fraud and corporate misconduct

Fraud and Corporate Misconduct

Case Studies and Analysis

Publication Date: May 2020

Fraud and Corporate Misconduct

Case Studies and Analysis

Copyright © 2020 by

DELTACPE LLC

All rights reserved. No part of this course may be reproduced in any form or by any means, without

permission in writing from the publisher.

The author is not engaged by this text or any accompanying lecture or electronic media in the

rendering of legal, tax, accounting, or similar professional services. While the legal, tax, and accounting

issues discussed in this material have been reviewed with sources believed to be reliable, concepts

discussed can be affected by changes in the law or in the interpretation of such laws since this text

was printed. For that reason, the accuracy and completeness of this information and the author's

opinions based thereon cannot be guaranteed. In addition, state or local tax laws and procedural rules

may have a material impact on the general discussion. As a result, the strategies suggested may not

be suitable for every individual. Before taking any action, all references and citations should be

checked and updated accordingly.

This publication is designed to provide accurate and authoritative information in regard to the subject

matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal,

accounting, or other professional service. If legal advice or other expert advice is required, the services

of a competent professional person should be sought.

—-From a Declaration of Principles jointly adopted by a committee of the American Bar Association

and a Committee of Publishers and Associations.

Course Description

A series of corporate misbehavior and scandals where employees, investors, and other stakeholders

suffered tremendous loss have made the world aware of the severity of fraud. While fraud varies in

sophistication, it can reach and impact every business, regardless of size, industry, or length of time in

business. Fraud is a common risk that cannot be ignored and tolerated. A recent study reveals that

organizations typically lose approximately 5% of revenues each year to fraud. Whether due to an

aggressive sales culture, lack of moral leadership, ineffective monitoring systems, or weak internal

controls, questions always beg “why did it happen?”, “why couldn’t it be prevented or detected by the

existing internal controls?”, and “where were the auditors and why didn’t they uncover the fraud?”

This course is designed to help professions better prepare for these questions by examining two

infamous corporate scandals: 1) The Retail Empire: Crazy Eddie, and 2) The King of Cross-Sell: Wells

Fargo. It details how Crazy Eddie applied various techniques to “cook the books” and deceive auditors.

It explains how Wells Fargo employees engaged different types of sales practice misconduct to meet

unrealistic sales targets. It also reviews the factors that led to the end of Crazy Eddie and Wells Fargo’s

widespread customer abuses. Moreover, it discusses lessons learned from both cases that can result

in improved audit processes. It identifies specific mistakes made by Crazy Eddie’s auditors and

discussed what the auditors should have done. It also describes how internal auditors can help prevent

the unethical practice from snowballing in Wells Fargo. Finally, it includes sample audit programs to

provide insights into both financial and corporate culture audits.

Field of Study Auditing Level of Knowledge Overview Prerequisite None Advanced Preparation None

Table Contents

Introduction ................................................................................................... 1

Learning Objectives ........................................................................................ 2

Case 1: Confessions of A Fraudster ................................................................. 3

I. The Masterminds Behind the Craziness .................................................... 3

1. The Rise and Fall of a Retail Empire ................................................................................... 3

2. The Toxic and Close-Knit Culture ....................................................................................... 7

3. The Deceptive Accounting Practice .................................................................................... 8

Artificial Company Growth ............................................................................................................................. 8

False Asset Valuation ................................................................................................................................... 13

Concealed Liabilities ..................................................................................................................................... 13

Attempts to Mislead the Auditors ............................................................................................................... 14

Review Questions - Section 1 ...................................................................................................16

II. Learning from the Scandal ................................................................... 17

1. How to Diagnose the Fraud Symptoms .............................................................................17

Recognize the Warning Signs ....................................................................................................................... 17

Examine the Major Red Flags ....................................................................................................................... 19

2. Where the Audit Went Wrong ..........................................................................................24

3. What the Auditors Should Have Done...............................................................................26

Exercising Professional Skepticism ............................................................................................................... 26

Identifying and Assessing Fraud Risk ........................................................................................................... 27

Obtaining Sufficient Appropriate Audit Evidence ........................................................................................ 32

Performing Analytical Procedures ............................................................................................................... 33

Other Considerations ................................................................................................................................... 34


Case 2: The King of Cross-Sell ........................................................................ 45

I. Examining the Company and Its Environment ......................................... 45

1. Behind the Impressive Performance .................................................................................45

Corporate Profile .......................................................................................................................................... 45

Widespread Illegal Conduct ......................................................................................................................... 47

2. Overview of Federal Regulations ......................................................................................50

The Financial Regulatory Framework ........................................................................................................... 50

The Role of Major Regulators ...................................................................................................................... 53

3. The Pressure-Cooker Environment ...................................................................................61


II. Analyzing the Fake-Account Scandal .................................................... 66

1. A Violation of Public Trust and Confidence .......................................................................66

Consumer Abuses: Deceptive and Abusive Acts .......................................................................................... 66

The Race to Eight: A Misleading Performance Matric ................................................................................. 68

Reckless Behavior: Deficiencies in Oversight of Sales Practices .................................................................. 70

2. The Price of Deceitful Behavior .........................................................................................72

Penalties and Fines ...................................................................................................................................... 72

The Damage to Brand and Reputation ......................................................................................................... 73

Other Regulatory Related Matters ............................................................................................................... 75


III. Learning from the Scandal ................................................................... 79

1. Why the Improper Sales Practices Happened ....................................................................79

The Toxic Sales Culture ................................................................................................................................ 79

Leadership Failure ........................................................................................................................................ 82

Aggressive Incentive Compensation Plan .................................................................................................... 86

Theory of Fraudulent Behavior .................................................................................................................... 90


