chapter.