Recently, we finished investigating and resolving a meaningful case of staff fraud in Uganda, and are sharing the results and lessons publicly. As in previous cases, we want to set a norm that charities report this stuff. Fraud is a fact of life in any charitable work and needs to be discussed openly, not kept secret. In this particular case, we conservatively size the fraud at less than 0.5% of funds transferred, but we also gained some valuable insights.
First the facts. Fraud occurred primarily through staff enrolling ineligible households with the expectation of receiving part of their transfers. We were tipped off to this behavior both by whistleblowers and by our internal audit team. We then conducted a multi-month investigation, triangulating between data analyses, internal audit field work, and direct conversations with staff. We ultimately dismissed the employees involved, including those in management positions who were aware of the situation but failed to escalate it.
The fraud we found did not exploit any single vulnerability in our processes but instead required multiple, concurrent failures. Our focus is therefore on incrementally strengthening each check rather than redesigning the overall process. Specific changes we have made include:
- Operations: enforcing stricter independence between enrollment teams; reexamining household-level targeting
- Technology: built automated dashboards running field data checks to expose suspicious patterns
- Culture: instituted recurring reviews of our whistleblower policies; added more explicit field staff pledges, including an honor code, a commitment to survey device accountability, and a conflict of interest declaration
- Management: created a security committee composed of our Chief Operating Officer, Chief Financial Officer, and Chief Technology Officer to examine and manage risks across every facet of the organization