It happened quietly, and that is how most frauds begin in Uganda; not with alarms, but with silence.
On a Tuesday evening in late August, long after the office had emptied and boda bodas thinned on the road, a junior accountant stayed behind at a mid-sized institution on the outskirts of Kampala. The reason sounded noble: month-end reconciliations. The reality was darker.
By the time the security guard locked the gate, UGX 1.48 billion had already begun its journey out of the organization. No gun, no hacking, no drama, just a series of approvals that looked routine, numbers that felt familiar, and people who trusted each other a little too much.
This was not a failure of intelligence. It was a failure of discipline. I know this pattern well. I have walked into too many boardrooms where leaders say, “We trusted our people,” as if trust were a control. It is not. Trust is a sentiment. Controls are systems.
The internal conflict that opened the door
Every serious fraud starts with tension, not greed.
Suspect 1 was competent, respected, and exhausted. A mid-career professional, sharp suit, soft-spoken, known for “saving the day” during audits. But for two years, his promotion had stalled. New managers arrived. Younger. Louder. Less experienced.
Suspect 2 was different. Charismatic. A fixer. He knew everyone, from mobile money agents to suppliers to the cashier at the bank branch. He thrived in the informal spaces where rules bend.
Their conflict was not personal. It was structural. The organisation had grown, but its controls had not. Roles overlapped. Segregation of duties existed on paper, not in practice—management prized speed over process. “Just make it work” had become the unofficial strategy. That is where fraud feeds.
How the scheme was engineered
This was not sophisticated. That is what makes it dangerous. The scheme had three moving parts.
First, dormant supplier accounts. Over the years, dozens of suppliers had been onboarded for projects that no longer existed. Their profiles were never deactivated. Bank details sat quietly in the system, untouched but alive.
Second, manual overrides. The finance system allowed senior staff to bypass certain approval thresholds “temporarily.” Temporary, in Uganda, often means forever.
Third, mobile money as the bridge. Instead of moving funds directly to personal accounts, which would raise flags, money was routed through supplier accounts, then broken down into smaller mobile money transfers; UGX 20 million here, UGX 15 million there. Familiar amounts. Normal-looking flows.
Suspect 1 processed the entries. Suspect 2 handled the distribution. A third, never formally identified, provided cover by delaying reconciliations.
No single transaction looked suspicious. That is the genius of bad systems.
The money trail no one wanted to follow
When Summit Consulting Ltd was called in, the brief was simple: “Just help us confirm the numbers.” That sentence always worries me. We started where most internal teams avoid: timing. Not amounts. Timing.
Why were supplier payments peaking on Fridays? Why did mobile money transfers spike between 6:30 pm and 8:00 pm? Why are reconciliations always postponed to “next week”?
We mapped three months of transactions against staff attendance, system logs, and mobile money statements. Patterns emerged quickly.
Supplier A received UGX 320 million over six weeks, for services last rendered three years ago. Supplier B’s bank account showed immediate cash withdrawals, followed by mobile money deposits to numbers registered under different names but sharing the same national ID photo. This is Uganda. Paper lies. Patterns don’t.
The red flags the auditor finally trusted
The turning point came from an auditor who almost ignored his instinct. He noticed something small: rounding. Payments consistently ended in double zeros. Real operational payments are messy. They include odd figures, fuel adjustments, tax differences, and decimals. Fraud likes clean numbers.
Then came the lifestyle lag. No flashy cars. No mansions. Instead, school fees paid in cash. Loans settled early. Quiet generosity. Fraudsters in Uganda often hide by being modest.
Most importantly, there was fear. Staff avoided certain questions. Files went missing, meetings were postponed, silence thickened, and fear is the loudest red flag.
How internal controls were bypassed
Let us be clear. The controls did not fail. They were never real. Segregation of duties existed, but the same people covered for each other during “busy periods.” User access reviews were performed annually, long after damage was done. The board received dashboards, not discomfort.
No one asked the most important question: “Show me how this could be abused.” I say this from experience. Boards prefer assurance. Fraud thrives on reassurance.
The moment the case cracked
The case broke not through technology, but through conversation. A junior staff member, quiet and observant, mentioned casually that Suspect 2 always knew when funds would hit certain accounts, even before system notifications went out. That is insider knowledge. That is coordination.
We cross-checked call logs against transaction timestamps. Correlation was near-perfect. At that point, the numbers no longer argued. They confessed.
The cost, counted honestly
The total loss stood at UGX 1,482,600,000. Recoverable? Partially. Some funds had been converted to cash. Some invested informally. Some gone.
But the real loss was trust between staff, management, and the board. And trust, once broken, costs more to rebuild than any balance sheet can show.
What leaders must confront?
Fraud is rarely about bad people. It is about lazy systems, unclear accountability, and leaders who confuse activity with control.
If your best defence is “we trust our people,” you are already exposed. If reconciliations can wait, so can fraud detection.
If no one is uncomfortable in your boardroom, someone is comfortable stealing.
I have carried coffins in Munteme village. I have watched savings groups collapse because no one wanted to ask hard questions. The lesson is the same at every level: darkness is not evil. It is merely unattended.
Fraud does not announce itself. It waits for permission. And permission is often silent.