2. How Internal Auditors Can Help Prevent Misconduct from Snowballing ............................98

Why Corporate Culture Should Be Audited? ............................................................................................... 98

What and How to Measure Culture? ......................................................................................................... 103

Review Questions - Section 4 ................................................................................................. 125

Review Question Answers .......................................................................... 127

Case 1: Review Questions ........................................................................... 127

Section 1 ............................................................................................................................... 127

Section 2 ............................................................................................................................... 129

Case 2: Review Questions ........................................................................... 132

Section 1 ............................................................................................................................... 132

Section 2 ............................................................................................................................... 134

Section 3 ............................................................................................................................... 136

Section 4 ............................................................................................................................... 138

Glossary ...................................................................................................... 141

Index .......................................................................................................... 142

1

Introduction This course is divided into two parts (two cases):

Case 1: Confession of a Fraudster

The Crazy Eddie fraud, lasting from 1969 to 1987, was one of the longest running scandals in modern

times. The case may seem smaller than the high-profile accounting scandals exposed in recent years.

However, a variety of deceptive methods (e.g., skimming money, inflating inventory and sales

numbers, and swindling investors) demonstrate how easily rationalized unethical practices can

escalate into complex conspiracies and damaging schemes.

The content of Case 1 includes:

I. The Masterminds Behind the Craziness

1. The Rise and Fall of a Retail Empire

2. The Toxic and Close-Knit Culture

3. The Deceptive Accounting Practice

II. Learning from the Scandal

1. How to Diagnose the Fraud Symptoms

2. Where the Audit Went Wrong

3. What the Auditors Should Have Done

Case 2: The King of Cross-Sell

Wells Fargo had a systemic sales practices misconduct problem from the early 2000’s. The distortion

of the bank’s sales culture, which, when combined with aggressive sales management, led to a series

of unsound sales practices. The scandal exposed a world of corporate misconduct from unethical

culture, deceptive business practices, to misaligned priorities. As more attention has been paid to

corporate culture and the impact that it has on organizational performance, the accounting

professionals have now entered the corporate culture game.

The content of Case 2 includes:

I. Examining the Company and Its Environment

1. Behind the Impressive Performance

2. Overview of Federal Regulations

3. The Pressure-Cooker Environment

II. Analyzing the Fake-Account Scandal

1. A Violation of Public Trust and Confidence

2

2. The Price of Deceitful Behavior

III. Learning from the Scandal

1. Why the Improper Sales Practices Happened

2. How Internal Auditors Can Help Prevent Misconduct from Snowballing

Learning Objectives After completing this course, you will be able to:

1. Recognize techniques used to manipulate earnings

2. Identify the red flags missed and audit mistakes made

3. Recognize the characteristics of financial statement fraud

4. Recognize the role of auditors in detecting financial statement fraud

5. Identify common fraudulent activities and misconduct

6. Identify the factors that led to Wells Fargo’s widespread customer abuses

7. Recognize how pressure, opportunity, and rationalization facilitate fraudulent activity

8. Cite the importance of and needs for corporate culture audits

9. Recognize the role of internal auditors in auditing corporate culture

10. Identify audit procedures and considerations for corporate culture

3

Case 1: Confessions of A Fraudster This case study draws primarily, and in some instances quotes verbatim, from the confessions of Sam

E. Antar. Additional details are sourced from Crazy Eddie, Inc. Annual Reports, various research papers

and news articles. The case study is intended to be used as a resource for management and accounting

professions of all sizes, so that they may learn from it.

I. The Masterminds Behind the Craziness

1. The Rise and Fall of a Retail Empire

“We committed our crimes at Crazy Eddie for fun and profit and simply because we could. We had no

empathy whatsoever for our victims. During my 16 years at Crazy Eddie and two years spent covering

up our crimes after being terminated from the company, I never had a single conversation with any of

my co-conspirators about morality or the suffering of our victims. Our conversations focused solely on

the successful coldblooded execution of our crimes.”

Sam E. Antar, Former CFO of Crazy Eddie, Inc.

Industry Consumer electronics

Founded Brooklyn, New York in 1969

Status Bankrupt in 1989

The Auditors 1976 - 1983: Penn & Horowitz

1984 - 1986: Main Hurdman

1987: Peat Marwick (Main Hurdman merged with Peat Marwick).

Today Peat Marwick is part of KPMG

Dollar Loss1 Between $500 million and $600 million, in a combination of

investor losses plus the money skimmed from the company

Key Players Eddie Antar, co-founder, president, and CEO

Sam M. Antar, co-founder

Sam E. Antar, CFO

Crazy Eddie, Inc. (Crazy Eddie) was a leading chain of electronics stores based in New York in the late

1970s and 80s, fueled by its popular TV and radio commercials. It also successfully built up customer

loyalty by circumventing fair trade laws and offering deep discounts on popular electronic products.

1 Data on dollar loss are from "Criminal minds”, Journal of Accountancy, with values accessed on January 8, 2020.

4

At its peak, Crazy Eddie had 43 stores in four states and reported more than $300 million in sales2. As

the chain grew, so did Crazy Eddie’s propensity for fraud.

Crazy Eddie went public with cooked books and overpriced stock in 1984, at $8 a share. Within two

years, its stock price hit $79 per share3. However, success was deceptive. Crazy Eddie’s long-lasting

financial statement fraud was not discovered until 1987. The management, Eddie Antar, co-founder,

president and CEO, Sam M. Antar, co-founder, and Sam E. Antar, CFO, orchestrated major frauds by

engaging in a series of deceptive practices for years including cash skimming, falsification of inventory

counts, and the inflation of sales figures of certain stores.

