Every company loves the idea of having strong investigators. Few appreciate what that means. They imagine trench-coat detectives with sharp instincts and thicker files, things they have watched on the Investigation Discovery (ID) channel. But in the real corporate world, the most powerful tool an investigator wields is not instinct, not authority, not software. It is the pen. And contrary to popular belief, the investigator’s pen does not record events. It reveals culture. Habits and red flags. I learnt this early in my career. I walked into an organization where every complaint began with the same refrain. “I reported this before, but nothing happened.” That line told me the investigation was already compromised. Where staff feel unheard, fraud flourishes by default. Not because people are inherently dishonest, but because silence becomes policy. And any investigator who ignores these frustrations is merely tracing shadows. A good investigator begins by reading the organization, not the evidence. In one bank, I advised, junior staff avoided eye contact. Not out of guilt, but fatigue. They had seen countless investigations launched, only to be quietly buried when the names involved were too politically expensive. Their behaviour, slow responses, guarded language, and selective memory were not an obstruction. It was survival. The investigator’s pen must capture these cultural fractures. If the culture is broken, the evidence will lie. Boards rarely hear this truth. Weak report writing destroys more cases than poor investigation technique. I have reviewed hundreds of internal investigation reports. Most are written like diary entries. Long paragraphs, emotional statements, shortcuts, and assumptions. They read like the investigator wanted to prove they were busy. But effective report writing demands the opposite. It requires discipline, neutrality, and precision. A case can be airtight, yet one ambiguous sentence can collapse it. A regulator asked me to review a report on licensing fraud. The officer had written, Subject 1 manipulated the system to benefit an external party. On the surface, the statement looked clear. In reality, it was useless. What system? Which part? What action constituted manipulation? And what control deficiency made it possible? When I pressed the investigator, he simply said, “Everyone here knows what happened.” That casual comment exposed the real failure: an organization where shared assumptions replace documented facts. When assumptions enter an investigation, the truth bleeds out silently. The investigator’s pen exists to prevent such bleeding. Good investigators write as if every sentence must withstand courtroom pressure, opposing counsel scrutiny and boardroom fatigue. They know leaders are busy. They know executives skim. They know the legal department will interrogate every comma. So, they write with surgical restraint: fact, source, analysis. No gossip. No drama. No decorative English. Just the story the evidence tells. The quality of an investigator’s report is a reflection of the organization’s integrity. Poor reporting always signals deeper cultural rot. One time, I engaged with an insurance company where staff kept saying, “We do not want trouble.” They avoided giving statements. They avoided details. They avoided involvement. Their fear was not of the fraudster, it was of management retaliation. When investigators operate in such environments, their pens become timid. Reports become vague. Findings become diluted. And boards wonder why accountability never sticks. Investigators thrive where leadership is courageous. In one manufacturing firm, the CEO made a bold declaration before an investigation began, “No name is too big to be examined.” Staff relaxed. Evidence flowed. Interviews became honest. The final report was crisp, factual, and unambiguous. Why? Because the investigator’s pen could move without fear. And that is what most organizations lack: freedom for truth to breathe. Another example. A procurement officer in a public agency kept repeating, “I did what I was told.” That phrase became the skeleton key that unlocked a multi-layered collusion scheme. On paper, his actions were procedural. In practice, he was the perfect pawn. His repeated phrase was not a defence; it was a symptom. Good investigators hear these symptoms. They know behaviour talks long before evidence does. They follow discomfort. They pursue inconsistencies. They extract accountability from patterns ordinary investigators dismiss as staff attitude. The investigator’s pen, therefore, does more than write. It diagnoses. It exposes managerial hypocrisy. It highlights resource gaps. It reveals when a department is overworked, when employees feel unsafe, when leadership is absent, and when controls exist only on paper. Investigators who treat reporting as the final step misunderstand the craft. Report writing is the actual investigation. It forces clarity. It eliminates bias. It holds a mirror to leadership. If the culture is rotten, the report will smell. Good investigators understand that their job is not to punish. Their job is to illuminate. They know the goal is not naming and shaming, but strengthening the organization’s immune system. Fraud is merely a symptom. Culture is the disease. And the investigator’s pen is the diagnostic tool. Boards and executives must therefore stop celebrating fast investigations. Fast usually means superficial. Effective investigations require diligent listening, thorough documentation, and precise writing. They demand investigators who are humble enough to doubt themselves and brave enough to document uncomfortable truths. They demand leadership that welcomes those truths without flinching. So here is the uncomfortable conclusion. A good investigator is not judged by how many fraudsters they catch. They are judged by how well they help the organization confront itself. Their pen must restore trust, not theatrics. It must cut through politics, not dance around it. It must protect the evidence, preserve the process, and safeguard the organization’s integrity. If boards want real accountability, they must empower investigators to write without fear, review without bias, and report without interference. In the end, the investigator’s pen is the most honest voice an organization has, if leadership allows it to speak.

