It originally seemed more believable that manual processes outside the Epicor system used by the Government of Malawi were what enabled the massive corruption. The original Storify took that view, but the latest information suggests that transactions could be deleted and that the deletions were not captured by any audit trail. Both are very poor practices: a financial system should not allow posted entries to be deleted at all, and whatever it does allow should be logged somewhere the user cannot alter.
An audit report covering a six-month period was completed by Baker Tilly for UK DFID. The report (link below) made the following claim: "the deletion of any accounting entries and any subsequent payment of government funds is not a fault within IFMIS. It stems, instead from weak application of the controls by the individual users and by staff circumventing the controls designed to ensure that the system works effectively e.g. sharing user IDs."
Weak application of controls and shared user IDs can happen with any system. However, the "deletion of any accounting entries" should be outside the capabilities of any commercially produced accounting software: posted entries are normally immutable and can only be corrected by posting a reversing entry, so that both the original and its reversal remain visible in the ledger.
Baker Tilly points out: "transactions were also deleted from the EPICOR system by users with access to the databases in which the transactions are stored. Users had system administrator access to the databases as well as to the entire EPICOR system which allowed them to process any transaction. Access to the databases should be restricted to database administrators only." This is an odd assessment. Application users should have no path to the database at all; direct access belongs to database administrators only, and even their changes should be traceable. The data model itself should trap manipulation that bypasses the application through database integrity controls: constraints and triggers that refuse deletion of posted entries and write every permitted deletion to an append-only audit table fire regardless of which client issued the statement. Because a database administrator can disable such controls, the audit records should also be copied to a system the DBAs do not control.
2. IFMIS is more than payments
The press may have misunderstood the role of the financial management system used by the Government of Malawi. IFMIS software covers a much broader footprint than payments. It appears that the following modules were implemented:
· General Ledger
· Accounts Payable
· Accounts Receivable
· Cash Management
· Commitments Planning and Control
· Electronic Funds Transfer
· Inventory Control
The IFMIS software used by the Government of Malawi is from a commercial vendor and was implemented by a systems integration firm. It replaced the previous IFMIS software.
3. Was the system hacked?
This article from the Economist suggests that the system was hacked into and that budget allocations for line items were exhausted and redirected elsewhere. It is unclear how segregation of duties was configured, or whether the insiders involved held systems administration rights that let them bypass those controls.
Baker Tilly was not able to penetrate the system from outside, which points to "internal" hacking rather than an external intrusion. Baker Tilly found that "a user’s access profile should be set up without segregation of duty conflicts. Segregation of duties is a key control process with the objective of preventing fraud and errors."
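The following is an added example, not code from the page, from Epicor or from the Baker Tilly report, showing how a reviewer would check access profiles for segregation-of-duties conflicts of the kind the audit refers to. It maps roles to the transaction functions they grant, lists the pairs one person must never hold together, and treats raw database access as conflicting with every transaction-processing function, since that combination is what let users process a transaction and then erase it. The role names, functions, conflict list and user assignments are constructed for illustration and are not the Malawi IFMIS configuration.

```python
"""Added example (not from the Baker Tilly report, the page or Epicor):
checking user access profiles for segregation-of-duties conflicts. Roles,
functions, the conflict list and the user assignments are constructed for
illustration, not taken from the Malawi IFMIS configuration."""
from itertools import combinations

# What each role lets a user do. Role and function names are assumptions.
ROLE_FUNCTIONS = {
    "ap_clerk":      {"create_vendor", "enter_invoice"},
    "ap_supervisor": {"approve_payment"},
    "treasury":      {"release_eft"},
    "sysadmin":      {"manage_users"},
    "db_admin":      {"direct_db_write"},
}

# Pairs one person must never hold together: each lets the holder both commit
# and conceal, or self-approve, a fraudulent payment.
CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"approve_payment", "release_eft"}),
    frozenset({"manage_users", "approve_payment"}),
}

# Raw database access conflicts with every transaction-processing function,
# because the holder can process a transaction and then erase its record.
TRANSACTIONAL = {"create_vendor", "enter_invoice", "approve_payment", "release_eft"}


def effective_functions(roles):
    """Union of the functions granted by a user's roles."""
    funcs = set()
    for role in roles:
        funcs |= ROLE_FUNCTIONS[role]
    return funcs


def sod_conflicts(roles):
    """Conflicting function pairs a single user holds, as sorted tuples."""
    funcs = effective_functions(roles)
    found = []
    for a, b in combinations(sorted(funcs), 2):
        pair = frozenset({a, b})
        if pair in CONFLICTS or ("direct_db_write" in pair and pair & TRANSACTIONAL):
            found.append((a, b))
    return found


def review_profiles(users):
    """Map each user with at least one conflict to that user's conflicts."""
    report = {}
    for user, roles in users.items():
        conflicts = sod_conflicts(roles)
        if conflicts:
            report[user] = conflicts
    return report


# Constructed user profiles, not real accounts.
USERS = {
    "alice": ["ap_clerk"],
    "bob": ["ap_supervisor"],
    "carol": ["ap_clerk", "ap_supervisor"],          # enters and approves
    "dave": ["treasury", "db_admin"],                # releases funds and can edit tables
    "shared01": ["ap_clerk", "ap_supervisor", "treasury", "sysadmin"],
}

if __name__ == "__main__":
    for user, conflicts in review_profiles(USERS).items():
        print(user, conflicts)
```

The check assumes one user ID belongs to one person, which is exactly what shared IDs break: a clean access matrix says nothing if two people log in as the same clerk, so an access-profile review has to be paired with evidence, such as concurrent sessions for one ID from different workstations, that IDs are not being shared.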