Risk management and internal controls expert Norman Marks dissects the bank's failure to prevent a wide-scale fraud

As the fallout from the Wells Fargo fraud case continues, several questions still linger. Chief among them is if CEO John Stumpf will continue to hang on to his job. During a congressional hearing on the scandal on Tuesday, Senator Elizabeth Warren (MA-D) called on the CEO to resign and for a criminal investigation into the fraudulent activity at the bank. Another big question is whether similar behavior was taking place at other big banks. 

For internal auditors and risk managers looking for lessons from the case to guard against something similar from happening at their own companies, the open questions are of a different nature: Was there a breakdown in internal controls to allow the fraud to take place? Did internal audit fail to uncover the illegal practices or were concerns ignored when internal audit raised them to senior management? Where was the breakdown in oversight to allow so many individuals to do the wrong things?

To shed some light on these and other questions, we turned to Normal Marks, author of the blog, Norman Marks on Governance, Risk Management, and Audit. He is a former chief audit executive and risk manager at several Fortune 500 companies. In this Podcast, we look at the early lessons from the Wells Fargo case and what the company must do to move past it.

"This is quite disturbing for many reasons," says Marks. Wells Fargo has agreed to pay a $180 million fine to the Consumer Financial Protection Bureau to settle charges that employees created nearly 2 million unauthorized accounts to collect commissions and other incentive payments.

"I think it suffered a breakdown—I wouldn't call it a major one—but it's certainly a large one and certainly a pervasive one. There are some questions about culture and, frankly, from my point of view if the culture of the organization allowed this to happen, what else did it allow to happen?" asks Marks. "When you have people who are willing to do the wrong thing like this, they are typically willing to do other wrong things."

According to Marks, it still unclear what the role of internal audit was in finding or allowing the fraud to continue for so long. He says the threat of continued litigation and criminal investigations is likely to keep the bank from saying too much about the details of the case.

"What we do know is that these individuals forged customer signatures," says Marks. "So I have to ask 'where were the controls that would have detected or prevented the forging of customer signatures?' Who is supposed to be checking that?"

Marks says the issue comes down to what was likely a problem with culture and the mixed message of ethics and pressure to make sales targets. "That is a very common problem," he says.

LISTEN TO THE PODCAST

Length: 20 min. 32 sec.
size: 18.8 MB