The rise of invisible theft It doesn’t start with a gun. It starts with a click. A wrong link. A fake email. A too-good-to-be-true job offer. Online fraud is no longer the exception, it’s the rule. And in Uganda, cases reported to the CID’s Cybercrime Division have quadrupled in the last two years. From Kampala to Kabale, cybercriminals are no longer hiding in the shadows. They’re hiding in your inbox. The con in convenience We investigated a recent case in Mbarara involving a school bursar who lost UGX 38 million to a fake supplier portal. The fraud started with a well-crafted email mimicking the Ministry of Education’s supplier payment platform. Everything looked authentic: logos, language, and layout. All it took was one click. Once she logged in, the fake site harvested her credentials. Within two hours, the fraudsters had logged into the real platform, changed the payment details of three contractors, and diverted the funds to mobile money accounts registered under fake national IDs. How the red flags were spotted It wasn’t the police who spotted it. It was the school’s internal auditor. During routine review, he noticed discrepancies in contractor payment confirmations; payment vouchers existed, but no contractor acknowledged receipt. He called one of them directly. That call saved the school millions more. He froze all pending transfers and initiated a forensic review. When our team from Summit Consulting was brought in, we traced the IP addresses to a rented office space in Kikuubo where a cybercrime ring was using VPNs and rented laptops to coordinate the attacks. These weren’t just unemployed youths; two of them were IT interns from a local university. The money trail The UGX 38 million was broken down and split into 19 different mobile money accounts, each capped below UGX 2 million to avoid triggering suspicious transaction alerts. The withdrawals happened across three districts within hours. This was not amateur fraud. This was industrialized deception. What you must do now If you’re a CEO, audit head, or accountant, stop thinking cybercrime is an IT problem. It’s a leadership problem. It’s a culture problem. And it’s a systems problem. You must invest in continuous fraud risk assessments, mandatory staff leave, dual approvals, and penetration testing. Do not wait for URA or NITA to tell you. Act. Because online fraud doesn’t just steal your money. It erodes trust. And when trust goes, your business dies next.
Fraud alert! 7 red flags every employee should watch out for
When fraud happens, it is never out of the blue. The signs are always there, ignored, excused, or misread. As an internal investigator and strategist, I have seen organizations lose billions simply because no one asked the obvious question. Let me break it down. Fraud does not start with fake invoices or missing cash. It starts with silence. With people minding their own business while corruption blossoms in plain sight. Below are the telltale signs to note. 1) Living beyond means (i) A junior staff member suddenly drives a brand-new car. (ii) A modest salary earner starts vacationing in Dubai with the whole family. Not Jinja. Not Fort Portal. But to Dubai. Emirates. Burj Khalifa. Floating breakfast. All in full HD on their WhatsApp status. (iii) Let us be honest. You know your colleague’s payslip. You all queue at the same salary office. Then out of nowhere, this person shows up driving a car whose logbook is allergic to salary loans. He says it is “God’s blessing.” Yet even God is whispering, “My child, do not drag me into this one.” When you see lifestyle levitate while the pay grade remains grounded, do not clap. Do not borrow style. Ask: What is funding this miracle? Because when fraud happens, the red flag is not the theft. It is the silence and side-eyes from colleagues who pretend not to notice. And by the time HR wakes up, the car is sold, the Dubai album is complete, and the audit trail is colder than your office tea. I always tell people that do not envy what you do not understand. Fraud always looks like success until the handcuffs come. 2) Unwillingness to take leave (i) Fraudsters guard systems like gold mines. You would think their password is their blood type. (ii) They fear exposure, not sunburn. If someone else logs in while they are away, the secrets start coughing. (iii) When someone refuses annual leave for five years straight, claiming they “just love working,” do not applaud. Raise the alarm. Let me paint you a picture. Peter in Accounts has not taken leave since Museveni last reshuffled the cabinet. Every year, HR begs him: “Please go and rest.” He smiles, declines, and somehow still gets his leave allowance. But here is the trick: Peter is not hardworking. He is hard to hide. His Excel sheets have more formulae than a PLE math paper. He reconciles his books, approves his payments, and sends his audit responses. Ask to sit at his desk? “Ah, boss, my work