MyDigital ID is meant to be the government's "trusted login" for the digital world, a way for people to prove who they are online for public services and (eventually) private-sector transactions too. So when the Auditor-General's Report 1/2026 points out unapproved spending and weak controls during its early implementation, it is not just a finance story. It is also a confidence story.

Quick refresher: What MyDigital ID is and who runs it

The project is positioned as a national digital self-identification and authentication platform. MIMOS Berhad was appointed as the implementing agency, with oversight linked to the Home Ministry and the National Registration Department, and the project received development allocations reported at RM80 million.

The headline finding: RM28.13 million spent without approval

According to the Auditor-General's findings, MIMOS spent RM28.13 million without approval from the designated committee(s) during the early phase of implementation. The report frames this as a weakness in expenditure management and internal controls.

What makes the number more concerning is the "how" behind it: the spending spanned multiple sub-scopes, including items that exceeded approved allocations or had no allocation at all, plus cases where spending proceeded despite insufficient or absent disbursement for certain sub-scopes.

Where the spending went: sub-scopes, overshoots, and funding gaps

The audit describes the RM28.13 million as being spread across 11 project sub-scopes, with issues like:

The bigger takeaway here is not just "a project overspent." It is that approvals and cost structure were not being followed consistently, which is exactly what internal controls are supposed to prevent.

Another major issue: development funds used for operating expenses

The report also flags that MIMOS used development allocations to cover operating expenses, including items such as emoluments and resource-related costs. The Auditor-General notes this goes against 12th Malaysia Plan guidelines, which generally restrict development allocations from being used for operating-type spending.

Why does this matter? Because once a project starts blurring the line between "building the system" and "running the organisation," it becomes harder to track true delivery costs, compare value-for-money, and enforce accountability.

Governance problems: meetings happened, but oversight did not land

A particularly uncomfortable part of the audit is the governance angle. The report indicates the governance structure did not function as intended, with monitoring meetings not being supported by formal presentations on expenditure approvals or implementation status. In plain terms, oversight existed on paper, but the process did not appear to produce the kind of visibility that prevents problems early.

For a national digital identity initiative, governance is not "nice to have." It is the backbone that protects trust, because identity systems affect security, privacy, and adoption.

Procurement and assets: buying security equipment that went unused

The audit also highlights procurement weaknesses, including purchases (such as security cages and door access systems) made without the required Value Assessment Lab approval, and the report says the equipment remained unused, raising concerns about wastage and asset control.

This point matters because digital ID programmes usually come with heavy security expectations. If security-related procurement is not tightly governed, it creates the wrong kind of headline for a system that depends on public trust.

What the Auditor-General wants next

Overall, the Auditor-General concludes that the project showed weaknesses in expenditure management and internal controls during its early phase, and recommends stronger oversight so that:

Final thoughts 

MyDigital ID is the sort of project that needs two things at the same time: solid technology and solid governance. Even if the platform itself can be built well, weak approvals, blurred use of development funds, and sloppy asset controls can erode trust quickly. The Auditor-General's report is basically a warning sign: fix the control framework early, or the rollout will keep paying a "trust tax" later, no matter how good the tech is.