The classic post-scandal question to auditors: What happened in the black box?

The Wells Fargo saga of fake accounts—known to, but undisclosed by, Wells Fargo’s own auditors—is a textbook example of how investors have become fed up with the black box in which audits are performed.

Investors have little insight into what auditors do when they encounter something that ought to smell fishy, like their discovery as far back as 2013 that managers at Wells Fargo were creating accounts by the millions, without customer authorization, to meet seemingly unachievable sales targets.

When news finally breaks, as it did for Wells Fargo in the fall of 2016, it leaves investors wondering what they really get out of a financial statement audit. If routine audit work didn’t drive action to clean up the creation of millions of fake accounts over multiple years, then what’s the point of the audit?

It’s hard to know if it will ever be clear what role, if any, the auditors at KPMG ultimately had in bringing down the hammer on the errant culture at Wells Fargo. Neither KPMG nor Wells Fargo would comment on the case.

But it’s worth exploring what auditors are expected to do, alongside what little is known about KPMG’s actual response, in discerning if there’s more investors should justifiably expect out of the routine financial statement audit.

The unfolding scandal

The Wells Fargo scandal came to a head in September 2016 when the Consumer Financial Protection Bureau fined the bank—one of the largest in the United States—$100 million for “the widespread illegal practice” of opening deposit and credit card accounts in the names of unsuspecting customers. The Office of the Comptroller of the Currency and the city and county of Los Angeles assessed another $85 million in fines of their own.

The scandal began in a highly public fashion with revelations of more than 2 million unauthorized deposit accounts, more than 560,000 fraudulent credit card applications, and more than 5,300 staff dismissals over a five-year period. Wells Fargo’s stock fell to a 30-month low, losing 12 percent of its value in a month. But the revelations and the financial implications certainly didn’t end there.

“Auditors are supposed to consider the qualitative effects. What could happen in the future in the way of a liability? Loss contingencies have to be disclosed if there’s more than a remote possibility it could result in a loss.”

Doug Carmichael, Accounting Professor, Baruch College

The U.S. Justice Department piled on with charges that Wells Fargo’s repossession tactics violated the rights of more than 400 members serving in the armed forces. That cascaded into the identification of more than 570,000 Wells Fargo customers harmed by the bank’s method of placing insurance policies on car loans, even where customers didn’t need or want the coverage. The bank said the bill to remediate that problem will cost about $80 million.

Predictably, Wells Fargo now faces litigation both over fake accounts and staff firings associated with the various tentacles of its unfolding scandal. The bank has already settled a $142 million class action for claims dating back as far as 2002. And more recently, the bank’s internal investigation revealed the fake account scandal is much bigger than initially disclosed — another 1.4 million accounts dating back to early 2009, and another $2.8 million in refunds and credits.

After the initial Consumer Financial Protection Bureau fine that got the public disclosure of Wells Fargo’s antics rolling, members of Congress started peppering the CFPB with questions about why it didn’t expose the activity sooner when the Los Angeles Times profiled abuses in 2013. Likewise, members of the U.S. Senate, led by Sen. Elizabeth Warren, R-Mass., fired off a list of questions to Wells Fargo’s auditor, KPMG.

Did the firm know about “illegal sales practices” described in the CFPB action? Did it discuss the matter with anyone at Wells Fargo? Was KPMG ever misled by Wells Fargo employees on the matter? Has KPMG rechecked its work after the public unveiling of fake accounts? Has KPMG’s regulator, the Public Company Accounting Oversight Board, come knocking on the matter?

Perhaps most importantly, does KPMG still stand by the clean audit opinions it issued on Wells Fargo, asserting the company maintained effective internal control over financial reporting in all material respects?