Lesson Note: Consumer electronics retailers were subject to fair trade laws until 1972. Fair trade laws

prohibited retailers from selling products below the suggested retail price. In other words,

manufacturers could insist on one standard retail price for all retailers.

In February 1987, the U.S. Attorney's Office for the District of New Jersey commenced a federal grand

jury investigation into the financial activities of Crazy Eddie. In September 1987, the Securities and

Exchange Commission (SEC) initiated an investigation into alleged violations of federal securities laws

(e.g. insider trading) by certain Crazy Eddie officers and employees. According to the SEC, they

artificially and fraudulently inflated the price of the stock, and then sold their substantial stockholdings

to an unwitting public, while profiting in excess of $20 million.

Crazy Eddie’s 1988 Annual Report included the following message for the shareholders of Crazy Eddie):

“In November 1987, new management commenced an extensive review of the company’s assets and

operations. This review disclosed a shortfall in inventory on hand of approximately $65 million from

recorded book inventory and substantial understatement of accounts payable…New management

believes that portions of the company’s financial statements for periods which include periods prior to

November 6, 1987 are inaccurate and may not be relied upon.”

Eddie Antar (Eddie) fled to Israel as investigators closed in, and was extradited to stand trial in the U.S.

He was sentenced to 12-and-a-half years in prison for his series of crimes. His conviction on fraud

charges was overturned in 1995 on the ground that the trial judge's remarks during sentencing created

an appearance of bias. In 1996, Eddie pleaded guilty to racketeering conspiracy instead of facing retrial.

According to the court document, he admitted the following:

2 Data on Crazy Eddie stores are from "Eddie Antar, "Crazy Eddie" Electronics Store Founder, Dead At 68”, Gothamist, with values accessed on January 8, 2020. 3 Data on the stock prices are from "Eddie Antar, Retailer and Felon Who Created Crazy Eddie, Dies at 68”, The New York Times, with values accessed on January 8, 2020.

5

1. Prior to Crazy Eddie's IPO in September 1984 and continuing up to 1987, he and other members

carried out various schemes to falsify the books and records of Crazy Eddie to make the

company's financial performance appear stronger than it actually was.

2. In 1985, he caused the value of the inventory of Crazy Eddie reported to the auditors to be

falsely overstated by approximately $2 million.

3. He caused the inventory counts to be artificially inflated by the falsification of count sheets or

inventory tickets when Crazy Eddie took a physical inventory at the end of its fiscal year on

March 2, 1986, thereby overstating the inventory by approximately $10 million.

4. Just before year-end 1986, he caused approximately $2 million from outside sources to be

deposited into Crazy Eddie's bank accounts in such a way that the money would be booked as

proceeds of retail sales.

5. He caused an infusion of approximately $2 million into bank accounts of Crazy Eddie

comparable stores to inflate the reported sales in those stores.

6. At the end of fiscal year 1987, when Crazy Eddie took a physical inventory, he caused the

inventory counts to be artificially inflated by the falsification of count sheets, thereby

overstating the inventory by millions of dollars.

7. His primary purpose in perpetrating these fraudulent schemes was to increase the price of

Crazy Eddie stock to public investors.

8. He urged Crazy Eddie employees to destroy business records to conceal the falsification of the

company's business records from the SEC and others.

Eddie was sentenced to eight years and served over six years in prison. He died in 2016, at the age of

68. About $120 million was later recovered in offshore accounts (secret bank accounts in Israel and

around the globe).

To avoid prosecution, Sam E. Antar (Sam) made a deal with the U.S. Attorney. He testified against

Eddie Antar (cousin and boss), and other family members. Sam plead guilty to charges of securities

and mail fraud conspiracy and obstruction of justice. He spent six months under house arrest and 1,200

hours of community service. Today, Sam, a forensic accountant, serves as a consultant to law

enforcement agencies (FBI, SEC, Treasury, Department of Defense) on the issue of white-collar crime.

His other clients include corporations, law firms, accounting firms, hedge funds, and other

organizations.

6

Exhibit A: The Mind of a Former White-Collar Criminal

The following conversations with Sam were extracted from Worth, “Why the CFO of a Famously

Corrupt Company from the 1980s is Working for the Government”, accessed on January 22, 2020.

What happened when you graduated from college?

Eddie had this plan to take the company public one day. And I said, “Eddie, if you’re going to go public,

you’re not showing any profits, and public companies are valued at how much money they make. If

you want to go public, we have to gradually reduce our skimming to zero.”

So now you’ve got the FBI on your tail. Because you’re the CFO.

Right. So in March of 1989 I made a deal and I started negotiating with the feds. Now, when they first

investigated the Crazy Eddie fraud, they only knew the securities fraud—from 1984 to 1987 when we

were inflating the income. They didn’t know about the Panama pump, they didn’t know about the

skimming before we went public or the gradual reduction of skimming. I added a whole new dimension

to the case. And the feds were fascinated by this young guy who knows all of these sophisticated

financial crimes. And they took a liking to me. So of course, I ended working with the feds, and

eventually, Eddie got prosecuted and went to jail.

How did your relationship with the FBI evolve?

They took me under their wing. I was like an orphaned child from the Antar family. It transcended into

a long-term relationship. They started recommended me for work. It helped put me on the right track.

Why do you think the government is less aggressive today than it was in the ’80s?

White-collar crime requires a lot of resources. It requires a long timeframe to investigate. Everybody

thinks that white-collar investigation is like a two-hour movie. It’s not. It’s a two- to four-year

investigation, which might or might not bear fruit. And most of these people that are working in these

positions in the government aren’t going to be there for two to four years.

