Everyone loves to preach about “trust.” It is easy. It feels good. It looks good on glossy company brochures and leadership seminars. Trust without verification is negligence wearing a suit.

Trust but verify means giving people freedom to act, but building systems to independently confirm that what they promised is what they delivered. It is about combining optimism with brutal realism.

What it does

It empowers leaders to stop playing the victim when fraud happens. It creates a culture where honesty is respected and inspected. It turns risk management from a prayer into a process.

The best, most practical application? In retail banking. One fast-growing bank in East Africa implemented a smart trust but verify system: daily surprise cash counts, random transaction audits, independent reconciliation reviews, and mandatory staff rotations. Meanwhile, competitors who only “trusted” woke up one morning to discover billions gone, siphoned quietly by insiders they thought were “loyal.”

How to apply it step-by-step

Map critical trust points. Identify where you heavily rely on people’s honesty: cash handling, procurement, approvals.

Design independent verification. Add random checks, dual sign-offs, audit trails, and surveillance. Not because you suspect. Because you are responsible.

Automate and anonymize checks. Use tech tools like reconciliation bots or data analytics to cross-verify transactions without bias or boredom.

Reward honesty exposed by verification. Praise people who are verified clean, not just assumed clean. Make truth-telling a celebrated behavior.

Act decisively on breaches. When verification exposes fraud, do not drag your feet. Fire fast. Prosecute. Publicize internally.

The benefits for leaders are many. You sleep better. You stop guessing. You move from reactive firefighting to proactive risk control.
And you send a clear message: “We trust you, but we respect our duty to protect everyone, including you, from human weakness.” At the fast-growing bank, a branch manager once thanked HQ for a surprise audit that caught a teller skimming early. Instead of embarrassment, it saved the branch’s reputation. Trust but verify worked. Not just for the numbers, but for the people.
Uganda’s cyber laws: Are they strong enough?
A padlock on a chicken coop means nothing if the fox has the keys.

In a recent cybersecurity audit, we discovered that sensitive data (employee emails, client info, and even board minutes) was being stored on unencrypted USB drives carried in handbags. One manager proudly said, “But we have complied with the Data Protection Act.” My colleague asked him, “Have you complied with common sense?”

Here is the hard truth: Uganda has cyber laws. What we lack is cyber muscle.

a) Laws on paper, chaos in practice
Uganda has made strides: the Computer Misuse Act (2011), the Data Protection and Privacy Act (2019), and the Electronic Transactions Act, among others. But here is the challenge: laws do not enforce themselves. In 9 out of 10 cases I have handled, organizations did not even know they were in breach.

b) Enforcement agencies lack teeth
CERT. NITA-U. Police Cybercrime Unit. Now the ACF. Government forensics lab. They exist. But do they have the capacity? Budget? Independence? In a world of anonymous VPNs, AI-generated scams, and cross-border fraud, enforcement must be smarter than the criminal.

c) The judiciary is overwhelmed and undertrained
Cybercrime cases are delayed, misclassified, or thrown out due to technicalities. Some judges still do not know the difference between a DDoS and a USB stick. That’s not justice. That is a circus.

Think about this

Would you fight a drone with a panga? That is what Uganda is doing. We are fighting 21st-century crime with 1990s capacity. The hackers are not in Uganda. They are on Telegram, on dark forums, in North Korea, or next door in Nairobi. Your systems are exposed 24/7. But your legal protection clocks out at 5 pm.

At one of our trainings, a CEO asked: “Can a hacker be sued under Ugandan law?” Yes, I said. But only if you can catch them, prove it, and hope the court understands how malware works. Good luck with that.

So, are Uganda’s cyber laws strong enough? No. They are well-written, but practically toothless.
This is not just about legislation. It is about the entire cybersecurity ecosystem: legal, technical, institutional, and cultural.

Here is what needs to change:

Make breach reporting mandatory. Right now, companies quietly pay ransoms and cover up leaks. That is how systemic vulnerabilities grow. Bring sunlight into the room.

Fund the cybercrime units with tech, not tea. Give them digital forensics labs, AI threat detectors, and 24/7 monitoring centres, not just Toyota Prados for PR.

Train judges and prosecutors. They must understand digital evidence, chain of custody, and cross-jurisdiction cyber threats. Otherwise, justice will always lag behind innovation.

Make company directors legally liable. If you sit on a board and allow cyber negligence, you should face personal consequences. That is how we wake up boards.

Create a real-time cyber task force with private sector linkages. Not a talk shop. A real unit with engineers, analysts, and incident responders that work with banks, telcos, ISPs, and major corporates.

In the village, they say: “A hyena does not ask permission to enter.” Cybercriminals are not waiting for our laws to catch up. They are exploiting our delays.

Uganda needs not just cyber laws. We need cyber deterrence. Action against cybercrime. We need to strike back hard, fast, and legally. Create cyber weaponry and cyber warfare for both offensive and defensive capabilities. Because the next war will not be fought with guns. It will be fought with code.

IFIS Team.
The data privacy debate: Freedom vs security
A monkey tied to a tree still thinks it is free. That is the modern internet user: clicking “I Agree” a hundred times a day without reading anything, giving away their location, contacts, voiceprints, and heartbeats in exchange for emojis and free Wi-Fi. The illusion of control in a world engineered for surveillance.

One afternoon, the Summit Consulting team was consulting for a large bank that wanted to roll out a facial recognition login system “for convenience.” During our break, the IT head proudly demonstrated it scanning faces faster than a matatu conductor spots a fare-dodger. Everyone applauded. Except for my team.

“Who owns this data?” my colleague asked. Silence. “Where is it stored? Who else has access to it? What happens if a disgruntled admin leaks this?” More silence. The kind that says, we did not think that far.

That is when we realized: we were building digital prisons and calling them fortresses.

Here is the real issue

a) Security has become the Trojan horse
Governments, corporations, and even schools are justifying unprecedented surveillance “for your protection.” Yet history whispers a warning: every authoritarian regime started by promising order in exchange for liberty.

b) Privacy is seen as paranoia
You are labeled difficult if you ask where your data goes. But as an executive, if you do not care about your organization’s data lineage, you are not managing risk; you are sleepwalking into regulatory chaos.

c) Convenience is the new currency
We give away rights in return for speed. Faster apps. Shorter queues. Personalized ads. But each trade strips another layer of our autonomy. The same tools built to “understand us better” are profiling us for manipulation.

A Ugandan proverb says: “When the roots of a tree begin to decay, it spreads death to the branches.” The root here is this: we never defined a boundary. We rushed to digitize before we governed.
We let tech companies set the rules, and now we are catching up with Data Protection Acts like children sweeping after elephants.

In one of my assignments at a major telco, we discovered that over 3,000 third-party apps had API access to customer data: unmonitored, undocumented, and ungoverned. “We trusted the developers,” they said. I said you do not build trust. You enforce it. That system was a time bomb. We defused it in 60 days. But most companies do not even know the timer is ticking.

So what should bold leaders do?

Adopt zero-trust like you breathe oxygen. Stop assuming your systems, staff, or partners are safe. Verify everything. Trust no one; not even yourself.

Turn your privacy policy into a governance engine. Make it a living document. Tie it to your internal audits, procurement processes, and third-party onboarding.

Educate your board and staff. Most breaches come from ignorance, not malice. Train people not just in cybersecurity, but in ethical tech use.

Push for citizen-first regulation. Don’t wait for NITA-U to force your hand. Design systems that protect the least tech-savvy user. If your grandma cannot opt out easily, your system is broken.

Set the standard. Do not just comply; lead. Compliance is the floor. Leadership is the roof. Be the company that earns trust, not just accepts consent.

My final word

Security without privacy is surveillance. Privacy without security is fiction. We need both. And as a leader, you must stop delegating this to IT. Data is not just a technical issue. It is a strategic, ethical, and existential one. If you are not in the room where your data protection decisions are made, then you are the one being served; not the one being protected.

Wake up. Build fortresses, not cages.

Institute of Forensics & ICT Security
The first 48 hours after fraud: What top investigators never miss
The issue is: Time is not money, it is evidence

On 26th February 2025, the CEO of a prominent government agency in Mbale made a panicked call at 8:14 am. Their revenue accountant had failed to show up for work. UGX 1.8 billion in land fees had disappeared from the suspense account. Worse still, the audit trail was unclear. IT had already formatted the accountant’s computer “to prepare for a new hire.”

We arrived within six hours. But the damage was done. Log files were gone. Devices tampered with. Colleagues in ‘defensive mode’.

The first 48 hours are not about panic. They are about preservation. The best investigators do not look for culprits first. They look for what cannot be replaced: digital footprints, physical evidence, and staff memory. Miss that window, and you bury your case.

Management reacts emotionally, not forensically

When fraud is discovered, most leaders focus on reputation management: public statements, damage control, and “dealing with the person.” That is why they suspend the suspect without collecting their devices or reassign access before imaging logins. It is understandable but wrong. Fraud response is not an HR event. It is a crime scene protocol. One wrong move and the trail evaporates. You do not discipline a suspect before investigating. You secure the evidence first.

The first 48 hours: What we always do

a) Secure digital assets before anything else
(i) Confiscate all devices (phones, laptops, and USBs) immediately. Not for punishment, but preservation. They’re evidence.
(ii) Image the drives. We create forensically sound copies (bit-by-bit) before any internal IT “cleans up” the mess. This protects the integrity of files, timestamps, and logins.
(iii) Lock down email and network access, not just to block the suspect, but to freeze the activity. All logs are time-sensitive. Every second counts.

b) Establish a digital chain of custody
(i) Who handled what? When? Where? This includes security guards, IT staff, and line managers.
(ii) Every file moved must be logged. Every conversation recorded. One misplaced flash drive can discredit an entire prosecution.

c) Interview the environment, not just the suspect
(i) The best information comes from those around the fraud: assistants, peers, and cleaners. Their memory is sharpest within the first 24 hours. After that, fear sets in. Stories change.
(ii) We run anonymous digital surveys using mobile USSD tools for sensitive staff. No app. No trace.

d) Conduct a shadow cashflow audit
(i) We map financial movement from 60 days prior and identify unusual patterns.
(ii) We extract parallel logs from the bank or mobile money aggregator to correlate transactions. Even if devices are wiped, money always leaves clues.

The land registry theft in a not-far-distant land

In August 2023, UGX 920 million was siphoned through a series of false plot entries and manipulated arrears payments. We were called 72 hours after discovery. IT had already “reset” passwords, believing they were helping. But the real loss was not the money. It was the metadata. Login IP addresses, session IDs, and edit timestamps were all gone. With no forensic imaging, we could not attribute actions to individuals. No prosecution. No recovery.

5) Forensic checklist: What smart investigators never miss
(i) First login after fraud is discovered: who accessed the system, and did they alter logs?
(ii) Print logs and edits, especially in procurement or HR systems. Many frauds involve fake deletions.
(iii) Unstructured files: fraudsters often hide data in Excel files, drafts, or email attachments, not the main system.
(iv) USB registry keys: when did the last external device plug into the machine?
(v) Live memory dump from any active suspect computer. RAM holds session keys, passwords, and temporary logs.

Evidence before emotion

At Summit Consulting, our iShield360™ Forensic Response Unit is trained for zero-hour deployment.
We treat every incident like a crime scene: gloves, logs, isolation, and preservation. We move before files disappear, and we secure the story before it becomes fiction.

You do not get a second first 48

The biggest mistake you can make after fraud is thinking you have time. You do not. The fraudster is deleting. Staff are whispering. IT is overwriting. Every moment you delay, the truth fades, and lies take its place. That is why you call Mr Strategy first. Not to find the thief. But to preserve the truth.
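One way to make the imaging and chain-of-custody steps above checkable is to hash each image at acquisition and keep a custody log in which every entry commits to the one before it. The sketch below is an added example, not code from the original article or from the firm it describes; the item IDs, handler names, file name and timestamps are constructed.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value used by the first log entry


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large drive images need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _entry_hash(body):
    # Canonical JSON so the same fields always produce the same hash.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    """Append-only custody log: who handled what, when and where."""

    def __init__(self):
        self.entries = []

    def record(self, item_id, action, handler, location, evidence_sha256, when=None):
        body = {
            "seq": len(self.entries),
            "when": when or datetime.now(timezone.utc).isoformat(),
            "item_id": item_id,
            "action": action,
            "handler": handler,
            "location": location,
            "evidence_sha256": evidence_sha256,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry = dict(body, entry_hash=_entry_hash(body))
        self.entries.append(entry)
        return entry

    def first_broken_entry(self):
        """Index of the first altered or re-ordered entry, or None if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if (entry["prev_hash"] != prev or body["seq"] != i
                    or _entry_hash(body) != entry["entry_hash"]):
                return i
            prev = entry["entry_hash"]
        return None


def image_matches_log(path, log, item_id):
    """True if the image's current hash equals the hash logged at acquisition."""
    acquired = next(e for e in log.entries
                    if e["item_id"] == item_id and e["action"] == "acquired")
    return sha256_file(path) == acquired["evidence_sha256"]


def demo():
    """Run the workflow on a constructed stand-in for a drive image."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "LAPTOP-01.img")
        with open(image, "wb") as fh:
            fh.write(b"constructed sample image bytes" * 1000)
        digest = sha256_file(image)

        log = CustodyLog()
        log.record("LAPTOP-01", "acquired", "Investigator A", "Branch office",
                   digest, "2025-01-01T09:00:00+00:00")
        log.record("LAPTOP-01", "transferred", "Security guard B", "Evidence locker",
                   digest, "2025-01-01T10:30:00+00:00")
        log.record("LAPTOP-01", "received", "Lab analyst C", "Forensics lab",
                   digest, "2025-01-01T15:00:00+00:00")
        intact = log.first_broken_entry()             # None: chain verifies
        image_ok = image_matches_log(image, log, "LAPTOP-01")

        log.entries[1]["handler"] = "Someone else"    # simulate an edited record
        tampered_at = log.first_broken_entry()        # points at the edited entry
        with open(image, "ab") as fh:                 # simulate a modified image
            fh.write(b"x")
        image_after = image_matches_log(image, log, "LAPTOP-01")
        return intact, image_ok, tampered_at, image_after


if __name__ == "__main__":
    print(demo())
```

A hash chain only proves internal consistency; anyone who can rewrite the whole log can recompute it, so the latest entry hash should also be written somewhere the handlers cannot change, such as a signed printout or a message to counsel.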
Think like a hacker: The psychology behind cybercrime
Most people think hackers wear hoodies and speak in code. That’s Hollywood nonsense. Real hackers don’t need to break your firewall. They just need to break you. Cybercrime isn’t technical. It’s psychological. And the best hackers? They’re not IT geniuses. They’re master manipulators.

a) The mindset: It’s not theft, it’s sport
Hackers don’t see what they do as crime. They see it as a challenge. A game. A puzzle.
i) The thrill isn’t in stealing your data; it’s in proving they can.
ii) The target isn’t your firewall; it’s your behaviour.
iii) The reward? Status in the dark web community. Bragging rights. Bitcoin.
To them, your business is not sacred. It’s a test.

b) The tools: Not software, but psychology
i) Hackers exploit cognitive biases. Urgency. Curiosity. Fear.
ii) That “your package is delayed” SMS? That’s your limbic brain reacting before logic kicks in.
iii) That “invoice due today” email? It’s not about the invoice. It’s about creating panic.
They don’t hack machines. They hack humans.

c) The methods: Predictable humans make perfect targets
i) You always log in at 9:04am. You click the first link. You never change passwords.
ii) You’re too busy to double-check sender emails. Too trusting to verify calls.
iii) That’s what they count on.
In 2022, we traced a breach at a law firm in Kampala to a senior partner who opened an email during court recess. It read: “High Court Ruling – Urgent Copy.” He clicked. It downloaded a keylogger. For three weeks, every client instruction was monitored in real time.

d) The motive: Control, not cash
Money is a consequence. The real motive is power.
i) The power to lock your systems.
ii) The power to watch your panic.
iii) The power to demand what they want because they know you’ll pay.

e) Case in point
In 2017, a top executive at an NGO in Entebbe received an email that appeared to be from her board chair. It asked her to urgently wire UGX 450 million to a “consultant.” She didn’t question it; the tone was familiar.
The address was almost identical. But the ‘i’ in the domain was a Turkish character. That one detail cost the organisation their annual programme funds. The hacker never touched their servers. He studied their emails. Their tone. Their habits. That’s social engineering.

f) The defence: Become unpredictable
i) Train your staff to verify before they trust.
ii) Test your systems, and test your people.
iii) Make cybersecurity a culture, not an IT function.

Hackers don’t need to break in. They wait for you to open the door. That’s why cybersecurity begins in the mind, not the machine.
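The look-alike domain in the NGO case is something a mail gateway or a payment-approval check can catch mechanically. The following is an added example, not part of the original article: it decodes punycode labels, folds a small constructed set of look-alike characters to ASCII, and flags sender domains that only imitate a trusted one. The domain `relief-ngo.example` and the addresses are constructed placeholders.

```python
import unicodedata

# Constructed subset of look-alike characters; Unicode's full confusables
# data is far larger. Key = impostor character, value = ASCII letter imitated.
CONFUSABLES = {
    "\u0131": "i",                                 # Latin dotless i (Turkish)
    "\u0456": "i",                                 # Cyrillic i
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic a, e, o
    "\u0440": "p", "\u0441": "c", "\u0445": "x",   # Cyrillic er, es, ha
}

TRUSTED = {"relief-ngo.example"}  # constructed: the organisation's real domain


def to_unicode(domain):
    """Decode any punycode (xn--) labels so the real characters are visible."""
    labels = []
    for label in domain.strip().rstrip(".").split("."):
        if label.lower().startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # leave undecodable labels as they are
        labels.append(label)
    return ".".join(labels)


def skeleton(domain):
    """Reduce a domain to the ASCII string a hurried reader would 'see'."""
    text = unicodedata.normalize("NFKD", to_unicode(domain).casefold())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def classify_sender(address, trusted=TRUSTED):
    """Classify a sender address as trusted, lookalike, non-ascii or unknown."""
    shown = to_unicode(address.rsplit("@", 1)[-1]).casefold()
    odd = [unicodedata.name(ch, "UNKNOWN") for ch in shown if not ch.isascii()]
    result = {"domain": shown, "imitates": None, "odd_chars": odd}
    known = {d.casefold() for d in trusted}
    if shown in known:
        result["verdict"] = "trusted"
        return result
    for good in sorted(known):
        if skeleton(shown) == skeleton(good):
            result.update(verdict="lookalike", imitates=good)
            return result
    result["verdict"] = "non-ascii" if odd else "unknown"
    return result


if __name__ == "__main__":
    # Constructed sender addresses; the second uses a dotless i.
    for sender in ("chair@relief-ngo.example",
                   "chair@rel\u0131ef-ngo.example",
                   "billing@other.example"):
        print(sender, "->", classify_sender(sender))
```

A "lookalike" verdict on a message that requests a payment is a reason to hold it and confirm through a channel other than email.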
Top 10 cybersecurity mistakes small businesses make – and how to fix them
You don’t need a high-tech vault. You just need to stop being sloppy. Most small businesses still think cybercrime is a big company problem. That’s why they’re the softest targets. Not because hackers are smart. But because owners are careless. Here’s what I see every week. And what you must do.

a) No backups. Or backups connected to the same network
(i) When ransomware hits, your backups become useless if they’re on the same network.
(ii) Fix: Keep offline backups. Back up daily. Test weekly.

b) Weak passwords reused across accounts
(i) The receptionist uses “123456” for email, social media, and admin panel.
(ii) Fix: Enforce strong, unique passwords. Use a password manager like Bitwarden or 1Password.

c) No two-factor authentication (2FA)
(i) One password is never enough. Hackers can buy them off the dark web.
(ii) Fix: Turn on 2FA on all critical accounts: email, finance, admin.

d) No cybersecurity training for staff
(i) Most attacks succeed because someone clicked something.
(ii) Fix: Train your staff quarterly. Teach them to spot phishing and fake invoices. Run simulated phishing tests. At Institute of Forensics & ICT Security, we provide affordable training solutions for enterprises. Visit www.forensicsinstitute.org to learn more.

e) Using pirated or outdated software
(i) Hackers exploit old software with known vulnerabilities.
(ii) Fix: Use licensed software. Enable automatic updates. Schedule patch management.

f) No firewall or antivirus monitoring
(i) Installing antivirus and never checking it is like locking a door and leaving the key outside.
(ii) Fix: Get active threat monitoring. At a minimum, use tools like Sophos or ESET.

g) Poor email security settings
(i) Attackers spoof your domain and trick your clients.
(ii) Fix: Set up SPF, DKIM, and DMARC records for your domain. Your hosting provider can help.

h) Shared accounts with admin rights
(i) Everyone uses one account. No logs. No accountability.
(ii) Fix: Give users only the access they need.
Enforce role-based access control.

i) No incident response plan
(i) Something goes wrong and everyone panics. No one knows what to do.
(ii) Fix: Draft a simple cyber incident plan. Include contacts, steps to isolate threats, and recovery plans.

j) Ignoring mobile devices and Wi-Fi networks
(i) Staff connect personal phones to office Wi-Fi. No control.
(ii) Fix: Use guest networks. Secure mobile devices with screen locks, encryption, and remote wipe options.

In 2023 alone, over UGX 12 billion was lost in Uganda due to preventable cyber incidents, most in small businesses. You don’t need a cybersecurity budget of $100,000. You need discipline. Start with backups. Then train your people. That alone stops 80% of attacks.
Ransomware attacks: How one click can cost millions
The incident

On the morning of 3rd March 2024, a mid-sized logistics company based in Mombasa, Kenya went dark. All systems (dispatch, email, finance) froze. A red screen replaced the company’s normal login portal. The message: “Your data is encrypted. Pay $1.5M in Bitcoin within 72 hours or lose it forever.” The firm’s entire fleet coordination collapsed. By day two, port operations flagged the company for delays. By day three, clients began shifting to competitors.

That’s how it starts. Not with fireworks. With one staff member clicking a fake invoice attachment titled “Revised LPO – Urgent”.

You’d think a logistics company would have ironclad cybersecurity. Wrong. Most East African firms treat cybersecurity as an IT matter. But ransomware doesn’t attack systems. It attacks people. And people click.

The IT Manager tried to downplay it. The CEO initially refused to pay. Legal flagged regulatory issues. But the firm couldn’t process a single delivery. By day five, their entire April shipment backlog had been forfeited to rivals. This wasn’t a data loss incident. It was a reputation meltdown.

We were brought in on day six, after one of their clients, also our client, alerted us to the suspicious blackout. Within hours, we were on the ground with our cyber incident response team.

The scheme

i) The attacker used a spear-phishing email with a spoofed supplier domain.
ii) The email contained a malicious macro embedded in a Word document.
iii) Once executed, the ransomware, a LockBit 3.0 variant, propagated via shared folders.
iv) Within 15 minutes, it disabled all backups connected to the network.
v) The attackers used Cobalt Strike to maintain persistence and exfiltrated critical data.

Their vulnerability? Poor email filtering. Shared admin credentials. No offline backups.

The forensic red flags

Our audit picked up several signs missed by internal IT:
i) A login attempt at 2:43am from an IP in Belarus.
ii) Sudden traffic spikes to *.onion domains (Dark Web).
iii) 28GB exfiltrated to an unknown external server via HTTPS.
iv) Disabled antivirus via Group Policy on three machines simultaneously.
v) No endpoint detection or MFA on admin accounts.

The cost

Total losses tallied UGX 9.3 billion. That’s just direct losses: revenue lost, clients cancelled, systems rebuilt. It does not include brand damage or the CEO’s resignation that followed. When you measure in lost trust, the number is far higher.

f) Case in point
In 2010, a young woman from Ntinda walked into our office. She had clicked a link while applying for a bursary online. Her laptop got locked with a pop-up asking for $300. She ignored it. But it didn’t stop there. The ransomware spread to the school’s shared systems, wiping parent records. The school, unaware of the source, fired the bursar. That woman never told anyone it started with her. But her face told the whole story.

g) What this means for you
You don’t need millions to be a target. Just internet. And an employee who’s in a hurry. Cyber-crime is a silent war. No alarms. No patrols. Just a single click. And silence. By the time you know you’ve been hacked, it’s too late. Be proactive. Review your systems. Or wait for the ransom note.
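The red flags listed in this case are all things routine logs can surface before a ransom note does. The sketch below is an added example, not part of the original article: it runs four simple rules over constructed log lines in a made-up `key=value` format, assuming GeoIP enrichment has already added a `country` field. Host names, thresholds, IP addresses (documentation ranges) and the allow-list are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, in time order (not data from the incident).
SAMPLE_LOG = """\
2024-03-02T09:05:00 type=auth user=admin src=198.51.100.20 country=KE result=success
2024-03-02T11:00:00 type=av host=PC-09 state=disabled source=local
2024-03-03T02:43:10 type=auth user=admin src=203.0.113.7 country=BY result=success
2024-03-03T02:50:00 type=av host=PC-01 state=disabled source=gpo
2024-03-03T02:50:05 type=av host=PC-02 state=disabled source=gpo
2024-03-03T02:50:09 type=av host=PC-03 state=disabled source=gpo
2024-03-03T02:55:00 type=dns host=PC-01 query=abcdexample.onion
2024-03-03T03:00:00 type=proxy host=FS-01 dest=192.0.2.50 bytes_out=700000000
2024-03-03T03:10:00 type=proxy host=FS-01 dest=192.0.2.50 bytes_out=700000000
2024-03-03T03:12:00 type=proxy host=PC-04 dest=mail.corp.example bytes_out=5000000000
2024-03-03T08:30:00 type=proxy host=PC-05 dest=192.0.2.77 bytes_out=2048
"""


def parse(line):
    """Turn 'timestamp key=value ...' into a dict with a datetime under 'ts'."""
    stamp, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.fromisoformat(stamp)
    return event


def detect(lines,
           home_countries=frozenset({"KE"}),              # where staff log in from
           known_dests=frozenset({"mail.corp.example"}),  # sanctioned upload targets
           exfil_bytes=1 << 30,                           # 1 GiB per host/destination
           av_hosts=3, av_window=timedelta(minutes=5)):
    """Return alerts, in the order the triggering events appear."""
    alerts = []
    sent = defaultdict(int)   # (host, dest) -> cumulative bytes uploaded
    av_off = []               # (timestamp, host) for each AV-disabled event
    av_alerted = False
    for event in (parse(l) for l in lines if l.strip()):
        kind = event["type"]
        if kind == "auth" and event["result"] == "success":
            off_hours = not 7 <= event["ts"].hour < 19
            if off_hours and event["country"] not in home_countries:
                alerts.append(("offhours_foreign_login", event["user"], event["src"]))
        elif kind == "dns" and event["query"].rstrip(".").endswith(".onion"):
            # .onion names should never reach ordinary DNS; a lookup means
            # some software on the host is trying to reach Tor.
            alerts.append(("onion_lookup", event["host"], event["query"]))
        elif kind == "proxy" and event["dest"] not in known_dests:
            key = (event["host"], event["dest"])
            before = sent[key]
            sent[key] += int(event["bytes_out"])
            if before < exfil_bytes <= sent[key]:   # fire once, on crossing
                alerts.append(("large_upload", event["host"], event["dest"]))
        elif kind == "av" and event["state"] == "disabled":
            av_off.append((event["ts"], event["host"]))
            recent = {h for t, h in av_off if event["ts"] - t <= av_window}
            if len(recent) >= av_hosts and not av_alerted:
                av_alerted = True
                alerts.append(("av_mass_disable", tuple(sorted(recent))))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, the daytime login from Kenya, the single locally disabled antivirus and the large upload to the allow-listed mail host raise nothing; only the four patterns from the case do.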
Fraud investigation report that withstands legal scrutiny
In fraud investigations, perception is not enough. You need precision. If your report cannot stand cross-examination in court or scrutiny by an aggressive opposing counsel, you have wasted time and set your organization up for failure.

Let me show you how to write a fraud report that survives not just audits but adversaries. From the cover letter to the annexes, every line must communicate clarity, integrity, and mastery. No sampling. No opinions. No hearsay. Just facts, plain facts. If you do not have evidence to support it, do not write it down.

Cover letter

Set the tone. Define the facts. Shield the process.

____________________________________

Date: 3rd April 2025

To: The Managing Director
XYZ Microfinance Uganda Ltd
Plot 14, Jinja Road, Kampala

Subject: Submission of Final Fraud Investigation Report – Irregular Loan Disbursements

Dear Sir,

We write to formally submit the final fraud investigation report into irregular loan disbursements within your Credit Department, following your instruction dated 6th February 2025.

This investigation was conducted independently and professionally in line with our mandate. All evidence collected was corroborated using documents, interviews, and digital logs. The report highlights a clear pattern of manipulation of loan records, unauthorized account creations, and internal collusion between Credit Officers X, Y, and B and third-party agents Jane Doe. The total financial exposure identified stands at UGX 178,240,000, as detailed in Section 5.2 of the report.

We confirm that this report is supported by primary evidence annexed herewith and has been prepared to stand the test of legal and forensic scrutiny.

We appreciate the opportunity to support XYZ Microfinance in securing its systems and culture. Please reach out for any clarification or expert witness services during disciplinary or criminal proceedings.
Sincerely,
James XP, CFE, Lead Investigator
Institute of Forensics & ICT Security

The report itself

Precision over persuasion

Title: Final Forensic Fraud Investigation Report
Loan Disbursement Scheme
XYZ Microfinance Uganda Ltd
Report Ref: SUMMIT/FRD/004/2025

1.0 Executive summary
This report presents findings from a fraud investigation commissioned on 6th February 2025. The inquiry focused on anomalies in group loans processed between September 2024 and January 2025 across four branches: Kawempe, Soroti, Mbale, and Lira. Our findings confirm collusion between internal Credit Officers and external agents to fabricate group membership, approve loans without due diligence, and divert disbursed funds. Total exposure is UGX 178,240,000. Disciplinary action and criminal referrals are recommended.

2.0 Mandate and scope

2.1 Terms of reference
We were engaged to investigate:
(i) Irregularities in group loan applications and approvals
(ii) Potential internal collusion with agents
(iii) Financial exposure and control gaps

2.2 Period under review
1st September 2024 to 31st January 2025

2.3 Departments and branches reviewed
Kawempe, Soroti, Mbale, Lira
Credit and Operations departments

3.0 Methodology
(i) Reviewed 132 loan files
(ii) Conducted 17 structured interviews with Credit Officers, branch managers, and clients
(iii) Performed forensic analysis of T24 logs and signature comparisons
(iv) Verified 37 clients physically, including household visits in Soroti and Lira

4.0 Summary of Findings

4.1 False group memberships
(i) 46 group loans were approved for clients with no traceable addresses
(ii) IDs used were photocopied from previous loan files, evidence of document recycling

4.2 Collusion
(i) WhatsApp conversations (annexed) between Credit Officer Isaac W.
and agent “Baba T.” confirm revenue sharing: 30% kickback on each disbursed loan
(ii) Audio recording (dated 14 Jan 2025) where Isaac explains how loan balances were rescheduled to disguise defaults

4.3 Systems override
(i) Credit Committee signatures were cloned from prior meetings
(ii) Disbursements were made outside working hours, in breach of internal policy

5.0 Financial Exposure

5.1 Value of fraudulent loans
(i) A total of 46 group loans
(ii) Average loan per group: UGX 3.88M
(iii) Total exposure: UGX 178,240,000

5.2 Recovery status
Only UGX 23,000,000 recovered to date. The rest is outstanding and likely unrecoverable.

6.0 Conclusion
The fraud was perpetrated through internal collusion, poor supervision, and deliberate circumvention of policy. Management failed to follow up on red flags, especially repeated use of the same guarantors across unrelated groups.

7.0 Recommendations
(i) Immediate disciplinary hearings for identified staff
(ii) Termination and police referral for Isaac W. and Lydia K.
(iii) System audit to plug override loopholes
(iv) Enhanced verification using biometric tools at onboarding

Annexes
A. List of suspicious loans
B. Interview transcripts
C. WhatsApp chat printouts
D. Signature analysis table
E. Client visitation logs
F. Management policies violated

_________________________

If your investigation report is vague, you have just written a rumour. If it is overly technical, you have written it for machines. If it is dramatic, you have written it for newspapers. But if it is factual, clear, defensible, and precise, you have written it for court and justice. That is the report I deliver. Every time.

Unlock your investigative skills and become a reporting pro: Sign up today for our Investigation and Report Writing Course and start making an impact!

The IFIS Team
Copyright IFIS 2025. All rights reserved.
Conducting effective internal investigations and disciplinary hearings
When things go wrong internally (fraud, harassment, data leaks, ghost workers), it is not what happened that destroys your organization. It is how you respond. Most boards and CEOs hesitate, outsource blame, or overcomplicate the process. That is how rot spreads. Here is the practical, unfiltered guide from Institute of Forensics & ICT Security experts on how to conduct internal investigations and disciplinary hearings effectively without losing the plot, which could cost the organization its reputation and more money.

a) The trigger: Know when to act
(i) Every investigation begins with a trigger. A whistleblower email. A financial discrepancy. A complaint of harassment. An exceptional report by the Internal Audit or Analytics team. A system flag of an exceptional event. Do not wait for a perfect storm. The best time to investigate is when your gut tells you, “Something is off.”
(ii) In 2010, a young lady in her mid-20s went directly to the CEO’s office. She was a cashier at a microfinance institution in Mbale. Her supervisor was forcing her to process loan top-ups for ghost clients. Her reports to head office were ignored. She risked everything to blow the whistle. That’s the real trigger. The courage of one. That is how we got involved as case investigators.
(iii) Once a trigger is identified, activate your internal risk committee or a trusted triage team. Never the whole HR or audit department. Small, tight, and skilled wins.

b) Scoping the investigation
(i) Define what you are investigating. Not “Is there fraud,” but “Did person X manipulate loan disbursement records between January and March 2024?” In investigations, clarity of the investigation objectives is key.
(ii) Avoid kitchen sink investigations. Scope creep kills credibility. Focus on facts, not gossip. Hard evidence, not hearsay and opinions. You are investigating to identify who did what, where, when, and how. Better have your facts in order. Remember, there is no draft evidence!
(iii) Create a work plan with milestones: document review, interviews, forensic review, draft report.

c) Evidence gathering: the audit trail is king
(i) Review emails, finance logs, door access records, and CCTV footage if available. In Uganda, where logs are often manual, focus on inconsistencies. Cross-check signatures, approvals, timestamps.
(ii) In one case in Arua, our investigators discovered that fuel vouchers were signed by a staff member who had been on maternity leave. That single signature opened a trail of collusion worth UGX 124 million.
(iii) Interview key suspects last. First, gather all evidence. Interviews are not fishing expeditions. They are confirmations. Better first take their statements. Study their alibi. Collect all supporting evidence. And interview only to connect the dots and determine the consistency of their statements. Investigation is a skill.

d) Conducting the disciplinary hearing
(i) Once evidence is clear, write a report (see next article on this) and prepare for a hearing. Send a formal letter to the accused with clear allegations, hearing date, right to representation, and relevant documents.
(ii) Form a panel with an HR rep, a legal adviser, and a neutral chair. Avoid panels of friends or enemies.
(iii) Hear both sides. Ask open questions. Let the accused respond freely. Maintain a verbatim record. In many cases, the truth slips out in tone, not words.

e) Disposition: conclude with integrity
(i) Decide based on facts, not emotions. Was there a breach of policy? Was it gross misconduct? Was it negligent or malicious?
(ii) Document your decision. Clearly outline reasons. Issue a sanction proportional to the breach: warning, suspension, termination, or referral to police.
(iii) In the Mbale case, the supervisor was terminated and reported to police. The cashier was promoted and became head teller. Protect whistleblowers if you want a culture of truth.
f) Lessons learned: Fix the root
(i) Every investigation must end with a report to management. What control failed? Where was oversight weak? What culture enabled the breach?
(ii) Use findings to fix systems: update procedures, train staff, or even restructure departments. Otherwise, the next investigation will be déjà vu.

An investigation is not about who you punish. It is about what you allow. Start fast. Stay focused. Finish with courage. That is how we build institutions that last.

Unlock your investigative skills and become a reporting pro: Sign up today for our Investigation and Report Writing Course and start making an impact!

The IFIS Team
Copyright IFIS 2025. All rights reserved.
The Art of Investigations – how to uncover the truth like a pro
Dear Executive,

Fraud does not always knock. Sometimes it wears a staff ID and walks in smiling. It is so friendly and helpful. Fraud is always hidden in plain sight. I started my career in a bank, Nile Bank, that was later acquired by Barclays, which became a prize of Absa. You know how competition has been changing the face of banking in Uganda. Today I will share a case that will make you question every approved loan you have ever seen.

The case of the ‘invisible borrowers’

In late 2023, a CEO gave us a call and asked to meet a whistleblower. We arranged to meet at our offices, where the whistleblower walked in with a brown envelope. Inside were photocopies of loan approval forms, schedules, and a curious memo from a branch manager at a mid-tier financial institution in Western Uganda. The claim? Over UGX 1.2 billion had been disbursed to borrowers who do not exist. No drama. No alarms. Just neatly approved loans. Here is what made it brilliant and dangerous.

a) The setup
(i) The fraudster was a seasoned credit officer. She had mastered the system, the process, and the people.
(ii) Using dormant customer profiles (real names but inactive accounts), she started applying for small loans of UGX 5M to UGX 20M.
(iii) Because she had access to the loan origination system, she generated internal approvals, forged signatures, and ensured the documents were “checked out.”
(iv) She created fictitious phone numbers linked to the account numbers she controlled. All follow-ups were handled smoothly.

b) The cash movement
(i) Once loans were disbursed, she redirected the funds to two personal mobile money numbers under relatives’ names.
(ii) From there, the funds were withdrawn in small amounts across different towns (Kyenjojo, Fort Portal, and Kasese) to avoid a pattern.
(iii) The money funded a side business. A retail shop. Ironically, her own family thought she had won a government grant or, in real local terms, “married a Mzungu.” Family members were so proud of her success.
She started being invited to the Church to share success stories and motivate young people on how to start small and grow steadily. Her shop was expanding and she was living a good life. For nearly two years, no one noticed.

c) How the fraud came undone
It was not IT. It was not Risk. It was not even Compliance. Not even Internal Audit. It was a newly transferred branch accountant. He could not reconcile a set of loan repayments: there were over 30 active loans without corresponding cash inflows for 90+ days. He flagged them to his supervisor. The supervisor ignored it. But this man did not stop. He wrote directly to Head Office Audit, attaching a spreadsheet of loans by customer ID, disbursement date, and repayment history. That was when we were called in.

d) The red flags we found
(i) Multiple loans disbursed to customers with no current physical address.
(ii) Similar handwriting on several KYC forms. Most had been filled by the same hand: hers.
(iii) Internal approvals during odd hours, many done past 7 pm, when no managers were on duty.
(iv) Loan repayments were all marked as ‘pending restructure’ or ‘in legal,’ yet no legal files existed.

e) The moment of truth
We staged a quiet confrontation. Having trained as a certified fraud examiner, computer hacking forensic investigator, and accountant, I know that what makes a good investigator is an effective case investigation strategy. To make a good one, start by understanding the facts of the case. We sat down and reviewed the whistleblower reports. Listened to the internal auditor. Reviewed the loan process from start to finish by studying the credit manual. We then did a walk-through of the process, identifying areas of failure. My earlier experience has shown that processes are not applied consistently across all bank branches. In the city, near the head office, process reviews and approval are thorough.
However, upcountry, due to low staffing levels and the pressure to grow the business, people do not focus on controls and reconciliations. After reviewing all the documentation and interacting with other staff, we met the main suspect. We asked her to walk us through a loan application process. She became defensive. Claimed she had too much backlog. Then her phone buzzed: a mobile money alert. It was a UGX 3M deposit. The same number we’d been tracking. That was it. When you have all the evidence and records, it is easy to get someone in the corner. She confessed. Tearfully. Claimed pressure to survive. Blamed poor pay. Total confirmed fraud? UGX 1.26 billion. Only UGX 240 million was recoverable.

f) The real insight
Fraud is not always technical. It is psychological. The best fraudsters exploit routine, not loopholes. They bank on you being too busy, too trusting, or too afraid to question. That is why real investigators must be obsessed with patterns, not personalities. Ask yourself: Are you reviewing loan portfolios with fresh eyes? Are dormant accounts truly dormant? And most importantly, is your system designed for integrity or just compliance?

In investigations, do not wait for red sirens. Follow the silence. That is where fraud lives. The art of uncovering the truth is not about shouting. It is about noticing the thing no one else sees and asking the question no one dares ask. Investigate with discipline. Document everything. And when you find the thread, pull hard.
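The red flags in section (d), along with the dormant profiles and the 90+ days without cash inflows described in the case, can be screened for across a loan book. The Python below is an added example, not code from IFIS or from the investigation; the record fields, the sample loans, and the two-flag triage threshold are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import date, datetime

AFTER_HOURS = 19             # approvals logged at 19:00 or later ("past 7 pm")
NO_INFLOW_DAYS = 90          # active loans with no cash inflow for 90+ days
STALLED = {"pending restructure", "in legal"}

# Constructed sample records; field names are assumptions, not a real schema.
FIELDS = ("loan_id", "officer", "approved_at", "address", "last_inflow",
          "disbursed", "status", "legal_file", "dormant_profile")
LOANS = [dict(zip(FIELDS, row)) for row in (
    ("L-001", "officer_a", datetime(2023, 3, 14, 20, 42), "", None,
     date(2023, 3, 15), "in legal", False, True),
    ("L-002", "officer_b", datetime(2023, 4, 3, 11, 5), "Plot 4, Market St",
     date(2023, 9, 28), date(2023, 4, 4), "active", False, False),
    ("L-003", "officer_a", datetime(2023, 5, 9, 19, 30), "Plot 9, Main Rd",
     date(2023, 6, 1), date(2023, 5, 10), "pending restructure", False, True),
    ("L-004", "officer_b", datetime(2023, 2, 1, 10, 0), "Plot 2, Hill Rd",
     date(2023, 6, 20), date(2023, 2, 2), "in legal", True, False),
)]

def red_flags(loan, as_of):
    """Return the names of the red flags one loan record trips."""
    flags = []
    if not loan["address"].strip():
        flags.append("no_physical_address")
    if loan["approved_at"].hour >= AFTER_HOURS:
        flags.append("after_hours_approval")
    # A loan that was never repaid is aged from its disbursement date.
    last_cash = loan["last_inflow"] or loan["disbursed"]
    if (as_of - last_cash).days >= NO_INFLOW_DAYS:
        flags.append("no_inflow_90d")
    if loan["status"] in STALLED and not loan["legal_file"]:
        flags.append("stalled_without_legal_file")
    if loan["dormant_profile"]:
        flags.append("dormant_profile")
    return flags

def triage(loans, as_of, min_flags=2):
    """Loans tripping at least min_flags flags, most flags first."""
    hits = [(l["loan_id"], red_flags(l, as_of)) for l in loans]
    return sorted((h for h in hits if len(h[1]) >= min_flags),
                  key=lambda h: (-len(h[1]), h[0]))

def flagged_by_officer(loans, as_of, min_flags=2):
    """Count triaged loans per originating officer to surface clustering."""
    ids = {loan_id for loan_id, _ in triage(loans, as_of, min_flags)}
    return Counter(l["officer"] for l in loans if l["loan_id"] in ids)
```

A single flag (such as L-004, which is overdue but has a legal file) is common in any portfolio; several flags on loans that cluster under one officer is the pattern worth a reviewer's time.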