is a bit sensitive.” Sensitive indeed. The last guy who insisted on relieving him? Transferred to stores. When a staff member treats leave like a death sentence, they are not loyal. They are laundering. Remember, everyone needs rest. But a fraudster? They can not afford it. Their scheme collapses the moment someone else logs in. Audit tip: If someone resists delegation like it were a crime, check. It probably is. 3) Over-familiarity with vendors (i) Personal friendships become procurement shortcuts. “I know a guy,” they say, and that guy always wins. (ii) One supplier keeps getting the deals even when they quote higher, deliver late, or write invoices like riddles. Why? Because he buys the drinks and sometimes the fridge too. (iii) That “drink after work” culture? It is not networking. It is onboarding into a kickback scheme. Let us unpack this. Meet Sharon from procurement. Friendly. Efficient. Always available. Her best friend, Brian, owns “B-Tech Supplies.” Every tender? He wins. Every evaluation? He scores 98%. One time, his quote arrived in PowerPoint instead of Excel. Still awarded. Why? Because Sharon and Brian have a rhythm. You will find them every Friday at Cayenne laughing like business is a comedy. But what is not funny is how B-Tech delivers reams of paper that vanish faster than the toner. Ask Sharon for a justification report, and she replies, “Trust me, Brian is reliable.” That’s not due diligence. That is due to fraud. Real suppliers compete. Fake ones collude. If one vendor keeps winning while everyone else is just ‘for formality,’ you are not running procurement. You are hosting a reunion. Friends do not let friends win tenders. At least not without proper evaluation, clear documentation, and a firewall between social life and supplier lists. Because when vendors and staff are this cozy, what is being supplied is not just stationery. It is a scandal. 4) Excessive control over processes (i) One person handles everything: initiation, approval, reconciliation. (ii) That is not efficiency. That is fraud in stealth mode. (iii) Segregation of duties exists for a reason. Now, meet Sarah. The finance admin at a vocational institute in Wakiso. On paper, she was a miracle worker. Initiated payments, approved them, updated the ledger, and even printed the cheques herself. The Principal used to praise her: “Sarah is very reliable. Does not disturb anyone.” Exactly. Because disturbing people brings witnesses. When the internal auditor finally got access to her files, they found something strange. The same stationery supplier had invoiced the same items four times in a quarter. Toner. A4 paper. USB flash drives. Same descriptions, same amounts, just different invoice numbers. Turns out, Sarah had been processing and paying ghost suppliers. But since she reconciled the books herself, it always looked clean. Until a sick day exposed her empire. A colleague covering for her asked one innocent question: “Why are we paying UGX 4 million for ‘flash disks’ every month?” That is when the curtain dropped. The fraud had been running for 3 years. Estimated loss? UGX 212 million. One-person processes are not a strength. They are a system failure. Segregation of duties is not a bureaucratic nuisance. It is your first line of defense. When one person controls every step, audit trails vanish, checks collapse, and fraud moves in quietly, confidently, and with receipts. 5) Missing or suspicious documentation (i) Ghost receipts. (ii) Repeated ‘lost’ files. (iii) Frequent ‘technical errors’ in audit trails. Classic cover-up tactics. Now
The fraud diamond: How good people cross the line
Fraud doesn’t begin with bad people. It begins with pressure. With a quiet “just this once.” With a system that looks away. To truly understand how fraud happens, forget the Fraud Triangle. That’s kindergarten. Step up to the Fraud Diamond, a sharper, more dangerous model. It exposes not just why fraud occurs, but how the fraudster pulls it off. There are four points to this diamond. Each one cuts deeper. 1) Motivation or pressure – the fire under the pot I call it the boiling kettle. Pressure builds in silence. It could be school fees, a sick parent, a gambling habit, or a toxic bonus structure. Inside, the kettle starts to boil. If there’s no ethical outlet, no support system, the steam seeks escape. In one case in Mbale, a payroll officer altered the system to pay herself “advances.” Why? Her landlord had given a final eviction notice. Her children’s school threatened suspension. In her head, this wasn’t theft, it was survival. Just last Saturday, I was sitting in a restaurant having a meal when a man suddenly shouted at the top of his voice: “James, you’re a very bad person. I’m coming to evict you tomorrow. How do you live in someone’s house for over ten months without paying a single coin? I borrowed money to build that house, I pay URA, I pay KCCA, and even the man who opens the gate for you—but you sleep there, produce children, and don’t even think about paying rent? What kind of man are you? How do you even find the energy to get in the mood for producing children with that ever-accumulating rent hanging over your head?” The man, clearly the landlord, was furious and didn’t allow the tenant to say a single word. That, my friend, is pressure. Now imagine that same tenant works in your company… and has access to money. 