Donor trust is currency. Lose it, and the organisation bleeds quietly, long before the scandal reaches the papers. What happened was not dramatic. No midnight raids, no handcuffs. Just a routine donor review in Kampala that asked for transaction support behind a “capacity-building” line item. The documents arrived late. The numbers reconciled; barely. The underlying evidence did not. Mobile money confirmations without counterpart invoices. Shared email accounts approving payments. A finance officer who “kept passwords to help the team.” By the time lawyers were called, the house was not in order. Management was on alert; transactions were not balancing.
This is how NGO fraud usually begins in Uganda. Not with villains, but with convenience. I have investigated NGOs long enough to tell you this. Donors do not lose trust because money disappears; they lose trust because leaders cannot explain, provide evidence, or control how money moves. Fraud is a governance failure first. Theft is the last chapter. People steal because they know they will not be caught, and if caught, will not be prosecuted, and if prosecuted, the punishment will be lighter than the benefits. If you defraud, say Ugx 100m, the punishment is worth say Ugx 20m, and the net benefit of the fraud is Ugx. 80m! That is a huge ROI. That is what I mean by governance failure – where fraud pays more than integrity.
Let’s be precise. The legal frame you are operating in is not vague. The Penal Code Act criminalises false accounting and theft. The Anti-Money Laundering Act imposes duties on suspicious transaction monitoring. The NGO Act places fiduciary responsibility squarely on directors and senior management. When donor funds are involved, contractual obligations tighten the noose. Breach is not academic; it is actionable. Once a red flag is raised, preservation of evidence becomes a legal duty, not an IT chore. This is where many NGOs step on the rake.
Evidence is perishable. Emails auto-delete. WhatsApp chats vanish with phone upgrades. Cloud logs roll over. The moment suspicion arises, litigation readiness matters. In the language of digital forensics, made practical by forensic experts like yours truly, you must preserve, collect, and review defensibly. Delay is spoliation. Spoliation turns a manageable investigation into an adverse inference. Courts do not reward organisations that meant well.
Here is the reality of how the money moved in the cases I see most. A program manager fronts field expenses in cash because the area is remote. Reimbursements follow on mobile money, approved by a supervisor who shares an inbox with finance. Receipts are photographed, not originals. The vendor is a cousin’s trading name. Splits keep transactions under approval thresholds. Month-end journals “true up” variances. The audit trail looks tidy. The substance is rotten.
Technology did not cause this. Weak design did. Winning NGOs design controls around behaviour, not policy binders. Start with segregation that survives staff shortages. No single person should initiate, approve, and reconcile ever. Where teams are lean, use system controls, not trust. Maker-checker enforced by software. Time-stamped approvals tied to individual credentials. Two-factor authentication for finance platforms. Read-only donor dashboards. These are not luxuries, but they are hygiene.
Data analytics is not a buzzword here; it is a flashlight. Simple tests catch most schemes: round-amount analysis, weekend and after-hours payments, duplicate vendors with shared phone numbers, split transactions just below limits, reimbursements without GPS-consistent field reports. These are not PhD tools; they are a discipline. They are simple tests that an experienced eye focuses on.
Culture matters, but not in the way posters suggest. Staff copy what leaders tolerate. If executives override controls to move faster, you have trained the organisation to cheat politely. Tone at the top is not a speech. It is whether exceptions are documented, reviewed, and rare.
When suspicion surfaces, the sequence matters. Freeze changes, preserve data, appoint independent counsel, define scope, and interview quietly. Do not broadcast, threaten, or promise outcomes. Keep a clean chain of custody. Remember: once you investigate, you own the findings. If you bury them, they will resurface, usually in a donor report written by someone else.
A metaphor I use with boards is the water meter. You do not wait for drought to check consumption. You watch flow daily. Spikes tell stories. Silence tells lies. Donor funds are no different. Visibility beats virtue.
Boards should ask only three questions, repeatedly. Where does the money enter? Who touches it, and when? How do we know: today, not at year-end, that controls worked? If management cannot answer without adjectives, you have a problem.
The hardest truth for NGOs is that intent does not mitigate risk. Impact does not excuse weak controls. Courts and donors care about evidence. The ball is in your court to design systems that make wrongdoing hard, detection fast, and explanations boring.
Trust is currency. Spend it on controls. Earn it with proof.
Copyright Institute of Forensics & ICT Security, 2026. All rights reserved.