7

2. The Toxic and Close-Knit Culture

“... this was not a big public corporation where there was a bureaucracy with checks and balances. It

was a close-knit control, Eddie and his father. If they wanted to circumvent procedures and this is

how they wanted, that is how things were done. No questions asked."


Eddie, a high school dropout, started selling televisions from a small stand at the Port Authority,

grabbing attention by talking fast and eventually wearing customers down. Sam described Eddie as “a

charismatic leader who inspired intense loyalty from his family and employees.” Like any effective

leader, Eddie understood the psychology of people, their needs, desires, and weakness. Sam recalled

that Eddie often said, "People live on hope." He also described that “top management exploited the

hopes and dreams of their victims in the pursuit of money and power.”

Eddie grew a single store in Brooklyn into a retail empire; 43 stores at four states at its height. Due to

his aggressive sale tactics, wild promises of low prices, and frantic television advertising, Eddie became

known as "Crazy Eddie". For example, Eddie would follow customers out of the store to talk them into

deals. Eddie’s salespeople learned from him quickly and used high-pressure sales tactics like bait and

switch, a common deceptive sales practice used in retail sales (e.g. electronic and computer stores,

and car retailers).

Prospective customers are “baited” by the low bargain price of advertised products or services into

the store. When customers attempt to buy the product, they find out that the product is not available.

The idea is that since customers are already in the store, the seller can “switch” the product with

higher-priced items and pressure the customers into buying it. For example, the first salesperson

attempted to sell the customer a more expensive product (the “switch”) by recommending an

alternative, which was a higher margin product but a bad deal for the customer. A second salesperson

took over the customer in an effort to close a deal if the first salesperson could not convince the

customer to purchase the “switch” product. A third salesperson, the "nail at door" person, made the

final effort if the second salesperson failed. Crazy Eddie sometimes repackaged used (e.g. previously

returned) or defective/damaged merchandise as brand new products to resell to unsuspecting

customers.

Lesson Note: Bait and switch advertising, a violation of consumer laws as false advertisement, is illegal.

The consumer can sue for false advertising. Manufacturers or distributors of the product or service

used as bait can also sue the seller for trademark infringement based on the fact that the seller uses

trademarked images in their advertisements with no intention to sell them. However, sellers have not

committed a crime by talking consumers into buying something else as long as the original deal (bait)

is available. Moreover, sellers are not liable if they mention in their advertisements that the products

have limited quantities.

8

According to Sam, the culture of tax evasion was prevalent from the onset at Crazy Eddie. For example,

to avoid paying income and sales taxes, cash proceeds of sales were not recorded on the books and

reported to the government. Instead, it was used for the company’s off-the-books payroll or personal

use as discussed in the next section. This arrangement worked for everyone since employees paid off

the books did not pay income taxes or social security taxes.

Sam also mentioned that to ensure that their crimes went undetected and unreported, Eddie skillfully

established a tightly knit, loyal, company culture. In the early years, to work for the company, the

employee was required to be a relative, a friend of the family, or a friend of a friend of the family. This

demonstrated his inability to trust anyone outside his large extended family. According to Sam, there

were no so-called "employees." Rather, they were "Crazy Eddie people." There was no need to “punch

clocks”. The employee review process did not exist as everyone working at Crazy Eddie was considered

part of the extended family.

3. The Deceptive Accounting Practice

“I am a convicted felon and a former CPA. As the criminal CFO of Crazy Eddie, I helped my cousin

Eddie Antar and other members of his family mastermind one of the largest securities frauds

uncovered during the 1980s. I committed my crimes in cold-blood for fun and profit, and simply

because I could.”


Artificial Company Growth

Before going public, Crazy Eddie’s management already engaged in various fraudulent activities. For

example, the company routinely understated its income to avoid taxes by skimming the profits from

cash-paying customers and paying employees under the table. Eddie, motived by greed, decided to

take the company public and plan to dump huge amounts of stock at inflated prices on investors. Thus,

management carried out multiple methods of deceit to inflate the company’s earnings. This section

details how Crazy Eddie conspired to create fictitious earnings growth, escalating from tax evasion to

money laundering.

Cash Skimming

“We did not want to support the government with our tax dollars.

It did not deserve our hard-earned money.”


Skimming, an “off-book” fraud, is a popular scheme for tax evasion. For example, to avoid the tax

9

liability, a company intentionally failed to record a transaction in the accounting system and pocked

the cash without reporting the sale taxes and profits. Before Crazy Eddie was a public company, the

Antar family underreported earnings to avoid paying income and sales taxes between 1969 and 1979.

When there was a cash payment, the company not only stole the sales taxes (collected but never

remitted) but also underreported about an 8% profit according to Sam. Some of the cash skimming

was used to pay employees "off the books" to avoid paying full payroll taxes. For example, managers

were paid minimal salary by check and the balance in cash. Other use of the money included lifestyle

improvement for family members. Much of the money was secretly deposited to accounts at the Bank

of Leumi through frequent trips of family members to Israel. Eddie testified that he was skimming

between $5,000 and $10,000 per week in 1974. The Antar family skimmed an estimated $3 to $4

million per year at the height of their fraud.

Gradual Reduction in Skimming

“We needed to report a higher profit before getting a higher public valuation. So from 1980 to 1984,

when we went public, that was my job. You legitimize the business in order to commit bigger fraud.”


Crazy Eddie decided to go public around 1980. The company carried out more large-scale frauds to get

a “bigger bang for the buck by inflating earnings as a public company” according to Sam. For example,

all skimming activities were phased out prior to the initial public offering (IPO) in order to falsify a

drastic increase in the company’s growth. Crazy Eddie gradually skimmed less money each year, from

approximately $3 million per year in 1980 to nearly zero in 1984. In other words, the company gave

the appearance of rapid growth by reporting sales which had previously been kept off the books.

