The problem here is that internal auditors are good at accounts, but they are not trained to track foreign exchange transactions
Illustration: Dominic Xavier/Rediff.com
Auditors are facing questions over how the fraud at Punjab National Bank (PNB) went on for six years and how they failed to detect it.
The process seems foolproof. A branch such as Mumbai’s Brady House, which is a corporate-focused one, is headed by a branch manager who holds the rank of an assistant general manager.
In such branches, a senior executive is designated as ‘concurrent auditor’, who tracks all the transactions of the branch and at the end of the day generates an audit report.
This report can be opened only by the branch manager in a specified room.
Both the concurrent auditor and the manager sign the report and then it goes to the head office.
The auditor reports directly to the head office and nobody can manipulate the auditor’s work.
“It is quite surprising that a few people, including one clerk, could continue issuing LoUs (letters of undertaking) of vast amounts without any checks and balances,” said a banker.
However, there is a catch. If the transaction is not done using the bank’s core banking system (CBS), the concurrent auditor has a slim chance of catching any discrepancy unless he is industrious enough to scrutinise every aspect of the operations daily.
“One person cannot do it. If the transaction has not been done using the CBS, the auditor cannot catch any discrepancy,” said a senior public sector banker.
Usually, these concurrent auditors do not have an easy relationship with bank employees, from the head office to branch level, some senior bankers said.
“Usually these people are on the verge of retirement or have been given the assignment as a punishment posting.
“Their job is essentially to sign vouchers. If a system-generated voucher does not come to them, they are least bothered,” said the retired chairman of a large public sector bank (PSB).
There is another set of auditors called internal auditors.
Ideally, they should have caught the fraud.
Even if a SWIFT (Society for Worldwide Interbank Financial Telecommunication) system sits outside the CBS, it does leave a trail and is eventually linked with the CBS through the nostro account overseas.
Any audit of a foreign branch should have easily picked up the amount left hanging.
However, the issue again is lack of training and interest.
These are bank employees who join the audit department from other centres on deputation for around three years.
Depending upon the size of the branch, an internal audit is conducted once or a couple of times a year.
The problem here is that internal auditors are good at accounts, but are not trained to track foreign exchange transactions.
Since the number of treasury and foreign exchange specialists in PSBs is small, they are on the same job for years on end though the practice is to shift positions every three years.
Due to lack of skills, internal auditors are solely dependent on these specialists.
Bankers said if the specialist wanted to fudge something, chances of him being caught were slim.
There is another kind of audit called statutory audit. This is done by outside auditors who are highly trained and specialised.
However, they do not necessarily visit branches but rely on internal audit reports to collate branch-based data.
Finally come the auditors of the Reserve Bank of India. Their job is mainly in the head office.
This auditing was for risk-based supervision and not necessarily for the daily operations of a bank, said a person familiar with the process.
However, the recent scam pointed to a wider collusion than the initial numbers put out by PNB suggest, experts said.
When a guarantee is generated by a bank, the beneficiary bank sometimes wants to verify with the issuer bank if the payment has to be made.
This is not always done, but when there are hundreds of such guarantees, there should be some verification.
The SWIFT system is not integrated with the CBS of banks, but sits outside as a separate unit, according to bankers.
Because of the two-way communication, it is quite difficult to commit a fraud involving SWIFT.
The verification call would come to the zonal office of the bank and not to the branch where it had originated, said bankers.
In that case, there is no chance that the employee who generates the guarantee can access it.
“If the bank wanted to crack the fraud, it could have done it. But there are unanswered questions that would be clarified only after a full investigation,” said one of the executives.