Boardroom blind spots in fraud prevention

It started with a reconciliation difference that was too small to trigger escalation and too persistent to ignore. A financial institution closed its weekly books with a variance of just under UGX 18 million spread across mobile money collections and internal postings. No alarms fired, no system failed. Management signed off, so the board never saw it.

Three weeks later, the cumulative exposure crossed UGX 420 million. By the time the issue reached the audit committee, the question was not what happened; it was why no one saw it coming.

My firm was brought in when the tension had already shifted from operational discomfort to legal exposure. The room was quiet because the facts were beginning to form a pattern that no one had prepared for. I will walk you through it the way I presented it to the board.

The illusion of oversight

The board believed it had oversight. Reports were presented, dashboards were circulated, and risk registers were updated. Everything looked structured.

The problem was not absence of governance but misplaced confidence in the form of governance. The fraud exploited a gap between what the board reviewed and how the business actually operated. Mobile money collections were reconciled at aggregate level, while adjustments were processed at transaction level. That separation created a narrow corridor where manipulation could occur without breaching reporting thresholds.

In one High Court decision in Uganda involving electronic financial evidence, the judge emphasised that the integrity of records is not determined by their existence but by their traceability and consistency across systems. That distinction is often lost in boardrooms. Having reports is not the same as having verifiable truth. Here, the reports were accurate within their design. The design itself was the weakness. The board never asked: at what level does fraud become invisible in our system?

How the scheme actually worked

The individual at the centre of the scheme, a quiet operations officer known for long hours and minimal interaction, did not create fictitious transactions. That would have been detected.

He exploited timing. Collections received through mobile money were logged in real time, but internal ledger postings occurred in batches. Between those two points, adjustments could be introduced under the guise of corrections.

He would slightly alter transaction values during the batching process, redirecting small amounts to a shadow account configured within the system as a temporary holding account. That account existed legitimately for reversals and corrections. It was never designed to be abused.

Amounts were deliberately kept below internal review thresholds. Patterns were dispersed across multiple days and channels. No single transaction raised suspicion.

What makes this case instructive is not the method. Variations of this have appeared in several East African rulings involving electronic fraud. What matters is the discipline behind it.

The individual studied internal controls over time. He understood which reports were reviewed, which exceptions triggered queries, and which anomalies were routinely explained away. Fraud here was not an event but a process.

How it was noticed

Detection did not come from systems but from discomfort. A junior auditor, reviewing reconciliation notes, noticed that explanations for minor variances were becoming repetitive. The language changed slightly, but the logic did not. Corrections attributed to timing differences appeared too frequently for comfort, so she escalated.

That decision deserves attention. In many organisations, such escalation would be dismissed as over-analysis. In this case, it triggered a deeper review. We reconstructed transaction flows over a thirty-day period, aligning mobile money logs, system postings, and adjustment entries. What emerged was a pattern of micro-adjustments converging on a single internal account.
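The reconstruction described above, and the control gap it exposed (per-item thresholds that never looked at cumulative inflows), can be expressed as a short reconciliation script. What follows is an added example, not code from the case or from IFIS: the transaction IDs, users, accounts, amounts, thresholds and the peak-hour window are all constructed and hypothetical. It shows why the checks the institution actually ran stayed green (every transaction balances, no single adjustment exceeds the review limit) while three views it did not have converge on one holding account: cumulative inflow, the sameness of the stated reasons once wording is normalised, and the time of day the entries were made.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Assumed control parameters (not from the article). A single adjustment above
# PER_ITEM_REVIEW gets a manual query; anything below passes without comment.
PER_ITEM_REVIEW = 50_000      # UGX
CUMULATIVE_REVIEW = 100_000   # UGX total into one adjustment account over the window

@dataclass(frozen=True)
class Collection:   # mobile money receipt, logged in real time
    txn_id: str
    received: int   # UGX
    channel: str

@dataclass(frozen=True)
class Posting:      # batch posting of that receipt to the customer ledger
    txn_id: str
    posted: int

@dataclass(frozen=True)
class Adjustment:   # "correction" entered between receipt and posting
    txn_id: str
    delta: int      # UGX moved off the receipt
    to_account: str
    reason: str
    user: str
    when: datetime

# Constructed sample data for one working week (hypothetical IDs, users, accounts).
COLLECTIONS = [
    Collection("MM-0001", 1_250_000, "MTN"), Collection("MM-0002", 840_000, "Airtel"),
    Collection("MM-0003", 2_100_000, "MTN"), Collection("MM-0004", 560_000, "Airtel"),
    Collection("MM-0005", 1_975_000, "MTN"), Collection("MM-0006", 430_000, "MTN"),
    Collection("MM-0007", 3_200_000, "Airtel"), Collection("MM-0008", 690_000, "MTN"),
]
ADJUSTMENTS = [
    Adjustment("MM-0001", 12_000, "HOLD-TMP-01", "timing difference",   "ops_officer_7", datetime(2025, 3, 3, 11, 42)),
    Adjustment("MM-0002", 18_500, "HOLD-TMP-01", "Timing difference",   "ops_officer_7", datetime(2025, 3, 4, 12, 10)),
    Adjustment("MM-0003",  9_900, "HOLD-TMP-01", "timing diff - batch", "ops_officer_7", datetime(2025, 3, 5, 11, 55)),
    Adjustment("MM-0004", 35_000, "REV-CLR",     "customer reversal",   "teller_12",     datetime(2025, 3, 5, 15, 20)),
    Adjustment("MM-0005", 21_000, "HOLD-TMP-01", "timing difference",   "ops_officer_7", datetime(2025, 3, 6, 12, 5)),
    Adjustment("MM-0006", 15_750, "HOLD-TMP-01", "batch timing",        "ops_officer_7", datetime(2025, 3, 7, 11, 48)),
    Adjustment("MM-0007", 24_300, "HOLD-TMP-01", "timing difference",   "ops_officer_7", datetime(2025, 3, 10, 12, 15)),
]
# Each posting is the receipt minus whatever was "corrected" off it, so every transaction balances.
POSTINGS = [
    Posting("MM-0001", 1_238_000), Posting("MM-0002", 821_500), Posting("MM-0003", 2_090_100),
    Posting("MM-0004", 525_000), Posting("MM-0005", 1_954_000), Posting("MM-0006", 414_250),
    Posting("MM-0007", 3_175_700), Posting("MM-0008", 690_000),
]

def per_transaction_variances(collections, postings, adjustments):
    """received - posted - adjustments per transaction. The scheme balances here, so this is empty."""
    posted = {p.posted for p in []} or {p.txn_id: p.posted for p in postings}
    adj = defaultdict(int)
    for a in adjustments:
        adj[a.txn_id] += a.delta
    out = {}
    for c in collections:
        diff = c.received - posted.get(c.txn_id, 0) - adj[c.txn_id]
        if diff:
            out[c.txn_id] = diff
    return out

def aggregate_variance(collections, postings):
    """What the weekly books showed: total received minus total posted to customer ledgers."""
    return sum(c.received for c in collections) - sum(p.posted for p in postings)

def above_item_threshold(adjustments, limit=PER_ITEM_REVIEW):
    """The only adjustment check the original control performed."""
    return [a for a in adjustments if a.delta > limit]

def account_inflows(adjustments):
    """Cumulative inflow per destination account: the view nobody was looking at."""
    out = defaultdict(lambda: {"count": 0, "total": 0, "users": set()})
    for a in adjustments:
        out[a.to_account]["count"] += 1
        out[a.to_account]["total"] += a.delta
        out[a.to_account]["users"].add(a.user)
    return dict(out)

def converging_accounts(adjustments, limit=CUMULATIVE_REVIEW):
    """Accounts whose cumulative inflow crosses the window limit although every item passed."""
    return sorted(acct for acct, v in account_inflows(adjustments).items() if v["total"] >= limit)

def reason_families(adjustments, account):
    """Collapse free-text reasons to a keyword family: varied wording, same logic."""
    fam = defaultdict(int)
    for a in adjustments:
        if a.to_account == account:
            text = a.reason.lower()
            fam["timing" if "timing" in text else "reversal" if "revers" in text else "other"] += 1
    return dict(fam)

def peak_hour_share(adjustments, account, start_hour=11, end_hour=13):
    """Share of an account's adjustments entered during the busiest (least supervised) hours."""
    rows = [a for a in adjustments if a.to_account == account]
    return sum(start_hour <= a.when.hour < end_hour for a in rows) / len(rows) if rows else 0.0

if __name__ == "__main__":
    print("per-txn variances:", per_transaction_variances(COLLECTIONS, POSTINGS, ADJUSTMENTS))
    print("weekly variance  :", aggregate_variance(COLLECTIONS, POSTINGS))
    print("items queried    :", above_item_threshold(ADJUSTMENTS))
    for acct in converging_accounts(ADJUSTMENTS):
        print(acct, account_inflows(ADJUSTMENTS)[acct], reason_families(ADJUSTMENTS, acct),
              f"peak-hour share {peak_hour_share(ADJUSTMENTS, acct):.0%}")
```

Run stand-alone, the script reports no per-transaction variance and no item above the review limit, exactly the picture the weekly sign-off saw; the weekly variance is simply the sum of the "corrections". Only the account-level view shows six entries from one user totalling UGX 101,450 into HOLD-TMP-01, all in the "timing" family and all entered in the peak window, against a single genuine reversal to REV-CLR. The cumulative limit is the adaptive threshold the redesigned controls introduced; in practice it would be set per account and per period, not hard-coded.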

At that point, the issue moved from audit concern to potential criminal conduct. Courts in Uganda have consistently held that patterns of behaviour, when supported by system logs and corroborating evidence, can establish intent even where individual transactions appear legitimate. That principle guided our approach.

Where the board failed

The failure was not technical but conceptual. The board focused on outcomes rather than pathways. Financial results were reviewed, variances were explained, and controls were documented. What was missing was interrogation of process integrity.

No one asked how transactions moved from initiation to reporting. No one challenged whether controls operated in real time or only at reporting points. No one tested the system from the perspective of someone trying to bypass it.

In legal terms, the duty of care extends beyond passive review. It requires active inquiry where risks are foreseeable. In this case, digital transaction environments and mobile money integration were known risk areas. The absence of targeted oversight in those areas created exposure. The board did not fail because it was negligent; it failed because it relied on structures that were no longer sufficient for the environment in which it operated.

The investigation approach

We approached the investigation with the assumption that every conclusion would be challenged in court. That changes how you work: every step has to produce court-admissible evidence. System logs were preserved immediately to maintain evidential integrity. Access rights were reviewed to establish who could perform specific actions. Device histories were analysed to link user activity to physical endpoints.

We did not rely on a single source of truth. Mobile money records, internal system logs, and user activity trails were cross-referenced. Where discrepancies existed, we resolved them before forming conclusions.

Interviews were conducted with a strategy. Questions were framed to test consistency rather than elicit admissions. The individual initially attributed discrepancies to system errors. That position collapsed when confronted with timestamped logs showing deliberate sequencing of actions.

One detail often missed by investigators is the importance of context. We established not only what actions were taken, but when and under what conditions. Activity consistently occurred during peak operational hours, when oversight was lowest. That pattern reinforced intent. By the time the matter reached legal review, the evidence was not a narrative but a structure. Each element supported the next.

Anticipating the defence

Any competent defence will attack three areas: the authenticity of the electronic evidence, the possibility of system error, and the absence of direct proof of intent. We addressed these from the start. Authenticity was supported through system integrity checks and chain of custody documentation. Logs were extracted using standard forensic procedures, with hash values recorded at the time of acquisition so that any later claim of alteration could be tested against them.
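The hashing step is simple to show concretely. The following is an added illustration in Python, not the firm's own tooling: it hashes each exported log with SHA-256, records digest, size and acquisition time in a manifest, returns a digest of the manifest itself for the paper custody log, and later re-verifies every file. The file names, examiner label and log contents are constructed for the example, and the demo alters a single figure in one export to show what a verification failure looks like.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read in 1 MiB pieces so large log exports never sit fully in memory

def sha256_file(path):
    """Streamed SHA-256 of a file on disk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def write_manifest(paths, manifest_path, examiner):
    """Record digest, size and file name for each extract; return the manifest's own digest."""
    lines = [f"# acquired_by={examiner} at={datetime.now(timezone.utc).isoformat()}"]
    for p in sorted(paths):
        lines.append(f"{sha256_file(p)}  {os.path.getsize(p)}  {os.path.basename(p)}")
    body = "\n".join(lines) + "\n"
    with open(manifest_path, "w", encoding="utf-8") as f:
        f.write(body)
    # The manifest digest is what goes into the signed custody log, so the manifest is covered too.
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def verify_manifest(manifest_path, directory):
    """Re-hash every listed file; returns {file name: 'ok' | 'modified' | 'missing'}."""
    results = {}
    with open(manifest_path, encoding="utf-8") as f:
        for line in f:
            if line.startswith("#") or not line.strip():
                continue
            digest, size, name = line.rstrip("\n").split("  ", 2)
            path = os.path.join(directory, name)
            if not os.path.exists(path):
                results[name] = "missing"
            elif os.path.getsize(path) != int(size) or sha256_file(path) != digest:
                results[name] = "modified"
            else:
                results[name] = "ok"
    return results

def demo():
    """Constructed scenario: two exports are hashed, then one figure in the ledger export is changed."""
    with tempfile.TemporaryDirectory() as d:
        mm_log = os.path.join(d, "mm_collections_2025-03.csv")
        ledger = os.path.join(d, "ledger_batches_2025-03.csv")
        with open(mm_log, "w") as f:
            f.write("txn_id,received,channel\nMM-0001,1250000,MTN\nMM-0002,840000,Airtel\n")
        with open(ledger, "w") as f:
            f.write("txn_id,posted\nMM-0001,1238000\nMM-0002,821500\n")
        manifest = os.path.join(d, "MANIFEST.sha256")
        manifest_digest = write_manifest([mm_log, ledger], manifest, examiner="examiner_1")
        before = verify_manifest(manifest, d)
        # Same byte length, one digit changed (1238000 -> 1258000): size check passes, hash does not.
        with open(ledger, "r+b") as f:
            data = f.read().replace(b"1238000", b"1258000")
            f.seek(0)
            f.write(data)
        after = verify_manifest(manifest, d)
        return manifest_digest, before, after

if __name__ == "__main__":
    digest, before, after = demo()
    print("manifest digest:", digest)
    print("before:", before)
    print("after :", after)
```

The size field is a cheap first check, but the deliberately same-length edit in the demo is why it is never sufficient on its own. In a real acquisition the manifest digest is written into the signed custody record at the time of extraction, and the verification is repeated in front of the opposing side if authenticity is disputed.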

System error was tested by replicating the transaction process under controlled conditions. The system did not produce the observed discrepancies without manual intervention.

Intent was established through pattern analysis; repeated actions, consistent timing, and targeted use of specific system features created a narrative that could not be explained by accident.

Our local courts have accepted such structured evidence in cyber-related cases, particularly where multiple independent data points converge. The key is consistency. One weak element can undermine the entire case.

Technology blind spots

Boards often treat technology as a black box. Reports are accepted because they are generated by systems assumed to be reliable. That assumption is dangerous. In this case, the system functioned exactly as designed. The weakness lay in configuration and monitoring.

Temporary accounts were not subject to the same scrutiny as permanent accounts. Thresholds for review were static, not adaptive. Real-time monitoring focused on large transactions, ignoring cumulative small adjustments. Modern fraud does not always break systems; it often operates within them. Future-ready oversight requires understanding not just what systems do, but how they can be used in unintended ways. That requires a different level of engagement from boards.

Closing the case

The individual was suspended, evidence was handed to authorities, and recovery processes were initiated. Not all funds were recovered, which is often the reality.

More importantly, the organisation redesigned its controls. Reconciliation moved closer to real time. Adjustment accounts were subjected to enhanced monitoring. Thresholds were reviewed and made dynamic. Escalation protocols were strengthened to protect those who raise concerns. The board changed how it asked questions: not "what happened?" but "how could this happen without us seeing it?"

What this means for you

Fraud prevention at the board level is not about more reports; it is about better questions.

  1. Where can small irregularities accumulate without visibility?
  2. Which processes rely on timing gaps?
  3. What assumptions exist about system integrity that have never been tested?
  4. How would someone with internal knowledge exploit current controls?

These questions expose gaps that formal structures tend to hide. That is where the real work lies. Fraud does not wait for governance frameworks to catch up; it evolves within them. The organisations that survive are not those with the most policies but those that continuously test their own blind spots before someone else does it for them.

© 2025 All rights reserved Institute of Forensics and ICT Security | IFIS is the training arm of Summit Consulting Ltd