A technical and forensic audit conducted by the Auditor-General has revealed that the management of the National Service Authority (NSA) disproportionately relied on Protocol-Based and Manual Override Postings, bypassing automated controls and weakening the integrity of the National Service posting system between 2018 and 2024.

According to the report titled Technical and Forensic Audit of the CSMP and Metric App of the National Service Authority, the manual and protocol override methods, which were intended only for exceptional or exigent circumstances, became the dominant posting mechanism.

Data reviewed by auditors showed that out of 935,375 total postings made within the seven years, 733,139 were executed through protocol or manual override routes, representing an alarming 78% of all postings. Except for 2018 and 2022, five of the seven years recorded an average of 83% of postings without standard verification controls.

The audit found that these override postings bypassed the CSMP’s automated verification workflows, meaning they lacked audit trails, biometric checks, and oversight documentation. This loophole created opportunities for ghost names, collusion, and unauthorised beneficiaries to infiltrate the National Service payroll.

The report warned that the widespread misuse of these methods compromised the transparency and fairness of the posting process and exposed the state to significant financial losses from unearned allowances paid to ineligible or non-existent personnel.

“The overuse of discretionary posting methods compromised the integrity of CSMP controls, leading to insertion of ghost names, circumvention of biometric verification, and concealment of unauthorized beneficiaries,” the report stated.

The Auditor-General recommended that the NSA should limit the use of protocol and manual override postings to truly exceptional cases, and ensure written justifications, prior approvals, and audit trails support such actions.

Additionally, the report called for an immediate review of all 2024 postings made via manual or protocol overrides to identify and remove ghost names, and urged the NSA to configure the CSMP to trigger alerts for excessive or unjustified overrides requiring dual-level authorization.

The audit further emphasised the need to enforce the “Blocked from Re-posting Management” function to prevent disqualified personnel from being re-enrolled through administrative manipulation.