Kenya’s banking sector stands at a pivotal juncture. Digital transformation has accelerated the pace of financial services delivery — but it has equally expanded the attack surface, deepened technology dependencies, and introduced systemic risks that traditional audit frameworks were not designed to catch. Across institutions ranging from tier-one commercial banks to SACCOs and microfinance entities, the same control weaknesses resurface — year after year — in IT audit reports.

The IT Audit Context for Kenyan Banks

The Central Bank of Kenya (CBK) has progressively strengthened its technology risk supervisory framework, including the Prudential Guideline on Cybersecurity and associated circulars mandating minimum standards for access management, incident response, and business continuity. Despite these regulatory signals, IT audit engagements across the Kenyan banking sector continue to surface recurring and significant control deficiencies that expose institutions to financial loss, regulatory sanction, and reputational harm.

Across East Africa more broadly, the picture is similar. Institutions in Uganda, Tanzania, Rwanda, and Ethiopia face comparable challenges as they digitise at pace while audit and compliance capabilities lag behind. This article draws on patterns observed across IT audits in the Kenyan and East African banking context to identify the ten most pervasive findings — and to provide practical guidance on the controls and governance oversight needed to address them.

68%
Of Kenyan banks cited for IT control deficiencies by the CBK in the last three supervisory cycles
KES 2.4B
Estimated fraud and cyber losses reported by Kenya’s banking sector in 2023 — CBK Annual Report
72 hrs
Maximum incident notification window under CBK Cybersecurity Prudential Guidelines
41%
Of African financial institutions operating without a formally approved IT risk framework — KPMG Africa 2024

The Ten Critical Findings

1
Privileged Access Management Weaknesses

Risk & Impact: Privileged and administrative accounts — those with elevated rights over core banking systems, databases, and infrastructure — consistently represent the highest-impact exposure in Kenyan bank IT audits. Findings typically include shared administrator passwords, dormant privileged accounts for former staff, absence of multi-factor authentication (MFA) on system administration consoles, and insufficient logging of privileged user activity. In the East African threat landscape, insider fraud and social engineering of IT staff are the primary vectors through which privileged access is exploited, often resulting in unauthorised transactions, data exfiltration, or manipulation of system audit logs.

Controls That Should Be in Place: Institutions should implement a Privileged Access Management (PAM) solution that enforces just-in-time privilege elevation, session recording, and automatic credential rotation. All privileged access must be individually assigned, MFA-enforced, and subject to quarterly revalidation. Privileged session logs must be stored in a tamper-evident system separate from the environment being accessed.

Role of Management & Oversight: The CISO and IT Risk function should report privileged account metrics — including orphaned accounts, failed authentication attempts, and out-of-hours privileged access events — to the Board IT Risk Committee on a quarterly basis. Management should ensure the internal audit function conducts independent verification of privileged access controls at least annually.

2
Inadequate Patch and Vulnerability Management

Risk & Impact: Many Kenyan banks operate core banking systems, ATM networks, and endpoint environments with critical security patches months or years out of date. Vulnerability assessments routinely reveal unpatched operating systems, legacy database versions, and internet-facing applications carrying known exploits. The 2023 compromise of several East African financial institutions was directly linked to exploitation of unpatched vulnerabilities in widely-used banking middleware. Regulatory exposure is significant: the CBK Cybersecurity Guidelines require institutions to maintain a formal patch management programme with defined remediation SLAs.

Controls That Should Be in Place: A formal vulnerability management programme should mandate monthly authenticated vulnerability scans of all in-scope systems, with critical findings remediated within 14 days and high findings within 30 days. Exceptions must follow a risk-acceptance process approved by senior management. Legacy systems that cannot be patched should have compensating controls such as network segmentation and enhanced monitoring.

Role of Management & Oversight: Management should receive a monthly vulnerability posture dashboard. The IT Steering Committee should review exception trends and escalate persistent critical vulnerabilities to the Board Risk Committee. IT audit should validate patch compliance rates as part of every engagement.

3
Weak User Access Controls and Segregation of Duties Failures

Risk & Impact: Access control reviews across Kenyan banks repeatedly uncover users with excessive system rights, including the ability to both initiate and approve transactions, create and release payments, or modify system parameters and approve the resulting changes. These segregation of duties (SoD) failures create conditions for undetected fraud. In several documented cases across the East African region, SoD conflicts in core banking and trade finance systems enabled staff to conduct and conceal fraudulent transactions over extended periods before detection.

Controls That Should Be in Place: A formally documented access control matrix must define permissible role combinations for each critical system, with SoD conflict rules configured directly in the core banking and ERP platforms. User access reviews should be conducted quarterly by system owners, with results formally signed off and retained. Joiners, movers, and leavers processes must be automated and linked to HR systems to eliminate the persistent problem of active accounts for terminated employees.

