The recent disclosure by IDFC FIRST Bank of a potential ₹590 crore fraud at its Chandigarh branch has sent tremors through India’s banking and audit community. This is not merely another episode of operational failure or weak controls—it is a stark case study in how traditional compliance-based auditing can crumble in the face of internal collusion.
For professionals in Internal Audit, Risk, and Compliance, this incident deserves close attention. It challenges long-held assumptions about control effectiveness and underscores the urgent need to rethink how audits are designed, executed, and interpreted.
A Routine Closure Request That Unmasked a Massive Fraud
What triggered the unravelling was deceptively ordinary.
In February 2026, the Haryana Government requested the closure of one of its accounts maintained at the Chandigarh branch. During reconciliation, officials noticed a significant mismatch between the balances reflected in the bank’s internal ledgers and the actual funds available.
This discrepancy wasn’t marginal. Preliminary estimates suggest a shortfall of around ₹590 crore—a figure that exceeds the bank’s entire Q3 net profit of approximately ₹503 crore.
The most unsettling detail? The issue surfaced not through internal audit or compliance reviews, but through external client verification.
The Anatomy of the Fraud: Old Tricks, New Consequences
Early reports indicate that the irregularities were localized to a cluster of government-linked accounts and allegedly involved branch-level employees, possibly acting in collusion with external parties.
The Method: Forged Physical Cheques
Ironically, the suspected instrument of fraud is one of the oldest in banking history: forged physical cheques.
Despite:
- Core banking systems,
- Maker–Checker–Authorizer controls,
- Physical document retention,
- Segregation of duties on paper,
the fraud allegedly continued long enough to balloon into hundreds of crores.
This raises a disturbing but necessary question:
Were controls bypassed—or were they faithfully followed by people acting in concert?
When Controls Exist, but Integrity Doesn’t
Most banks pride themselves on robust control frameworks. Internal audits typically verify whether:
- Required documents exist ✔️
- Signatures are in place ✔️
- Maker–Checker steps were completed ✔️
- System logs show approvals ✔️
In the Chandigarh case, it is entirely plausible that:
- The paperwork was “complete”
- The system showed “proper authorization”
- Files were neatly stored
Yet the data represented by those documents was fundamentally false.
This is the core weakness of compliance-based auditing: it often treats process adherence as proof of control effectiveness.
Why Compliance-Based Auditing Is No Longer Enough
Compliance audits are retrospective and procedural. They ask:
Was the process followed?
But fraud prevention requires a deeper question:
Should this transaction have existed at all?
When multiple actors collude, compliance becomes a theatrical performance—roles are played, steps are followed, signatures are affixed, and systems are updated. The audit trail looks pristine, even as money quietly drains away.
The Necessary Pivot: From Compliance to Forensic Skepticism
The IDFC FIRST Bank episode is a compelling argument for forensic-style internal auditing—a mindset shift rather than just a new checklist.
1. Question the Data, Not Just the Workflow
Forensic auditors are inherently skeptical. They are less interested in who approved a transaction and more concerned with why it exists.
What must change:
- Move from sample-based testing (5–10% of transactions)
- To full-population analytics using audit and data tools
Red flags to algorithmically scan for:
- Large-value transactions in low-activity accounts
- Repetitive round-number withdrawals
- Sudden spikes in account turnover
- Transfers to recently opened or rarely used accounts
Fraud at this scale leaves patterns long before it leaves headlines.
2. Detect Pattern Anomalies, Not Isolated Errors
Fraud rarely occurs as a one-off event. It evolves.
Internal audit teams should monitor:
Velocity Risks
- Funds exiting government or escrow accounts immediately after deposits
- Rapid back-to-back debit entries without economic justification
Access Irregularities
- Employees accessing sensitive accounts outside business hours
- Excessive use of override or exception authorities
- The same staff repeatedly acting as Maker or Checker on high-risk transactions
These signals are often visible in system logs and metadata, even when vouchers look legitimate.
3. Reinstate External Confirmation as a Core Audit Tool
Perhaps the most damning lesson from this case is that the fraud was detected by the client, not the bank.
A critical corrective step:
- Mandatory, periodic independent balance confirmations
- Directly with large corporate and government clients
- Routed outside the branch structure, preferably through central audit or risk teams
This single control—long used in statutory audits—can dismantle even the most carefully colluded internal frauds.
The Human Element: Still the Weakest Link
Banks have digitized products, automated workflows, and invested heavily in technology. Yet incidents like this reaffirm an uncomfortable truth:
The most sophisticated system can still be undone by trusted insiders.
No amount of automation can replace:
- Skepticism
- Independent verification
- Behavioral analysis
Internal Audit must therefore evolve—from being custodians of compliance to investigators of intent and outcome.
The Road Ahead for Internal Audit Teams
The Chandigarh fraud is more than a governance failure—it is a strategic warning.
Internal auditors must stop behaving like historians who merely document what happened, and start acting like investigators who ask:
- Why did this transaction occur?
- Who benefited?
- What pattern does it fit into?
- What assumption am I taking for granted?
Only by embracing forensic skepticism, data-driven auditing, and independent validation can banks hope to shift from post-mortem detection to real-time deterrence.
Because in modern banking, fraud doesn’t announce itself with missing files—it hides behind perfectly completed ones.
Indrajit Roy Choudhury 