The issue was not the missing money, which came later. The real issue was a sentence repeated quietly by a trusted staff member in a medium-sized Ugandan organisation: “After all I have done for this place, this small facilitation is not theft.” That sentence was the crime scene before the crime scene.
By the time Summit Consulting was called in, the organisation had already lost money through irregular payments, inflated supplier invoices, split procurements, cash advances that never retired properly, and mobile money transactions disguised as field facilitation. On paper, everything looked normal, the vouchers had signatures, suppliers existed. The approvals appeared complete. The finance files were neat enough to impress a casual reviewer. But fraud does not always enter the building wearing a mask.
Sometimes it enters wearing loyalty, long service, family pressure, delayed promotion, unpaid allowances, and the dangerous belief that management also eats. That is rationalization, the inner lawyer that defends a wrong action before the first shilling is taken.
In this case, the main actor was Suspect 1, a calm middle-aged officer with a tired face, an old laptop, and the confidence of someone who knew the organisation’s weak points better than the policy manual. Suspect 2 was a field supervisor, energetic, always moving, always on calls, the kind of person people trusted because he looked busy. Suspect 3 was a supplier representative, soft-spoken, patient, and unusually available whenever urgent paperwork was needed. The scheme was simple because most successful frauds are simple.
Suspect 2 would initiate field activity requests for work that was partly genuine, partly exaggerated, and sometimes entirely recycled from previous assignments. Suspect 1 would process the payments using familiar descriptions such as transport refund, urgent community mobilisation, emergency supplies, field meals, airtime facilitation, and temporary labour support. These descriptions were not dramatic. That was the genius of it. Nobody steals loudly when the system rewards quiet paperwork.
Money moved in small amounts first, UGX 450,000 here, UGX 780,000 there, UGX 1.2 million for field facilitation, UGX 2.4 million for supplier support. Some funds went through mobile money numbers registered in names that looked unrelated to staff, but the investigation later showed links through family members, former casual workers, and contacts saved in phones under innocent labels. Some money was withdrawn in cash and shared. Some was paid to Suspect 3’s small supply business, which issued invoices for items delivered in lower quantities than stated. Some transactions were reversed in practice but not in records, meaning the field activity closed administratively while value leaked quietly.
The fraud was noticed not because the controls were strong, but because one auditor refused to accept a beautiful file as proof of reality. That is a lesson many leaders must hear. A complete file is not the same as a true transaction.
The auditor noticed four things.
- the same wording appeared repeatedly across different payment requests, as if several activities had been copied from one old template and only dates and amounts changed.
- field activities seemed to attract similar costs even when the locations, number of participants, and duration differed.
- some mobile money numbers kept appearing around different activities, not as official beneficiaries, but as informal recipients of facilitation.
- supplier invoices had the same formatting errors, the same spelling habits, and the same rushed signatures, even though they were supposedly from different business days.
That is how fraud begins to cough, not loudly, just enough for a trained ear to hear. When Summit Consulting entered, we did not start by accusing people. That is amateur work. We started by rebuilding the transaction story. Every payment was treated like a witness, every voucher had to explain itself, every mobile money number had to find its owner, every supplier invoice had to meet delivery evidence, and every approval had to be matched against authority, budget, activity reports, and actual field confirmation.
The breakthrough came when the team compared activity dates with vehicle movement records, staff attendance, mobile money withdrawals, and supplier delivery notes. One activity claimed to have taken place in a field location, yet the vehicle assigned to that work was recorded elsewhere. Another payment claimed support for community mobilisation, yet the listed participants could not confirm attendance. A third transaction showed supplier delivery of materials, yet the store records carried no matching goods received note.
The file was speaking in fragments, so the investigator’s work is to make fragments testify. In interviews, Suspect 1 did not begin with denial. He began with justification. He spoke about years of service, poor pay, pressure from home, unfair promotions, and how senior people wasted more money through bad decisions. Suspect 2 said field work was difficult and sometimes required flexibility. Suspect 3 said he only supplied what he was asked to supply and assumed internal people had obtained the right approvals.
That is the anatomy of rationalization. The fraudster does not always say, I stole. He instead says, I compensated myself, I was only borrowing, the organisation owed me, everyone does it. They say, no one was hurt, but the organisation is always hurt, trust is hurt, cash flow is hurt, staff morale is hurt, strategy is hurt, and the board is hurt because it made decisions based on numbers that were quietly bleeding underneath.
In law, motive does not clean dirty hands. A person may have pressure, frustration, family obligations, or resentment, but those circumstances do not convert unauthorised benefit into lawful entitlement. A hungry man may explain why he entered the garden, but the court will still ask who owned the cassava, who harvested it, who carried it away, and whether permission existed. That is why evidence matters.
The investigation closed the matter by showing the pattern, not just the isolated transactions. One payment could be explained away, two could be coincidence, ten with the same behaviour became a scheme the team prepared a loss schedule, linked payments to beneficiaries, identified control failures, preserved the supporting records, documented interview explanations, and separated confirmed loss from suspected exposure.
The confirmed loss stood at UGX 186.7 million. The larger lesson was more expensive. The organisation had treated fraud as a finance problem, yet the fraud succeeded because operations initiated weak requests, procurement failed to verify suppliers properly, finance processed familiar paperwork without enough challenge, supervisors approved based on trust, and management tolerated informal shortcuts because work appeared to be getting done.
Controls were bypassed through familiarity, approvals became rituals, mobile money became a blind spot. Supplier due diligence became a formality. Activity reports became storytelling documents. That is why rationalization is so dangerous. It does not fight the control environment from outside but slowly teaches good people to negotiate with wrong behaviour from inside.
This is where risk culture training becomes non-negotiable. Staff must learn that fraud does not start when money disappears but when people begin explaining why rules should not apply to them today. Managers must learn that urgency is not a control, trust is not evidence, a signature is not assurance, a clean file is not truth, and a policy that is not lived becomes decoration for auditors and comfort for boards. And this is where platforms like MelaGRC become powerful, not because software replaces judgement, but MelaGRC makes risk visible, assigns ownership, tracks incidents, links controls to responsible officers, follows action plans, escalates overdue issues, and creates one source of truth across departments. It democratizes risk management by removing risk from the office of one person and placing it into the daily hands of process owners, supervisors, executives, auditors, and the board.
In the old world, risk sat in a department while in the future-ready organisation, risk sits in every decision. MelaGRC helps leaders see what is moving before it becomes a scandal. It helps a procurement weakness speak to finance, an audit finding speak to management, an incident speak to the board, and a small exception become visible before it matures into a major loss. That is the shift.
Fraud prevention is not merely about catching thieves, it is about removing the stories people tell themselves before they become comfortable crossing the line. Rationalization is the hidden driver of fraud because it gives wrongdoing a clean shirt, polished shoes, and respectable language. The best leaders do not wait for the confession, they listen for the justification.