Lesson Note: The majority of financial statement frauds and audit failures have traditionally involved

revenue manipulation and misrepresentation.

The Crazy Eddie’s actual trend line would have demonstrated a stable business rather than one with a

rapid growth trend. However, an average investor would have been less likely to invest in the company

had the cash skimming been reported. The following table demonstrates how Crazy Eddie manipulated

the earnings by gradually reducing the cash skimming.

Effect of Gradual Reduction in Skimming on the Overall Growth

FY Ended 05/31/80

FY Ended 05/31/81

FY Ended 05/31/82

FY Ended 05/31/83

FY Ended 05/31/84

A. Reported Income $ 1,709,000 $ 2,273,000 $ 3,404,000 $ 4,637,000 $ 7,975,000

B. Skimming, Net of Cash Used to Pay Certain Expenses Such as Payroll $ 3,000,000 $ 2,500,000 $ 1,500,000 $ 750,000 $ -

C. Actual Income (A+B) $ 4,709,000 $ 4,773,000 $ 4,904,000 $ 5,387,000 $ 7,975,000

Reported Growth (artificial increase via reduction in skimming) 33.0% 49.8% 36.2% 72.0%

Actual Growth (without skimming) 1.4% 2.7% 9.8% 48.0% Note: A and C were income computed before pension contribution and income taxes.

Source: Sam Antar, “Crazy Eddie’s Two Sets of Books”, Whitecollarfraud.com.

10

In the retail industry, analysts often compare individual store performance with prior period data as

well as other stores of the chain. The higher the growth, the better. The following table further

demonstrates how the gradual reduction in skimming created a rosy picture of the individual store

performance.

Effect of Gradual Reduction in Skimming on Average Store Performance

FY Ended 05/31/80

FY Ended 05/31/81

FY Ended 05/31/82

FY Ended 05/31/83

FY Ended 05/31/84

Average Number of Stores Open During Period 7.77 9.22 10.30 11.27 12.91

Reported Income Per Average Number of Stores $ 219,975 $ 246,600 $ 330,610 $ 411,522 $ 617,738

Actual Income Per Average Number of Stores $ 606,122 $ 517,828 $ 476,296 $ 478,083 $ 617,738

Reported Growth (artificial increase via reduction in skimming) 12.1% 34.1% 24.5% 50.1%

Actual Growth (without skimming) -14.6% -8.0% 0.4% 29.2% Note: Average number of stores opened during the period takes into account new store openings and store closings during the year and the average number of days that stores were operating during the year.


33.00%

49.80%

36.20%

72.00%

1.40% 2.70%9.80%

48.00%

FY 81 FY 82 FY 83 FY 84


Reported Growth (artificial increase via reduction in skimming)

Actual Growth (without skimming)

11

Crazy Eddie had shown consistent growth over the years, from 12.1% to 50.1% resulting from the

reduction in skimming. Moreover, it experienced rapid growth between 1980 and 1984 (180.8%). In

reality, the company only grew from $606,122 per store in 1980 to $617,738 in 1984 (1.9%), it hardly

grew at all. As a result of the cash skimming, however, Crazy Eddie's reported income figures were

materially false and misleading.


FY Ended 05/31/80

FY Ended 05/31/84

Reported Income Per Average Number of Stores $ 219,975 $ 617,738

Actual Income Per Average Number of Stores $ 606,122 $ 617,738

Reported Growth (artificial increase via reduction in skimming) 180.8%

Actual Growth (without skimming) 1.9%


Since Crazy Eddie gradually lessened its skimming, it could no longer pay the employees off the books.

As a result, the employees’ entire wages were subject to payroll tax and income tax. To make up for

the loss of off-the-books compensation, Crazy Eddie “grossed up” their employees' total check

compensation. For example, a store manager had previously been paid $40,000 in cash (off the books),

and $10,000 in check. He would have take-home pay around $48,500 (40,000 cash plus 10,000 less

payroll and income taxes which is about 1,500). The company increased the store manager’s salary to

$65,000 (in check) to keep his take-home pay at a similar level.

12.10%

34.10%

24.50%

50.10%

-14.60%-8.00%

0.40%

29.20%

FY 81 FY 82 FY 83 FY 84


Reported Growth (artificial increase via reduction in skimming)

Actual Growth (without skimming)

12

Money Laundering

“Most kids, they learn how to wash their clothing and use a washer/dryer. I learned how to launder

money. College gave me the tools to help me help the company commit more sophisticated crimes.”


Money laundering is the process of disguising illegally obtained money through elaborate financial

transactions often involving foreign banks and legitimate businesses. To conceal the origins of money,

fraudsters usually take the following stages:

1. Placement: Involves putting illegitimate funds (dirty money) into the legitimate financial

system, such as a bank account, which makes the transfer and manipulation of the money

easier.

2. Layering: Carries out a series of transactions and accounting tricks (creating confusion) to

conceal the source of the fund (e.g., using foreign bank accounts, creating shell companies,

buying and selling assets).

3. Integration: Refers to re-introducing the fund into the legitimate economy such as the banking

system so that the fund appears to be normal business earnings,

One of Crazy Eddie’s major schemes was a money-laundering operation. After going public, to meet

analyst sales expectations (about $2.2 million) and maintain an impressive growth, the company

transferred the previously skimmed money ($1.5 million) from the secret offshore account in Bank of

Leumi Israel to Panama branch into “Aeronautics Traders Corporation” as a fake customer. This is also

known as the “Panama Pump”. The money eventually was deposited in the company’s bank accounts

and recorded on its books as sales proceeds (fictitious revenues) in 1986. This allowed Crazy Eddie to

sell stocks at inflated prices by overstating its revenue. The following diagram shows how the scheme

worked.

