Kenya's public debt management system vulnerable to data breaches — Audit
By Maureen Kinyanjui |
The audit identified several IT control issues, including discrepancies between the closing balances reported in the Annual Debt Management Report and those reflected in the External Public Debt Register.
A recent audit of Kenya's public debt management system has revealed significant weaknesses that compromise the security and reliability of data related to the country's loans.
Auditor General Nancy Gathungu found that the National Treasury's system for monitoring debt disbursement from both local and foreign sources is unreliable, leading to potential risks including data breaches and financial losses.
Keep reading
The audit, which focused on the Treasury's debt management systems, identified several IT control issues, including discrepancies between the closing balances reported in the Annual Debt Management Report and those reflected in the External Public Debt Register.
Gathungu explained that these variances suggest that different sections within the Public Debt Management Office (PDMO) may be operating in isolation, further contributing to the system's lack of coordination.
"The variances are an indication that the sections within Public Debt Management Office might have been working in silos," she noted.
The Auditor General added that these inefficiencies expose the office to risks such as unauthorised access, operational disruptions, and data breaches, all of which could undermine the reliability of the public debt data maintained by the system.
"This might ultimately affect the reliability of data maintained by the debt management systems, reliability of reports generated from the systems and compliance with laws, regulations, directives and best practices," Gathungu added.
Unverifiable public debt
As a result of these issues, the Auditor General pointed out that her office was unable to determine the accurate balances of Kenya's public debt.
Gathungu stated that due to reporting inaccuracies and system unreliability, the completeness and accuracy of public debt could not be verified.
"Arising from inaccuracies in reporting, coupled with the unreliability of systems used in processing and management of public debt, the accuracy and completeness of public debt could not, therefore, be ascertained," she explained.
The audit also revealed that the PDMO does not test its backup plans, leaving the department vulnerable to major risks, including extended downtime, data loss, and loss of trust from lenders in the event of a disaster.
"This exposes PDMO to several risks, such as prolonged downtime in the event of a disaster, data loss, financial loss, and loss of trust from lenders, among other risks," Gathungu said.
Security concerns
Further investigation into the IT security controls revealed that sampled databases and servers had insufficient protection, meaning they could be easily accessed and tampered with.
This lack of security increases the potential for data breaches, unauthorised access, and significant financial and reputational damage.
"The lack of controls exposes PDMO to risks, including unauthorized access to sensitive data, data breaches and potential data loss, which can lead to significant financial losses, legal repercussions and reputation damage," the Auditor General stated.
The weaknesses were partially attributed to a lack of clear security policies and procedures, according to the report presented to Parliament.
The Auditor also raised concerns over the accuracy of the reported balances on public debt borrowings and repayments.
Gathungu noted that the Treasury's debt office did not provide sufficient evidence to support how these balance records were calculated.
"The management did not provide evidence to support how the balance records were arrived at," she said.
Beyond accounting concerns, Gathungu expressed worry that Kenyan taxpayers may not be receiving full value for the borrowed funds.
The audit highlighted instances where loan proceeds for public projects were not fully utilised due to delays or inefficiencies in project implementation.
"Value for money was not realised in some of the projects financed by proceeds from public debt," she said.
One such case involved a clinical waste disposal machine installed at Port Reits sub-county Hospital, which remained out of service due to persistent electricity cuts, preventing the project from delivering its intended benefits.
Reader comments
Follow Us and Stay Connected!
We'd love for you to join our community and stay updated with our latest stories and updates. Follow us on our social media channels and be part of the conversation!
Let's stay connected and keep the dialogue going!