
Auditors in the Hot Seat

Articles Alexander Heggen, CIA Jun 12, 2023

Late last year, the U.S. Office of the Comptroller of the Currency (OCC) Office of Financial Institution Adjudication released a report and recommendations related to the consumer account and cross-selling failures at Wells Fargo Bank. The report recommends fines for three former internal audit and risk management executives at the bank ranging from $1.5 million to $10 million. Although there have been cases where organizations were fined because of weaknesses related to internal auditing, it is extremely rare to hear of an individual internal auditor being fined.

The OCC report contains allegations related to deficiencies and weaknesses in governance, risk, and control (GRC) activities, with emphasis on the risk management and internal audit functions. The fines are just recommendations for now. However, if the OCC decides to pursue them, there could be significant implications for CAEs, internal auditors, and risk management professionals. Regardless of the outcome, there are takeaways from the report for all CAEs and internal audit functions to consider.

Report Highlights

The report notes five specific conditions that led to the potential enforcement action (see “Fuel to the Fire” on this page). The first is that employees engaged in sales practice misconduct, and most of the report summarizes the failures that led to those charges. The second, third, and fourth conditions relate to the accused parties not determining the root cause of the sales misconduct. The fifth is engaging in unsafe and unsound banking practices, which in this case relates to “failing to identify and effectively address known issues of risks.”

According to the report, Wells Fargo’s internal auditors were required to:

  • Recognize The IIA’s definition of internal auditing and adhere to The Institute’s International Standards for the Professional Practice of Internal Auditing and Code of Ethics.
  • Maintain an audit charter with language indicating that internal audit would provide the board assurance that business lines comply with policies and procedures and would bring a systematic and disciplined approach to evaluating and improving the effectiveness of enterprise governance, risk, and compliance processes.
  • Determine whether the governance system is adequately designed and that the board receives timely information.
  • Provide assurance of governance functions and processes.
  • Ensure an appropriate culture, including risk culture, is established, understood, and consistently complied with throughout the bank.
  • Ensure that effective corrective actions are timely.
  • Provide assurance related to the compensation program.

The chief auditor participated on at least five committees — Operating, Enterprise Risk Management, Team Member Misconduct, Ethics, and Incentive Compensation — and may have had voting authority. The Ethics committee is responsible for significant ethical and business conduct issues. Sales misconduct violations and deceptive practices along with overly aggressive sales goals appear to fit this definition.

Based on the report, the main issue was how the risks were disseminated and escalated throughout the organization. There appears to be little to no responsibility taken for risks related to sales practice misconduct and no upward reporting to the highest levels of governance: the audit committee and the board. In 2015, the OCC issued a report detailing five specific “Matters Requiring Attention” related to sales practices. However, there appeared to be no process for follow-up, reporting, and corrective action.

Interestingly, the report notes that the bank used the Three Lines risk management system throughout the relevant period. However, the OCC questions how well the first line created controls related to incentives and sales practices, how the second line (the risk function) operated, and how the internal audit function fulfilled its responsibilities as the third line. The IIA Three Lines Model demonstrates the need for clear communication and reporting among all three lines, and its apparent breakdown might be the biggest surprise in the report. The information either did not reach the highest level or it was decided that the information did not need to reach those levels, which indicates a failure to fully understand the risk.

Opportunities for Internal Audit

The report provides CAEs with the opportunity to turn the magnifying glass on their own operations, teaches some important lessons, and offers guidance for internal audit activities and oversight.

Tone at the Top. The report noted numerous charters that guided Wells Fargo’s internal audit, risk groups, and various committees. Corporations can be complex with international operations, affiliates, subsidiaries, holding companies, and various levels of operations. If an organization has multiple governing charters, internal audit should make sure they do not conflict.

Audit should review its charter and ensure it covers internal audit responsibilities at every entity and level. The charter should note that, based on the Standards, internal audit must include the evaluation and reporting of all aspects of GRC, but should not be responsible for or have primary oversight of these functions, as that could impair independence and objectivity when performing assurance audits.

Committee Responsibilities. CAEs or other internal auditors who participate on a committee of any kind must ensure that those responsibilities do not conflict with the audit charter and the independence of the internal audit function. A CAE who provides assurance for compensation, ethics, or risk management as part of the audit plan should not be a voting member of a committee that designs or administers any of these activities. Internal auditors need to be careful when a significant portion of an internal audit bonus plan is based on financial results. This could impair independence and objectivity. The committee meeting minutes or the committee policy should clearly state that any internal audit participation is in an advisory capacity and the auditor has no ability to vote.

Audit Plan. Audit plans do not need a major overhaul based on this report. Internal audit cannot audit every operation and transaction. However, internal audit should be meeting with the board, senior management, and key department managers. In addition, internal audit should meet with any leaders in risk management, compliance, or a fraud-inspection group to at least coordinate efforts and ensure clear communication and reporting. From here, the function should audit to business objectives. For example, if sales goals are a key business objective, internal audit should include this in the audit plan.

For community banks with branch and retail locations, these operations are a significant part of the business. In many companies, customer interactions and sales are critical for growth. Internal audit needs to understand the major revenue and expense streams, understand key lines of business, and make sure these areas have appropriate audit coverage.

