A 103-page business standards report released by Wells Fargo last week outlines changes the bank has undertaken as a result of its missteps, and they include important changes to its approach to internal audit.
One of the most important changes is the consolidation of its retail banking audit team into one centralized group. In the aftermath of the scandals, an internal report showed organizational silos had stymied efforts to report bad practices through established control processes and structures. Consolidation of the audit team is designed to break down those silos, a company spokesman told The Wall Street Journal.
The bank also created new management-level governance teams tasked with supporting leadership in carrying out risk management. Each team has a defined set of authorities and responsibilities. Of great significance are policies that create "clear escalation paths and risk-reporting expectations." From the Wells Fargo report:
The governance committee structure is designed to enable understanding, consideration, and decision-making of significant risk and control matters at the appropriate level of the company and by the appropriate mix of executives."
This step reflects a strong commitment to risk management that the bank report says will be guided by four core principles: long-term relationship focus, accountability, risk philosophy, and an environment of inclusiveness and candor.
That philosophy is applied to Wells Fargo's use of its internal audit division. It described Wells Fargo Audit Services as "delivering independent and objective internal audit services such as assessments and credible challenge regarding the company's governance, risk management, and controls." It is significant that the description includes the words "credible challenge."
This concept has been part of the bank regulation for several years, but it typically is applied to boards of directors, who are expected to challenge management actions, decisions, and recommendations. It is encouraging that internal audit at Wells Fargo is tasked with that same job. In addition to conducting tests and providing assessment and assurance of the bank's risk management, governance, and control structure, internal audit is tasked with proactively advising management on, "risks, management practices, and controls in the design and implementation of new business products, service, and processes; systems development; operational changes; and strategic initiatives."
Other details of internal audit's operations — including explicitly requiring adherence to The IIA's International Standards for the Professional Practice of Internal Auditing and Code of Ethics — describe a textbook example of an empowered and respected component of Wells Fargo's risk management team. At least on paper, it appears that internal audit is invited, indeed expected, to act as a trusted advisor to the board and management.
Of course, only time will tell whether Wells Fargo's actions will remain true to its written policies, but there are signs the bank is committed to the changes. The Wall Street Journal reports the bank has increased its audit staff size by about a third to 1,350 employees over the past two years. The bank also added more experienced directors to its board-level risk committee.
I am convinced that the changes undertaken by Wells Fargo — if embraced by management and nurtured by the board — will strengthen the organization and improve its risk management, governance, and control. If this happens, it may ultimately serve as a model for others to emulate.
As always, I look forward to your comments.