The Wells Fargo Fraud: Where Was Internal Audit?



Many parts of the Wells Fargo staff “scam” are mind-boggling.

It’s not just that staff at Wells Fargo opened an estimated 2 million deposit accounts and applied for roughly 565,000 credit card accounts to meet sales goals. 

It’s not just that Wells Fargo was fined $185 million (including the largest ever fine by the CFPB).

It’s not even that the scam lasted 5 years.

What’s mind-boggling to me is that Wells Fargo fired about 5,300 workers (out of a total staff estimated at 265,000, or 2 percent of all employees).

‘Doing What Is Right for Our Customers’

And what’s troubling are statements like this from the bank’s former CEO, John Stumpf: 

“Our entire culture is centered on doing what is right for our customers.”

How can he say that when 2 percent of the total Wells Fargo workforce was fired as a result, presumably, of being involved?

When 2 percent of employees were fired, you have to assume that more people knew or should have known. The prevailing Wells culture was clearly to do what was right for the company, not the customers!

According to the NY Times, “Wells said that the employees who were fired included managers and other workers. A bank spokesman declined to say whether any senior executives had been reprimanded or fired in the scandal.”

While Stumpf stepped down on Oct. 12, that statement implied, in my mind, that senior executives were not going to be held to account. 

More Than a Failure of Internal Controls

The CFPB says, “Spurred by sales targets and compensation incentives, employees boosted sales figures by covertly opening accounts and funding them by transferring funds from consumers’ authorized accounts without their knowledge or consent, often racking up fees or other charges.”

The Director of the CFPB adds, “Unchecked incentives can lead to serious consumer harm, and that is what happened here.”

It’s easy to say that “unchecked incentives can lead to serious harm.” That’s obvious — it applies to every organization.

It’s also easy to say, as they do, that internal controls failed.

But the incident raises so many questions:

  1. The culture was clearly massively flawed, despite what Stumpf said. In fact, his statement reveals a lack of understanding not only of the word “culture” but also of the real problem. While his early retirement may be a small step in the right direction, he leaves his replacement Tim Sloan with the task of changing the culture. The surviving employees will be in shock and so risk-averse that the bank will suffer enormously.
  2. The PCAOB and others love to use the word “pervasive.” But here is an example of something that is truly pervasive. Senior executives either knew or should have known of the problem. Did no employees come forward? Did nobody see a trend in customer queries and complaints about accounts being opened they had not requested? Where was the Chief Compliance Officer?
  3. Was top management asleep or did they just have their eyes and ears closed?
  4. Should risk management have done something?
  5. Where was internal audit?
  6. Where was the board?

We have insufficient information with which to answer these questions.

Could Risk Management or Internal Audit Have Prevented (or Mitigated) This?

I don’t know that risk management could or should have done anything. I doubt this kind of scam would be identified as a risk.

I do have to ask whether risk management:

  • had satisfied themselves that the fraud risk assessment (assuming one was done) was complete;
  • were monitoring the level or type of consumer queries and complaints, which should have been a leading risk indicator; 
  • had effective monitoring of customer satisfaction, which should have been a risk to assess and watch; and
  • had done sufficient work relating to the organization’s culture.

The same questions apply to internal audit.

But, I would expect internal audit to be more aware of customer complaints and customer satisfaction than risk management. Controls over customer satisfaction risk, and especially responses to complaints, should have at least been considered in building the audit plan.

They should also be more skeptical than risk management can afford to be (for political reasons) of organizational culture. Were any warning signals picked up by auditors in the course of their work? Were they so focused on completing the audit program that they were not watching and listening to what was happening around them? Were they ‘auditing by walking around’? Did they listen to customers at all?

Where the Board Comes In

I don’t expect the board had any reason to believe this was going on. They have to rely on management, risk management and internal audit for information on culture, the management of fraud and other risks and the performance of controls.

But I do expect the board to take swift and decisive action once a problem like this appears.

That includes holding senior management to account. Hopefully we will hear more about what other actions they will take, beyond Stumpf’s retirement.

It also includes mandating that the new CEO fixes the culture.

What do you think? Do you agree with my comments?

What would you expect from the board, risk management and internal audit?

Norman Marks, CPA, CRMA is an evangelist for “better run business,” focusing on corporate governance, risk management, internal audit, enterprise performance, and the value of information. He is also a mentor to individuals and organizations around the world and the author of World-Class Risk Management.

