Auditor General Nancy Gathungu has called on the government to urgently assume full control of the eCitizen platform, warning that the current arrangement leaves the system exposed to operational risks and continued dependence on a private vendor.
In a special audit report dated March 2025, Gathungu said the platform should be handed over immediately by Webmasters Kenya Ltd and placed fully under government management. She said stronger internal oversight is needed to safeguard public revenue and improve delivery of government services.
“Webmasters Kenya Ltd should unconditionally hand over the eCitizen Platform as spelt out in paragraph 7 of the handover agreement. Further, a robust Change Management Process that requires all system changes to be formally documented, reviewed and approved by authorised personnel should be implemented,” reads the report.
The audit established that although the platform was designed to digitise government revenue collection and service delivery, it is still not fully controlled by the state despite government ownership.
According to the report, development of the platform was financed by the World Bank and the International Finance Corporation (IFC), which hired Webmasters Kenya Ltd to handle software development and maintenance.
In 2017, the IFC transferred ownership of the platform to the National Treasury, handing over the source code, contracts, business case and other operational documents.
However, the audit shows that on January 13, 2023, the Ministry of Information, Communications and Digital Economy and Webmasters Kenya Ltd signed another agreement in which the vendor committed to unconditionally transfer the platform to the government.
Gathungu said the audit could not establish how the system reverted to the vendor after it had already been handed over to the government years earlier.
“It was not explained how the ownership and control of the eCitizen Platform ended up in the hands of the vendor after having been handed over to the National Treasury by IFC in 2017. Further, it was established that after the transfer of ownership by Webmasters Ltd in January 2023, the government did not obtain full control of the systems, resulting in continued over-reliance on the vendor. Noting that the majority of government services are provided through the Platform, the control of the system by the vendor creates a single point of failure,” reads the audit.
The report also raised concerns about security and data privacy on the platform. Gathungu said the National Treasury did not give auditors full access needed to assess data protection controls.
Even so, reviews of system logs and IT controls revealed weaknesses that could expose the platform to risks affecting the confidentiality, availability and integrity of information.
The audit further pointed to business continuity concerns, saying weaknesses in both general and platform-specific systems could interrupt revenue collection and service delivery if not addressed.
Past downtimes have already shown how service disruptions affect efficiency, and the platform has now been classified as a high-risk project due to its central role in government operations.
“The Platform is significant to service delivery and should be handled as a high-risk project. Some of the services are by persons outside the country, whereas others are time-based,” reads the report.
The report also examined the Government Digital Payments Platform, which is meant to automate real-time revenue collection and remove human interaction in the payment process.
However, the system is still not fully operational. The audit found that payments are first routed through several collection accounts before being transferred to a central Settlement Account managed by the National Treasury.
After this, Treasury issues manual instructions for funds to be transferred in bulk to the bank accounts of various Ministries, Departments and Agencies, a process that the audit says creates inefficiencies and delays.
To address these challenges, Gathungu recommended major reforms to strengthen governance, financial accountability and operations within the digital payment platform.
“To reduce over-reliance on external vendors, the report recommends that the government build internal technical capacity by training staff in system administration, operations, and maintenance,” Gathungu said.
She also called for the establishment of a clear legal framework to guide data protection, information security standards and compliance requirements.
To improve coordination between agencies involved in the platform, the audit recommends setting up an oversight body or steering committee bringing together representatives from the Directorate of eCitizen Services, the Government Digital Payments Unit and the ICT Authority.
“The body would provide leadership, align strategy, set shared objectives and resolve operational conflicts,” Gathungu said.
The report also stresses the need for detailed Standard Operating Procedures to guide routine operations, response to system failures and management of exceptions.
“These procedures would guide consistency and efficiency,” she added.
Other recommendations include formal Service Level Agreements with financial service providers and regular independent audits to maintain operational integrity.
On improving the platform itself, the Auditor General advised that net collections for Ministries, Departments, Agencies and counties should be sent directly to their bank accounts. She also called for full automation of payment settlements and unique identification of services to avoid duplication.
The report further proposes that convenience fees charged through the platform should reflect the operations of each agency, and bundled services such as hospital visits should attract a single charge.
To ensure smooth operations, Gathungu also recommended the establishment of a centralised helpdesk staffed by trained personnel and supported by a ticketing system to handle and prioritise technical issues.
“Payments to the vendor for provision of gateway services are to be discontinued, and all previous payments recovered. All funds irregularly diverted or transferred should be recovered and properly accounted for,” reads the report.
Gathungu further called for investigative agencies to examine the irregularities raised in the audit, saying urgent action is necessary to secure the platform, protect public funds and strengthen service delivery.