eCitizen platform under scrutiny as audit reveals financial mismanagement, governance failures and system vulnerabilities

The eCitizen platform, considered a cornerstone of Kenya’s digital transformation in public service delivery, has come under the spotlight in a special audit that has uncovered alarming financial mismanagement, governance failures and system vulnerabilities.

According to the Auditor General, the platform—designed to simplify government revenue collection—has instead become a fertile ground for fund diversions, overcharging citizens and significant gaps in governance.

Fund Diversions and Financial Mismanagement

One of the key findings of the audit is the irregular diversion of funds. The Kenya Revenue Authority (KRA) found that KSh 127.85 million was siphoned from the official government Paybill ‘222222’ and transferred to private entities without any documentation or approvals. Additionally, KSh 68.7 million and USD 48.1 million were funneled through an unapproved account, Pesaflow2, which shows a serious lack of financial oversight.

As of June 2024, the platform’s collection and settlement accounts held KSh 7.05 billion, with KSh 2.57 billion of that amount unaccounted for. The audit shows that these irregularities contravene public finance management principles and leave public funds exposed to abuse before they even reach government coffers.

Delays in Revenue Collection and Underfunding

The audit also found that the manual settlement process used by eCitizen causes an eight-day delay in the transfer of revenue to ministries, departments and agencies (MDAs). This causes significant underfunding for public services, as funds sit in commercial banks and intermediary accounts with no clear agreements in place to monitor or expedite the movement of funds.

Unjustified Convenience Fees: A Costly Burden on Citizens

The most worrying finding in the audit is the overcharging of convenience fees on transactions made through eCitizen. Instead of using government-provided pro-rated charges, the platform implemented a flat KSh 50 fee per transaction. This resulted in KSh 30.73 million in overcharges on the old payment gateway and KSh 319.03 million on the new one. This flat fee system punished low-value transactions, making some services up to 250% more expensive. A KSh 20 product from the Kerio Valley Development Authority became unaffordable, and patients were paying this fee multiple times in a single visit.

“The cumulative effect of this fee for each service a patient requires in a day becomes costly and may disproportionately affect low-income patients or those requiring regular healthcare services,” the audit noted.

Governance Issues and Vendor Control

Although the government owns the eCitizen platform, the audit shows state authorities have no control. The World Bank-IFC-backed initiative was launched in 2013, but the platform is still controlled by Webmasters Kenya Ltd, the private vendor that developed and maintains the platform.

In 2017, the IFC handed over the platform’s source code, contracts and business documentation to the National Treasury, making it a public asset. By 2023, the government still didn’t have full administrative control over the platform. The vendor still held critical components like the source code and admin rights, so the government is still heavily reliant on the vendor for critical operations like onboarding and user management.

This creates a single point of failure for the platform which can collapse or experience significant disruptions if the vendor has technical or financial issues. The National Treasury also failed to provide access to critical security assessments so the government can’t monitor potential vulnerabilities and strengthen its defenses.

Cybersecurity Threats and Data Protection Risks

The audit also found that the eCitizen platform is exposed to serious cybersecurity risks. In July 2023, the platform was hit by a Distributed Denial of Service (DDoS) attack that disrupted government services. The audit warns that the lack of IT governance and real-time security monitoring leaves the platform open to future attacks, which can compromise sensitive data and hinder government services.

Also, the absence of a Data Protection Impact Assessment (DPIA) despite handling personal identity information and financial data of millions of citizens poses significant data privacy risks.

Audit Recommendations: A Call for Urgent Reforms

The Auditor General has recommended:

  • Immediate recovery of diverted funds and overcharged fees.

  • A formal investigation into the unapproved accounts and unauthorized payments.

  • Strengthening of vendor management and IT governance to avoid future disruptions.

  • Comprehensive security overhaul to prevent future cyberattacks and ensure data privacy.

Conclusion: A Wake-Up Call for eCitizen

This audit is a wake-up call that even the most advanced government systems can fail due to poor governance, financial mismanagement and lack of accountability. As Kenya digitizes its public services, eCitizen and other platforms must adhere to the highest standards of financial oversight, security and public accountability to serve the public efficiently and ethically.

The National Treasury must act fast to address these concerns and reform eCitizen into a tool that truly benefits Kenyan citizens—without compromising their trust or their personal data.

Highlights:

  • KSh 127.85 million was diverted to private entities through eCitizen.

  • KSh 1.8 billion and USD 3.3 million were overcharged as convenience fees.

  • Webmasters Kenya Ltd still controls critical parts of the platform; the government is still vulnerable.

  • Audit recommends urgent reforms to recover funds, improve security and data privacy.