FINDINGS & CONCLUSIONS

Below is a look at “Findings and Conclusions as to Unauthorized Deposit Accounts & Simulated Funding” from the CFPB enforcement action against Wells Fargo.
16. Respondent’s analysis concluded that its employees opened 1,534,280 deposit accounts that may not have been authorized and that may have been funded through simulated funding, or transferring funds from consumers’ existing accounts without their knowledge or consent. That analysis determined that roughly 85,000 of those accounts incurred about $2 million in fees, which Respondent is in the process of refunding. The fees included overdraft fees on linked accounts the consumers already had, monthly service fees imposed for failure to keep a minimum balance in the unauthorized account, and other fees.
17. Section 1036(a)(1)(B) of the CFPA prohibits “unfair” acts or practices. 12 U.S.C. § 5536(a)(1)(B). An act or practice is unfair if it causes or is likely to cause consumers substantial injury that is not reasonably avoidable and is not outweighed by countervailing benefits to consumers or to competition. 12 U.S.C. § 5531(c)(1).
18. By opening unauthorized deposit accounts and engaging in acts of simulated funding, Respondent caused and was likely to cause substantial injury to consumers that was not reasonably avoidable, because it occurred without consumers’ knowledge, and was not outweighed by countervailing benefits to consumers or to competition.
19. Section 1036(a)(1)(B) of the CFPA prohibits “abusive” acts or practices. 12 U.S.C. § 5536(a)(1)(B). An act or practice is abusive if it materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service. 12 U.S.C. § 5531(d)(1). Additionally, an act or practice is abusive if it takes unreasonable advantage of the inability of the consumer to protect his or her interests in selecting or using a consumer financial product or service. 12 U.S.C. § 5531(d)(2)(B).
20. Respondent’s acts of opening unauthorized deposit accounts and engaging in simulated funding materially interfered with the ability of consumers to understand a term or condition of a consumer financial product or service, as they had no or limited knowledge of those terms and conditions, including associated fees.
21. Additionally, Respondent’s acts of opening unauthorized deposit accounts and engaging in simulated funding took unreasonable advantage of consumers’ inability to protect their interests in selecting or using consumer financial products or services, including interests in having an account opened only after affirmative agreement, protecting themselves from security and other risks, and avoiding associated fees.
22. Therefore, Respondent engaged in “unfair” and “abusive” acts or practices that violate §§ 1031(c)(1), (d)(1), (d)(2)(B), and 1036(a)(1)(B) of the CFPA. 12 U.S.C. §§ 5531(c)(1), (d)(1), (d)(2)(B), 5536(a)(1)(B).
Source: CFPB

KPMG has not spoken publicly to answer any such questions, but the Big 4 know better than to ignore a direct inquiry from Congress, and Warren’s office was happy to make the reply public. In a letter to Warren and her colleagues, KPMG Chairman and CEO Lynne Doughtie said yes, the firm knew about “unethical and illegal conduct” at Wells Fargo.

Doughtie says auditors were satisfied that appropriate members of management were fully informed. The firm observed an internal investigation in 2013 and 2014 that led to the termination of a number of employees, and then a lawsuit by the city of Los Angeles in 2015.

KPMG points out its duty is to assess financial statements and effectiveness of internal control from a financial reporting perspective. “From a financial reporting perspective, the improper sales practices did not involve key controls over financial reporting,” Doughtie wrote. “From the financial reporting perspective, its effects were not financially significant.”

The firm says it even engaged an outside consultant on the financial impact of setting up unauthorized accounts. “That consultant concluded the fees associated with unauthorized accounts were less than $5 million, and that amount had accumulated over a five-year period,” the letter says.

KPMG points out Wells Fargo’s net income in 2015 alone was about $23 billion, and no one implicated in creating fake accounts had any role in or influence over financial reporting. So yes, Doughtie says, the firm continues to support its audit opinions and continues to monitor investigation outcomes.

Incredulous at KPMG’s response, Warren and Sen. Edward Markey, D-Mass. queried PCAOB Chairman James Doty about its part in assessing KPMG’s work at Wells Fargo. Doty did not answer the questions directly, silenced by the privacy provisions afforded auditors under the Sarbanes-Oxley Act. Instead, he addressed what auditors are supposed to do in such situations.

Current auditing standards

Indeed, auditors are required to audit financial statements and internal controls over financial reporting with an eye on materiality at all times. While not defined in any bright-line terms, materiality is understood, via a Supreme Court precedent, to be any fact that would be viewed by a reasonable investor as having significantly altered the total mix of information made available.

PCAOB standards, namely AS 2105 and AS 2810, tell the auditor to consider both quantitative and qualitative factors in assessing materiality. Guidance from the Securities and Exchange Commission, Staff Accounting Bulletin No. 99, also tells auditors and preparers that they must consider quantitative and qualitative factors in making materiality calls.