Dear colleague, Every week, I meet professionals who quietly admit a painful truth: the investigation was strong, but the report was weak. In boardrooms, HR offices, police stations, and compliance desks across Uganda, cases collapse not because the wrongdoer was innocent, but because the report could not stand up to scrutiny. In my work advising CEOs, auditors, investigators, and regulators, I have seen internal cases that read like audit summaries, not investigative reports. One company literally begged a fraudster to resign because their report could not withstand the questions of opposing counsel. Another lost a multi-million-dollar wrongful termination case because the report was built on hearsay instead of structured evidence. In the 2026 cycles, those who master investigative writing will stand apart. Not because they speak louder, but because their reports are clear, defensible, and impossible to ignore. I invite you to join a hands-on training session designed for professionals who cannot afford to have weak documentation. You will work on real-world cases. You will write. You will revise. You will learn how to transform raw facts into a report that wins. Why this session matters Because in the real world, a poorly written report can let a guilty party walk free or ruin an innocent person’s life. A strong report, however, protects your organisation, strengthens your decisions, and gives you the confidence to stand before any tribunal, board, or court. What you will gain A full suite of tools and templates, including an investigation report template Practical techniques for gathering, structuring, and presenting evidence Skills to write reports that survive scrutiny from lawyers, regulators, and senior decision-makers Hands-on exercises from real cases we have handled Clarity on legal, ethical, and procedural risks in investigative writing Available training dates Third week of January 2026 (Hybrid) Second week of February 2026 (Hybrid) Delivery options Attend our training institute, or bring us in-house for a customised session at your premises. Fee: UGX 500,000 per person (in-house arrangements negotiable) If you lead investigations, supervise them, depend on them, or are held accountable for them, you cannot afford to miss this. Secure your seat today. Strengthen your team. Protect your organisation. Reply to us: https://forensicsinstitute.org/contact/ or call us to register: +256 784 270586/ +256783373637 Your investigation is only as good as your report. Make it count.

At IFIS, our mission has always gone beyond technical excellence. While we are known for shaping professionals in digital forensics, cybersecurity, risk management, and ICT governance, our core belief remains unchanged: a nation only grows when its people grow together. Community is the heart of sustainable progress. It is where families are formed, values are nurtured, and hope is restored. And for many Ugandans, faith spaces, especially churches, have long stood as pillars of strength, comfort, and unity. They are places where people run to in times of joy and in times of need. Places where spirits are lifted, relationships are strengthened, and futures are rebuilt. It is in recognition of this deep cultural and spiritual foundation that IFIS is honoured to support the construction of the new church at St. Balikuddembe Catholic Sub-Parish, Kisaasi–Kyanja. This church is not just a physical structure but a sanctuary that will stand for decades, shaping lives and nurturing faith. It will host baptisms, weddings, confirmations, and community gatherings. It will become a center for prayer, renewal, and direction, especially for young people seeking identity and families seeking peace. The new building will offer a dignified, welcoming environment for worship, free of the limitations that have challenged the parish for years. It will allow the church to expand its ministries, empower youth groups, strengthen family fellowships, and grow community outreach programs. Faith Meets Purpose: IFIS CSR in Action Our CSR vision is rooted in giving back to the communities that nurture the very professionals we serve. Supporting the construction of a church aligns with our values of integrity, service, and nation-building. When a community’s spiritual foundation is strong, its people are stronger—and this strength radiates into schools, workplaces, and society at large. By contributing to this project, we are not just funding construction materials. But we are investing in: Community unity and resilience Youth moral development and mentorship Family support systems Strengthening social fabric and shared identity A legacy of faith that will outlive all of us This is development that begins in the heart and spreads outward. An Invitation to Join Hands Great community projects succeed when many hearts pull in the same direction. We therefore extend a warm invitation to our partners, alumni, clients, friends, and well-wishers to join us in supporting the completion of this sacred space. Every contribution, big or small, adds a brick to a legacy that will stand for generations. Donate here: https://app.twezimbe.com/crowd-funding/campaigns/9f318a1b-44d2-48a6-9f2f-5a57b78c17db Your generosity helps transform faith into action and intention into impact. As IFIS continues to empower professionals with knowledge and skills for the digital future, we remain committed to strengthening the moral and spiritual foundations that keep our communities whole.  

Every scam begins long before the money moves. It begins with a story; one written for you, rehearsed by someone else, and perfected to make you believe you’re in control. Whether it’s a phone call, an email, a text message, or even a well-dressed stranger at your office reception, every scam follows a predictable script. And the sad truth? It works because people stick to theirs; polite, trusting, distracted, and afraid to offend. Fraudsters don’t steal your money. They borrow your confidence and make you hand it over. Scams are not random. They are performances, each with a cast, a plot, and an audience: you. The actor (the fraudster) studies your habits, your tone, and your weaknesses. The script is tested and refined on thousands of victims before it reaches you. And the stage is wherever you feel safe: your phone, your office, your inbox, or your church WhatsApp group. The moment you engage, the scene begins. “Good morning, this is the bank. We’ve detected unusual activity on your account…” Or, Congratulations! You’ve been shortlisted for an interview; please confirm by paying a processing fee.” Each line is rehearsed to trigger emotion, fear, greed, curiosity, or guilt. And once you respond, the scam doesn’t need force; it has your trust. Why smart people fall for scams “Intelligence doesn’t prevent fraud. Ego enables it.” Executives, bankers, and engineers; they all get conned. Not because they are naïve, but because they believe they can’t be deceived. That’s exactly what scammers count on. In one investigation Summit Consulting handled, Subject 1, a senior procurement officer, received an email “from a supplier” offering a bulk discount. The email signature matched the real vendor. The