When KRA's audit notice lands in your inbox, most Kenyan SMEs feel a familiar knot in the stomach — not necessarily because anything is wrong, but because they genuinely don't know whether their records can back up what they've filed. After years of records audits across Nairobi's SME sector, we see the same failures again and again. Here is what auditors are really looking for, and how to fix your records before the letter arrives.

What KRA Auditors Actually Look For

KRA audits are not fishing expeditions. Auditors work through a fairly predictable checklist tied directly to what your organisation has declared in its returns. Their job is to verify that every figure in your accounts is backed by a genuine, traceable document. In practice, that means they will ask for:

  • Source documents supporting every declared expense — invoices, receipts, delivery notes, and LPOs, not just the ledger entry that references them
  • Bank statements reconciled against your cashbook for the full audit period, with variances explained
  • Payroll records, including PAYE computations and NSSF/SHA remittance proof for every employee
  • VAT records — output and input VAT schedules that reconcile against your iTax filings
  • Fixed asset registers supporting any capital allowance or depreciation claims
  • Board resolutions or management approvals for major transactions, loans, or asset disposals

If any of these cannot be produced quickly and completely, the audit stops being routine and starts becoming an investigation.

The 5 Most Common Records Failures We See in Kenyan SMEs

Across dozens of records audits, the same weaknesses show up regardless of sector or size. If any of these sound familiar, your organisation is at real risk during a KRA review.

1. No Systematic Filing Structure

Documents exist, but nobody can agree on where they live. Invoices are split between a filing cabinet, an accountant's laptop, and a WhatsApp group. When an auditor asks for a specific transaction, staff spend hours — sometimes days — hunting for one piece of paper.

2. Missing or Incomplete Source Documents

A ledger entry exists, but the invoice behind it does not, or it is illegible after years in a damp store. Without the source document, KRA can disallow the expense entirely, triggering additional tax, penalties, and interest.

3. Inconsistent Retention — Some Years Missing Entirely

Records from two or three years ago survive; records from five years ago were thrown out during an office move, or never kept in the first place. Since KRA can review any year within the statutory window, a single missing year can expose the whole audit.

4. No Digital Backup of Physical Records

A single office fire, flood, or termite infestation can destroy years of financial history overnight, with no way to reconstruct it. We have seen this happen to real Nairobi businesses — and KRA does not treat "the documents were destroyed" as a valid excuse for missing evidence.

5. Institutional Knowledge Lives in One Person's Head

Often, only the finance officer or a long-serving admin assistant actually knows where things are filed and why certain entries were made. When that person is on leave, resigns, or leaves suddenly, the organisation's ability to respond to an audit collapses with them.

What the KRA 5-Year Rule Actually Means in Practice

Under the Tax Procedures Act, taxpayers are required to keep records for a minimum of five years from the end of the reporting period they relate to. In practice, this is a rolling window: at any given point, you should be able to produce complete supporting documentation for the current year plus the five years before it — not just your filed returns, but every invoice, receipt, and reconciliation behind them.

💡 Practical Tip

Do not calculate your five years from when you filed a return — calculate it from the transaction date itself. A December 2020 invoice is only safe to dispose of after December 2025, regardless of when the related return was submitted. When in doubt, keep records a little longer rather than a little less.

How Digital Records Make KRA Audits Faster and Less Stressful

The organisations that sail through KRA audits share one trait: they can produce exactly what is requested, in minutes, without disrupting daily operations. That is what a properly configured digital registry gives you. Every invoice, receipt, and statement is OCR-processed and full-text searchable, so a request for "all fuel expenses in March 2023" becomes a keyword search rather than a physical archaeology project.

Just as importantly, a digital system gives you an audit trail of its own — a record of who uploaded, viewed, or modified a document and when. That transparency works in your favour when auditors are assessing the credibility of your records.

"An audit-ready organisation isn't one with more paperwork — it's one that can produce the right document in under two minutes."

— Digi Records Consulting Ltd

Your KRA Audit-Readiness Checklist

Before the audit letter arrives, make sure you can tick off every item below

Five complete years of source documents, organised by financial year and transaction type
Bank statements reconciled monthly against your cashbook, with variances explained in writing
Payroll files complete with PAYE workings and NSSF/SHA remittance proof for every staff member
VAT schedules that reconcile line-by-line against your iTax filings
A fixed asset register supporting every depreciation and capital allowance claim
All of the above digitised, OCR-searchable, and backed up offsite
More than one staff member who knows how to retrieve any document on request

If you cannot confidently tick every box above, the good news is that fixing it is a defined, bounded project — not an open-ended one. A records audit identifies exactly which years and document types are at risk, and a digitisation and registry setup closes the gap permanently.

DR
Written by the Digi Records Consulting team — records management professionals serving SMEs, NGOs, and government offices across Nairobi, Kenya.