When auditors encounter something that looks like a potentially illegal act, there are additional PCAOB and SEC standards to consider. First, there’s AS 2405, which addresses illegal acts by clients. It tells auditors to study the act and understand its possible effect on financial statements. It also tells auditors to consider materiality—not only the direct effect but also the potential fallout effect. Even if the act has an immaterial effect on financial statements directly, could it lead to a material loss of revenue or a “material contingent liability,” like fines, penalties, or litigation?

Any auditor facing such an examination should begin by consulting legal counsel, says Doug Carmichael, accounting professor at Baruch College and a former chief auditor at the PCAOB. “Auditors are supposed to consider the qualitative effects,” he says. “What could happen in the future in the way of a liability? Loss contingencies have to be disclosed if there’s more than a remote possibility it could result in a loss.”

Section 10A of the Securities Exchange Act of 1934 also directs auditors in much the same way. The standards even give auditors a required pathway of reporting the activity to management and responding to any failure on management’s part to take remedial action. It goes so far as to instruct the auditor on reporting to the audit committee and/or the full board, issuing an adverse opinion, resigning the engagement, and/or reporting the activity to the SEC, as necessary.

There’s a snag in all of that analysis, however. It presumes the creation of accounts without customer authorization is “illegal.” The CFPB called it “illegal” in its enforcement action, but that in itself could be a matter for legal debate.

Beyond the examination of possible illegal acts and the potential materiality of it, there are additional standards on information auditors are required to report to the audit committee and on evaluating audit results, including the effect of uncorrected misstatements.

Larry Rittenberg, an accounting professor at the University of Wisconsin and former chairman of the Committee of Sponsoring Organizations, says it’s pretty clear in applying hindsight that Wells Fargo had a serious failure in its control environment due to a cultural problem. He wonders if that should have flagged some kind of audit action given auditors’ duty to consider controls in the context of an internal control framework, like the one promulgated by COSO.

“The control environment was not good,” Rittenberg says about Wells Fargo. “The culture was not good. The incentives seemed to be dysfunctional, and that led to a huge impact on the market value of the stock. We report on internal control over financial reporting, and part of that is an assessment of the control environment. The focus auditors want to take is whether or not that is material to financial statements.”

On the horizon

Only a forensic investigation of the interaction between Wells Fargo and KPMG will ultimately shed light on whether auditors turned over every stone and considered every angle with investors’ interests in mind.

If KPMG followed all professional standards and its audit conclusions are found to be sound, that’s the kind of outcome that leaves investors unsatisfied. What’s missing in auditing and financial reporting standards that allows such a lapse in governance to occur?

There is an auditing standard on the horizon that could conceivably serve as the net when instances like that at Wells Fargo fall through the cracks left by current standards. It is awaiting approval by the SEC before it can go into effect.

The PCAOB developed over several years a controversial standard that requires auditors to disclose “critical audit matters” (CAMs) in their audit reports. CAMs are matters that have been or should have been communicated to the audit committee; they relate to accounts or disclosures that are material to financial statements and that involved especially challenging, subjective, or complex auditor judgment.

It’s difficult to know, based on publicly available information, whether the creation of false accounts would be deemed by auditors to qualify for CAM disclosure. It’s not entirely clear whether KPMG discussed the matter with the audit committee, or should have, and that’s the first criteria for a CAM disclosure.

In his letter to the members of Senate who inquired, the PCAOB’s Doty said the board is taking a fresh look at its standards on how auditors should respond to the discovery of illegal acts. Still in the research phase, the project seeks to determine “whether there is a need to strengthen the board’s standards to provide better direction to auditors regarding their responsibilities with respect to illegal acts,” Doty said.

The American Institute of Certified Public Accountants is further down the pathway of updating its standard on “non-compliance with laws and regulations,” yet the proposal has touched a nerve. The legal implications for auditors outside securities laws are a little different, raising questions about when auditors can override confidentiality to blow the whistle on questionable activity.

On the internal audit side, the case certainly lends some support to a recent idea pushed by the Institute of Internal Auditors to performing audits on corporate culture. However, that’s not a statutory requirement by any means, and the idea didn’t gain a groundswell of support even when the IIA pitched it.

Given the pace at which the regulatory and litigation wheels turn in the United States, investors can expect to wait years before knowing what really happened inside the auditing black box at Wells Fargo.