Re-engineering in internal audit operations

Bangladesh has come a long way in economic growth since 1972. In 1972, the gross domestic product (GDP) was US$ 5.70 billion where as in 2025 it stands at US$ 475.00 billion. Contribution to GDP from the services sector is continuously increasing since 1990. The main contributor of the service sector is financial sector specially, banks and financial institutions (FIs). But banks and FIs are suffering for long due to poor political commitment of the political parties, corruption in all areas of operations, poor supervisions from regulatory authorities and also absent of good governance in commercial banks.

Transparency International Bangladesh (TIB) has recorded phenomena of systematic governance failures that support the occurrences of fraud, loan default and money laundering.

The “bank and non-bank financial sector of Bangladesh has long been devilled by scandalous corruption in the form of deliberate loan default, swindling and money laundering”, says TIB, with one scandal after another “allowed over the years to become a part of the country’s bank loan culture”

Along with the above loopholes, fraud and internal control lapses have become growing threats to the stability of Bangladesh’s banking sector. Despite a robust regulatory framework guided by Bangladesh Bank, commercial banks continue to experience internal and external frauds ranging from embezzlement and cybercrime to loan manipulation and financial statement misrepresentation. These incidents not only erode profitability but also undermine public trust and investor confidence.

The evolution of technology, increasing complexity of financial products, and institutional weaknesses in governance have together created a fertile ground for fraudulent behaviour. The effectiveness of internal audit functions — the cornerstone of corporate control — has come under scrutiny, with calls for comprehensive re-engineering to align audit operations with digital transformation, real-time monitoring, and risk-based auditing models.

However, this scribe will try here to identify important issues which underline re-engineering of internal audit in Banks and FIs-

• Emerging patterns of financial fraud in Bangladeshi banks,

• Weaknesses in traditional internal audit structures,

• The necessity for re-engineering audit operations, and

• Strategic frameworks for establishing resilient fraud management systems.

The thoughts conclude with policy recommendations for Bangladesh Bank, commercial banks, and policymakers to ensure integrity, transparency, and sustainability in financial operations.

The Changing Banking Landscape in Bangladesh

The banking system of Bangladesh has expanded rapidly since the 1990s, driven by strategy for industrialisation, demand for RMGs in the global markets, financial liberalisation, private sector participation, and digital financial inclusion. There are currently more than 61 scheduled banks (including banks to be merged), comprising state-owned commercial banks (SCBs), private commercial banks (PCBs), and foreign commercial banks (FCBs). The huge expansion (although experts think this large number of banks is enough for Bangladesh economy) increased complexity of operations substantially.

While technology has enhanced service delivery such as mobile banking, agent banking, and internet banking it has also introduced new vulnerabilities. Inadequate cyber controls, short of independent server room, short of in-house core banking software, weak internal audits, and human manipulation have resulted in both traditional frauds (forged instruments, insider collusion, loan frauds) and modern frauds (ATM skimming, phishing, online identity theft).

Bangladesh Bank has issued multiple guidelines to manage operational and fraud risk — including the “ICT Security Guidelines,” “Risk Management Framework,” and “Guidelines on Internal Control and Compliance.” However, persistent weaknesses in enforcement and oversight leave significant loopholes resultantly, the BASIC Bank loan scam, Farmers Bank irregularities, and cyber heists (including the 2016 BB reserve theft) illustrate systemic weaknesses in both fraud management and audit culture.

Emerging Trends in Fraud Management in Bangladesh

The transformation of banking into a digital ecosystem, mobile apps, agent networks, and e-wallets has created new fraud channels. Cybercriminals increasingly exploit social engineering, weak authentication, and inadequate cybersecurity awareness among clients and staff.

Many recent fraud cases involve collusion between internal employees and external parties. This blurs accountability and makes detection difficult. For example, insider assistance in LC manipulation or forged documentation allows large-scale misappropriation before auditors detect anomalies.

Fraudulent rescheduling of non-performing loans, often with board-level approval, remains a major area of financial misconduct. Banks artificially reduce NPL ratios by granting repeated reschedules, concealing actual risk exposure.