2) Opportunity – the unlocked window A window left open at night gives easy access to intruders. Pressure alone doesn’t cause fraud. Opportunity invites it. Weak controls. No supervision. Poor segregation of duties. In most district local governments, fuel fraud thrives because no one reconciles fuel cards against mileage and journeys. No trackers. No oversight. So drivers inflate trips. Storekeepers divert fuel to boda riders. The window is open, and the thief doesn’t even need to break in. 3) Rationalization – the bedtime story When a thief believes s/he’s the hero, smiles while stealing! To sleep at night, fraudsters tell themselves stories. “They owe me.” “It’s just a loan.” “Everyone does it.” “I have worked for this company for too long, I deserve this!” In Gulu, a hospital accountant stole UGX 75 million over 3 years. He told investigators, “I was just reclaiming all the weekends I worked without pay.” That’s not a justification—it’s a confession wrapped in entitlement. 4) Means – the master key Before you make that spare key, make sure your locksmith has good morals. This is what the traditional fraud triangle missed. You can have the motive or incentive or pressure, the chance or opportunity, and the excuse or rationalization but without the means, you’re still locked out. Means are the skills, access, and tools to execute fraud. System access. Insider knowledge. Technical know-how. In Wakiso, an IT assistant cloned mobile money withdrawal codes after observing the finance team for months. No one suspected him until one day, UGX 210 million vanished from a project account. The complete diamond motive, opportunity, rationalization, and means. If you want to stop fraud, don’t just audit. Don’t just preach ethics. Break the diamond. Remove the pressure by offering support. Start personal finance training, family planning talks, and staff mentorship programs. Shut the window by tightening the controls. Separate duties, enforce approvals, and audit surprise transactions regularly. Challenge the stories people tell themselves. Teach ethics through real-life case studies and promote an open, values-driven culture. Block the tools they need to act. Limit system access, rotate roles, and monitor user activity with alert systems. Fraud isn’t magic. It’s mathematics. Fix the equation before it breaks you. And now you know the formula.
Don’t be the next headline: 5 simple steps to prevent fraud today
Fraud doesn’t knock. It walks right in through your open doors, process gaps, ignored red flags, and blind trust. And when it hits, it hits hard. Reputations ruined. Careers ended. Cash gone. Before you become the next cautionary tale, here are IFIS’s five practical steps to block the fraudster’s path starting now. 1) Segregate duties If one person controls initiation, approval, and payment, you’ve built a perfect fraud machine. Split roles. Always. No one person should control an entire transaction process. This includes payroll, procurement, and reconciliations. In Ugandan SACCOs, for example, we’ve seen treasurers process fake withdrawals for non-existent members simply because no one else was checking. 2) Verify before you trust Your most trusted employee could be your biggest threat. Do independent verifications, especially for suppliers, ghost staff, and “urgent” payment requests. Call back. Confirm. Don’t assume. That “vendor” might be your staff using a cousin’s bank account. 3) Monitor your logs System logs don’t lie, but only if you review them. Watch for late-night logins, multiple failed password attempts, or sudden system changes. Many fraud cases begin after hours when no one is watching. Install alerts. Review them weekly. 4) Rotate responsibilities Never let one person own a role for years without a break. Fraud loves routine and familiarity. Make leave mandatory. Rotate roles periodically. That alone exposes long-running schemes. A cashier’s theft was only discovered during maternity leave in one Eastern Uganda district. 5) Train everyone Fraud is not just an IT problem. It’s a people problem—train staff to spot social engineering, phishing emails, and manipulation tactics. Make fraud prevention part of onboarding and annual refresher training. When everyone is alert, the fraudster is isolated. Final word: Fraud isn’t just a finance problem. It’s a leadership failure. Fix the culture. Build systems. And for heaven’s sake, stop relying on trust alone. Trust is not an internal control. Stay alert. Stay protected.
