Introduction
National Commercial Bank, headquartered in Riyadh, was the first bank to be established in Saudi Arabi. It was founded in 1953. The bank was constituted as a partnership. It was one of the innovators of Islamic Banking in the world. It operated under a partnership form until 1997. Thereafter, it was converted to a Joint Stock Company. The CEO of the company is Mr. Saeed bin Muhammad Al-Ghamdi. He succeeded Abdul Kareem Abu Al-Nasr. The National Commercial Bank owns 90.424% of NCB capital ( Premier Investment bank) and 64.68% of Turkiye Finans Katilim Bankasti. As at 2011, the bank operated 288 branches across Saudi Arabia with a total of 1,791 Automated Teller Machines. The branches offer Islamic banking services. Further, as at December 2011, the company had 2.8 million customers. The total number of employees was 5,879 of which 90% were of Saudi Arabia origin. The bank’s external auditor is Ernst & Young. The table below summarizes financial results of the company for the year ended 31st September, 2011 and 2012.
Aim of the paper
The paper aims at giving facts of a real fraud case that occurred at National Commercial Bank. It explains the internal control put in place in the bank. It also explains how the fraud occurred at the bank. Finally, it gives conclusions and recommendations.
Facts on internal controls in the bank
The bank’s policy and procedure manual give guidelines on how transactions are supposed to be executed at the branches. The guidelines strengthen internal controls in the bank thus minimizing occurrence of fraud. At the branch, cashiers, by and large, execute two types of transactions. The first transaction is a local transfer from one bank to another. In this type of transactions, customers are able to transfer money from a National Commercial bank branch to other banks by using various ways such as internet, phone, ATM and bank branches. The procedure manual outlines the steps that must be followed when processing the transaction.
First, the customer is expected to fill in the transfer money form in front of the teller. The details to be included in the form include full names of the customer, identification number and expiry date, date of transaction, account number, address, the amount to be transacted, the name and account number of the recipient, bank of the recipient, and finally the customer should sign the transfer form. Filling in the form in front of the customer is an internal control since it assures the cashier that the customer initiated the transaction. Secondly, the customer must provide the original identification document. Thirdly, once the teller receives the transfer form from the customer, he / she should verify the information on the form with the information in the bank system. Cashiers should focus on verifying the original identification document and the customer’s signature. This third procedure ensures correctness of information provided. At this point, the cashier should also verify the account balance of the customer. This ensures that the customer has sufficient fund to execute the transaction. The fourth procedure entails keying in the information provided in the bank system. This should be done after ensuring that all the information provided are correct. The fifth step gives the control of authorization. An amount less than SR75, 000 should be approved by only one authorizer. An amount greater than SR75, 000 should be approved by two signatories. The approval is done through the bank system. The sixth procedure requires the person approving the transaction to validate all the information provided before approving the transaction. The final procedure requires the cashier to complete the transaction after approval. Thereafter, he / she should retain a copy of the transaction and give the customer a copy form of the transaction.
The second type of transaction that can be executed by the customer is the issue of cashier check. In this type of transaction, the National Commercial Bank’s customers can issue cashier checks only through a branch of the bank. The procedure manual for executing this transaction is the same as the procedure manual for the first transaction.
How the fraud happened
The conversation below explains how the SR 230 million fraud occurred. The fraud happens to be the largest fraud case among Saudi fraud cases.
Forensic accountant: Thank you all for attending the meeting in time as scheduled.
(Teller 1, teller 2, forensic accountant, and the branch manager all shake hands)
Forensic accountant: when did the fraud occur?
Branch manager: on 09/26/2010.
Forensic accountant: How was the whole amount of fraud (SR230 million) transacted?
Teller 1: the customer issued me with two checks each one with an amount equivalent to SR 65 million. This amounted to SR 130, 000.
Forensic accountant: how was the rest of SR 100 million transacted.
Teller 2: I received instructions to transfer SR 100 million as a local transfer from one bank to another.
Forensic accountant: who were the recipients of the money?
Branch manager: the amount was paid to one person though different methods.
Forensic accountant: were the transfer forms filled in front of the cashiers?
Branch manager: Since they were VIP customers, I ordered the cashiers to direct the customer to my office so that they can be served from my office. Therefore, the forms were not completed in the presence of the cashiers but in my office.
Forensic accountant: were the details provided in the form verified by the cashiers in the presence of the cashiers?
Teller 2: I requested the manager to let the customer come in front so that I can verify the customer detail in accordance to the bank’s policy. However, the branch manger declined to let the customers come in front of the us and gave both of us the assurance that he would approve all the areas that required approval since he has the authority.
Forensic accountant: did the two appointed signatories approve the transactions?
Teller 2: all the transactions were approved only by the branch manager in the form. However, we were not able to verify the customers original identification document and signature.
Forensic accountant: anyone with any additional information concerning the fraud?
Teller 1: we had received earlier instructions from the branch manager that no staff member of the branch had the permission to talk to, deal or serve the customer. The branch manager further stated that the customers had preferred to be served by the him only.
Teller 2: in cases where the customer came and the branch manager was not in, he refused to be served by other staff members at the branch and preferred to go back without being served. Further, I do not have adequate system rights to access the customers account. Only the branch manager has the right to access the customer’s account.
Forensic accountant: Thank you all for your time.
(They all shake hands again and the meeting ends)
Upon review of additional documents at the branch, it emerged that the customer held the account with the bank for 10years. Further, the bank manager has been working in the bank for the past 33 years. However, the fraud was detected 9 months after its occurrence. This came up when the customers failed a complaint on their checking accounts. The customers denied the allegations of being involved in the fraud. The branch manager later confessed guilty of forgery. The internal audit department also carried out investigations on the fraud. The report on internal audit resulted in laying off of 12 employees excluding one cashier
Conclusion and recommendations
Based on the facts of the case, it was evident that the cashiers did not comply with some of the procedures for carrying out transactions such as verifying the customer’s details before completing the transaction. Further, the transactions were not approved in the system as stipulated in the policies and procedure manual. Also, since the transactions were exceeding SR 75,000, they required approval by two signatories. This was not done. Further, the nature of the relationship between the branch manager and the customer was questionable. Therefore, it is evident that the fraud occurred as a result of noncompliance with the laid down policies and procedures. It is an indication of negligence.
Disciplinary action needs to be taken on employees who violated the policies and procedure manual. This should be applied uniformly and not in exclusion. Further, the internal audit department should have an adequate number of qualified staff members. Besides, the department should be reviewed on a periodic basis by external bodies. The bank should also consider coming up with an incidence reporting framework which allows all employees to report any peculiar activity which might expose the bank to risks. This might help in early identification of possible occurrence of fraud.