only difference? A single letter in the domain name. He approved the transfer. UGX 86 million gone in a day. When interviewed, he said, “It looked real.” Of course, it did. It was designed to. Fraudsters don’t need to hack your system; they hack your assumptions. Every scammer studies one thing religiously: human behaviour. They understand how we respond to urgency, authority, and validation. They use simple tactics: Fear: “Your account will be closed if you don’t act now.” Greed: “You’ve won a prize but need to pay a processing fee.” Flattery: “We’ve selected you for an exclusive opportunity.” Guilt: “I’m in trouble, please help; you’re my only hope.” Each message triggers a reflex, not reflection. The moment emotion replaces reason, the script wins. You don’t need to be foolish to fall for a scam; you just need to be human. The new frontier: corporate scams Fraudsters have upgraded. They no longer target individuals alone; they target systems through people. They impersonate CEOs through email spoofing, requesting “urgent wire transfers.” They infiltrate board communication channels with fake attachments. They pose as vendors seeking “payment verification.” In one Ugandan firm, Suspect 2 impersonated a regulator and sent “compliance forms” to the finance team. The forms carried malware that captured passwords. By the time IT noticed, the company’s vendor accounts had been drained. Every scam has a script. The question is: why do organizations keep playing along? Because culture rewards compliance, not curiosity. Staff are trained to respond quickly, not wisely. When professionalism becomes vulnerability In many organizations, employees are taught to be polite; to respond immediately, to trust hierarchy, to avoid questioning authority. That’s precisely what fraudsters exploit. They impersonate bosses because they know subordinates won’t verify. They rush requests because they know no one wants to delay “urgent” matters. They use an official tone because we equate professionalism with legitimacy. “The same obedience that makes you efficient can make you a victim.” Good governance requires courage to question, not just competence to act. How to break the script The only way to beat a scam is to step off the stage. Pause before you respond. Fraud relies on urgency. Every scam begins with “now.” Delay is your best defence. Verify the source. Call the organization using official contacts, not the ones provided in the message. Normalize scepticism. Doubt is not rudeness; it’s due diligence. Report and educate. Every scam you report protects someone else. Scammers lose when people share their stories. Silence sustains the script. Case study: the deepfake deception In 2024, a multinational firm nearly wired $1.1 million after its CFO received a video call from the “CEO.” The call was perfect: voice, face, gestures; all AI-generated. The scam failed only because the finance officer noticed the CEO’s background was slightly blurred and called to confirm. Technology is no longer the threat. Trust is. As AI advances, fraudsters no longer need access; they need believability. Boards must prepare for a future where seeing is no longer believing, and verification becomes a moral duty, not a bureaucratic step. The greatest threat to your organization is not external fraud; it’s internal compliance without critical thinking. Fraudsters don’t always need your password; they need your cooperation. They script the lines. You deliver them faithfully. Risk management, therefore, is not just about controls; it’s about consciousness. Train your people to think, not just to follow. To question, not just to act. Because when everyone performs their role perfectly, the scam runs smoothly. Scams succeed when leadership underestimates human vulnerability. Boards must demand cyber awareness that’s continuous, not ceremonial. Ask management: How often do we test staff with simulated phishing attempts? How quickly are fraud reports escalated? Who owns the culture of verification here? Make fraud awareness part of board oversight, not IT housekeeping. Leadership is not about trusting less; it’s about verifying more intelligently. Every scam has a script. It’s predictable, emotional, and always urgent. But every leader has a choice: to play along or to rewrite it. Fraud prevention begins the moment you stop being an actor and start being an author of your own vigilance, your own decisions, your own awareness. Because in the theatre of deception, the smartest person is not the one who knows the lines; it’s the one who walks off stage.

Fraud never walks through the front door. It slips in quietly, wearing a company ID, armed with trust, and fluent in your internal processes. It doesn’t shout; it whispers. It doesn’t rush; it waits. Every fraud I’ve ever investigated began with something ordinary, a trusted staff member, a small exception, a delayed reconciliation. And yet, months later, it always ends with executives asking the same question: “How did we miss it?” The answer is simple. Fraud hides best in places where everyone believes it cannot exist. The illusion of loyalty The first mistake leaders make is confusing loyalty with integrity. In many organizations, loyalty is the highest currency. “He has been here for ten years,” they say proudly, as if tenure guarantees honesty. But long service doesn’t create integrity; it creates access. Fraud thrives not in chaos but in routine. The longer someone works within your systems, the more invisible their actions become. When Suspect 1, a mid-level accountant, started approving vendor payments without secondary review, it was not because he was cunning. It was because no one imagined he could be deceitful. He was “family.” He had signed the visitors’ condolence book, led morning prayers, and even chaired the welfare committee. By the time Summit Consulting Ltd was brought in, he had siphoned over UGX 420 million in small, unremarkable transfers; all within approved thresholds. The anatomy of invisible fraud “Fraud is not a storm. It’s a slow leak you mistake for humidity.” Most frauds begin as an opportunity disguised as a necessity. An employee feels underpaid, overworked, or overlooked. They see a loophole and convince themselves it’s temporary. Fraud follows a predictable lifecycle: Rationalization: “They owe me this.” Opportunity: Weak oversight, manual controls, or predictable approvals. Capability: Knowledge of how the system works and how to exploit it. By the time external auditors arrive, the fraudster has already perfected the cover-up. They understand your audit cycles, your risk appetite, and your blind spots. They operate beneath thresholds and within policies, using your own procedures as camouflage. When systems become accomplices In one government agency, Subject 2, a systems administrator, used dormant supplier accounts to authorize “system test” payments. Each was below the internal approval limit, so no red flags appeared. When questioned, he said, “It was just a test transaction.” It was for the first six months. By month twelve, he was testing his retirement plan. Fraudsters love predictable systems. When every control operates the same way every time, they know