Why every auditor needs a CFE badge in their arsenal
If you’re an auditor without fraud investigation skills, you’re just a glorified bookkeeper. In today’s Uganda, internal audit reports are littered with “irregularities noted,” “supporting documents missing,” and “recommend management action.” But no names. No loss quantification. No recovery plan. That’s not an audit. That’s avoidance. The gap- Auditors see red flags. CFEs act on them. Your audit flagged UGX 74 million in unsupported payments. Good. But who took it? How was it done? Who colluded internally? Where’s the evidence trail? That’s where the Certified Fraud Examiner (CFE) badge transforms an ordinary auditor into a value protector. You stop being the person who writes reports no one reads, and become the person who exposes what management fears most: the truth. What the CFE badge adds to your audit arsenal a) Forensic mindset (i) You stop accepting “we lost receipts” as an explanation (ii) You start mapping fraud schemes, not just control weaknesses (iii) You ask: Who benefited? Not just What went wrong? b) Evidence collection skills (i) Capture screenshots, trace mobile money flows, and preserve chat logs (ii) Chain of evidence for court, not just management memos (iii) Use metadata and timestamps to catch backdated documents c) Suspect interviewing and report writing (i) Turn denial into confession through skillful questioning (ii) Write airtight fraud reports with loss value, suspect profiles, and timelines (iii) Support prosecution with confidence, not fear of litigation The audit that saved nothing In 2022, a northern Uganda NGO did a standard audit. It noted missing inventory worth UGX 34 million. The report blamed “poor record-keeping.” Months later, a whistleblower exposed the truth: the finance officer was running a side hustle reselling donated goods. If the auditor had CFE training, the fraud could have been nailed in one week. Instead, it dragged on for six months, donors pulled out, and three staff walked away unpunished. Auditors without CFE training miss the real story Because fraud doesn’t show up in trial balances. It hides in behaviour, collusion, and paper trails. Traditional audit stops at compliance. CFE audit digs for truth Let me make it clear: If you’re auditing without forensic skills, If you rely only on vouchers and policy manuals, If your report says “may have been fraud” instead of “we found the suspect,” You need to upgrade. Get the badge. Become the person your board trusts when the money goes missing. Because in the fight against fraud, hope is not a strategy. Competence is. And the CFE badge is your sword. Or, just become a Certified Fraud Forensic Professional, CFFP. Click here to enrol, https://forensicsinstitute.org/course/certified-fraud-forensic-professional-cffp-2/
The CFE Toolkit. Skills every business needs to prevent fraud
Every business in Uganda is one fake invoice away from collapse. From SMEs in Ntinda to NGOs in Gulu, fraud is not just a financial problem. It’s a survival threat. And the truth is, most businesses won’t see it coming until it’s too late. That’s where Certified Fraud Examiners (CFEs) come in. They bring not just investigations, but a toolkit every serious enterprise needs to build fraud resistance from the inside out. Fraud is not an event. It’s a process. No fraudster walks in wearing a sign reading “I am a fraudster”. They study your loopholes. They exploit weak controls. They whisper, “This is how we’ve always done it.” Then they vanish with your money. CFE training equips professionals to interrupt that process early, surgically, and with finality. Inside the toolkit: Practical CFE skills every business must adopt a) Fraud risk assessment (i) Identify high-risk processes: procurement, payroll, and mobile money disbursements (ii) Score them for likelihood and impact (iii) Build a fraud risk register that goes beyond generic checklists b) Forensic document review (i) Detect manipulated supplier invoices and cloned contracts (ii) Verify vendor legitimacy against URSB and URA records (iii) Spot template fraud, same fonts, same printers, same lies c) Digital evidence