A preliminary internal investigation by Société Générale noted that Kerviel had previously worked in the bank's IT department, and so had in-depth knowledge of its systems and procedures. Staff mostly followed those procedures, the investigating committee found, but the procedures were not in themselves sufficient to identify the fraud before Jan. 18, partly because of the effort Kerviel made to avoid detection, and partly because staff did not systematically conduct in-depth investigations when warning flags were raised.

Among the tricks Kerviel used to hide his activities, the bank's investigation highlighted the use of fake e-mail messages to justify missing trades, and the borrowing of colleagues' log-in credentials to conduct trades in their name. Investigators identified at least seven occasions on which Kerviel faked messages between April 2007 and Jan. 18, four of them referencing trades that never existed. The deception was uncovered when they could find no trace of Kerviel receiving the purported messages in the bank's e-mail archival system, Zantaz.

Between July 2006 and September 2007, internal control systems raised 24 alerts when the value of Kerviel's trades exceeded authorized limits, the General Inspection department reported. At the time, the bank's risk monitoring unit put the anomalies down to recurrent problems with the way the trading software recorded operations, and asked Kerviel's superiors to make sure he didn't exceed limits again.

The special committee made a number of recommendations, including the use of stronger, biometric authentication systems to prevent traders from accessing one another's accounts, and the improvement of alert procedures so warnings reach the appropriate managers. In addition, it suggests the tightening of trading controls, which do not cover cancelled or modified transactions—two of the tricks Kerviel used to conceal his bets.

Auditors are still looking for suspect trades to make sure all have been uncovered, and investigators have yet to review Kerviel's use of an instant-messaging service for evidence of his activities, the special committee said. It will present a final report to shareholders at the annual general meeting on May 27.

Meanwhile, on April 1, at a conference sponsored by Morgan Stanley, Oudea said the bank had tightened its IT security and access to its information systems, among other measures to improve its operational controls. Lessons for I.T.

Perhaps some good may come out of Kerviel's apparent fraud and Société Générale's blindness to it: The incident may spur other companies' executives to talk about risk management and IT controls inside their businesses. Organizations tend to think of access as being binary in nature: You get access to it all, or you don't, says Ian Walden, professor of information and communications law at Queen Mary, University of London. In reality, there are many more levels of access. "In modern, complicated systems, the granularity has to be much more sophisticated."