exactly when to strike. Static controls create dynamic vulnerabilities. That’s why your internal control manual isn’t enough. Fraud doesn’t need to break your system; it only needs to understand it better than you do. The culture that nurtures fraud Fraud doesn’t start with accounting entries; it starts with organizational silence. In one case, a junior staff member suspected that cashiers were “rounding off” daily collections. But when she raised the issue, her supervisor told her, “Stop being paranoid.” Six months later, the company discovered UGX 90 million in unaccounted cash. The red flag wasn’t missed; it was dismissed. When staff stop speaking up because no one listens, you create the perfect ecosystem for deception. Culture, not control, is your first line of defence. You can install the best fraud detection software in the world, but if people fear being labelled “troublemakers,” fraud will continue to thrive, politely, quietly, and profitably. The problem with traditional audits Boards often say, “Our auditors will catch it.” They won’t. Not because they’re incompetent, but because audits are designed to confirm accuracy, not detect intent. Fraud operates between transactions, in timing, relationships, and subtle behavioural changes. Auditors test samples; fraudsters manipulate exceptions. In one bank, a teller consistently reversed customer transactions after hours, claiming “system errors.” Because reversals matched entries, the system showed no loss. Only when Summit conducted a forensic data analysis did patterns emerge; reversals clustered around end-of-month reconciliation dates. The insight? Fraud lives in patterns people stop noticing. The key to early detection is not more data; it’s sharper interpretation. Here’s what I teach boards: Look for behavioural anomalies. Fraudsters change before systems do. Sudden defensiveness, reluctance to take leave, or late-night logins are red flags. Follow the flow of exceptions. Fraud often hides in “temporary” approvals, “manual adjustments,” or “test accounts.” Watch your culture metrics. When staff turnover spikes in finance or IT, fraud risk rises. Good people don’t leave strong cultures. Fraud detection is not a forensic task; it’s a leadership discipline. Fraud is not about bad people. It’s about good people making bad choices in environments that allow it. When leaders treat fraud as an external enemy, they miss the point. Fraud doesn’t invade; it emerges. It grows in cultures where success is celebrated but process is tolerated, where speed trumps scrutiny, and where leaders mistake charisma for credibility. “You don’t prevent fraud by locking doors. You prevent it by unlocking conversations.” If you want to spot fraud before it strikes, build an organization that sees everything twice: once through data, and again through human judgment. This means: Rotating responsibilities: No one should handle end-to-end processes for too long. Rewarding transparency: Make it safer to report anomalies than to ignore them. Modernizing detection: Deploy continuous monitoring tools that flag unusual trends in payments, vendors, or access logs. And most importantly, train leadership to see silence as a symptom. When staff stop raising issues, don’t celebrate; investigate. The board’s responsibility Boards must move beyond the comfort of audit reports. They should demand behavioural dashboards, not just financial ones. Ask management: What percentage of staff are overdue for mandatory leave? How many system access rights exceed job responsibilities? When was the last time whistle-blower data was analysed for patterns? Fraud awareness should be a standing board agenda item, not a post-crisis topic. Because the true measure of governance is not how you respond to fraud, but how you prevent it from becoming a headline. Fraud in the shadows is like a termite in wood: quiet, patient, and

In every boardroom I visit, there is one phrase that signals danger: “Let us not overreact.” It sounds rational, even mature. But in the world of risk in which we live, those four words have birthed more crises than any cyberattack, audit failure, or fraud scheme combined. Because risk ignored is not risk removed. It is risk deferred, and deferred risk always returns with interest. Human beings crave stability. When everything looks fine, leaders convince themselves that it is fine. The dashboard is green, sales are steady, and compliance is “under control.” But green does not mean safe; it often means blind. Every crisis you have read about, from failed banks to corporate collapses, began as a small, ignored signal. A delayed report. A whistleblower dismissed. A vendor anomaly is buried in “reconciliation issues.” No catastrophe arrives unannounced. It is preceded by ignored emails, unreviewed minutes, and board papers full of polite silence. In one investigation Summit Consulting Ltd handled, a medium-sized institution experienced a massive data breach. The root cause was not the hackers; it was complacency. Months earlier, IT had flagged unpatched servers. The CIO promised to “look into it next quarter.” The quarter passed. Then the hackers came. By the time management reacted, the system was already compromised. Risk did not act suddenly; it simply waited for them to stop paying attention. When comfort becomes culture The most dangerous risk in any organization is not external, it is internal comfort. Success makes leaders lazy. When profits rise, risk reports become ceremonial. Meetings are filled with optimism bias, an invisible belief that “it cannot happen here.” Leaders love predictable numbers and smooth dashboards, but predictability is the first enemy of vigilance. The paradox is this. The more successful an organization becomes, the less it questions itself. Executives stop challenging assumptions. Teams stop reporting bad news. And soon, everyone is playing defence against the truth. A weak control is ignored because “it has never failed before.” An over-reliant supplier is tolerated because “they have always delivered.” A minor policy breach is excused because “he is a good performer.” Risk management becomes reactive, not preventive. “What you ignore in good times will define your headlines in bad times.” Crises are simply risks that have grown tired of waiting. Look at any recent corporate scandal and trace it backward, and you will find ignored red flags dressed as “normal.” In one organization, a junior internal auditor noticed that supplier invoices always ended with sequential numbers. She raised it. Her manager laughed it off. Six months later, the company discovered a UGX 513 million procurement fraud; all through fake vendors created by an insider. The first alert had come, but no one listened. Leaders don’t get blindsided by risk; they get seduced by routine. You can’t predict every threat, but you can guarantee one thing: denial multiplies damage. The leadership blind spot Most boards talk about “risk appetite,” but few truly define it. They discuss risk in financial terms: losses, exposure, and capital buffers, but rarely in cultural terms. Yet every financial failure starts as a cultural one. When staff fear speaking up, risks mutate unseen. When senior