Role of Management & Oversight: The Head of Operations and the CISO should jointly own the access control framework. Board-level reporting should include the number of active SoD conflicts, the status of remediation, and the percentage of accounts reviewed in the last cycle. HR and IT must have a formally documented joiner-mover-leaver protocol reviewed by internal audit annually.

4
Business Continuity and IT Disaster Recovery Gaps

Risk & Impact: Despite CBK requirements mandating documented and tested Business Continuity Plans (BCPs) and IT Disaster Recovery Plans (DRPs), IT audits frequently find that Kenyan banks either have not tested their recovery plans in over 12 months, have recovery time objectives (RTOs) that bear no relationship to actual recovery capabilities, or maintain disaster recovery sites that are inadequately resourced. The reputational and regulatory consequences of service disruption — especially for mobile banking and RTGS-connected systems — are severe. The 2022 disruption at a mid-tier Kenyan bank demonstrated how an untested DRP can turn a manageable system failure into a days-long outage affecting thousands of customers.

Controls That Should Be in Place: Every critical system must have a documented, tested, and board-approved DRP with validated RTOs and recovery point objectives (RPOs). Full failover tests should be conducted at least annually, with tabletop exercises semi-annually. Recovery test results must be formally documented, deficiencies logged, and remediation tracked to closure.

Role of Management & Oversight: The Board should receive an annual attestation from management on the adequacy of BCP/DRP coverage. The IT Steering Committee should review test results and remediation plans. Management must ensure DRP documentation is reviewed after any significant infrastructure change, acquisition, or system migration.

5
Insufficient IT Change Management Controls

Risk & Impact: IT change management weaknesses are a persistent finding in Kenyan bank audits, manifesting as emergency changes made without approval, developers retaining production access enabling direct system changes, and inadequate testing prior to deployment. Unauthorised or poorly tested changes to core banking systems have been the root cause of several significant financial reporting errors and operational failures across the continent. Beyond operational risk, poor change management undermines the integrity of financial data and creates audit trail gaps that complicate fraud investigations.

Controls That Should Be in Place: A formally documented change management policy must define change categories, approval authorities, and testing requirements for each. Development, testing, and production environments must be strictly separated, with developer access to production revoked except under controlled emergency procedures. All changes should be logged in a change management system with pre- and post-implementation review documentation retained.

Role of Management & Oversight: The IT Change Advisory Board (CAB) — chaired by the CIO or Head of IT Operations — should review and approve all significant changes. Management reporting to the Board should include emergency change volumes as a risk indicator. Internal audit should independently sample change records and validate compliance with the change management policy quarterly.

6
Third-Party and Vendor Risk Management Deficiencies

Risk & Impact: Kenyan banks rely heavily on third-party technology providers for core banking platforms, payment switching, mobile banking, ATM management, cloud infrastructure, and network services. IT audits consistently find that vendor due diligence is superficial, contractual security obligations are undefined, and ongoing monitoring of third-party performance and security posture is absent. Across East Africa, several significant incidents — including data breaches and system outages — have originated from inadequately managed third parties. This risk is amplified by the Kenya Data Protection Act 2019, which places data processor obligations on vendors handling customer information and creates liability exposure for the bank as data controller.

Controls That Should Be in Place: A third-party risk management (TPRM) framework must classify vendors by criticality and mandate proportionate due diligence: security questionnaires, on-site assessments, and review of penetration test and audit reports for critical vendors. Contracts must include mandatory security obligations, right-to-audit clauses, breach notification timelines, and data protection compliance requirements aligned to the Kenya Data Protection Act.

Role of Management & Oversight: The Board should receive an annual report on the bank’s critical vendor landscape, including concentration risks and the status of assessments. Procurement must not onboard critical technology vendors without sign-off from the CISO and Risk function. Management should ensure vendor contracts are reviewed by legal and IT risk before execution.

7
Inadequate Security Monitoring and Incident Response Capability

Risk & Impact: The absence of mature Security Operations Centre (SOC) capability and formal incident response plans is a frequent and high-severity finding in Kenyan bank IT audits. Without centralised log aggregation, real-time alerting, and defined incident response procedures, banks are unable to detect intrusions, data breaches, or fraud in a timely manner. The CBK Cybersecurity Guidelines mandate formal incident response frameworks and 72-hour breach notification — obligations that cannot be met without the underlying detection capability. In the East African context, where mobile banking fraud and social engineering attacks are increasingly sophisticated, detection latency translates directly into financial loss.

Controls That Should Be in Place: Banks should implement a SIEM solution aggregating logs from core banking, network devices, endpoints, and authentication systems, with detection rules tuned to the institution’s specific risk profile. A formally documented Incident Response Plan must define roles, escalation paths, communication protocols, and regulatory notification procedures. IR plans should be tested through tabletop exercises at least annually.

