Kenya’s 47 county governments collectively manage billions of shillings annually, operate critical citizen-facing services, and run increasingly complex ICT environments. Yet the IT audit lens on these institutions remains underdeveloped. This article maps what actually happens inside county ICT operations — process by process — and overlays the risk, control, and regulatory framework any serious IT audit engagement must apply.

47: county governments in Kenya’s devolved system
KES 570B: approximate annual county allocations (2024/25)
40%+: African governments with inadequate IT governance frameworks
3 laws: primary Kenyan statutes governing county ICT operations

The County ICT Landscape: Context for Auditors

Kenya’s devolution framework, established under the 2010 Constitution and operationalised by the County Governments Act (2012), created 47 semi-autonomous governments each responsible for delivering services ranging from health, agriculture, and early childhood education to roads and licensing. Over time, these governments have invested in ICT infrastructure to support service delivery — but the maturity of these investments varies dramatically from Nairobi and Mombasa, which run sophisticated integrated systems, to smaller counties where ICT governance remains nascent.

An IT auditor approaching a county government engagement must first understand that the ICT environment typically serves three functional clusters: revenue and financial management (supported by systems like the Integrated Financial Management Information System — IFMIS), service delivery platforms (health information systems, land registries, licensing portals), and internal operations (HR, payroll, procurement). Each cluster carries distinct risk profiles and sits within a patchwork of national and devolved regulatory obligations.

Auditor Alert — The Devolution ICT Gap

A 2023 report by the Controller of Budget Kenya found that a significant proportion of county governments lacked documented ICT policies, had no formal IT steering committees, and could not demonstrate adequate system access controls over IFMIS terminals. Across East Africa, the pattern repeats: Uganda’s local government digital systems, Tanzania’s district councils, and Rwanda’s decentralised units each face analogous governance gaps. IT auditors must approach county engagements with this baseline deficit firmly in mind.

Key ICT Operational Processes: What Actually Happens

The most valuable thing an IT auditor can do before fieldwork is understand what the process actually looks like in practice — not in the policy document, but on the ground. Below are the core ICT processes in a typical Kenyan county government, described as they operationally unfold.

Revenue Collection and IFMIS Integration

In practice, a revenue officer at a county business licensing desk opens the county revenue management system (where one exists) or a spreadsheet, records payment details, issues a receipt, and periodically reconciles with the county treasury. In more advanced counties, this connects to a point-of-sale terminal integrated with the National Treasury’s IFMIS. The end-of-day reconciliation is batched and uploaded. The audit reality: segregation of duties is often weak, system access is shared, and the reconciliation process is manual and prone to error or manipulation.

Payroll Processing

Payroll in county governments typically flows through the Integrated Payroll and Personnel Database (IPPD), administered centrally by the national government but with county HR officers holding input rights. A county HR officer creates a new employee record or processes a salary variation; this feeds into the monthly payroll run which disburses through the G-Pay system to individual bank accounts. The risk: ghost employees, duplicate entries, and unauthorised salary changes are all live threats. Audit fieldwork consistently surfaces cases where terminated employees remain on payroll for months after exit.

ICT Procurement and Asset Management

County ICT procurement runs through the Public Procurement and Asset Disposal Act (2015) framework. In practice, the ICT department raises a requisition, the procurement committee convenes to evaluate bids, a local purchase order (LPO) is issued, and equipment is received and (in theory) logged into an asset register. The operational gap: asset registers are often incomplete or not updated after receipt. Hardware routinely disappears between procurement and deployment. Software licensing is tracked informally. An IT audit of the procurement cycle should map from the approved budget line, through the LPO and goods-received note, to physical verification of the asset in the register.

Health Information Systems

County health departments report through the Kenya Health Information System (KHIS), the national instance of the open-source District Health Information Software 2 (DHIS2) platform, and some counties also run electronic medical record (EMR) systems at facility level. A facility health records officer enters patient visit data daily; this aggregates to the sub-county and county health department for reporting to the national Ministry of Health. The operational reality: data entry is often done in batches (not in real time), system downtime at facility level is common due to unreliable power and connectivity, and data quality checks are inconsistently applied.

Network and Infrastructure Management

Most county governments maintain a mix of owned and leased infrastructure — fibre or wireless links between county headquarters and sub-county offices, a local area network at the headquarters, and increasingly cloud-hosted applications accessed via the internet. In practice, the county ICT officer manages this with limited staff, often a team of two to five people. Network monitoring tools are rare; most faults are discovered reactively when a system goes down. Firewall rules are rarely reviewed. Remote access for staff — accelerated by the COVID-19 era — was often set up without formal policy and remains unaudited.

1. User Provisioning and Access Control

New staff receive system access via an informal verbal request or email to the ICT helpdesk. There is rarely a formal access request form, approval workflow, or segregation between the person requesting access and the person granting it. Leavers’ accounts are frequently not disabled promptly. An auditor should trace a sample of current active accounts against the HR database to identify orphaned and excessive-privilege accounts.

2. Data Backup and Disaster Recovery

Backup configurations, where they exist, typically involve nightly backups to an external drive or a NAS device kept in the server room. Off-site backup is the exception rather than the rule. Disaster recovery plans are often undocumented or have never been tested. An auditor should request the most recent backup restoration test record — in most county engagements, none will exist.

3. Cybersecurity Incident Management

There is typically no formal incident response plan. When a malware infection, ransomware attack, or data breach occurs (and they do, with increasing frequency across East African public sector entities), the county ICT officer responds ad hoc — calling the system vendor, attempting to restore files, and informally notifying the County Executive Committee member responsible for ICT. Reportable incidents rarely flow upward through formal governance channels.

4. Change Management

System changes — including patches, configuration updates, and application upgrades — are applied by the ICT team without a formal change advisory process. For IFMIS, National Treasury controls limit some changes centrally, but the locally managed county systems have no such guardrails. Production changes are made directly, without test environment validation, creating significant risks of system instability and of manipulation that leaves no change record to detect it against.

IT Risk Profile: The Core Exposures

Mapping IT risks in county governments requires an auditor to think across financial integrity, service continuity, data quality, and regulatory compliance dimensions simultaneously. The risks below represent the consistently highest-priority exposures identified across East African public sector IT audit engagements.

Fraud via System Access Abuse

Shared user credentials, lack of role-based access controls, and absent audit trails in county financial systems create significant exposure to fraudulent transactions. The Ethics and Anti-Corruption Commission (EACC) and the Directorate of Criminal Investigations (DCI) have investigated and brought to prosecution multiple county officials for system-enabled fraud across Kenya’s devolved counties.

Ghost Workers and Payroll Manipulation

Weak controls over IPPD input rights and absent three-way matching between payroll, HR records, and physical headcounts create exposure to ghost employees — a persistent public sector audit finding across Kenya, Uganda, and Tanzania.

Data Loss and Unavailability

Inadequate backup regimes, absence of off-site replication, and untested disaster recovery plans mean that a single hardware failure or ransomware attack can destroy months of county operational data — including health records, land registrations, and revenue transactions.

Cybersecurity Threats

County governments are increasingly targeted by ransomware, phishing, and business email compromise attacks. Across East Africa, the Africa Cybersecurity Report 2023 noted a sharp rise in attacks on government entities, with public sector bodies often the least prepared to respond.

Uncontrolled Procurement Leakage

ICT procurement is a known vector for irregularity in county governments — overpriced equipment, fictitious deliveries, and vendor-related conflicts of interest are consistent audit findings. Weak asset management means losses are often not detected until the next audit cycle.

Health Data Integrity

Inaccurate or incomplete health data in DHIS2 and KHIS distorts resource allocation, undermines disease surveillance, and creates accountability gaps in county health spending — with downstream consequences for population health outcomes and donor reporting.

IT Controls: What Should Be in Place

The IT control framework for a county government engagement should be structured across preventive, detective, and corrective categories, mapped to each key process. Below are the priority controls an IT auditor should evaluate and that county ICT leadership should be implementing.

Access and Identity Controls

Role-Based Access Control (RBAC)

Each system user should have access rights tied to their job function only. IFMIS access profiles should be reviewed quarterly and updated immediately on role change or exit. No shared credentials.

Privileged Access Management

Administrator-level accounts should be inventoried, individually assigned, and subject to enhanced authentication. Privileged sessions should be logged and periodically reviewed by an independent party.

User Access Reviews

Quarterly reconciliation of active system accounts against the HR leavers list. Automated account disablement triggers upon termination. Access provisioning forms signed by line manager and ICT head.
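The reconciliation this control calls for (and the account-versus-HR trace described under user provisioning above) can be scripted over an account export and an HR extract. The block below is an added example, not part of the original article or of any county system; the account fields, role names and every record are constructed for illustration, and the 90-day dormancy threshold is an assumed value. It lists the exceptions an auditor would carry into the working papers: shared logins, accounts unknown to HR, leavers still enabled (with the days elapsed since exit), privileged accounts, and dormant accounts.

```python
"""Quarterly user access review: reconcile enabled system accounts against the HR
register. Added example; the account export and HR register below are constructed
sample data, and the field names (staff_no, status, exit_date) are hypothetical."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Account:
    username: str
    staff_no: Optional[str]      # None marks a generic/shared login with no owner
    enabled: bool
    roles: frozenset
    last_logon: Optional[date]   # None if the account has never logged on


@dataclass(frozen=True)
class HrRecord:
    staff_no: str
    name: str
    status: str                  # "active" or "exited"
    exit_date: Optional[date]


# Roles treated as privileged for this review (hypothetical role names).
PRIVILEGED_ROLES = frozenset({"sysadmin", "ifmis_admin", "db_admin"})
DORMANT_DAYS = 90                # assumed threshold for an unused account


def review_access(accounts, hr_records, as_of):
    """Return the exceptions an auditor would list from an access review."""
    hr = {r.staff_no: r for r in hr_records}
    findings = {
        "shared": [],            # enabled logins with no identifiable owner
        "orphaned": [],          # enabled logins whose staff number is unknown to HR
        "leavers_active": [],    # (username, days since the HR exit date)
        "privileged": [],        # enabled logins holding an admin role
        "dormant": [],           # enabled logins unused for more than DORMANT_DAYS
    }
    for acct in accounts:
        if not acct.enabled:
            continue             # disabled accounts are out of scope for this review
        if acct.staff_no is None:
            findings["shared"].append(acct.username)
        elif acct.staff_no not in hr:
            findings["orphaned"].append(acct.username)
        elif hr[acct.staff_no].status == "exited":
            days_since_exit = (as_of - hr[acct.staff_no].exit_date).days
            findings["leavers_active"].append((acct.username, days_since_exit))
        if acct.roles & PRIVILEGED_ROLES:
            findings["privileged"].append(acct.username)
        if acct.last_logon is None or (as_of - acct.last_logon).days > DORMANT_DAYS:
            findings["dormant"].append(acct.username)
    return findings


# Constructed sample: a revenue-system account export and the matching HR extract.
SAMPLE_ACCOUNTS = [
    Account("jmwangi", "C001", True, frozenset({"revenue_clerk"}), date(2025, 3, 20)),
    Account("aotieno", "C002", True, frozenset({"hr_officer", "ifmis_admin"}), date(2025, 3, 28)),
    Account("pkamau", "C003", True, frozenset({"revenue_clerk"}), date(2024, 11, 2)),
    Account("revenue_desk1", None, True, frozenset({"revenue_clerk"}), date(2025, 3, 29)),
    Account("contractor7", "X999", True, frozenset({"sysadmin"}), None),
    Account("mwanjiru", "C004", False, frozenset({"finance_officer"}), date(2024, 6, 1)),
]
SAMPLE_HR = [
    HrRecord("C001", "J. Mwangi", "active", None),
    HrRecord("C002", "A. Otieno", "active", None),
    HrRecord("C003", "P. Kamau", "exited", date(2024, 10, 31)),
    HrRecord("C004", "M. Wanjiru", "exited", date(2024, 6, 15)),
]
AS_OF = date(2025, 3, 31)

if __name__ == "__main__":
    for category, items in review_access(SAMPLE_ACCOUNTS, SAMPLE_HR, AS_OF).items():
        print(f"{category:15s} {items}")
```

In the sample, "pkamau" is the finding this control exists to catch: HR recorded the exit five months earlier, the account is still enabled and was used after the exit date. "contractor7" shows why the join must be on a staff identifier rather than a display name: a privileged account with no HR record at all.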

Multi-Factor Authentication

All remote access, administrator accounts, and finance system access should require MFA. Treat this as a minimum standard: ISO/IEC 27001:2022 (Annex A control 8.5, secure authentication) and the Protect function of NIST CSF 2.0 both expect authentication strength to match the risk of the access, and a shared or phished password is the usual entry point for the business email compromise and ransomware attacks described below. Note that the Central Bank of Kenya’s cybersecurity guidelines apply to regulated financial institutions, not to county governments; counties should adopt MFA on the strength of the standards above and their own risk assessment rather than wait for a sector mandate.

Financial System Controls

  • Control 01 — Segregation
    Initiation, Approval, and Posting Separation. No single user should be able to initiate, approve, and post a financial transaction in IFMIS or any county revenue system. This segregation is the foundational control against financial fraud and should be verified through user role matrix review during audit fieldwork.
  • Control 02 — Audit Trails
    Immutable Transaction Logs. All financial system transactions should generate timestamped, user-attributed audit logs that cannot be modified or deleted by operational staff. Auditors should test whether logs are complete, retained for the required period, and reviewed by a responsible officer.
  • Control 03 — Reconciliation
    Daily System-to-Bank Reconciliation. County treasury should perform daily reconciliation between system-generated revenue and expenditure figures and actual bank statements. Reconciling items should be reviewed and signed off by a senior officer within 24 hours.
  • Control 04 — Payroll Validation
    Three-Way Payroll Match. Monthly payroll should be validated against the approved establishment register and HR system before disbursement. Any variance — new names, salary changes, or deletions — should require documented approval from both HR and Finance leadership.

Infrastructure and Cybersecurity Controls

Patch Management

A documented patch management schedule should ensure operating systems and critical applications receive security patches within 30 days of release. Unpatched systems are a primary entry point for ransomware attacks targeting East African public sector entities.

Backup and Recovery Testing

Backups should be tested for restorability at least quarterly. Off-site or cloud backup copies should be maintained. Recovery Time Objectives (RTOs) should be defined and tested annually against documented scenarios.
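A restoration test is only evidence if it leaves a record. The script below is an added example, not county or vendor tooling: it archives a constructed sample data set together with a SHA-256 manifest, restores the archive into a scratch directory, verifies every file against the manifest, measures the restore time against a Recovery Time Objective, and returns the record an auditor would ask to see. The file names and the 60-second RTO are assumed values; the second run deliberately alters one manifest entry to show what a failed test looks like.

```python
"""Scripted backup restoration test that produces an evidence record. Added example;
the data set, file names and RTO below are constructed for illustration."""
import hashlib
import json
import tarfile
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, archive, manifest):
    """Archive src_dir and write a manifest of relative path -> SHA-256."""
    src_dir = Path(src_dir)
    digests = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                digests[rel] = sha256_of(p)
                tar.add(p, arcname=rel)
    Path(manifest).write_text(json.dumps(digests, indent=2))
    return digests


def restore_test(archive, manifest, rto_seconds):
    """Restore into a scratch directory, verify each file, and return the test record."""
    expected = json.loads(Path(manifest).read_text())
    started = time.monotonic()
    missing, mismatched = [], []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # Use the safe extraction filter where the interpreter provides it.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **kwargs)
        for rel, digest in expected.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                missing.append(rel)
            elif sha256_of(restored) != digest:
                mismatched.append(rel)
    elapsed = time.monotonic() - started
    return {
        "tested_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "archive": str(archive),
        "files_expected": len(expected),
        "missing": missing,
        "mismatched": mismatched,
        "restore_seconds": round(elapsed, 3),
        "within_rto": elapsed <= rto_seconds,
        "passed": not missing and not mismatched and elapsed <= rto_seconds,
    }


def run_sample():
    """Constructed demonstration: a clean restore, then a manifest with one altered hash."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "revenue_db"
        (src / "daily").mkdir(parents=True)
        (src / "daily" / "2025-03-31.csv").write_text("receipt,amount\nR1001,1500\n")
        (src / "schema.sql").write_text("CREATE TABLE receipts(id TEXT, amount INT);\n")
        archive = work / "revenue_db.tar.gz"
        manifest = work / "revenue_db.manifest.json"
        make_backup(src, archive, manifest)
        clean = restore_test(archive, manifest, rto_seconds=60)
        digests = json.loads(manifest.read_text())
        digests["schema.sql"] = "0" * 64        # simulate a backup that no longer matches
        manifest.write_text(json.dumps(digests))
        tampered = restore_test(archive, manifest, rto_seconds=60)
    return clean, tampered


if __name__ == "__main__":
    for record in run_sample():
        print(json.dumps(record, indent=2))
```

Keep the manifest with the off-site copy, not only beside the archive: a manifest stored on the same NAS as the backup is lost or encrypted together with it, and the test then proves nothing.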

Network Segmentation

Financial systems, health information systems, and general office networks should operate on segmented network zones. This limits lateral movement in the event of a breach and contains the impact of a compromised endpoint.

Incident Response Plan

A documented and tested incident response plan should define roles, escalation paths, containment procedures, and regulatory notification timelines. The Communications Authority of Kenya (CA), through the National KE-CIRT/CC, requires reportable cyber incidents to be notified within 24 hours, and where personal data is involved the Data Protection Act 2019 separately requires the Data Commissioner to be notified within 72 hours of the county becoming aware of the breach.

Regulatory & Framework Mapping

A credible IT audit of a county government must situate its findings within the applicable regulatory and standards landscape. Kenya has a relatively developed legal and policy framework governing public sector ICT, and auditors should map each finding to a specific regulatory or framework obligation. Below is the essential landscape.

Applicable Regulatory & Standards Frameworks — County Government ICT

  • Kenya Constitution 2010 — Devolution principles and public accountability
  • County Governments Act, 2012 — County governance obligations
  • Public Finance Management Act (PFMA), 2012 — Financial system and reporting controls
  • Public Procurement & Asset Disposal Act, 2015 — ICT procurement governance
  • Data Protection Act, 2019 — Personal data processing obligations
  • Computer Misuse and Cybercrimes Act, 2018 — Cyber incident obligations
  • Kenya National ICT Policy, 2019 — Public sector ICT governance principles
  • ISACA COBIT 2019 — IT governance and management framework
  • ISO/IEC 27001:2022 — Information security management baseline
  • NIST Cybersecurity Framework 2.0 — Risk-based cybersecurity governance
  • Communications Authority of Kenya — Cyber incident reporting requirements
  • National Treasury IFMIS Circulars — Financial system access and controls

The Data Protection Act 2019 — A Rising Priority

County governments process substantial volumes of personal data — patient health records, property ownership records, business registration data, and employee information. The Data Protection Act 2019 (DPA) requires all data controllers and processors to implement appropriate technical and organisational measures to protect personal data. For IT auditors, this translates into specific testable controls: data classification registers, data protection impact assessments (DPIAs) for new systems, data sharing agreements with third parties, and breach notification procedures. The Office of the Data Protection Commissioner (ODPC) has signalled increasing enforcement activity, and county governments are not exempt.

COBIT 2019 as the Primary Governance Framework

COBIT 2019 remains the most practically applicable governance framework for structuring a county government IT audit. Its governance objectives — covering strategy alignment, risk management, resource management, performance measurement, and stakeholder value delivery — map cleanly onto the audit objectives applicable to county ICT operations. Sentinel Assurance Partners recommends structuring county IT audit programmes around COBIT 2019 management objectives, supplemented by ISO 27001 controls for cybersecurity-specific domains and NIST CSF for risk assessment methodology.

Questions an IT Audit Committee or County Assembly Should Be Asking

  1. Does the county have a current, board-approved ICT strategy aligned to its service delivery mandate?
  2. When did the county last conduct an independent IT audit, and what were the key findings and their remediation status?
  3. Can the county demonstrate that IFMIS and IPPD access rights are reviewed at least quarterly and reconciled against the HR establishment?
  4. Has the county tested its disaster recovery plan in the last 12 months? What is the documented Recovery Time Objective for critical systems?
  5. Has the county registered as a data controller under the Data Protection Act 2019, and does it have a Data Protection Officer?
  6. What is the county’s cybersecurity incident history in the last two years, and how were incidents escalated and reported?

Emerging Themes Across East and Wider Africa

The county government ICT audit challenge is not unique to Kenya. Across East Africa and the wider continent, devolved and local government structures face structurally similar ICT governance deficits, amplified by rapid digital transformation, rising cyber threats, and increasing regulatory expectations.

Digital Revenue Systems — Opportunity and Risk

Across Africa, counties and municipalities are deploying digital revenue collection platforms to reduce cash handling and leakage. Rwanda’s Irembo e-government portal, Ghana’s GhanaPost GPS digital addressing system (an enabler for property-based billing rather than a revenue platform in itself), and Kenya’s county e-payment portals all point in the same direction. But each new digital system introduces new access control, integration, and fraud risks that IT auditors must be equipped to assess.

Ransomware Targeting Public Sector Entities

East African public sector organisations are increasingly targeted by ransomware groups, attracted by weak defences and the critical nature of government services. The 2023 ransomware attack on a Kenyan government agency demonstrated the systemic exposure. County governments, with limited ICT staff and no dedicated security operations capability, are particularly vulnerable. IT auditors should include a ransomware readiness assessment as a standard component of county ICT audit engagements.

Cloud Migration Without Governance

Many county governments are migrating workloads to cloud platforms — often driven by vendor sales rather than strategic planning. This creates shadow IT risks, data residency questions under the Data Protection Act, and access control complexities that county ICT teams are not always equipped to manage. Cloud governance is rapidly becoming a core IT audit domain for East African public sector engagements.

Third-Party and Vendor Risk

County ICT operations rely heavily on third-party vendors — system integrators, managed service providers, telecoms providers, and cloud vendors. Across the continent, third-party risk management in public sector entities is essentially absent. Vendors with privileged access to county systems are rarely subjected to security assessments, and contractual obligations around data protection and security are frequently absent or unenforced.

The Audit Imperative for County ICT

Kenya’s devolved governments represent one of the most consequential — and most under-audited — ICT environments in East Africa. The stakes are high: county systems process revenue that funds health facilities, schools, and roads; they hold personal data on millions of citizens; and they are increasingly targeted by sophisticated threat actors. The gap between the ICT governance obligation and the operational reality is, in most counties, significant.

IT auditors approaching county government engagements must combine technical rigour with an understanding of the devolved governance context, the applicable Kenyan legal framework, and the real-world operational constraints that shape how ICT actually functions in these institutions. The frameworks exist — COBIT 2019, ISO 27001, the NIST CSF, and Kenya’s own statutory obligations. The audit challenge is to apply them with intelligence, contextual judgment, and a clear eye on what matters most for accountability and service delivery.

Sentinel Assurance Partners works with county governments, county assemblies, national oversight bodies, and development partners across East Africa to build ICT audit programmes that deliver real accountability insight — not just compliance checkboxes.