With the world witnessing numerous banking scams and corporate failures, a shake-up and meaningful reform of auditors’ role and responsibilities is definitely on the cards. Auditors can no longer seek refuge in the 19th century statement by Justice Lopes that “he is a watchdog not bloodhound”. In fact, this single statement has done much disservice to an otherwise very important aspect of financial management called auditing. It has created confusion about their role. The role of auditors in general, and of internal auditors in particular, has descended from one of ‘watchdogs’ to ‘secret keepers’ to ‘nobody’.
During investigations into one of the biggest bank scams of the country called the PNB Bank Fraud, it was pointed out that the transactions were off-books and so internal auditors were not in a position to detect them. “None of the transactions were routed through the CBS system, thus avoiding early detection of fraudulent activity.” To add to the difficulties of the auditors, the scam happened in collusion with certain employees and it pertained to fraudulent transactions with respect to one client.
Does this mean that auditors, particularly the in-house auditors, are under no obligation to detect fraud or are in no position to red-flag suspected deviations? In the PNB case, successive Financial Stability Reports (FSRs) issued by the Reserve Bank of India (RBI) were available. In the case of IL&FS mismanagement, there were whistleblower complaints and RBI inspection reports. What hindered the red-flagging then?
The Indian Banking system has, theoretically, a very well defined structure of audit in place to safeguard against possible irregularities, scams and frauds.
Four layers of Auditing
Firstly, Concurrent Auditors: In banks with branches having corporate exposures, a senior official is designated as ‘concurrent auditor’, who is supposed to track all the transactions of the branch on a real-time basis. The audit report generated is signed by the concurrent auditor and the manager and then goes to the head office. The auditor is supposed to report directly to the head office.
Secondly, Internal Auditors: There is another set of auditors called internal auditors. Depending upon the size of the branch, an internal audit is conducted once, or a couple of times, in a year.
Thirdly, Statutory Auditors: There is another kind of audit called statutory audit. This is done by outside auditors who are highly trained and specialised. However, they do rely on internal audit reports to collate the branch-based data.
Finally, the auditors of the Reserve Bank of India, mainly in the head office. This auditing is for risk-based supervision and is not mandated to look into the day-to-day operations of the banks.
In order to understand the role of internal and external auditors, one must look at how the scam unfolded and what system is in place in the banking sector.
How the PNB scam unfolded
An employee of the bank allegedly issued a series of fraudulent Letters of Undertaking [LoUs] to other banks so that they would provide loans to a group of Indian jewellery firms.
These letters were sent to overseas branches of banks, mostly Indian, which would then lend money to the jewellery firms.
For this, the employee used the bank’s SWIFT system, logging in with passwords to serve both as the person who sent messages and as the person who reviewed them for approval.
After the transactions were entered on SWIFT, they were to be recorded in the bank’s internal system [CBS]. The bank’s internal software system was not linked with SWIFT, and hence employees were expected to manually log SWIFT activity. If that was not done, the transactions did not show up on the bank’s ledgers.
What is the system that is in place in banks?
A borrower approaches a foreign bank (or an overseas branch of an Indian bank) to avail buyer’s credit for payment to be made to the foreign supplier.
The Letter of Credit/Undertaking [LoU] is issued by the Indian bank to the foreign bank through a SWIFT message.
The foreign bank remits funds to the NOSTRO Account of the Indian bank, backed by the LoU.
The Indian bank remits the funds to the foreign supplier through its NOSTRO account. On the due date, the Indian bank remits the funds (inclusive of interest) to the overseas bank and recovers the similar amount from its customer.
The entries of inward and outward remittances have to be recorded in the books of the Indian bank (a NOSTRO mirror account).
With a computerised system and the audit checks stated above in place, can one employee’s complicity be enough to overawe the four-layer audit mechanism? The following questions come to mind as regards audit:
1. Accepted that fraudulent SWIFT entries were not recorded in CBS, they do leave a trace and eventually get linked up with the CBS through the nostro account overseas. But how did entries recorded in the NOSTRO account of PNB remain unreconciled for years?
2. Did even the entries of remittances recorded in the books of the Indian bank (Nostro Mirror account) not catch anyone’s attention?
3. How did the concurrent auditor, who conducts real-time audit, fail to check surpluses in Nostro accounts?
4. How did Nostro account surpluses invested in the money market, leading to an increase in the treasury income of PNB, go unnoticed?
5. Were funds remitted by Indian banks overseas into the Nostro account of PNB not integrated with CBS?
6. Were the fees earned on LoUs not credited in any accounts?
In the auditors’ defence:
Auditors usually evaluate financial statements; audit evaluation and testing are predictable, and employees are often aware of the scope of the audit. Only random samples, and not all transactions, are test-checked. With time and budget constraints and heavy dependence on internal management, fraudsters often get the better of auditors.
What needs to change now to revamp the audit mechanism and especially strengthen the internal audit set-up?
The “one size fits all” remedy of promoting the use of data analytics technology in the audit process to detect outlier transactions is now well known. But the biggest takeaway from the scam is the need to take a step back and think about how one of the main pillars of supervision, internal audit, can be strengthened.
1. (A) GIVE A FACE-LIFT TO INTERNAL AUDITORS, THE FIRST LINE OF DEFENCE AGAINST ANY FRAUD - Broadly, frauds involve financial misreporting, often with the connivance of senior management, and misappropriation of funds, which can be done by employees even at lower levels. More than external/statutory auditors, it is the internal auditors who are aware of the ground realities. Internal auditing needs to be taken seriously. In the case of banks, the internal/concurrent auditors should not be men/women on the verge of retirement or on deputation from other centres. Rather, they should be well-trained and have an interest in audit. Any foreign branch audit would have detected the PNB embezzlement. Internal auditors are good at accounts, but are they trained to track foreign exchange transactions?
(B) INCENTIVES TO INTERNAL AUDITORS - Incentivisation of internal auditors may increase efficiency. If needed, employees must be encouraged to take postings in audit divisions by offering certain incentives by way of special pay, rewards for detecting aberrations etc.
(C) FOLLOWING RBI GUIDELINES IN LETTER & SPIRIT - In its guidance note, RBI talks of risk-based internal audit, which will include, in addition to selective transaction testing, an evaluation of the risk management systems and control procedures prevailing in various areas of a bank’s operations. The implementation of risk-based internal audit would mean that greater emphasis is placed on the internal auditor’s role in mitigating risks.
2. AUDIT IS ALL ABOUT ASKING QUESTIONS AND SHEDDING PRE-CONCEIVED NOTIONS - Auditing has to be done with a questioning mind and without the pre-conceived notion that all clients are honest. SAS No. 99 requires “brainstorming”, which is a new concept in auditing procedure, to be done with the same amount of due care as any other audit procedure. Pose questions to employees, such as: If you were the Accountant for the entity, how could you embezzle funds and not get caught? If you are in the senior management, how might you dress up the balance sheet to impress investors?
3. AUDITORS MUST ADOPT 360 DEGREE APPROACH - It’s true that auditors need to have a thorough understanding of the business needs and related risks of the clients. Right now, auditors rely mostly on what the management says. But auditors could use the information available publicly, whether it is government data or information from social media, etc., to validate some of the information given by the entity.
4. PASSING THE BUCK-Importantly, one must fight the urge to blame someone or create an additional regulator.
“All change is preceded by crisis.” Well, crisis or no crisis, the auditor is definitely standing at a crossroads, with increasing attention on the auditor’s role in organizations where major frauds are detected. The watchdog needs to wake up, quick and fast, otherwise he may be subjected to blood-hounding by others. In this, the internal auditors need to play the role of truth tellers and not get submerged in organisational politics.
Letter of undertaking (LoU) is a form of bank guarantee under which a bank can allow its customer to raise money from another Indian bank’s foreign branch in the form of a short term credit.
SWIFT [Society for Worldwide Interbank Financial Telecommunications] is a messaging network that financial institutions use to securely transmit information and instructions through a standardized system of codes. SWIFT assigns each financial organization a unique code that has either eight characters or 11 characters. The code is interchangeably called the bank identifier code (BIC), SWIFT code, SWIFT ID, or ISO 9362 code. To understand how the code is assigned, let’s look at Bank of America, headquartered in New York: it has the 8-character SWIFT code BOFAUS3N.
Assume a customer of a Bank of America branch in New York wants to send money to his friend who banks at the ABI Bank branch in Milan. The New York customer can walk into his Bank of America branch with his friend’s account number and ABI Bank’s unique SWIFT code for its Milan branch. Bank of America will send a payment transfer SWIFT message to the Italian branch over the secure SWIFT network. Once the Italian bank receives the SWIFT message about the incoming payment, it will clear and credit the money to the Italian friend’s account.
Nostro Account and Vostro Account- Nostro and Vostro are terms used to describe the same bank account. A Nostro account is a bank account established in a foreign country usually in the currency of that country for the purpose of carrying out transactions there. For example most commercial banks maintain US dollar accounts with their correspondent banks in USA in order to facilitate settlement of interbank and customer transactions in US dollar. Say, two banks- ABC Bank, Washington and XYZ Bank, Mumbai. For XYZ Bank, its account in ABC Bank is a ‘Nostro Account’ (Italian for “My account with you”) and ABC Bank’s account with it is a ‘Vostro Account’ (Italian for “Your account with me”). Reconciliation of these accounts is called Nostro Account Reconciliation.
The replica of this account is maintained by the bank in its own books for operational purposes in local currency and is known as a Nostro Mirror Account. Effectively, all credits to a Nostro account represent inflows of foreign exchange and these are purchased by the bank (XYZ) to the debit of mirror of the Nostro account which they maintain locally. All debits to a Nostro account represent outflows of foreign exchange and the local currency proceeds of such sales are credited by the bank to the mirror of Nostro account.
It is important for banks to reconcile Nostro accounts immediately on receipt of the statements from the correspondent banks, as this will enable them to reconcile the same with their Nostro mirror balances and also take quick remedial action in case of discrepancy in transactions.
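The two gaps described in the account of the scam (one user acting as both sender and approver on SWIFT, and SWIFT activity never logged in CBS) and the Nostro reconciliation described above can be checked mechanically. The following Python is an added example, not code from any bank or from the original article; the record layouts, user names, reference numbers and amounts are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class SwiftMsg:
    ref: str       # message reference (constructed format)
    maker: str     # user who entered the message
    checker: str   # user who approved it
    amount: int    # whole currency units
    currency: str

def swift_vs_cbs(swift_log, cbs_ledger):
    """Return {ref: [issues]} for each SWIFT message that fails a control."""
    findings = {}
    for m in swift_log:
        issues = []
        if m.maker == m.checker:            # same user sent and approved
            issues.append("maker_equals_checker")
        booked = cbs_ledger.get(m.ref)
        if booked is None:                  # never logged in CBS
            issues.append("missing_in_cbs")
        elif booked != (m.amount, m.currency):
            issues.append("amount_mismatch")
        if issues:
            findings[m.ref] = issues
    return findings

def nostro_breaks(statement, mirror):
    """Multiset difference between correspondent statement and mirror lines."""
    s, b = Counter(statement), Counter(mirror)
    return {"statement_only": sorted((s - b).elements()),
            "mirror_only": sorted((b - s).elements())}

# Constructed sample data (assumption): not real records.
SWIFT_LOG = [
    SwiftMsg("LOU-0001", "user_a", "user_b", 1_000_000, "USD"),
    SwiftMsg("LOU-0002", "user_c", "user_c", 2_500_000, "USD"),
    SwiftMsg("LOU-0003", "user_c", "user_c", 4_000_000, "USD"),
    SwiftMsg("LOU-0004", "user_a", "user_b", 750_000, "USD"),
]
CBS_LEDGER = {"LOU-0001": (1_000_000, "USD"), "LOU-0004": (700_000, "USD")}
# The correspondent bank's statement reflects every message it acted on;
# the mirror account only reflects what was booked in CBS.
STATEMENT = [(m.ref, m.amount) for m in SWIFT_LOG]
MIRROR = [(ref, amt) for ref, (amt, _) in CBS_LEDGER.items()]

if __name__ == "__main__":
    for ref, issues in swift_vs_cbs(SWIFT_LOG, CBS_LEDGER).items():
        print(ref, issues)
    print(nostro_breaks(STATEMENT, MIRROR))
```

Entries that appear only on the correspondent statement are the trace the article's first question refers to: they exist overseas even when nothing was logged in CBS.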
CBS refers to Core Banking System, where all branches are inter-connected to ensure that the bank’s customers, regardless of their home branch, are able to operate their accounts and transact in any member branch located anywhere in the world. After the advent of this system, a customer is no longer a customer of a branch; s/he becomes a customer of the bank.