Skip to main content
Guides

M-Pesa, KRA and Compliance: A Finance Team Primer

The Kenyan finance stack — M-Pesa for payments, KRA for tax compliance, eTIMS for invoicing. How they intersect with document management.

Papyrus Team 4 min read Updated April 18, 2026

M-Pesa, KRA and Compliance: A Finance Team Primer

If you're a finance leader in a Kenyan organisation, three external systems will shape your daily work: M-Pesa for retail and corporate payments, KRA for tax compliance, and eTIMS for the electronic tax invoice mandate. This guide is how they intersect with your document management practice.

M-Pesa: the documentation side

Most finance teams treat M-Pesa as a payment channel. It's also a documentary one.

Receipt of M-Pesa payments

Every M-Pesa transaction generates a confirmation SMS/notification with a transaction reference. From an audit perspective, you need to:

  • Capture the confirmation (typically via the M-Pesa API webhook, less reliably via screenshots)
  • Link it to the underlying invoice or sale record
  • Generate an eTIMS-compliant receipt to the customer

Papyrus's Daraja integration handles the receipt-side automatically: customer pays via STK Push, the callback creates a Payment record linked to the invoice, eTIMS receipt is generated and emailed.

Outbound payments via M-Pesa

Outbound (Business-to-Customer or Business-to-Business) M-Pesa payments need:

  • A payment authorisation document (typically a workflow-approved memo)
  • The Daraja transaction reference returned by the API
  • Reconciliation to the supplier ledger

Treat each outbound payment as a finance workflow with the supporting documents linked.

M-Pesa reconciliation

The reconciliation pain in many Kenyan finance teams is matching:

  • M-Pesa statement entries
  • Sales ledger entries
  • eTIMS submissions
  • Bank statement (when M-Pesa settles to your bank)

Papyrus links all four through the Payment record. Reconciliation becomes a query, not a manual exercise.

KRA: the documentary footprint

KRA's documentary requirements form the spine of your retention schedule:

  • Tax invoices issued: 5 years
  • Tax invoices received: 5 years
  • VAT returns: 5 years
  • Tax decisions and objections: 5 years
  • Audit trail (KRA visits, queries, responses): 5 years
  • Books of account: 7 years (Companies Act)

Set these as Retention Policies. Don't dispose early; the KRA can re-open historical periods.

eTIMS: the new normal

eTIMS (electronic Tax Invoice Management System) mandates that every tax invoice be transmitted to KRA at issuance, with a CU (Control Unit) number and QR code embedded. From 2024:

  • All VAT-registered persons must issue eTIMS invoices
  • Non-compliant invoices may not be claimed as input VAT by the recipient
  • Receipts above KES 5,000 require eTIMS even for non-VAT-registered persons in many cases

What this means for Papyrus tenants

When you issue an invoice in Papyrus:

  1. The invoice template gathers the mandatory fields (your PIN, customer PIN, line items, tax components)
  2. On finalisation, the EtimsService submits to KRA
  3. KRA returns the CU invoice number and QR code
  4. Both are embedded into the PDF
  5. The compliant PDF is emailed to the customer
  6. The eTIMS reference is stored as searchable metadata

For received invoices

Inbound invoices from VAT-registered suppliers should have eTIMS references. Papyrus validates:

  • Vendor PIN is present and well-formed (Kenyan format: A\d{9}[A-Z])
  • eTIMS reference is present (or noted as exempt)
  • CU number cross-references KRA's lookup if you've enabled the validation feature

Invoices failing validation route to a “Compliance Hold” queue, not into the regular AP workflow.

Common compliance pitfalls

Invoicing before activation

VAT-registered? Then every invoice must be eTIMS-submitted, including invoices issued during weekends or system outages. Papyrus queues during outages and submits when KRA's endpoint recovers; manual processes typically forget.

Mixing personal and corporate accounts

Some small businesses still use a personal M-Pesa for corporate payments. KRA's view: if it relates to the business, it's business income, period. Maintain corporate paybill/till exclusively for business.

Forgetting to register for eTIMS in advance

eTIMS registration requires application and approval. Don't wait until your first invoice. Register, test, then go live.

Cash sales below the threshold

Even small cash sales should produce a receipt. The KRA's enforcement on this has tightened; assume eTIMS for everything if you're VAT-registered.

Treating M-Pesa as “off-book” cash

Old habit: cash receipt, no document trail. M-Pesa receipts are more traceable than cash, not less. KRA can request your M-Pesa statements. Account for everything.

What good looks like

After 90 days on a properly-configured Papyrus tenant:

  • Every invoice issued: eTIMS-compliant, in customer's hands within minutes
  • Every supplier invoice received: validated for eTIMS reference; non-compliant ones held for resolution
  • Every M-Pesa payment: linked to the invoice or expense it relates to
  • Every reconciliation: same-day rather than month-end fire drill
  • Every KRA query: answered with documents in 24 hours

This is the table-stakes finance posture for a 2026 Kenyan organisation.

#finance#mpesa#kra#etims#kenya#guides

Rejoining the server...

Rejoin failed... trying again in seconds.

Failed to rejoin.
Please retry or reload the page.

The session has been paused by the server.

Failed to resume the session.
Please retry or reload the page.