Policies and Procedures. Internal audit policies and procedures should be reviewed annually, and that includes more than just changing the last review date. If it is not in the internal audit charter, a policy needs to clearly delineate the reporting lines within internal audit, the supervision of engagements, and communication of results. The CAE can assign these responsibilities to other experienced internal auditors, but the policy needs to address how the CAE will be informed of audit results and any significant findings.

Policies also need to address procedures for communicating and documenting increasing risks or significant concerns noted by other areas within the organization. Do audit, management, and committee reports clearly identify key or increasing risks or ineffective controls in a way that management can understand and act on? If reports are numerous and long, key concerns may go unread.

The Standards state that communication is required, but the form of communication is open-ended. Internal audit should be creative and urgent when it comes to key risks. If necessary, internal auditors can send a text message, voice mail, or record a video. Internal audit should not rely on the first line, or even the second line, to escalate material risk issues. Internal audit should document any potential risks or concerns and follow up to ensure they are reported and addressed. The audit function should not be limited to reporting only the risks it identifies.

Quality Assurance and Improvement Program (QAIP). The Standards state the internal audit function must have an external review every five years. A QAIP demonstrates to regulators, external auditors, senior management, and the board that internal audit is operating in accordance with the Standards and Code of Ethics. A QAIP can highlight areas where risk, communication, and oversight need to be strengthened. It is not, however, a get-out-of-jail free card.

Fraud. To reach elevated sales goals, employees resorted to fraudulent activities. The Standards require internal auditors to evaluate the risk of fraud and how the organization manages fraud risk. Internal auditors need to understand the fraud triangle and be aware of where within the organization there could be the opportunity and the pressure for fraud to occur. Identifying the rationalization for fraud could be difficult, but it might become evident through other audits, interactions with employees, and discussions with management. CAEs can assess whether the organization has a reasonable process to manage fraud risk, including a review of the organization’s fraud risk assessment, channels for reporting fraud, and procedures to address potential fraud.

Removing Controls. Internal auditors frequently issue reports that highlight controls to implement or improve. It is less common to suggest removing a control. In these cases, internal audit needs to clearly document the benefit of the suggestion and why it is being made. In the Wells Fargo report, the OCC notes the audit group recommended removing a control that required customer account approval overrides with the reason being that the employees did not consistently follow the requirements. Internal audit needs to understand how key controls operate and why employees are circumventing or ignoring requirements. They should tread lightly when making these recommendations.

Fuel to the Fire: 5 Alleged Conditions Leading to the Charges

1. Wells Fargo Community Banking Group team members engaged in sales practices misconduct that threatened the safety, soundness, and reputation of Wells Fargo Bank, N.A.

2. The chief auditor, serving as the head of the bank’s third line, failed to: timely identify the root cause of sales practices misconduct in the Community Bank; provide credible challenge to risk control managers; evaluate the effectiveness of risk management controls; and identify, address, and escalate risk management control failures.

3. The group risk officer failed to: timely identify the root cause of sales practices misconduct; exercise credible challenge to the Community Bank’s head regarding risk management controls relating to sales practices; timely and independently evaluate the effectiveness of risk management controls; and identify, address, and escalate risk management control failures.

4. The executive audit director failed to: timely identify the root cause of sales practices misconduct; provide credible challenge when evaluating the effectiveness of the risk management controls; and identify, address, and escalate risk management control failures.

5. The three audit and risk executives failed to identify, address, and escalate inadequate controls over known issues of risks related to sales goals pressure. They misled regulators regarding the efficacy of controls over risks related to sales goals pressure, thereby advancing their individual pecuniary interests over the interests of Wells Fargo and breaching fiduciary duties each owed to the bank. Further, the group risk officer’s efforts to restrict material information from being disseminated among the bank’s senior leaders, board, and regulators violated federal statutes and regulations.

Source: U.S. Department of the Treasury Office of the Comptroller of the Currency Report and Recommendation — Executive Summary (Dec. 5, 2022) 

What’s Next?

The former head of Wells Fargo’s retail banking division, who is listed in the report, pleaded guilty to obstructing a government examination in April. She will pay a $17 million fine and serve up to 16 months in prison. 

The OCC report is a cautionary summary of the risk management events related to the Wells Fargo sales practices misconduct scandal. Banking has more regulations than most industries, and its internal auditors tend to have additional oversight. The lessons in this case, however, are a reminder that all internal auditors have a responsibility to protect organizational value and provide assurance to help reach strategic objectives. 

Internal auditors are fallible, and that is partly why assurance is only reasonable and not absolute. Even so, the profession should always be improving. Just because something has not happened yet doesn’t mean it can’t happen.

IIA Resources:

Financial Services Exchange
Financial Services for Internal Auditors Certificate
Practice Guide: Foundations of Internal Auditing for Financial Services Firms

Alexander Heggen, CIA

Alexander Heggen spent 20 years as a financial services examiner and internal auditor. He currently is a teaching assistant professor at West Virginia University in Morgantown, W.Va.