management rewards obedience over curiosity, no one challenges weak controls. That is how organizations build quiet pipelines of disaster. A “yes culture” is a risk culture. The absence of dissent is not unity; it is suppression. Leaders must create an environment where uncomfortable truths are welcomed early, not celebrated post-mortem. Ask your team: What risk are we pretending does not exist? Which issue have we normalized because it is inconvenient to fix? Who benefits from us staying silent? Those questions do more for resilience than any quarterly audit report. The fraud connection, when risk meets rationalization Fraud is not a financial problem. It is a risk management failure. In nearly every fraud Summit Consulting investigates, there was a prior control weakness that someone had already documented. It was in an internal audit report, a management letter, or a risk register, but it was “low priority.” The fraudster simply acted on what leadership ignored. When Suspect 1, a senior accountant, embezzled over UGX 300 million, it was not because he was clever. It was because risk management was passive. Segregation of duties had been waived “temporarily.” Reconciliations were delayed “due to staff shortage.” Audit recommendations were marked “ongoing.” In other words, leadership left the door open, and someone walked through. Ignored risks invite betrayal. It is a fact of life that risk is not necessarily bad. Let me say what most executives will not: risk is not the enemy. The absence of risk means the absence of ambition. The goal is not to eliminate risk; it is to domesticate it. Successful leaders do not fear uncertainty; they shape it. That begins by reframing risk conversations from “compliance” to “competitive advantage.” Strategic risk tells you where your blind spots are. Operational risk tells you how resilient your systems are. Reputational risk tells you how authentic your culture is. Risk management, when done well, is not bureaucracy; it is strategy. It helps you act early while others react late. Building a culture of foresight Boards must evolve from passive oversight to active foresight. That means embedding four disciplines: Curiosity over comfort. Reward those who ask “what if,” not just those who deliver results. Data-driven vigilance. Use predictive analytics to detect weak signals before they become losses. Decentralized ownership. Make every employee a risk owner, not a risk reporter. Real-time learning. After every incident, update controls and culture, not just procedures. The best organizations do not just survive uncertainty; they anticipate it. They treat early warning signs as gifts, not nuisances. Risk is everyone’s job. The board’s role is to ensure that risk awareness is institutional, not departmental. Risk cannot be managed in a spreadsheet maintained by one person in the corner office. Every department must translate the concept of “risk” into its own everyday language. Finance must think about liquidity and credit exposures. IT must think

“Every fraud I have ever investigated began with trust. Not fake trust, genuine trust.” In every boardroom, trust is praised like a virtue. “We are like a family here,” someone says, and heads nod approvingly. But after two decades in fraud investigation, I now know that statement is often the prelude to scandal. Because families forgive. Families look away. Families assume good intentions even when the numbers tell a different story. And that precisely is where fraud begins. Fraud does not start in dark alleys. It starts in bright offices, between colleagues who know each other too well. The paradox of trust Trust is the oxygen of collaboration. It allows organizations to move fast and innovate. But when unguarded, it becomes poison. I have seen many executives confuse loyalty and integrity. “He has been with us for ten years,” they say, as if tenure immunizes one from temptation. It does not. It only expands access and knowledge of control weaknesses. Fraud thrives where trust is absolute and oversight is absent. When Summit Consulting Ltd was called to investigate a mid-sized firm, the main suspect was not a stranger. It was Suspect 1, a veteran accountant everyone called “uncle.” He was diligent, faithful, and even prayerful. He also created fake suppliers with nearly identical names to legitimate vendors. Over 18 months, he quietly siphoned UGX 371.8 million through mobile money transfers. No breaking in. No hacking. Just comfort, routine, and trust. Fraud is not theft. It is a conversation gone wrong. “It begins as a story people tell themselves to justify small compromises.”  “I will just borrow and pay it back.” “They don’t value me anyway.” “Everyone does it.” Those are the real beginnings of corporate fraud, not elaborate schemes, but emotional rationalizations. Fraudsters rarely start as criminals; they start as disappointed employees seeking fairness their own way. The danger is psychological. When someone feels invisible, they construct private systems of justice. And once the first theft succeeds without consequence, it evolves from an act into a habit. The myth of the small fraud Boards often comfort themselves by saying, “It’s only a small loss.” But small frauds are not harmless; they are rehearsals. The first UGX 100,000 stolen is never about the money; it is about testing the system. When nothing happens, the next theft becomes UGX 2 million. Then UGX 10 million. Fraud is behavioural conditioning. When wrongdoing has no cost, it becomes culture. Many organizations in Uganda and the region at large do not lack systems; they lack courage. Employees see anomalies but hesitate to speak up. Fear of labelling, fear of job loss, fear of being called “difficult.” That silence is where fraud flourishes. The courage to distrust; intelligently High-trust cultures are not naïve. They practice structured scepticism. “Do not distrust people. Distrust blind systems.” Fraud prevention is not paranoia; it is professional hygiene. Here is the formula Summit teaches: The Circle of Intelligent Distrust: Segregate duties: No one should initiate, approve, and reconcile the same transaction. Automate analytics: Let systems flag anomalies in real time. Protect whistleblowers: Make honesty safe, not heroic. It is not about suspicion: it is about design. The best control systems make fraud difficult even for good people tempted by bad moments. Peter Drucker’s timeless phrase rings true in fraud management. Culture does not just eat strategy for breakfast; it eats controls for lunch. You cannot enforce integrity with policies alone. When leaders bend rules “because time is short,” they model deviance as efficiency. When a board ignores a conflict of interest “for now,” they signal that ethics is negotiable. As Mr Strategy loves to say: “Fraud prevention is not an audit function; it is a leadership function.” Culture flows from tone, and tone flows from example. You cannot demand compliance from a staff you publicly undermine. Boards must stop delegating integrity Fraud is not an accounting issue. It is a governance issue. Too many boards outsource ethics to audit committees as if integrity were a department. It is not. It is a