Dirty Money Skimmed Funds

from Tax Evasion

Placement

Bank of Leumi

Layering

Panama Bank

Integration

Crazy Eddie Sales Proceeds

13

False Asset Valuation

“My family put me through college to help them commit more sophisticated fraud in the future. I was

trained to be a criminal. People have a certain idea of Crazy Eddie. In reality, it was a dark criminal

enterprise."


To falsely strengthen a company’s financial performance, management often exaggerates the value of

assets through the manipulation of the accounts receivable, fixed assets, inventory, and business

combinations. In this case, to ensure that earnings for the quarter would be favorable, Sam and Eddie

planned the three-pronged scheme by inflating the inventories in the stores, warehouse, and the

returns department. For example, the store inventory inflation scheme was carried out by the store

managers who altered the count sheets to falsify the merchandise quantities. Sam testified that the

employees volunteered to help the auditors during the inventory counts in the warehouse. They

climbed over big stacks of boxes to count the items to provide the auditors with the inflated numbers.

Then, the auditors recorded the falsified count accordingly. Moreover, the auditors did not take the

copies of inventory counts for the entire store when leaving the sites. Instead, they only took the test

count samples. Thus, Sam easily manipulated (inflated) the inventory counts in these stores that were

not part of the audit test counts. Sam confessed that the company overstated store inventories by $2

to $4 million in 1986. In 1987, they became more aggressive and overstated store inventories by $15

to $20 million.

Lesson Note: The gross profit and net income are overstated as a result of overstating inventory since

not enough of the cost of goods available is being charged to the cost of goods sold.

Concealed Liabilities

“I simply changed two words in the footnotes of our disclosure regarding the treatment of trade

discounts and allowances to being recognized “when earned” rather than “when received”……. I had

discussed this change with the auditors but there was no accounting change adjustment as required

under generally accepted accounting principles (GAAP).”


A debit memo, commonly called a “reep”, allows Crazy Eddie to return merchandise and offset against

amounts owed to the vendor. According to Sam, prior to 1987, the company did not recognize these

purchase discounts and trade allowances until vendors issued a credit memo to acknowledge

“chargebacks” or “offsets” to accounts payable. Its policy was disclosed in the footnotes as:

"Purchase discounts and trade allowances are recognized when received."

14

Starting in 1987, instead of waiting to receive a credit memo, Crazy Eddie recognized these purchase

discounts and trade allowances when it received a debit memo. Thus, its accounts payable

immediately was reduced by the credit upon the issuance of a debit memo. Its policy was disclosed in

the footnotes as:

"Purchase discounts and trade allowances are recognized when earned."

This change in accounting principle allowed the Antar family to create $20 million in phony debit

memos to claim fictitious purchase discounts and trade allowances that reduced the amount of

accounts payable. Although Sam included the new policy in the financial statements and discussed the

change with the auditors, no prior-year comparison of its impact was provided as required by ASC 250

Accounting Changes and Error Corrections. The auditor should have added an explanatory paragraph

or a modification of wording for a lack of consistent application of GAAP.

Lesson Note: According to the court document, the complaints allege that the Peat Marwick partner

knew about the overstated debit memos and failed to examine them. Moreover, Peat Marwick failed

to indicate that the accounts payable in 1987 were not reported in a manner consistent with the

reporting of accounts payable in 1986, in violation of the GAAP.

Crazy Eddie also pressured its vendor, Wren Distributors, to ship merchandise before year-end and

hold the billing until after the auditors completed the year-end audit. Therefore, the company was

able to understate its accounts payable and include the merchandise in the year-end inventory count.

Attempts to Mislead the Auditors

“We always appeared to be cooperative with the auditors. However, from the day the auditors set

forth on Crazy Eddie premises until the day the audit was completed, we did our best to distract them

from their fieldwork.”


Opportunities to commit fraud often occurs because the fraudster knows what, when, and how much

the auditor will do. For example, if the fraudster expects that the auditor always tests only large

transactions from June, the fraudster can commit the fraud on small transactions in other months. The

fraudster may form a cozy relationship with the auditors attempting to distract them from scheduled

work or prevent them from conducting an effective audit.

The Antar family paid for Sam’s accounting degree so that his skills and knowledge could help them

carry out more sophisticated schemes. Between 1981 and 1984, Sam worked for Penn & Horowitz,

Crazy Eddie’s accounting firm, to not only meet the CPA license requirements but also to learn how to

stay ahead of the audit. For example, Sam made sure that the auditors did not have enough time to

properly complete its audit fieldwork and appropriately examine the company’s books and records.

15

According to Sam, he intentionally had female employees to distract the auditors from their tasks by

engaging in small talk. He also constantly invited them out for coffee and lunch. Audit issues were

often discussed over lunch and dinner on Crazy Eddie’s tab. The auditors often ran out of time to

perform key procedures (e.g. testing of internal controls, cut-off tests) and rushed to complete the

audit. Finally, Sam established a close relationship with the auditors. The close relationship definitely

clouded the auditors’ judgment and professional skepticism. For example, when the audit partner

questioned Sam about the unusual increased inventories at the store level, Sam convinced him to sign

off on the audit without a re-count of inventories, even though major tests were not completed yet.

Sam stated that “Regarding both the small and large accounting firms, as criminals taking advantage

of human nature, we believed our largess made them (auditors) less likely to ask the tough questions.”

16

Review Questions - Section 1

1. Crazy Eddie salespeople used which of the following sales tactics to lure customers into its

stores?