With digital core banking systems, manipulation of transaction records or data deletion has become a sophisticated tool for concealing irregularities. Lack of audit trail monitoring facilitates such fraud.

Outsourced services, IT vendors, agents, remittance partners, have introduced new operational risks. Without adequate due diligence, third parties may exploit gaps in system integration and security protocols.

Events such as the Bangladesh Bank reserve theft in 2016 exposed global vulnerabilities. Even with enhanced SWIFT controls, cross-border payment systems remain vulnerable to coordinated cyberattacks.

Current Fraud Management Framework in Bangladesh

Bangladesh’s fraud management mechanism involves a layered approach combining the central bank’s supervisory role and internal bank-level controls. Commercial banks must establish comprehensive internal systems, including independent risk management units, robust internal controls, and employee training, to identify, evaluate, and mitigate fraud risks. Bangladesh Bank oversees this by conducting inspections, setting prudential requirements, and acting against non-compliant banks. 

The central bank’s initiative for fraud management in addition to onsite/off-site supervisions includes-

• Guidelines on ICT Security (2015, updated 2023) mandates cyber risk policies and incident reporting.

• Fraud Prevention Policy (2018) requires banks to establish a Fraud Monitoring Cell (FMC).

• Internal Control and Compliance (ICC) Framework (2014) defines audit and compliance structures.

• AML/CFT Guidelines address money laundering and terrorist financing risks.

• Centralized Incident Reporting System (CIRS) specifies banks must report frauds exceeding Tk 1 lakh.

Despite these frameworks, practical enforcement remains uneven. Many banks’ fraud monitoring units lack skilled staff, data analytics tools, or authority to act independently. Fraud detection often occurs post-event, not proactively because of weaknesses in current internal audit operations.

Weaknesses in Current Internal Audit Operations

Weaknesses in internal audits of banks in Bangladesh include a lack of investment in strengthening the function, internal control system gaps, heavy workloads, and a tendency to conceal audit reports. Other issues are inadequate coordination between departments, limited skilled manpower for modern auditing, and a failure to address fraud and mismanagement, often due to a lack of independence and management lusion. 

Key weaknesses

Compliance-Oriented, Not Risk-Oriented

Most internal audit departments focus on checklist-based compliance audits rather than dynamic, risk-based assessments. This limits their ability to detect emerging fraud patterns.

Limited Technology Use

Audit teams often rely on manual sampling instead of data analytics or continuous monitoring systems. Fraud indicators hidden within massive data sets go unnoticed.

Lack of investment and political influence: 

Banks are often unwilling to invest in strengthening their internal audit systems, and a lack of independence can be a problem. 

Internal control system gaps: 

Weaknesses in internal control systems make banks vulnerable to errors and fraud. 

Heavy workload and staffing issues: 

Internal audit personnel face excessively heavy workloads, and there is often a lack of properly trained and skilled staff for modern and effective auditing. 

Lack of departmental coordination: 

In many banks, there is a significant lack of coordination between different internal departments. 

Concealment of reports: 

Some banks have been reported to “conceal” their internal audit reports due to inconsistencies in the current structure of their internal control and audit departments. 

Collusion and management failure: 

Past scams have revealed weaknesses were rooted in management failures and collusion between insiders and outsiders. 

Failure to address fraud and non-performing loans (NPLs): 

Internal audit failures have contributed to issues like the rise in non-performing loans and scams, as they have not effectively identified and alerted management to irregularities. 

Limited risk assessment and analytical reviews: 

Some audit functions may not effectively use customized processes like risk assessments and analytical reviews to mitigate risks. 

Delay in Reporting and Corrective Action

Audit findings are often not acted upon promptly. Weak follow-up mechanisms and tolerance for irregularities diminish deterrence.

Need for Re-Engineering Internal Audit Operations

To manage fraud effectively, internal audit must shift from a traditional, periodic review model to a dynamic, technology-driven, continuous assurance model.