discipline that starts in the boardroom itself. A winning board does not wait for forensic audits; it anticipates fraud through sharp questioning: Who reviews the reviewer? Which red flags are being ignored because they involve “trusted” people? How are we rewarding ethical courage, not just performance metrics? Boards must remember: when fraud breaks, the public does not blame the accountant; they blame the brand. From awareness to architecture Every November, the world marks Fraud Awareness Week. But awareness without architecture is time wastage. Do not just print posters saying, “Stop Fraud.” Build systems that make fraud unattractive. Below are the recommended practical steps for this month: Simulate fraud response. Run live scenarios. Audit the audit. Review who validates reconciliations and supplier approvals. Incentivize honesty. Publicly recognize employees who report control lapses early. Fraud awareness isn’t a campaign. It’s an ongoing redesign of trust. The digital frontier: new trust, new risks Uganda’s financial landscape is digitalizing at breakneck speed; mobile money integrations, fintech wallets, and instant payments. But technology amplifies whatever culture it finds. A dishonest employee with system credentials is more dangerous than any hacker. Boards must treat cybersecurity as an extension of fraud management. That means embedding behavioural analytics, systems that detect anomalies in user activity, not just system breaches. One lesson I have learned over the years is that “You don’t fight digital fraud with firewalls. You fight it with foresight.” The final lesson: leadership defines the temperature of integrity In one case, Suspect 2, a procurement officer, confessed: “I didn’t think they’d find out. Even the bosses do it.” That is the ultimate audit finding: hypocrisy at the top. Integrity is not enforced through slogans; it is modelled through decisions. When leaders compromise once, they license everyone else to compromise repeatedly. Fraud risk, therefore, is a mirror. It reflects the character of leadership more than the cleverness of employees. As we mark Fraud Awareness Week, every board and executive must face one question: How is

It started with a phone call that should have been routine. “Good afternoon, this is IT; we are just updating your password. Kindly share your MFA code for system sync.” The voice on the other end sounded professional, confident, and even polite. Within 90 seconds, the officer in charge of treasury operations at a mid-sized local bank had unknowingly handed over the keys to the vault. By the time the fraud was discovered, UGX 3.2 billion had quietly vanished through a chain of digital transfers, small enough to evade automated alerts and clever enough to appear internal. What made this case exceptional was not the sophistication of the hackers. It was the naivety of convenience. The illusion of safety Inside the bank’s headquarters, efficiency was everything. The CEO prided himself on “frictionless service delivery.” Password resets were streamlined, system logins synchronized, and approvals automated. Staff called it the convenience culture. One password for all systems, minimal downtime, and the comforting belief that “IT has it covered.” When Summit Consulting Ltd was called in two weeks later, the board was in shock. The IT Manager insisted no system had been breached. The Compliance Officer swore all procedures were followed. Yet the treasury account kept haemorrhaging money in small, calculated withdrawals. This was not a brute-force attack. It was a culture breach. The first crack During the initial audit, Summit’s digital forensics team pulled server logs. They found that the initial access came from a legitimate device, a bank-issued laptop belonging to Suspect 1, a mid-level treasury officer. The investigators dug deeper. Behind the scenes, a remote-access application had been installed on his laptop, disguised as an update patch from IT. The malware did not just open the door. It stayed quiet, observing. For weeks, it captured credentials, clipboard data, and screenshots. How did it get there? Summit’s forensic image of the drive revealed the truth, a WhatsApp file transfer. The convenience trap “IT had told us email attachments were risky,” Suspect 1 explained during his interview. “So, we started sharing updates over WhatsApp instead. It was faster.” A colleague had shared what looked like an Excel macro update. The moment it was opened, a remote-execution script embedded in the file silently installed the backdoor. From that day, every click, password, and transaction entry was monitored by an external actor believed to be a former bank contractor. The irony? The breach originated from an alternative communication channel meant to make work “easier.” Convenience, again, had become the enemy. The anatomy of the heist Using harvested credentials, the attacker created a shadow approval workflow. They knew the internal routines; when managers logged in, when auditors checked balances, and which signatures were often delayed. Funds were routed in micro-transfers of UGX 18–25 million, labelled as vendor refunds and forex settlements. The accounts used were genuine, inactive client accounts reopened through social-engineered email approvals. To avoid suspicion, every transaction mirrored a legitimate one from the previous week. The total loss was masked under “system suspense clearing.” No alarms went off because nothing appeared abnormal. The transactions came from authorized users within working hours. The silent witnesses Inside the bank, several people saw red flags, but convenience muted their instincts. The internal auditor noticed the unusual pattern of “duplicate” transfers but assumed it was a system reconciliation. The compliance officer received an email query about the same vendor twice, but approved it because “the boss was traveling.” The system admin ignored a strange login because the credentials belonged to a trusted colleague. Every time someone felt something was off, they brushed it aside for the sake of speed. In the final analysis, Summit’s report noted, “This incident was not a hack. It was a harvest of human trust and organizational complacency.” The unmasking Forensic tracing led to a digital fingerprint left behind on the command server. The IP bounced through multiple VPNs, but one session slipped, revealing a location in Bukoto. Summit’s cyber team, working with law enforcement, mapped transactions through local mobile money aggregators. Some of the cash-out accounts were registered under stolen national IDs, but one SIM card connected to the same wallet had been used to pay a Yaka (UDCL Light) bill in the name of Suspect 2, a former staff member terminated six months earlier. When confronted, Suspect 2’s response was chilling: “They made security so easy I thought it was a test.” The forensic unravelling Summit’s forensic reconstruction revealed how the breach evolved in five stages: Access by deception. A fake WhatsApp file disguised as an Excel update installed remote-access malware. Credential capture. Keystrokes and screenshots were harvested silently. Privilege escalation. Compromised admin credentials were used to modify transaction approval queues. Transaction laundering. Micro-transfers funnelled through dormant customer accounts to evade detection. Cash-out & cover-up. Funds withdrawn via mobile aggregators and converted to cryptocurrency within 72 hours. The attackers understood one truth: in a culture of convenience, nobody double-checks what looks familiar. The emotional aftermath The boardroom was silent as Summit presented its findings. The chairperson, visibly shaken, asked, “So our systems were not hacked?” “No,” the lead investigator replied. “Your habits were.” The bank’s leadership realized they had invested in technology but neglected behaviour. They had built a fortress, but left the gate open for speed. The hardest pill to swallow was accountability. Every control had existed on paper. Every policy had a signature. Yet enforcement depended on human discipline, not design. The culture audit Following the investigation, Summit conducted a cyberculture audit. The results were eye-opening: 73% of staff reused passwords across systems. 