Why most frauds are discovered too late
Most fraud is not hidden behind complex code or secret accounts. It hides in plain sight inside expense claims, stock records, procurement paperwork, and a wink across the finance desk. The problem is not a lack of policies. It’s a lack of enforcement. Fraud is not a crime of intellect. It is a crime of opportunity, fueled by broken systems, blind trust, and boardroom denial.
Welcome to Fraud 360, the complete circle of deceit and detection. In this exposé, I walk you through the anatomy of fraud: how it starts, grows, festers, and finally explodes. Then I show you how to detect and destroy it before it destroys your institution.
This is not theory. It’s a lived experience. It’s the fieldwork of Summit Consulting Ltd and our forensic teams across Uganda and East Africa.
The seed of a fraud opportunity meets rationalization
Fraud does not begin with theft. It begins with entitlement.
It starts when the Procurement Officer sees the CEO’s relative awarded a contract without due process. It festers when the IT officer is told to “just pay the vendor; the boss knows them.” It flourishes when internal auditors raise flags and are ignored or worse, transferred.
In nearly every fraud we’ve investigated:
a) An opportunity existed due to weak internal controls.
b) Rationalization followed: “I’m underpaid,” “Everyone is doing it,” “I’ll pay it back.”
c) Pressure drove the act: loans, side hustles, or family demands.
This is the fraud triangle in motion. But to truly understand fraud, we go beyond triangles, to diamonds and more. We study cycles.
The Circle of Deceit: How Fraud Evolves
Fraud is not a single event. It is a cycle, a self-reinforcing system of cover-ups and complicity. Here is how the full Fraud 360 circle plays out:
a) The setup phase
(i) A staff member notices a loophole: double payment systems, poor segregation of duties, or an outdated approval hierarchy.
(ii) They test the system for small over-invoicing, delayed entries, and ghost workers. No one notices, and they grow bolder.
(iii) They recruit allies, finance staff, suppliers, or internal auditors who are naive, lazy, or compromised.
b) The harvest phase
(i) Funds begin to move, often through mobile money, disguised fuel payments, petty cash, or inflated per diem.
(ii) The scheme becomes organized: suppliers get kickbacks, reconciliations are doctored, and audit trails vanish.
(iii) Cover-ups are done by reversing transactions, misclassifying expenses, or forging documentation.
c) The tipping point
(i) Someone notices. A new auditor. A new boss. Or a whistleblower.
(ii) A supplier complains of non-payment for a job they never did.
(iii) Cashflows don’t add up, yet there’s no visible loss. The fraud has matured.
The Circle of Detection: How Summit Consulting cracks it
Fraud leaves fingerprints. The key is knowing where to look.
At Summit Consulting Ltd, our forensic audits follow a 6-point detection wheel
a) Lifestyle audits
We ask: Does the clerk’s lifestyle match their salary? If someone earning UGX 2 million per month is building a UGX 300 million flat in Buwate, we ask questions.
b) Data analytics
We use Benford’s Law, duplicate testing, and vendor trend analysis to identify suspicious patterns. A vendor winning 80% of contracts? A manager approving their own requisitions? The system tells the truth.
c) Digital forensics
We extract deleted emails, chat logs, and WhatsApp messages. We trace Momo codes, verify IPs, and retrieve audit trails from ERP systems. The digital trail never lies.
d) Control walk-throughs
We re-enact transactions literally. We sit in your office and request a payment, just to see who approves, who checks, and who looks away. Fraud thrives where processes are assumed, not followed.
e) Key informant interviews
We speak to everyone, security guards, tea ladies, and junior staff. Most of the time, they know what’s going on. They just haven’t been asked.
f) Surprise verifications
We visit warehouses, supplier addresses, and even staff residences. You’d be shocked how many companies pay “service providers” operating from a boda stage.
Case in point, the UGX 1.2 billion ghost consultancy scandal
In 2023, an agency in Central Uganda hired Summit Consulting Ltd to investigate “invisible expenses” in its ICT budget. The case was textbook.
A payment of UGX 230 million was made for a “network diagnostic assessment.” There was no report, no TOR, no contract. Just a requisition and approval.
When we traced the account, we found:
(i) The supplier had been incorporated 5 months prior by Suspect 1, a junior IT officer’s cousin.
(ii) The payment was split into 3 chunks to bypass approval thresholds.
(iii) The funds were withdrawn via ATM and mobile money within 48 hours.
(iv) Part of it was used to pay for Suspect 2’s wedding a procurement assistant.
The clincher? The network diagnostics allegedly “performed” had been copied word-for-word from a free online template.
We dug deeper.
Three other such consultancies. Total loss: UGX 1.2 billion. All siphoned through a small circle of insiders, aided by silence from those who knew but chose not to speak.
Red flags missed by the internal auditor
The internal auditor did submit a quarterly report, but it was cosmetic. Why?
a) They were using Excel sheets to reconcile transactions from a complex ERP.
b) They lacked forensic training and didn’t review mobile money logs.
c) Their reports were “reviewed” by the same department heads involved in the fraud.
This is the tragedy of most audits: process-focused, not outcome-driven. They check boxes, not behavior. They verify documents, not facts.
How internal controls were bypassed
The system had policies. But policies are useless if people ignore them.
Here’s how the suspects beat the system:
a) No segregation of duties: The same officer initiated, approved, and verified payments.
b) No due diligence on suppliers: The supplier vetting form was a mere formality. No background check was done.
c) Poor documentation: Invoices were paid without delivery notes, signed contracts, or inspection reports.
d) Mobile money misuse: Over UGX 400 million was paid via mobile money for “emergency logistics” without any justification or audit trail.
The real loss and lessons for leaders
The final tally?
UGX 1,247,612,800.
Wasted. Lost to invisible consultancies, fictitious vendors, and internal collusion.
But the real loss was not just financial. It was reputational. That agency’s development partner froze funding. Staff morale collapsed. Two departments were reshuffled. One suspect fled the country.
You don’t prevent fraud with trust. You prevent it with systems.
My grandfather always told me: trust after controls. If you are a CEO, board chair, or director reading this, know this: your organization is only as strong as your weakest control.
Fraud 360 teaches us that fraud is never accidental. It is orchestrated. Covered. Justified. And eventually exposed.
To stop it:
a) Build systems that detect anomalies before they become scandals.
b) Hire internal auditors who question everything and train them in forensic techniques.
c) Outsource your fraud detection. Bring in neutral eyes. Summit Consulting Ltd does not play politics. We follow facts.
Fraud is not just an event. It is a culture. And like all cultures, it must be designed or it will default to deceit.
