Oh, Wells. Buddy. What’s going on? Can’t seem to keep your nose clean.
Last week heralded another splashy headline in the WSJ:
Wells Fargo Employees Altered Information on Business Customers’ Documents
Even we’re getting sick of it!
This time, WSJ reported that employees in the wholesale subunit cut corners with data collection — including personal identifying information such as social security numbers — to comply with anti-money-laundering controls. The sloppy rush job was due to the time pressure of a regulatory consent order.
Everyone loves an easy copy-paste task, but rolling forward information — which we as auditors well know — can lead to inaccuracies if you don’t back it up with a direct inquiry to make sure it’s still up to date. The lack of follow-up is lazy.
But, as usual, Wells Fargo brushed it off without much acknowledgment. Per the WSJ, a Wells spokesperson said, “This matter involves documents used for internal purposes. No customers were negatively impacted, no data left the company, and no products or services were sold as a result.”
It’s no secret that Wells struggles with internal controls and has for a long time. In fact, the ongoing saga of control failure dates back more than seven years. As far back as 2011, “Going Concern speculated about potential issues with internal controls at Wells Fargo that prompted the then CFO, Howard Atkins, to abandon ship.” These issues foreshadowed the client-impacting drama that broke into the news in 2016.
In February 2018, Senator Warren expressed her frustration and:
…slammed CEO Tim Sloan over the bank’s “utterly inept” efforts to compensate customers after a series of scandals.
The Wells Fargo spokesperson’s comments cite “more robust internal processes that reinforce our values” and “swift action” to weed out bad apples. Then-CEO John Stumpf indicated he did some pruning of these same bad apples back in 2016; too bad the company keeps finding more.
We’ll ask again: Where is the external auditor — KPMG — in all of this? Lying low, it appears, and sticking with the defense that the control failures related to controls over compliance, not financial reporting. Key controls over financial reporting were A-OK.
That didn’t prevent many from urging Wells Fargo shareholders to ditch KPMG as their auditor. They’ve had a long run; KPMG has been auditing the bank since 1931. However, even with high-profile pressure, these efforts were to no avail. Shareholders ratified KPMG as their auditor at the annual meeting in April, keeping the streak alive for at least another year.
This Pandora’s box of control failures leaves me wondering: Is it Wells Fargo? Do they have a lackadaisical culture that leads employees to go rogue, either bypassing controls or acting unethically without a checkpoint to stop them?
Alternatively, is all of the scrutiny of Wells Fargo over the last two years causing more findings to shake out? If we dug more deeply and used the same discerning eye and level of oversight, would we find something like this at all banks?
We’ve seen many other banks with internal control blunders that have made headlines in the last decade. In 2012, JPMorgan Chase was at the center of a scandal dubbed the “Whale Loss” that arose when a single account manager was “deemed responsible for losses of $6.2 billion on bets in corporate debt markets. Other members of his team—his former boss and a junior trader—were indicted in the U.S. in 2013 for violating securities law by attempting to hide the full extent of the losses from J.P. Morgan management.” The trader who made the $6.2 B bet blames the media for “mischaracterizing” him. Poor schmuck. JPMorgan Chase was found by the Senate to have ignored internal controls and manipulated documents as “it racked up trading losses last year, while its influential chief executive, Jamie Dimon, briefly withheld information from regulators.”
In 2014, Citibank received a comment letter from the SEC questioning the bank’s ability to detect fraud with its internal control environment beyond the deficiencies found in a subsidiary, implying the potential for a larger, more systemic issue. As discussed by blogger Derryck Coleman (and as every good auditor is trained to do), this extrapolation was mitigated away with compensating controls, and the materiality of the exceptions was small by comparison to the total number of facilities (and compensating controls) tested (5 of 110,000). The blog goes on to mention the slim chance that an independent audit firm will write up an adverse ICFR opinion, especially in a large, Fortune 500 company. The firm Audit Analytics has found the rate of adverse opinions to decrease over time, with a small increase in 2014, flat in 2015, but back down again in 2016. Of those adverse ICFR opinions, over 70% are blamed on the employees performing the controls, pointing to either bad apples or inadequate training.
Are you an auditor testing controls? Keep a tidy shop and document everything, especially if you’re auditing in the banking sector. Wells Fargo and KPMG are the current scapegoats, but given recent history, all it takes is one scandal for more skeletons to be dragged out of the closet.