I. Current Status of Role of Internal Audit in Fraud Risk Management

1. As per an RBI report, the Indian banking system detected frauds worth Rs 71,500 Cr in financial year 2018-19. The report also said that the average lag between the date of occurrence of a fraud and its detection by banks was 22 months. Further, in reply to an RTI query, RBI disclosed that in 2019-20, Scheduled Banks and select FIs reported 84,545 fraud cases, involving about Rs 1.85 lac Cr. As per the information available, the bulk of the amounts involved in these frauds came under ‘loan related’ frauds. The fraud in Punjab National Bank involving Mehul Choksi and Nirav Modi will be known to all with an interest in the Indian Financial System.

2. Against this background, the role of Internal Audit in Fraud Risk Management has come under intense scrutiny. In the case of the PNB scam, the Internal Audit executives had to face penal action too.

3. Internal Audit often comes under criticism for not being able to detect frauds during on-site audits, or at least flag the risk of frauds, in branches where instances of fraud eventually come to light. Even in the case of the PNB scam, the concerned branch would have been subjected to a few onsite audits during the period the fraud unfolded, and regular Concurrent Audit would also have been in place. Yet the fraud remained undetected for long. RBI says clearly that the bulk of the amounts involved in frauds relate to loans and that there is considerable delay in detection and reporting. It follows that Credit Audits and periodical Onsite Branch Audits have been unable to detect or deter loan frauds.

4. As regards other frauds related to operational risk and cyber risk, there is no material available in the public domain on the effectiveness of Internal Audit in either detecting or preventing such frauds. Our Banking Advisors opine that, with Internal Audit currently depending mainly on periodical onsite audits, its efficacy in contributing to Fraud Risk Management is limited.

II. Identifying the Factors that Currently Impede Internal Audit From Playing a More Effective Role in Fraud Risk Management.

Impeding Factors Remarks

Limited Coverage of issues in Credit Audit and Periodical Audit of Loans. Also even in this Digital Age, Audit still remains only a ‘Point in Time Exercise’

  • Currently, Credit Audit largely looks at various compliances and documentation issues. There is no in-depth audit of the appraisal, internal rating exercise or checking the credentials of the promoters. In some Banks, Credit Audit is not even under the control of Internal Audit.
  • Other than Credit Audit, loans are audited only during onsite branch audits or Concurrent Audits. In both these audits, the focus seems to be on documentation issues or operational matters like revenue leakage.
  • Our Banking Advisors feel in most Indian Banks, there is a reluctance on the part of Internal Audit to be assertive in the Audit of high value loans.
  • As against this, a leading PSB does loan Origination Audit online very close to origination. Also, high value loans are subjected to continuous off-site audit. The bank’s IA also gets specialised borrower-wise reports from Credit Rating agencies.

Limited scope of Offsite and Concurrent Audit

  • Onsite Concurrent Audit is seen more as regulatory compliance rather than an effective component of IA.
  • Unfortunately Banks still subject only a tiny proportion of branches to Concurrent Audit. With extensive digitisation, banks could easily have opted for digitisation of CA with a much higher coverage in terms of branches and issues covered.
  • Although many Banks have introduced Offsite Transaction Monitoring System, its coverage is patchy and it is far from evolving into a component of Concurrent Audit across all branches, which is its real potential.

Not aligning Audit Checklists to Fraud Risk on a continuous basis.

Banks have a wealth of information on frauds occurring across the Banking system. RBI circulates not only data but also the ‘modus operandi’ followed in the perpetration of frauds in various Banks. This will enable Banks to identify the control breaches that led to such frauds. Strengthening the audit checklist in relation to the controls whose breaches led to frauds will make Internal Audit contribute effectively to ‘Fraud Risk Management’.

III. Way Forward for an Enhanced and More Effective Role for Internal Audit in Fraud Risk Management.

5. Based on the NCS team’s experience in automating Internal Audit and the domain knowledge of our Banking Advisors, we suggest the way forward as follows for an “Enhanced Role of Internal Audit in Fraud Risk Management”

Moving the Loan Review Mechanism (applicable to loans above Rs 5 cr), which is a regulatory prescription, totally online. Increasing the intensity of LRM. In any loan related fraud, the warning signals start from the origination stage itself.

  • We know that SBI has been running an online LRM for over 6 years now. One of our Banking Advisors who was then in SBI, had conceived and implemented the project.
  • Warning signals in loans which turn out to be frauds are often discernible at the loan origination stage itself.
  • Internal Audit has to be given the tools available for verification of credentials of customer, financial data of similar units, industry profiles etc. All such data points are available from various sources.
  • As it is an existing compliance requirement, what a Bank will be doing is realigning LRM to suit today’s needs. In fact, going online will reduce costs.

Off-site Audit of Post Sanction of High Value Loans

  • RBI has often commented adversely on quality of Post Sanction Monitoring of Loans in Banks.
  • An Off-site Audit model for Post Sanction will definitely put the necessary pressure on operations to improve in this critical area.
  • It is generally accepted that weak Post Sanction encourages fraudsters and also frauds remain undetected for long.
  • Off-site Audit of Post Sanction is also the best industry practice.

Upgrading OTMS

  • Information on frauds within the Bank and on frauds reported in other banks will identify the controls in which breaches have to be eliminated.
  • Designing OTMS alerts for these controls will help the Bank track compliance, which by itself will improve compliance.
  • OTMS data will also help collaborate with Risk and Operations to strengthen critical controls to mitigate fraud risk.

“We are illustrating this with an example. Frauds relating to fraudulent ‘Warehouse receipts for Agri products’ have happened in Banks in many States. The usual modus operandi is for a fraudster in a rural/semi-urban centre to get fake warehouse receipts issued in connivance with warehouse owners/authorities without actually putting any produce inside. Branch Managers fall prey as they see an opportunity for bulk business. Also, normally such loans are safe if all the controls are adhered to. The critical control breach which takes place is not verifying that the borrower tendering the warehouse receipt actually has the landholding required for growing the produce he is warehousing. Such documents are available with all genuine farmers. Having an OTMS alert for new warehouse receipt loans for checking borrower capacity will help mitigate the fraud risk.”

Aligning Audit Check Lists to Fraud Risk

  • As a one-time measure, IA can review the various audit checklists and make changes/enhancements to cover the controls whose breach could have contributed to the frauds being perpetrated (a list of current frauds in the Bank and in other Banks needs to be made).
  • Any breach of these controls needs to be tracked regularly. The regular branch audits in, say, a month provide a convenient sample from which to form a conclusion on the effectiveness of the control across the Bank. If the control breaches are significant, warning signals are to be conveyed to Operations & Risk Management.

Root Cause Analysis of New Frauds.

Whenever any new fraud is reported in the Bank or in the Banking system, IA can take up a root cause analysis (small value frauds due to human error can be excluded) to identify the control breaches which contributed to the fraud. Wherever needed, the audit checklist can be modified/enhanced so that such breaches are identified by IA.

As cyber frauds are on the rise, the scope of Internal Audit of IT needs considerable enhancement.

A dashboard can be constructed to keep the Top Management informed about the findings/developments relating to the above points.