Re-engineering involves rethinking processes, structures, and tools to align audit operations with modern banking realities.

Framework for Re-Engineering Internal Audit Operations

Re-engineering internal audit in Bangladeshi banks is crucial due to challenges like non-performing loans and fraud, and requires adopting modern approaches like risk-based auditing, technology integration, and improved governance structures. Key areas for re-engineering include shifting to a risk-based model, enhancing the skills of internal auditors, and improving reporting lines to ensure independence and effectiveness. The re-engineering will be with the following steps-

Strategic Alignment

Audit functions should align with the bank’s strategic objectives and risk appetite. The Audit Committee must ensure adequate resources and independence.

Risk-Based Audit Planning

Move from uniform audit cycles to risk-prioritized audits.

• Identify high-risk branches, departments, and products.

• Allocate audit frequency based on inherent and residual risk levels.

• Use risk registers to plan dynamic audit scopes.

Integration of Data Analytics and Artificial Intelligence

Deploy data analytics platforms that continuously scan transactions for anomalies, duplicate payments, unusual patterns, or suspicious account activities.

AI-driven models can identify red flags, while dashboards can alert auditors in real time.

Continuous Auditing and Monitoring

Replace year-end audits with continuous auditing using automated tools connected to the core banking system. Continuous monitoring detects fraud at the early stage, minimizing financial loss.

Forensic Audit Capability

Develop specialized forensic audit teams trained in digital evidence collection, fraud investigation, and root-cause analysis.

Each significant fraud case should undergo forensic review to identify process weaknesses.

Enhanced Governance and Independence

• The Chief Audit Executive (CAE) must report directly to the Audit Committee of the Board, not to the CEO.

• Establish audit charters ensuring functional independence and direct access to all information.

Collaboration with Compliance and Risk Management

Create integrated risk-audit platforms enabling real-time sharing of findings and alerts. Cross-functional coordination helps identify systemic fraud patterns.

Capacity Building

Continuous professional training in IT auditing, fraud analytics, cybersecurity, and regulatory compliance is vital.

Audit staff should be encouraged to obtain certifications such as CISA, CFE, or CIA.

Automation and Workflow Management

Adopt digital audit management systems to track audit progress, document evidence, and ensure accountability for follow-up actions.

Strengthen Follow-Up and Enforcement

Establish structured follow-up mechanisms with timelines. The Audit Committee should review implementation status of audit recommendations quarterly.

Re-engineering Outcomes: Expected Benefits

Re-engineering internal audit in Bangladesh offers significant benefits, including enhanced corporate governance and accountability, improved operational efficiency, and better risk management. Other key advantages include increased compliance with laws and regulations, strengthened internal controls, and improved financial reporting and strategic decision-making. These improvements help build trust among stakeholders and boost access to capital. 

If re-engineering is properly implemented, banks will get benefits as under:

• Early Fraud Detection: Continuous auditing allows real-time identification.

• Enhanced Governance: Clear accountability improves confidence of regulators and investors.

• Operational Efficiency: Automation reduces audit cycle time and human error.

• Regulatory Compliance: Stronger alignment with Bangladesh Bank’s ICC framework.

• Reputation and Trust: Reduced fraud incidents restore public confidence in the banking system.

Conclusion

Emerging fraud risks in Bangladesh’s banking sector threaten the integrity and sustainability of financial institutions. Despite regulatory improvements, the persistence of internal collusion, weak audit independence, and inadequate technological adaptation leave banks exposed to recurring frauds.

Re-engineering internal audit operations is no longer optional — it is a strategic necessity. By embracing risk-based auditing, digital analytics, and governance reform, banks can transform audit departments from reactive control units into proactive defenders of institutional integrity.

The success of this transformation will depend on leadership commitment, regulatory enforcement, and a culture of zero tolerance for corruption.

When banks combine technology, transparency, and ethics, they can not only prevent fraud but also rebuild the trust essential for the long-term stability of Bangladesh’s financial system.

Mohammed Shahid Ullah is a senior banker

rafan3379@gmail.com