A. Premium pricing

B. Scarcity marketing

C. Bait and switch

D. Side agreements

2. To artificially inflate the company’s profit, Sam Antar committed all of the following fraud

schemes EXCEPT:

A. Gradual reduction in cash skimming

B. Inflation of inventory through the inclusion of fictitious inventory

C. Improper capitalization of expenses as fixed assets

D. Understating payables through manipulation of purchase discounts

3. Which of the following techniques is often used for tax evasion?

A. Check tampering

B. Skimming money

C. Procurement fraud

D. Billing scheme

4. What is the process of disguising illegally obtained money through elaborate financial

transactions often involving foreign banks and legitimate businesses?

A. False claims

B. Business email compromise

C. Money laundering

D. Contractor fraud

5. What are the stages of money laundering?

A. Placement -> Layering -> Integration

B. Integration -> Layering -> Placement

C. Layering -> Placement -> Integration

D. Placement -> Integration -> Layering

17

II. Learning from the Scandal

1. How to Diagnose the Fraud Symptoms

Recognize the Warning Signs

Fraudsters often display certain behaviors or characteristics that may suggest red flags. To detect

fraud, the auditors must understand and recognize red flags and fraud symptoms and pursue them

until they obtain evidence that proves fraud is or is not occurring. The American Institute of Certified

Public Accountants (AICPA) identifies the following symptoms of financial statement fraud:

1. A company has a culture of arrogance fostering an atmosphere in which bad behavior can

flourish. It leads people to believe that they can handle increasingly greater risk without

encountering any danger. Thus, this type of culture usually encourages employees taking

excessively high risks and applying aggressive accounting methods to meet targeted plans.

2. A highly domineering senior management accompanied by either an ineffective board of

directors or by compensation tied to reported performance.

3. Deterioration of earnings quality, as evidenced by a decline in sales volume or quality or by

excessive interest of senior management in the effect of accounting alternatives on earnings

per share.

4. Business conditions that may create unusual pressures, such as inadequate working capital,

major investment in a volatile industry, and debt restrictions with little flexibility (e.g., required

working capital ratios and limitations on additional borrowings).

Nearly all members of the extended Antar clan worked for the company, dominated by Eddie. The

Antar clan ruled Crazy Eddie. All key positions were filled by relatives and friends as shown in the

following table. As Sam described, “It was us against them - "Them" being customers, the government,

insurance companies, the auditors, and everyone else who did not serve the company's interests.”

Although the collusion of key personnel made it challenging for the auditors to detect the fraud. A risk

assessment would have helped the auditors identify a risk with many family members employed at

the company.

Officers Board of Directors

Eddie Antar

Chairman of the Board President,

Chief Executive Officer

Sam Antar

Executive Vice President

Mitchell Antar

Executive Vice President Marketing

Eddie Antar

Chairman of the Board President,

Chief Executive Officer

Sam Antar

Executive Vice President

Mitchell Antar

Executive Vice President Marketing

18

David Pardo

Executive Vice President Purchasing

Mort Gindi

Vice President Operations

David V. Panoff

Vice President Consumer Service

Operations

Eddy Antar

Treasure

Sam E. Antar

Controller

Solomon E. Antar

Secretary and General Counsel

Eddy Antar

Treasurer

James H. Scott, Jr.*

Professor of Finance at Columbia

University

Carl G. Zimel*

Senior Vice President

Midland Bank and Trust Co.

*Audit Committee

Source: Crazy Eddie 1985 Annual Report

Exhibit B: Indicators of Financial Crime

Source: Adapted from “Investigative Methods in Forensic Accounting” by Tom O'Connor.

Unrealistic Performance Compensation Packages: The organization will rely almost exclusively

(and to the detriment of employee retention), on executive pay systems linked to the

organization's profit margins or share price.

Inadequate Board Oversight: There is no real involvement by the Board of Directors, Board

appointments are honorariums for the most part, and conflicts of interest, as well as nepotism

(the second cousin to corruption), are overlooked.

Unprofitable Offshore Operations: Foreign operation facilities that should be closed down are

kept barely functioning because this may be where top management fraudsters have used

bribes to secure a "safe haven" in the event of a need for swift exit.

Poor Segregation of Duties: The organization does not have sufficient controls on who has

budget authority, who can place requisitions, or who can take customer orders, and who settles

or reconciles these things when the expenses, invoices, or receipts come in.

Poor Computer Security: The organization doesn't seem to care about computer security, has

slack password controls, hasn't invested in antivirus, firewalls, IDS, log files, data warehousing,

data mining, or the budget and personnel assigned to internet security. Simultaneously, the

organization seems over-concerned with minor matters, like whether employees are

downloading music, chatting, playing games, or viewing porn.

19

Low Morale, High Staff Turnover, and Whistleblowers: Low morale and staff shortages go

hand-in-hand, employees feel overworked and underpaid, frequent turnover seems to occur in

key positions, and complaints take the form of whistleblowing.

Examine the Major Red Flags

Many symptoms of fraud at Crazy Eddie went unnoticed, or recognized symptoms were not vigorously

pursued. If symptoms were timely and properly addressed, many frauds could be detected earlier. This

section examines some red flags that the auditors allegedly failed to recognize and investigate.

Too Good to Be True

“If it sounds too good to be true, it probably is too good to be true”

Without the reduction in skimming, the company’s pro forma earnings increased from $4.7 million in

1980 to about $8.0 million in 1984, indicating that the company grew 69% in five years. To attract

investors by appearing very profitable and gaining high valuation, Crazy Eddie reported that the pro

forma earnings grew from $1.7 million in 1980 to about $8.0 million in 1984 (with a 367% increase) by

simply reducing its skimming to give the appearance that the company was rapidly growing. According

to the U.S. Commerce Department, the retail sales growth for October 2019 was 3.10%. Although the

data only indicated the current periods, 367% growth was a red flag of an artificially increased growth.