Role of Management & Oversight: The Board Risk Committee should receive quarterly reporting on incident volumes, response times, and significant near-misses. Management must ensure the IR plan is approved at executive level, communicated to all relevant staff, and updated following any significant incident or exercise. The CBK and other relevant regulators must be notified within stipulated timelines, a process that requires prior Board-level awareness of notification obligations.

8
Data Protection and Privacy Control Failures

Risk & Impact: Since the commencement of the Kenya Data Protection Act 2019 and the operationalisation of the Office of the Data Protection Commissioner (ODPC), IT audits in banking have increasingly scrutinised data governance controls. Common findings include the absence of a formal data classification framework, unencrypted storage of sensitive customer data, inadequate access controls over customer PII in data warehouses and analytics platforms, and the absence of data retention and disposal policies. Financial penalties, regulatory action, and reputational damage — including mandatory breach disclosure to affected customers — are the primary consequences. Similar data protection legislation is in force or in development across Uganda, Tanzania, Rwanda, and South Africa, creating a pan-African compliance imperative.

Controls That Should Be in Place: A formal data classification policy must define sensitivity tiers and mandatory handling requirements for each tier. Sensitive customer data must be encrypted at rest and in transit using current cryptographic standards. Access to PII in analytics and reporting environments must be role-based and subject to the same joiner-mover-leaver controls applied to transactional systems. Data retention schedules must be documented and technically enforced.

Role of Management & Oversight: Management must appoint a Data Protection Officer (DPO) as required under the Kenya Data Protection Act and ensure the DPO has reporting lines to both the CEO and the Board. The Board should receive annual reporting on the bank’s data protection compliance posture and any regulatory interactions with the ODPC. Privacy impact assessments should be mandatory for all new data processing initiatives.

9
Network Security Architecture and Segmentation Weaknesses

Risk & Impact: Network architecture reviews in Kenyan banks frequently reveal flat or poorly segmented networks where core banking systems, ATM networks, internet-facing applications, and user workstations share insufficient network boundaries. This architecture allows attackers who compromise a single endpoint or external-facing system to move laterally across the environment with limited resistance. The threat is not theoretical: several East African bank compromises in recent years involved lateral movement from a phishing-compromised workstation to core banking infrastructure due to inadequate network segmentation. Regulators, including the CBK, expect banks to apply a defence-in-depth architecture, but audits consistently find otherwise.

Controls That Should Be in Place: Network architecture should implement strict segmentation using firewalls and VLANs to isolate core banking, payment, ATM, internet-facing, and user environments. Inter-segment traffic must be permitted only on an explicit allow-list basis, with all traffic logged and monitored. Remote access to critical systems must route through jump hosts with full session logging and MFA enforcement. Annual network penetration testing must validate the effectiveness of segmentation controls.

Role of Management & Oversight: The CIO and CISO must jointly own the network security architecture, with any significant architectural changes subject to security review and Board IT Risk Committee awareness. Management should commission an independent network penetration test at least annually, with results and remediation plans reported to the Board.

10
IT Governance Framework and Policy Gaps

Risk & Impact: Perhaps the most foundational finding — and one that underlies many of the issues above — is the absence of a comprehensive, board-approved IT governance framework in many Kenyan banks. Where IT policies exist, they are often outdated, not formally reviewed, unapproved at the appropriate level, or unknown to the staff responsible for implementing them. Without a coherent governance architecture — including an IT risk framework, clearly defined roles and responsibilities, a policy hierarchy, and formal IT risk reporting to the Board — individual control gaps are inevitable and systematic failure becomes probable. The CBK and the Basel Committee on Banking Supervision both require banks to demonstrate active Board and senior management engagement with technology risk.

Controls That Should Be in Place: An IT Governance Framework, aligned to COBIT 2019 or an equivalent standard, should define the bank’s IT risk appetite, the structure of IT governance committees, policy ownership, and the IT risk reporting architecture. All IT policies must be reviewed at least annually, approved by appropriate authority, and communicated to relevant staff. An IT risk register must be maintained, updated at least quarterly, and reported to the Board Risk Committee.

Role of Management & Oversight: The Board must formally approve the IT Governance Framework and IT risk appetite. The CEO is accountable for ensuring the framework is operationalised. The Board IT Risk Committee (or equivalent) must meet at least quarterly and include items covering IT risk, cybersecurity, major technology projects, and audit findings. Management must ensure that IT audit findings are tracked to closure with defined owners and timelines, with overdue items escalated to Board level.