gathering (i) Recover deleted emails, WhatsApp chats, and manipulated PDFs (ii) Map internal collusion between staff and external actors (iii) Build evidence admissible in court d) Interview and confession techniques (i) Spot deception through inconsistencies and evasion (ii) Apply behavioural analysis to break down cover stories (iii) Convert suspects into state witnesses e) Fraud reporting and prosecution (i) Draft airtight case files with timelines, evidence chains, and loss estimates (ii) Present findings to CID, IGG, and internal disciplinary committees with clarity and confidence (iii) Push for asset recovery not just suspensions and transfers 3) Case in point: a silent fraud in a Kampala logistics firm A mid-sized logistics company in Nakawa lost UGX 91 million in “ghost warehouse rental fees.” Their internal accountant, in collusion with a junior procurement officer, fabricated lease agreements with a fictitious landlord. What stopped the bleeding? A newly certified CFE on the board noticed inconsistent TIN records and launched an internal probe. The suspects were arrested. Money recovered. Culture changed. Every business has three choices (i) Hire a CFE or a CFFP (https://forensicsinstitute.org/course/certified-fraud-forensic-professional-cffp-2/). (ii) Train your key staff as CFEs or CFFPs. (iii) Wait to be defrauded. Fraud does not discriminate. It doesn’t care if you are an NGO, SACCO, or a tech startup in Bugolobi. But CFEs do. They bring structure, foresight, and accountability. If your accountant can’t detect fraud, they are a risk. If your procurement team doesn’t understand red flags, they are a liability. It’s time to equip your team with the CFE toolkit. Because fighting fraud is not a department, it’s a discipline. And those who master it win. Become a CFE now
Become a fraud-fighting superhero: Get certified today!
In a country where billions vanish silently into forged invoices and ghost accounts, the real superheroes don’t wear capes. They carry audit trails, forensic reports, and courtroom-ready evidence. They are Certified Fraud Examiners (CFEs). And the battlefield is real. Why it matters: The fraud is already happening Every week, a district accountant approves payments to a supplier that doesn’t exist. A school headteacher lists “ghost pupils” to pocket capitation grants. A procurement officer inflates prices on desks by 300%. By the time the Auditor General flags it, the money is long gone. But what if you could catch it before it spreads? What if you were the person they feared in the room? What CFEs do is expose the schemes no one talks about As a CFE, you don’t wait for whistleblowers. You build systems that reveal fraud patterns before they explode. You: a) Trace the money: even when it moves through mobile money and cousins’ accounts b) Decode fake documents: from doctored receipts to manipulated contract minutes c) Interview suspects: and break their stories wide open d) Write forensic reports: that land in courts, not drawers You don’t accuse. You prove. And that changes everything. Why now: The space is wide open Uganda has fewer than 150 active CFEs, yet the fraud is multiplying. Ministries, NGOs, banks, SACCOs, and district offices are losing money. They don’t need talkers. They need trained warriors. With tools. With credentials. With confidence. How to start: Get certified. Join the movement. Summit Consulting’s Fraud Risk Management Masterclass is your first step. It’s local. Practical. Delivered by experts who’ve cracked real cases from fake medical procurement deals to parish development fraud. You’ll learn to: (i) Detect fraud early using red flags (ii) Conduct investigations with digital evidence (iii) Report fraud in formats that regulators and prosecutors can act on Then you’ll sit the CFE exam. And earn global credibility. You can rant. Or you can rise. Uganda doesn’t need more observers. It needs doers. Professionals trained to say: “Not on my watch.” So if you’re serious about becoming a fraud-fighting superhero Get certified. Join the Institute of Forensics & ICT Security. Change the game. Because silence is not neutral. It’s complicity.
