SASRA has entered its most demanding regulatory cycle to date. With tightened audit standards, mandatory audited financial statement deadlines, auditor quality controls, and licence revocations for non-compliance, Kenya’s 176 deposit-taking SACCOs face a technology governance environment that demands professional, risk-based IT audit coverage — not just to satisfy the regulator, but to protect the deposits and trust of millions of members.

The SACCO Regulatory Landscape: SASRA’s 2026 Enforcement Posture

Kenya’s Savings and Credit Cooperative Organisation (SACCO) sector represents one of the most consequential financial ecosystems in East Africa. With 176 SASRA-regulated deposit-taking SACCOs managing billions of shillings in member deposits, the sector’s technology governance directly affects the financial wellbeing of millions of Kenyans. The Sacco Societies Regulatory Authority (SASRA) has responded to growing technology risk with significantly tightened audit requirements for the 2026 regulatory cycle.

The 2025–2026 regulatory cycle has been marked by strict enforcement: SASRA revoked licences from non-compliant SACCOs, imposed a mandatory 15 March 2026 deadline for audited financial statements, tightened external auditor quality controls, and published a detailed 10-point licensing renewal checklist. For IT auditors and risk professionals, this represents both a significant compliance obligation and a substantial market opportunity.

176
SASRA-regulated deposit-taking SACCOs licensed for the 2026 financial year
KES 10M
Minimum core capital requirement for deposit-taking SACCOs
24.3%
Year-on-year growth in sector reserves through September 2025
12.85%
Year-on-year growth in gross loans across the regulated SACCO sector

Core IT Audit Requirements for SACCOs

While SASRA’s primary regulatory focus has historically been on financial prudential ratios, the authority has progressively expanded its expectations around technology governance, information systems controls, and cybersecurity. SACCOs are now expected to demonstrate technology risk management capabilities that approximate, if proportionately, the standards applied to commercial banks.

IT Audit Coverage Areas

1
Core Banking System Controls (ITGC)

IT General Controls over the core banking or SACCO management system represent the foundation of IT audit coverage. This includes access management (user provisioning, de-provisioning, segregation of duties, privileged access controls), change management (system modifications, testing, approval workflows), computer operations (job scheduling, backup and recovery, incident management), and programme development controls.

2
Data Integrity & Financial Reporting Controls

IT audit must assess controls ensuring the accuracy, completeness, and validity of financial data processed through the SACCO’s information systems. This includes interface controls, reconciliation procedures for member transactions, loan processing controls, interest calculation accuracy, and dividend computation integrity.

3
Mobile Banking & Digital Channel Security

SACCOs increasingly offer mobile banking, USSD, and M-Pesa integration services. IT audit must evaluate the security of these digital channels, including authentication mechanisms, transaction authorisation controls, session management, API security, and mobile application vulnerability management.

4
Cybersecurity Controls

SACCOs must implement baseline cybersecurity controls proportionate to their risk profile. IT audit coverage should include network security architecture, endpoint protection, vulnerability management, security monitoring capabilities, and incident response procedures.

5
Business Continuity & Disaster Recovery

SASRA expects SACCOs to maintain tested business continuity plans and disaster recovery capabilities. IT audit must assess backup adequacy, recovery time objectives, offsite storage arrangements, and the results of the most recent DR test.

6
Data Protection & Privacy Compliance

SACCOs processing member personal data must comply with the Kenya Data Protection Act 2019. IT audit should assess ODPC registration status, consent mechanisms, data subject rights procedures, and the adequacy of technical security measures protecting member data.

IT Audit Methodology for SACCOs

Sentinel Assurance Partners recommends a risk-based IT audit methodology for SACCOs that balances comprehensive coverage with the practical constraints of cooperative sector resources. The methodology draws on ISACA IT Audit Standards, COBIT 2019, and NIST CSF, adapted for the Kenyan SACCO operating environment.

  • Phase 01 — Scoping
    Define audit scope and objectivesIdentify the SACCO’s critical information systems, data flows, and technology-dependent business processes. Align audit scope with SASRA requirements and the SACCO’s risk profile.
  • Phase 02 — Risk Assessment
    Identify and prioritise IT risksAssess inherent risks across IT governance, access management, change management, operations, cybersecurity, and data protection. Prioritise audit procedures based on risk significance.
  • Phase 03 — Control Testing
    Evaluate design and operating effectivenessTest IT general controls and application controls through inquiry, observation, inspection, and re-performance. Use CAATs for data analytics testing where volumes justify automated analysis.
  • Phase 04 — Reporting
    Communicate findings and recommendationsIssue a formal IT audit report to the SACCO’s board and management, documenting findings, risk ratings, and actionable remediation recommendations.

Approaches, Tools & Best Practices

COBIT 2019 Framework

COBIT provides a comprehensive IT governance and management framework directly applicable to SACCOs. Its process-level control objectives map cleanly to SASRA’s expectations around IT governance and control assurance.

CAATs: ACL / Python / SQL

Computer-Assisted Audit Techniques enable auditors to analyse complete transaction populations rather than sampling. For SACCOs, CAATs are particularly effective for testing loan interest calculations, membership fee processing, and dividend computations.

ISACA IT Audit Standards

ISACA’s professional standards provide the methodological foundation for IT audit engagements. CISA-certified auditors bring globally recognised expertise and credibility that SASRA increasingly values.

Nessus / OpenVAS

Vulnerability scanning tools that enable SACCOs to assess the security posture of their network infrastructure and web-facing applications at accessible price points.

Persistent Challenges for SACCOs

!
Limited IT Audit Budgets

Many SACCOs allocate minimal resources to IT audit, viewing it as a regulatory cost rather than a governance investment. This results in superficial audits that satisfy form but not substance.

!
Vendor Concentration Risk

The Kenyan SACCO sector relies heavily on a small number of core banking system vendors. When a vendor’s platform has systemic weaknesses, the exposure affects dozens of SACCOs simultaneously.

!
Board Technology Literacy

SACCO boards are typically elected from the membership and may lack technology governance expertise required to oversee IT risk effectively. Board training on technology risk is essential.

!
Dual Regulatory Burden

SACCOs offering payment services face dual regulation from SASRA and CBK, with overlapping IT audit and cybersecurity requirements needing careful compliance mapping.

Conclusion: IT Audit as a Strategic Investment for SACCOs

The message from SASRA’s 2026 enforcement posture is unambiguous: technology governance is no longer optional for deposit-taking SACCOs. Institutions that invest in robust IT audit programmes covering core system controls, cybersecurity, data protection, and business continuity will satisfy regulatory requirements, protect member deposits, and build the operational resilience necessary for sustainable growth.

In an era where SACCOs are processing billions of shillings through increasingly complex digital platforms, the cost of inadequate IT governance is measured not just in regulatory sanctions but in the erosion of member confidence. For Kenya’s cooperative sector, robust IT audit is an investment in institutional integrity.