The Kenyan Regulatory Landscape

Kenyan banks operate under one of Africa’s most active regulatory environments for technology risk. The Central Bank of Kenya has progressively built a supervisory framework that creates enforceable obligations across all ten finding areas discussed in this article. Understanding the regulatory architecture is essential for audit committees and boards seeking to contextualise the findings above.

CBK Prudential Guidelines on Cybersecurity

Mandate minimum standards for access management, vulnerability management, incident response, and reporting. Non-compliance can result in supervisory action, fines, and remediation directives.

Kenya Data Protection Act 2019

Creates enforceable data processing obligations for banks as data controllers, including mandatory breach notification to the ODPC and affected data subjects within defined timelines.

CBK Business Continuity Guidelines

Require documented, tested, and board-approved BCP and DRP frameworks with annual testing obligations and defined RTO/RPO standards for systemically important functions.

National Payment System Act & Regulations

Impose technology control requirements on banks participating in payment infrastructure, including security standards for payment systems, ATMs, and mobile money platforms.

Communications Authority Directives

Extend cybersecurity obligations to banks’ digital infrastructure, including internet-facing systems, cloud services, and telecommunications-dependent banking channels.

Basel Committee BCBS 239 & Principles for Operational Resilience

International standards increasingly referenced by CBK, requiring banks to demonstrate effective risk data aggregation, IT governance, and operational resilience aligned to global best practice.

Board and Management Oversight: A Framework for Action

The ten findings described above share a common root cause: the absence of sustained, informed, and structured oversight from boards and senior management. Across the Kenyan and East African banking sector, technology risk has historically been treated as an operational matter delegated entirely to the IT function. This is no longer tenable — either from a regulatory perspective or in light of the materiality of technology risk to the institution’s commercial viability.

CBK Supervisory Expectation — Board Accountability

The CBK has made clear in its Prudential Guidelines and supervisory engagement that Boards of Directors are expected to demonstrate active, informed oversight of technology and cybersecurity risk. This includes approving IT risk appetite statements, receiving regular reporting on the institution’s technology risk posture, and ensuring that material IT audit findings are tracked to resolution. Boards that cannot demonstrate this oversight face increasing scrutiny during supervisory examinations.

Recommended Oversight Architecture

  • Board Level
    Board IT Risk Committee Approve IT risk appetite, IT governance framework, and DRP/BCP. Receive quarterly technology risk reporting, annual IT audit results, and significant incident briefings. Ensure CIO and CISO have adequate standing and resources.
  • Executive Level
    IT Steering Committee Chaired by CEO or COO. Approve significant technology investments and architectural changes. Review and action IT audit findings. Ensure cross-functional accountability for IT risk (Finance, Operations, Risk, Legal, IT).
  • Management Level
    CISO & IT Risk Function Own and maintain the IT risk register. Report monthly to the CISO and CIO on control metrics: patch compliance, access reviews completed, open audit findings, incident volumes, and SoD conflicts.
  • Assurance Level
    Internal Audit Conduct risk-based IT audit plan approved by the Audit Committee. Validate control design and operating effectiveness independently of management. Report directly to Audit Committee, not through the CIO or CISO.
  • External Assurance
    Third-Line Validation Commission annual independent IT health assessments, penetration tests, and CBK regulatory compliance reviews to provide assurance to the Board beyond what internal audit alone can provide.

Questions the Board IT Risk Committee Should Be Asking Management

  1. What is the current status of all open IT audit findings, and which have been open for more than 90 days?
  2. When did we last conduct a full disaster recovery test, and what gaps did it identify?
  3. How many privileged accounts exist in our environment, and how many have not been revalidated in the last quarter?
  4. What is the status of our most critical vendor relationships, and when did we last assess their security posture?
  5. Have we received any regulatory findings or enquiries related to IT or cybersecurity in the last 12 months?
  6. What is our current patch compliance rate for critical vulnerabilities, and which systems remain unpatched beyond their remediation SLA?
  7. Have we appointed a Data Protection Officer, and has our data processing register been reviewed in the last 12 months?

Closing Perspective: Turning Findings into Competitive Advantage

The ten findings documented in this article are not simply compliance failures. They represent material risks to capital, reputation, and the licence to operate — risks are increasingly visible to regulators, rating agencies, and sophisticated banking customers across Kenya and East Africa.

Banks that invest in robust IT governance, access management, vulnerability programmes, and third-party risk frameworks do not merely satisfy regulators — they build the operational resilience and stakeholder trust that differentiate sustainable financial institutions from fragile ones. In an era where digital banking penetration in Kenya exceeds 80% and mobile money transactions top KES 8 trillion annually, the integrity of technology controls is inseparable from the integrity of the institution itself.

Sentinel Assurance Partners works with banks and financial institutions across East Africa to identify, quantify, and remediate technology control gaps — translating audit findings into risk intelligence that boards and management can act on with confidence.