From red flags to real cases how CFEs uncover hidden crimes
The quiet theft that bled a district dry In March 2024, the Chief Administrative Officer of a western Uganda district noticed an odd spike in “fuel and maintenance” expenses for sub-county motorcycles. What raised eyebrows was simple: most motorcycles hadn’t moved an inch for months, yet the ledgers showed full tanks and frequent repairs. By April, the CAO escalated the matter to the Internal Auditor, who pulled receipts from the sub-counties. That’s when the case started to stink. The fuel vouchers bore forged signatures. Some mechanics listed had died years ago. The audit report highlighted “possible fraud,” but no further action was taken. That’s when we were brought in. Our job? Move beyond suspicion. Expose the architecture of theft. And find the culprits. Everyone was in on it This was not an isolated fraud. It was a cartel. The scheme (i) Ghost motorcycles were listed in the asset register (ii) Drivers claimed fuel and repair advances (iii) Funds were disbursed through mobile money accounts of relatives posing as suppliers The red flags (i) Fuel logs had identical mileage for weeks (ii) Mechanics issued repairs on non-existent chassis numbers (iii) Receipts were printed on the same template from a shop in Rukungiri The District Engineer approved everything. So did the Internal Auditor—until the scandal broke and he went silent. The investigation: Following the money and the lies We began by mapping the money flows. a) Disbursement trail We traced UGX 186 million over 13 months, siphoned via mobile money in tranches of UGX 480,000 to UGX 1.2 million. Most went to one number registered to “Mugabe Estates Ltd”—a fake entity linked to a cousin of the sub-county chief. b) Document forensics and analysis We ran a document analysis. The receipts had identical font kerning and were printed using the same Epson dot-matrix. The Uganda National Supplier Registration System had no record of the vendors. c) Interview trap We set up a quiet sting and called the listed “mechanic” as a potential partner. He arrived in a taxi and admitted he’d been paid UGX 50,000 per signature. We got it on tape with his permission. The system failed, and we showed how In total, the district lost UGX 186 million in 13 months. But worse, it exposed a culture of silence and cover-ups. Procurement, audit, accounts, engineering—everyone signed off. And they all blamed “the system.” We filed a detailed forensic report with the CID, Anti-Corruption Unit, and the IGG. Three arrests have been made so far. The CAO is under pressure to explain the delayed action. A case in point: the Kyotera Diaries This is not unique. In Kyotera in 2023, a parish chief claimed 60 boda-boda repairs for motorcycles impounded two years earlier. That case alone cost UGX 43 million. Again, forged invoices. Again, mobile money trails. Again, the internal auditor slept on the job. The lesson: Red flags are not conclusions. They are starting points. Most fraud is not hidden. It is ignored. It thrives in silence. Certified Fraud Examiners are not magicians. We just do what others don’t—follow up, verify, ask who benefits, connect the dots, and then put it in a report so sharp no one can pretend not to see it. That’s how you turn red flags into arrests. That’s how you break the culture of impunity. That’s how you protect public funds from disappearing in plain sight. And if you don’t, who will? Become a CFE now The iShield 360
Our pentest approach. Why most risk management teams are NOT future ready
You have a penetration testing process. You have a risk management department. You have an internal audit team. Yet you are still vulnerable. Why? Because most teams are not evolving as fast as the threat landscape. At Summit Consulting, our VAPT approach is simple and brutal: Inception meeting: Define timelines, expectations, and failure points up front. Blackbox penetration testing: Simulate a real-world external attack without insider knowledge. Vulnerability assessment: Identify cracks before the enemy does. Whitebox penetration testing: Simulate insider threats with full access. Internal vulnerabilities assessment: Your weakest links are always inside. Final report compilation: No sugar-coating. Just the truth. Presentation of findings: Executive-level intelligence, not geek talk. Here’s the real question Are your internal audit and risk teams evolving to meet today’s threats? Or are they still stuck writing yesterday’s audit checklists? Cyber risk is not a compliance exercise anymore. It is a survival strategy. Why most risk management teams are not future-ready In 2024, a mid-sized Ugandan financial institution asked us for a routine vulnerability assessment. They had just passed a regulatory audit with flying colours. Their internal audit team had ticked all the boxes. We applied our summit iShield 7-step VAPT approach. Inception meeting: Their IT head assured us, “We’re clean. Just do a quick scan.” Blackbox testing: Within 4 hours, we breached their email gateway and sat silently inside their network. Vulnerability assessment: Found 47 high-risk exposures, including default admin credentials on core switches. Whitebox testing: Gained domain admin privileges in less than a day, with full access to their backup systems. Internal vulnerability check: Discovered weak passwords like “Welcome@123” and unpatched ERP servers. Final report: We drafted a 54-page red alert report with proof-of-exploit screenshots. Board presentation: Their CEO nearly fell out of his chair. His exact words were: “But our IT team said we were safe?” Here’s the reality Their internal audit team had never tested controls, only reviewed paperwork. Their risk team didn’t even understand what a lateral movement attack was. That is the problem. Too many organizations are blind, not because they lack talent, But because they confuse compliance with security. They are auditing locks, not testing doors. Our VAPT approach is not just a scan, it’s a war game. If your internal experts can’t handle simulated attacks, how will they survive real ones? Now is the time to partner with experts who can support them to add value. Future-ready internal audit and risk management team, outsource the cybersecurity assurance services to an external firm, so that they do not move blindly. Leadership takeaway Compliance passed. Pen test failed. Only one of those outcomes protects your business. Wake up. Test. Transform. Contact us today to be your partner. Visit www.summitcl.com. #RiskManagement #InternalAudit #CyberSecurity #VAPT #BeTransformed #MrStrategy
Fraud happens in silence: Speak up, Save millions
On 11th February 2025, a procurement officer at a prominent government parastatal in Entebbe signed off an “emergency” UGX 360 million payment for the supply of solar panels. No panels arrived. No alarm was raised. No questions were asked. By June, after seven similar “emergency procurements,” over UGX 2.7 billion had quietly disappeared. Nobody saw. Nobody heard. Nobody dared to speak. Until one junior stores clerk, earning UGX 800,000 a month, finally blew the whistle anonymously. Summit Consulting Ltd was contracted to investigate, weeks after internal damage-control efforts failed spectacularly. By then, the silence had cost them dearly. Culture versus Compliance Most Ugandan organizations boast thick policies, glossy codes of conduct, and colorful posters urging integrity. But when fraud happens, real culture shows. At this parastatal, the culture was loud in meetings, but dead silent when it mattered. Staff had seen inflated invoices. They had noticed the rushed LPOs. But speaking up meant isolation. Transfers to Karamoja. Career death. So they shut up. Until it was too late. How the fraud was perpetrated a) Emergency procurement loophole i) “Emergency” procurements bypassed standard competitive bidding, based on fictitious justifications like “urgent rural electrification.” ii) Dummy suppliers, registered two months prior, were awarded contracts. iii) Payments were made before delivery, with fake site inspection reports signed off by internal colluders. b) Covering the tracks i) Manual alteration of bid committee minutes to reflect fake evaluation processes. ii) Destruction or loss of key procurement files under the guise of office “renovations.” iii) Coordination with rogue internal auditors to delay review cycles. Money movement details a) 65% of stolen funds were withdrawn in cash within 48 hours of payment disbursements from the institution’s account. b) 20% was layered through school fees payments, and land purchases in Wakiso and Mukono registered under third parties. c) 15% was used to pay off insiders and fund a political “war chest” in anticipation of the 2026 elections for a local MP. By the time we traced the money, a full recovery was nearly impossible. Red flags ignored a) Repeated emergency procurements from the same five “suppliers.” b) Payment schedules consistently just below the UGX 500 million threshold requiring higher level scrutiny. c) Frequent staff reshuffles of whistleblowers and critical thinkers. Our investigation methodology a) Deep dive procurement audit We requested original procurement files and compared them with system records, uncovering material inconsistencies. b) Lifestyle forensics We profiled suspected staff: unexplained new houses, fancy SUVs, and unexplained “business investments” by spouses. c) Anonymous tipline deployment We set up a confidential reporting platform, receiving over 37 insider tips within one month painting the full picture of the syndicate. Challenges faced a) Fear culture Even after formal whistleblower protection was assured, most staff still hesitated to testify without heavy anonymization. b) Legal bottlenecks Prosecution processes dragged due to weak evidence preservation and political interference. c) Record tampering Several key files and emails mysteriously “disappeared” during the early days of the investigation. Confirmed loss: UGX 2,720,450,000. Projected indirect loss: Another UGX 4 billion in opportunity costs, reputation damage, and donor sanctions. Fraud thrives in silence. Fraud lives because honest people fear. Fraud wins because organizations punish candor more than they punish theft. If your staff fear HR more than they fear a court of law, your institution is one tender document away from collapse. If you truly want to save millions, build a culture where speaking up is rewarded not buried. Uganda’s biggest frauds are not committed by masterminds. They are committed by mediocres shielded by fear, enabled by silence. Fraud is not a financial risk. It is a cultural cancer. Kill the silence, or the silence will kill your organization.