58% admitted forwarding work documents via personal cloud email or WhatsApp. 41% had admin rights they no longer needed. Only 12% had ever changed default passwords on their devices. Convenience was not a behaviour. It was a system. Summit’s final report framed it starkly: “The institution achieved operational efficiency at the cost of digital resilience.” Redefining security The transformation that followed was painful but profound. Digital discipline became policy. All devices require MFA. WhatsApp file

If you have ever felt the pulse of a financial irregularity, the sudden spike, the hidden transaction, the silent whistle-blower, then you know this truth: the business of fraud is not simply accounting. It is a battlefield. And the credential that marks you as a qualified warrior in that battle is the Certified Fraud Examiner (CFE), issued by the Association of Certified Fraud Examiners (ACFE).   This November 2025, IFIS is your launchpad. It is time to move from being a good auditor or risk professional to becoming the fraud investigator organisations call when the fire hits. Here is your roadmap. The whys, the hows, and the strategic counsel to get you from today to credential-holding, career-elevated, fraud-fighting. Why the CFE makes sense and why now? Market demand meets prestige. Fraud is not going away. In fact, it is morphing. The ACFE’s vast body of research shows that organisations with CFEs on staff detect fraud faster and incur smaller losses. A tangible earnings premium. According to ACFE’s Compensation Guide. CFEs earn, on average, 32% more than their non-certified counterparts. For those with four-year degrees, median compensation among CFEs is approximately US $101,000, and for graduate-degree CFE, it is about US $112,000. In Africa/the Middle East, median CFE compensation was reported at around US $52,000, still significantly higher than many local peers. Professional credibility and organisational impact Holding the CFE signals you are more than an accountant or auditor; you are a trained investigator. CFEs bring “higher fraud detection, professional credibility, career advancement, and enhanced marketability.” In short, if you are working in internal audit, risk, compliance, or investigation (like many of you reading this), the CFE is the credential that marks the shift from good to elite. IFIS gives you the local gateway to that global benchmark. The eligibility and exam framework: Here is a breakdown of how to qualify and prepare, so you know exactly what you are signing up for Eligibility You must be an Associate Member of the ACFE. Use the ACFE “points system”: you need a minimum of 40 points to sit the exam, and 50 points to earn the credential. A bachelor’s degree typically grants ~40 points. If you do not have a degree, you may substitute two years of fraud-related professional experience for each year of academic study. You must have at least two years of professional experience in a field related, either directly or indirectly, to fraud detection/deterrence by the time you are certified. You must agree to the ACFE Code of Professional Ethics. Exam structure Once you are eligible, the path follows: Join ACFE.com as an associate member→ 2. Prepare for the CFE exam by buying study materials from the ACFE and also coming to IFIS for study classes→ 3. Apply for the exam → 4. Sit the exam → 5. Get certified. The exam covers four sections: Financial Transactions & Fraud Schemes Law Investigation Fraud Prevention & Deterrence. Each section is a separate exam (~100 multiple-choice/true-false questions), and you must achieve at least 75% in each to pass. Timeline and strategy Given you plan to begin this November 2025 at IFIS, here is a suggested timeline: Join ACFE, and begin your preparatory reading. November (IFIS class start): Attend IFIS guided sessions, form a study group, start weekly topic deep-dives. February-March 2026, Sit each of the four sections (or grouped as allowed by ACFE). On passing, gain the official CFE credential, commence leveraging it for career advancement and organisational value. Career guidance. Where the CFE takes you and how to position it There are several career paths you can aim for Internal Auditor (audit, risk & controls) External Auditor (public accounting firms) Compliance or Risk Management Professional Fraud Investigator / Examiner (private or public sector) Loss Prevention or Asset Protection roles How to use the CFE to stand out Leverage your current skills: If you are in internal audit, highlight your fraud-related work to meet eligibility and to show value. Show organisational impact: Use metrics, e.g., faster fraud detection, reduced losses. ACFE reports organisations with CFEs detect fraud ~40% sooner and have ~54% smaller losses. Network globally, act locally: Join the ACFE community, engage in its job board and webinars, but tailor focus to the East African context (mobile money risk, cyber-fraud, regulatory growth). Position for leadership: The credential not only earns more money; it signals readiness for roles with greater responsibility (manager, director). The Compensation Guide shows median compensation increasing significantly with the level of responsibility. Market the credential in your region: In Uganda, Kenya, Nigeria, etc., your “CFE” becomes a differentiator in insurance, banking, audit, and compliance hiring. Emphasise your global credentials plus local application. Five practical steps you must take right now Join ACFE today! Activate your membership, and you will start getting benefits and begin accumulating eligibility points. Conduct a gap analysis, identify your education points, and fraud experience points. If below 40, plan the experience or education to fill the gap. Register for the IFIS November class, commit now, block your study schedule, get your colleagues and manager informed (to support you). Design a study plan; e.g., 12 weeks before exam, break each of the four domains into weeks, include mock-tests, flashcards, peer-review sessions. Align your current role to your CFE journey; include fraud-related tasks in your performance goals, start logging fraud detection/prevention actions, and build your “case history” (for your resume and for ACFE’s experience requirement). Why now is the strategic moment for East Africa The financial services and audit sectors are increasingly under pressure, with rising regulation, greater digital/mobile-money risk, and stronger governance expectations. Organisations are seeking credible fraud–risk specialists. When you hold a globally recognised credential (CFE) and understand local mobile-money, SACCOs, and fintech risk in Uganda, you’re rare. By starting in November, you will be ahead of the curve: many professionals delay; being early gives you a first-mover advantage within your organisation or region. For the board/internal-audit context you already operate in (you are Head of Internal Audit in Nigeria), the CFE

