Saccos regulator censured for weak IT controls
The Auditor General’s report on the regulator’s financial statements in the year through to June 2020 reveals that the management of SASRA has not put in place Information Technology governance controls including the creation of the Strategic IT Committee and the IT Steering Committee.
At the same time, the audit has pointed to weak IT continuity: backups are not stored in a secure offsite storage facility, as was also the case with copies of the IT Continuity Plan and the Disaster Recovery Plan.
The lack of adequate IT controls is against Public Finance Management (PFM) regulations which require the accounting officer of a national government entity to institute appropriate access controls needed to minimize breaches of information confidentiality, data integrity and loss of business continuity.
“The non-establishment of an IT Strategic Committee at the board level could result in gaps regarding IT governance, as part of enterprise governance, not being adequate,” stated the audit report.
Incidentally, Saccos have themselves been indicted by cybersecurity experts for IT controls which have allowed the financial units to become the new hotspot for cyber criminals as banks tighten up on their cyber/IT controls.
The regulatory slip by SASRA may weaken its own oversight role in ensuring Saccos have adequate IT controls, putting at risk assets held by the entities, which include customer deposits.
According to data from SASRA’s annual report, Saccos held deposits of Ksh.380.4 billion as of the end of 2019.
The deposit-taking segment of the Sacco subsector is represented by 173 entities that were licensed as at December 2019.