A special audit report by the Auditor-General on the Government Digital Payments Platform (eCitizen) has exposed significant weaknesses and irregularities in the system designed to streamline revenue collection for government services.
The report highlights concerns over financial accountability, governance, system ownership, and data security, calling for urgent reforms to safeguard public funds and restore trust.
The audit uncovered several financial irregularities that directly impact revenue collection and accountability. The Revenue Accountability Statements for the period ending June 30, 2024, showed a balance of Sh2.57 billion in a Settlement Account.
These receipts could not be linked to any invoices from the Pesaflow System and were attributed to partial, erroneous, and duplicate payments. The report states that this “indicates lack of revenue traceability and accountability, which can lead to misappropriation, fraud or revenue leakages”.
The audit also found that The National Treasury irregularly collected a convenience fee of Sh50 per transaction, contrary to a 2014 Gazette Notice that stipulated a prorated percentage fee.
As a result, Sh1.80 billion were “irregularly collected from the public”. Furthermore, the audit revealed delays of an average of eight days between the collection of funds by The National Treasury and their remittance to Ministries, Departments, and Agencies (MDAs) and counties.
In some cases, the delay was up to seven months. This was caused by manual settlement processes and negatively impacted the cash flow of the affected entities.
More Red Flags
The report also notes inconsistencies in the reporting of settlement reports where for instance an analysis of the Tourism Fund shows a variance of Sh515 million for the period ending June 30, 2024.
The settlement report from eCitizen indicated that Sh2.23 billion was due for settlement yet a summation of weekly reports showed that MDAs and Counties receivedSh1.74 billion.
“This discrepancy highlights inadequacies in the eCitizen reporting module, raising concerns about the reliability and accuracy of the settlement reports generated by the system,” the report states.
The audit notes that he ICT Authority paid Sh492.16 million to Electronic Citizen Solutions Ltd, a company not party to the support and maintenance contract with Webmasters Kenya Limited, Pesaflow Limited, and Olive Tree Media Limited. Payments for payment gateway services, totalling Sh142.16 million were deemed irregular, as the government should not pay for using its own platform.
The reports also notes that an analysis of Equity Bank statements revealed Sh68.72 million million collected through an unapproved “Pesaflow” account, not listed among the National Treasury’s authorised collection accounts. The total amount diverted remains unknown due to missing bank statements.
It also says that on January 25, 2024, four transactions totalling Sh127.85 million were made from Paybill 222222 to private entities, bypassing the designated settlement account at KCB Bank. No approval or documentation was provided, violating principles of prudent public finance management under Article 201 of the Constitution.
The report also notes that four bank accounts configured in the eCitizen platform lacked authorisation, contravening Section 28(1) of the Public Finance Management Act, 2015. This exposes the government to potential revenue losses or fund diversions.
A Platform Without a Foundation
The audit found that the eCitizen platform is operating without a proper legal framework or a clear governance structure. The committee responsible for developing this framework ended its term in 2021, and a replacement was not established.
This absence of a legal basis creates a risk of non-compliance, legal disputes, and compromises revenue collection. Furthermore, the audit revealed a lack of a clear governance structure.
While an Executive Order mandated the Directorate of eCitizen Services and The National Treasury to coordinate platform functions, no oversight body was created to provide strategic leadership.
The report also notes that the ICT Authority, without any legal mandate, was managing payments to the vendor. These issues create a risk of “misalignment in responsibilities” and “uncoordinated decision-making”.
The daily operations of the eCitizen platform also suffered from a lack of documented Standard Operating Procedures (SOPs).
Key processes like user access management and revenue collection and settlement lacked standardised procedures, creating an “informal operational environment” that could lead to errors, inconsistencies, and the exposure of sensitive citizen information.
Questions of Ownership and Control
Despite a 2017 handover of the platform’s instruments, including source code and contracts, from the International Finance Corporation (IFC) to The National Treasury, the audit raises serious questions about who truly controls the eCitizen platform.
The report states that it was “not explained how the ownership and control of the eCitizen Platform ended up in the hands of the vendor” after the 2017 handover.
A subsequent handover agreement in January 2023 between the Ministry of Information Communications and Digital Economy and the vendor, Webmasters Kenya Limited, was meant to transfer control to the government.
However, the audit established that the government did not obtain full control of the system and remained “over-reliant on the vendor”. The report warns that this vendor control of a system providing the majority of government services “creates a single point of failure”.
The lack of government control also poses risks to data security, operational independence, and service continuity.
The audit also details how the platform’s shortcomings negatively affect citizens and the competitiveness of local goods.
The standardised Sh50 convenience fee on low-priced goods and services, such as a Sh20 honey product from the Kerio Valley Development Authority (KVDA), resulted in a 250 per cent increase in the product’s cost, making it uncompetitive.
For healthcare services, the fee was charged “at every service point a patient accessed during a single hospital visit,” which could disproportionately affect low-income patients.
Furthermore, the lack of an established and structured help desk system makes it difficult to resolve reported incidents, leading to prolonged delays in service delivery and frustration for citizens.
The audit notes that some entities relied on informal communication channels, like social media, for support requests. This informal approach, combined with the lack of data sharing agreements, could lead to personal data breaches.