It began with a knock. Not the kind that rattles your door at midnight, but the digital kind. The kind you don’t hear. The kind that seeps in through an innocent-looking email marked “Request for Quotation.” It was 2:13 a.m. on a Saturday in June when the first breach happened. The institution, a mid-sized government agency with offices along Jinja Road, had just completed its payroll run. The staff were asleep. The finance director was abroad. The systems administrator had left his token in a drawer “for convenience.” By Monday, UGX 1.2 billion had vanished; quietly, elegantly, and with surgical precision. That was the story that opened this year’s Cybersecurity and Risk Management Conference 2025, hosted by the Institute of Forensics and ICT Security (IFIS) at Speke Resort Munyonyo. And as each expert took the stage, it became clear: Uganda’s cyber war is no longer theoretical. It’s personal, psychological, and institutional. The calm before the breach Suspect 1 was a former IT officer. He knew the system well enough to exploit its blind spots but not well enough to fix them. He’d left the organization two years earlier after being denied a promotion. But his digital fingerprints remained. The agency had never deactivated his admin credentials from the legacy accounting platform. “It was just one of those things we’d get to later,” said one internal source during the post-mortem. Later never came. Using a VPN and public Wi-Fi from a café in Ntinda, Suspect 1 logged in with his old credentials. No alarms. No two-factor authentication. Within ten minutes, he had full access to the payments module. He then created four new supplier profiles. Each bore legitimate-sounding names: Kampala Supply Traders Ltd, Vision Industrial Parts, Equity General Solutions, and Mubende Agro Works. The National IDs used were genuine; they belonged to real people hired as boda riders and casual laborers, each paid UGX 50,000 for “helping open accounts.” The first red flag appeared two weeks later: the internal auditor noticed multiple supplier payments with near-identical narrative descriptions: “Supply of stationery.” But instead of investigating, she was told to “wait until next quarter’s audit.” That hesitation cost the agency almost a billion shillings. How the money moved Here’s how the fraud worked. Each ghost supplier had a mobile money-linked bank account. Once the payments cleared, the funds were split into smaller UGX 4–6 million transfers, sent to over 30 wallets. Some of those wallets belonged to staff relatives. Others to mobile money agents near Wandegeya, Kamwokya, and Kyengera. “Follow the cash, not the crime scene,” said the lead investigator from Summit Consulting Ltd, which was called in after the breach. Summit’s digital forensics team traced the movement of funds across three telecom platforms. Within hours, patterns emerged: transfers made between 2–3 a.m., withdrawals in batches of five, and multiple SIMs registered under a single national ID; a textbook indicator of a collusive scheme. “Every fraud has two halves,” explained the Summit investigator. “The insider who knows the door, and the outsider who knows when it’s open.” Their forensic reconstruction revealed that Suspect 1 had an accomplice; Suspect 2, the agency’s current accounts assistant. Suspect 2’s role was simple but crucial. He approved the transactions using his supervisor’s token while the supervisor was “on travel.” He’d convinced him that “system delays” required him to leave the token in the drawer “for continuity.” That drawer, investigators later discovered, was the breach’s front door. The breach beneath the culture At the conference, Summit’s presentation drew gasps; not because of the technical sophistication, but because of how ordinary the setup was. The agency had invested over UGX 300 million in cybersecurity tools. Yet none of them mattered because human culture was the weakest link. There was no segregation of duties. Tokens were shared. Audit logs weren’t reviewed. And the internal auditor lacked system access to monitor real-time transactions. One delegate whispered, “This could be any of us.” He was right. Ugandan institutions often think cyber risk is about hackers in hoodies. The real enemy, as we learnt, is organizational comfort; the belief that loyalty equals security. “We trust our people too much,” said one CEO on the panel. “But trust without verification is the breeding ground for fraud.” The forensic breakthrough Summit’s digital forensics lab, operating from Nakasero, recreated the full digital trail using forensic imaging. Every keystroke, timestamp, and token approval was reconstructed. A chilling detail emerged: Suspect 1 had logged in on Independence Day, a public holiday. No one noticed. The intrusion lasted only 17 minutes. Within that window, he created and approved four payment vouchers worth UGX 860 million. How did he get the approvals through? He used an automation script to mimic the payment workflow, leveraging the shared token credentials of the finance manager. The script executed instantly, bypassing human verification. When Summit Consulting presented this sequence during the conference, the room went silent. Because everyone realized: the system wasn’t hacked from outside. It was used exactly as designed. The anatomy of insider collusion Summit’s report to the board detailed a textbook example of insider-enabled fraud: Role Action Control bypassed Suspect 1 (ex-IT staff) Accessed the system using old admin credentials User deactivation control Suspect 2 (accounts assistant) Processed ghost supplier payments Token misuse and weak supervision Finance manager Left the token unsecured Poor physical control Internal auditor Deferred review Lack of real-time audit visibility HR Failed to ensure exit clearance Weak access offboarding Each small negligence formed a chain. Together, they became a breach. “Fraud isn’t a single act of genius,” said the Summit consultant. “It’s a series of small permissions.” How Summit cracked the case The investigation took 11 days. The first 72 hours were the hardest. Logs had been deleted. Tokens were “missing.” HR insisted Suspect 1 left cleanly. But Summit’s forensics team pulled a digital rabbit out of the hat. They recovered fragments of deleted logs from a backup server that had been “ignored” by IT. These logs showed a unique pattern: every intrusion occurred within