The issue was not that money disappeared because money rarely disappears. It is moved by a person, through a system, under a control that looked alive but was already dead.
In this case, a trusted accounts assistant in a Jinja-based organisation had been with the company long enough to know everyone’s habits. She knew which manager approved without reading attachments, which supplier shouted when payment delayed, which IT officer reset passwords casually, which auditor preferred neat schedules, and which board member only asked questions after the loss had already found its way into the accounts.
She was not the person people suspected, that is why she was useful to the fraud.
The scheme began small, not with greed but with pressure; school fees, sick parent, a mobile money loan app sending those cold reminders that make honest people feel like criminals before they have stolen anything. She borrowed UGX 300,000 from petty cash and repaid it before the end of the month, and no one noticed. That was the first control failure. Not the borrowing but the silence of the system. A weak control does not tempt only thieves, but it educates honest people badly.
The next time, she delayed banking a customer cash receipt by one day. Then she used a supplier refund to cover the gap. She discovered that the company’s accounting system allowed her to prepare payment schedules, attach invoices, and forward them to the finance manager for approval without anyone independently confirming supplier bank details from the master file. The policy said segregation of duties existed but the system said otherwise.
This is where most practitioners get fraud wrong. They look for a villain when they should first look for a path. Fraud is rarely a dramatic jump from honesty to theft. It is often a staircase. Each step feels survivable and explained internally. “I will reverse it.” “I deserve this.” “They waste more money than this.” “I am only borrowing.” “No one is hurt.” That is rationalisation, it is not a theory in a textbook. It is the private language of a person negotiating with their conscience. By the time the loss became visible, the employee had become expensive.
The organisation had an ERP system, online banking, email approvals, mobile money payments for field refunds, and a shared finance folder where payment schedules were saved in Excel. It looked modern but modern tools do not create modern controls. Technology only records the quality of the discipline around it.
The accounts assistant created three practical channels of leakage. She inserted small duplicate supplier payments below the review threshold, changed mobile money beneficiary numbers in field refund schedules after departmental approval but before upload. She also created a comfort supplier, not a fully fake company, but a real small vendor willing to receive payments, withdraw cash, and retain a commission. That is the common fraud trick in Uganda. The company may be real, the invoice may be real-looking, the delivery note may carry a stamp, but the transaction is fiction wearing business shoes.
The money moved quietly, UGX 1,200,000 here, UGX 2,800,000 there. A field facilitation refund to a phone number registered under a cousin, a duplicate payment split across two weeks, a supplier refund posted against an old credit note, and a cash withdrawal described as urgent operational support. Nothing looked dramatic enough to stop a busy manager.
That is how fraud survives, it stays below the emotional threshold of leadership.
The first red flag came from boredom. A junior internal auditor was reconciling supplier payments and noticed that one vendor’s invoice references had a rhythm, same invoice style, same bank branch, similar amounts, similar narration, but different dates. He then checked the payment approval emails and found that the attachments in the email trail did not always match the final schedules uploaded to the bank portal. That small mismatch opened the door.
The investigation did not begin with interviews, that would have been an amateur way of doing things. The team first preserved the evidence, the accounting system audit logs, payment schedules in native format, supplier master file change history, bank portal approval logs, email headers, mobile money schedules, user access rights, CCTV near the finance desk, and the laptop used to prepare the schedules. Under Uganda’s Computer Misuse Act framework, electronic records require proof of authenticity, and the person introducing them carries the burden of showing that the record is what they claim it to be. That is where a decorative legal point decides whether your beautiful investigation survives challenge.
A 2025 Supreme Court decision in Uganda involving fraud and embezzlement around a mobile money system showed why technical trails matter. The court record highlights attribution through system usernames, IP and login trails, and authentication of electronic records under the Computer Misuse Act. The lesson for investigators is blunt, do not arrive in court with screenshots when the system can give you logs.
The forensic review found that the employee’s user account prepared the payment schedules, but that alone was not enough. Usernames are not people. Passwords are often shared in lazy offices. The team needed pattern, access, motive, benefit and corroboration. They pulled login times, device names, file creation dates, modification history, email routing data, bank upload records and mobile money beneficiary changes. They compared approved schedules with uploaded schedules. They found that changes were made after approval but before payment release. They also found that the altered files were saved from the same workstation during periods when the employee was logged into the accounting system and visible on CCTV at the finance desk.
The phone evidence mattered. The employee had deleted WhatsApp chats with the comfort supplier, but deletion is not magic. The investigators preserved the phone state before internal curiosity destroyed it. They recovered message fragments, call patterns, payment confirmations and contact aliases. They did not treat the phone as a private inconvenience but as a computer with a battery and a bad attitude.
The legal line had to be managed carefully. Investigators are not licensed to rummage through people’s private lives because they are angry. Uganda’s data protection regime regulates the collection and processing of personal data, and investigation teams must keep collection lawful, necessary and proportionate. That means collect what is relevant to the allegation, protect unrelated private material, document access, and involve counsel early where privilege, employment procedure or criminal referral may arise.
The closure came through a confrontation interview after the documents had already spoken. The interview was not a fishing trip, it was a controlled walk-through evidence. The investigator began with role clarity, then supplier setup, schedule preparation, approval flow, file modification, beneficiary changes, mobile money cash-outs, and then communications with the vendor. The employee first denied and then she blamed system errors, shared passwords, and pressure. Then she admitted the first “borrowing.” That admission mattered, but it was not the case. The case was the evidence trail.
The total confirmed loss was UGX 47.6 million, with suspected exposure of UGX 68.4 million pending recovery from the supplier channel and related mobile money recipients. The organisation had not been defeated by a criminal genius, it had been defeated by small permissions, shared passwords, weak supplier verification, no maker-checker discipline on final upload files, no independent review of supplier changes, no exception report for duplicate payments, no reconciliation between approved schedules and paid schedules, no alert when beneficiary numbers changed after approval.
The honest employee became expensive because the organisation confused trust with control. Trust is not a control but a leadership value. Controls are how serious leaders protect honest people from pressure, protect money from opportunity, and protect the organisation from explanations that arrive after the cash has gone.
The future-ready fraud team must now think like a lawyer, an investigator and a technologist at the same time. Preserve before probing, get native files before screenshots, logs before opinions, metadata before memory changes, the full payment journey, not the final voucher, and never forget this, the first compromise is usually small because the fraudster is still learning whether the organisation is awake.
In many cases, the thief does not break the door, the organisation leaves it open, oils the hinges, and later acts shocked that someone walked through.
Copyright Institute of Forensics & ICT Security, 2026. All rights reserved.


