Briefly

Cabinet Orders Mandatory Migration to Integrated Human Resource and Payroll System Across All MDAs and State Corporations, Backed by Government-Wide Payroll Audit

policyKenya·Briefly Editorial·Briefly Analysis

Abstract

The Cabinet has directed immediate migration of all MDAs and State Corporations to the revamped Integrated Human Resource and Payroll System, escalating from an earlier Public Service Cabinet Secretary directive that had given human resource managers a two-month deadline and threatened salary payment freezes for non-compliant agencies. The directive is accompanied by a government-wide payroll audit, mandatory data cleansing and validation, enhanced cybersecurity requirements, establishment of a disaster recovery site, and integration of the payroll system with other public financial management platforms. The reform follows a payroll audit that identified irregular record alterations and internal control gaps across several State Departments. For public sector HR officers, compliance and internal audit teams, and cybersecurity professionals in government institutions, this directive creates immediate operational obligations. For private sector entities contracting with or supplying services to government payroll systems, including technology vendors and financial institutions processing public sector payroll disbursements, the migration and integration exercise carries secondary operational implications.

Introduction

This directive is not the first move in this sequence. Public Service Cabinet Secretary Geoffrey Ruku had already issued a two-month migration deadline in May 2026, backed by a threat to freeze salary payments to non-compliant agencies, and noted at the time that only a fraction of government agencies had completed onboarding to the HRIS platform. Cabinet's directive on 30 June 2026 is an escalation, converting what was a ministerial instruction into a Cabinet-level mandate and expanding the scope of reform beyond mere system migration to include an audit, data cleanse, cybersecurity upgrade, and integration with the broader public financial management architecture.

The escalation from CS-level directive to Cabinet directive matters legally and practically. A Cabinet directive carries the weight of a collective executive decision rather than a departmental instruction, and non-compliance carries correspondingly higher institutional exposure for the accounting officers responsible for each MDA. The payroll audit component is the element that most directly affects individual agencies, because the audit's findings will identify not just technical gaps but potentially irregular payments, ghost workers, and record alterations that may have financial recovery and disciplinary consequences beyond the system migration itself.

Background

Kenya's public payroll has historically operated through fragmented systems across MDAs, with inconsistent data quality, limited central oversight, and documented vulnerability to irregularities including ghost workers and unauthorised alterations. The Public Finance Management Act, No. 18 of 2012, and the PFM Regulations impose accountability obligations on accounting officers for the accuracy and integrity of payroll expenditure, but enforcement has been constrained by the absence of centralised, real-time payroll visibility. The Integrated Human Resource and Payroll System, developed through the Public Service Commission and the National Treasury, is designed to address that fragmentation by centralising payroll processing, linking HR records to payment authorisation, and enabling real-time audit trails.

The Data Protection Act, 2019, applies to the processing of employee personal data within the new HMIS. A migration of this scale, involving the transfer and consolidation of payroll and HR records for the entire public service, requires compliance with data minimisation, accuracy, and security obligations under the Act. The integration of the payroll system with other public financial management platforms, including the Treasury Single Account system that all MDAs were simultaneously directed to adopt under the World Bank DPO conditions approved the same week, creates a consolidated public finance data architecture that carries both governance benefits and heightened data security obligations. The National Cybersecurity Authority, operating under the Computer Misuse and Cybercrimes Act, No. 5 of 2019, provides the regulatory framework within which the enhanced cybersecurity requirements ordered by Cabinet must be implemented.

Analysis

The sequencing of this directive alongside the World Bank DPO-linked Treasury Single Account requirement and the SHA HMIS directive, all issued within the same 48-hour window, reflects a deliberate government strategy to converge multiple digital infrastructure reforms simultaneously rather than sequentially. For compliance teams across the public sector, this convergence creates a real operational challenge: three separate mandatory system migrations and integrations, each with its own timeline and technical specification, running in parallel, without clear guidance on how they interact at the data exchange level. Accounting officers and HR managers who are already behind on the earlier CS-level HRIS deadline now face a Cabinet-escalated mandate with no grace period specified, a simultaneous payroll audit that may expose the very gaps their non-compliance has allowed to persist, and a data cleansing requirement that presupposes the existence of accurate baseline data that many agencies may not have.

The payroll audit component deserves specific attention from internal audit teams and legal counsel advising public institutions. The Cabinet dispatch references findings of "irregular record alterations and gaps in internal controls" across several State Departments. An audit of this nature, conducted government-wide rather than targeted at known problem agencies, is designed to surface similar irregularities elsewhere. Where the audit finds ghost workers, unauthorised payment alterations, or systematic control failures, the consequences extend beyond the HRIS migration itself into disciplinary action, financial recovery proceedings under the PFM Act, and potential criminal referrals under the Public Officer Ethics Act or the Anti-Corruption and Economic Crimes Act. Accounting officers and HR managers at agencies that have not yet completed payroll data cleansing should treat the audit as an imminent and real risk, not a background process.

The cybersecurity and disaster recovery components are the elements most likely to be deprioritised in the rush to meet migration timelines, and they are the most consequential to get right. Centralising the entire public service payroll into a single integrated system creates a high-value target. A successful cyberattack or system failure affecting the IHPS would disrupt salary payments across the entire public service simultaneously, which is an operational and political risk the Cabinet has explicitly acknowledged by ordering disaster recovery site establishment. For the National Cybersecurity Authority and the technology vendors operating or supporting the system, this directive creates a clear mandate for enhanced security architecture, but the three-month window within which SHA-linked health systems are simultaneously being integrated suggests a compressed timeframe across multiple high-stakes government digital platforms that would test any technology programme management function.

Conclusion

This directive moves public sector payroll reform from ministerial preference to Cabinet mandate, with an audit that will surface the irregularities that non-compliance has allowed to persist. Accounting officers and HR managers at institutions that have not completed the earlier migration directive are now carrying compound exposure: an escalated mandate, an imminent audit, and a data cleansing requirement that assumes accurate baseline records many agencies cannot currently provide. The window to self-correct before audit findings make the problem public is narrowing.

Citations

  1. 1.Public Finance Management Act, No. 18 of 2012
  2. 2.Public Finance Management (National Government) Regulations, 2015
  3. 3.Data Protection Act, No. 24 of 2019
  4. 4.Computer Misuse and Cybercrimes Act, No. 5 of 2019
  5. 5.Public Officer Ethics Act, Cap 183, Laws of Kenya
  6. 6.Anti-Corruption and Economic Crimes Act, No. 3 of 2003
  7. 7.Cabinet directive on IHPS migration, issued 30 June 2026
  8. 8.Public Service Cabinet Secretary Geoffrey Ruku, HRIS migration directive, May 2026