FY Ended 05/31/80

FY Ended 05/31/84

A. Reported Income $ 1,709,000 $ 7,975,000

B. Skimming, Net of Cash Used to Pay Certain Expenses Such as Payroll $ 3,000,000 $ -

C. Adjusted Income (A+B) $ 4,709,000 $ 7,975,000

Reported Growth (artificial increase via reduction in skimming) 367%

Adjusted Growth (without skimming) 69%

Source: Sam Antar, “Crazy Eddie’s Two Sets of Books”, Whitecollarfraud.com, accessed on January 8, 2020.

Moreover, for the three years prior to becoming a public company, the company’s reported income

increased between 33% and 50%. As it became public in 1984, Crazy Eddie grew at the rate between

72% and 96%. Its sales grew at a rate of approximately 25% between 1984 and 1985. In 1987, it

increased by 57% when its established competitors were experiencing periods of weak performance.

The growth should have raised concern, especially since the industry experienced a slowdown during

that time.

20

Unexplained Anomalies

“They (the auditors) did not want to believe we were crooks. They believed whatever we told them

without verifying the truth. You can steal more with a smile!”


Fraud, by its nature, is hidden. Unusual data in financial statements may or may not be indicative of

potential fraud. However, many schemes are detected simply because the numbers do not make sense

through financial analysis. This section discusses several anomalies missed by the auditors.

33.0%

49.8%

36.2%

72.0% 74.8%

95.9%

FY 81 FY 82 FY 83 FY 84 FY 85 FY 86

Crazy Eddie Reported Income GrowthFY 1981 to FY 1986

26.6% 24.4%

56.9%

FY 84 FY 85 FY 86

Crazy Eddie Sales GrowthFY 1984 to FY 1986

21

Unusually High Pay Raises

As discussed in “Gradual Reduction in Skimming”, since Crazy Eddie gradually reduced its skimming,

the company stopped paying its employees in cash. In an attempt to make up for the loss of the off-

the-books compensation, the company significantly increased more than 100 employees’ salaries in

the years prior to going public. According to Sam, employees who were previously paid with very low

wages considering their positions and responsibilities had received a salary increase in multiples of

three to as many as 20 times their previously reported salaries. For example, some employees who

had been paid only $5,000 per year were suddenly being paid $50,000 or more per year. Although

both accounting firms (Penn and Horowitz in 1980-83, and Main Hurdma in 1984) identified these

variances, the unusual salary increase was not properly addressed.

High Amount of Sales at Year-End

The funds from Panama were converted into $25,000, $50,000, $75,000, and $100,000 amounts and

deposited into store bank accounts a day after the fiscal year ended. Thus, it appeared that the

company had an increase of over 90% in comparable-store sales in the last two days of the fiscal year.

Sam stated that “Crazy Eddie’s average sales were about $300 per customer. The auditors did not

examine our bank deposits for unusual transactions in large dollar amounts, and these unusual

transactions weren't even backed up by false invoices.”

Significant Inventory Increase

Inventory drastically increased while accounts payable significantly reduced

Inventory grew at a faster pace than sales

Crazy Eddie’s accounts payable decreased from 1986 ($51 million) to 1987 ($50 million) for only 3%.

However, its inventory increased by 82% within the same period. The change was unusual since the

inventory and accounts payable should be correlated. The more inventory a company purchased

should reflect higher year-end accounts payable. Inventory balances growing significantly faster than

accounts payable may indicate possible signs of fraud (e.g. phantom inventory). The auditors should

further investigate the unusual trends.

Before the company went public, its inventory increased by about 21%. Since it became public, its

inventory drastically increased by 126% from 1985 to 1986, and by 82% from 1986 to 1987. If the

auditors had properly conducted the analytical procedures and followed up on the unexpected

discrepancies, the inventory fraud could have been detected.

FY 85 FY 86 FY 87

Accounts Payable $ 23,078,000 $ 51,723,000 $ 50,022,000 % Change 26.9% 124.1% -3.3% Inventory $ 26,543,000 $ 59,864,000 $ 109,072,000 % Change 20.8% 125.5% 82.2%

Source: Sam Antar, “Crazy Eddie Documents”, Whitecollarfraud.com, accessed on January 8, 2020.

22

Inventory turnover is a measure of the number of times that a company sells its average level of

inventory during the year. The ratio establishes the relationship between the volume of goods sold

and inventory. The inventory turnover for businesses in different industries and within industries can

vary widely. A grocery store may have an average turnover of 20, for all items. A furniture store would

normally have a much smaller turnover. The inventory turnover is computed as:

Cost of Goods Sold

Average Inventory

A high turnover indicates an ability to sell the inventory (better), while a low number shows an

inability. As the company’s sales increase, one expects that inventories would be turning over faster.

26.9%

124.1%

-3.3%20.8%

125.5%

82.2%

FY 85 FY 86 FY 87

Crazy Eddie Trend Analysis Accounts Payable vs. Inventory

FY 1985 to FY 1987

Accounts Payable Inventory

21.6% 20.8%

125.5%

82.2%

FY 84 FY 85 FY 86 FY 87

Crazy Eddie Inventory % Change FY 1984 to FY 1987

23

The days sales of inventory measures how many days it takes for inventory to turn into sales. It is

calculated as:

365

Inventory Turnover

A lower day’s sales of inventory is better since it would translate to fewer days needed to turn

inventory into cash. Since Crazy Eddie demonstrated its ability to grow, one expects that its days sales

of inventory would be reduced. However, the ratio showed that the age of inventories increased from

69 days to 81 days in 1987.

Finally, Crazy Eddie’s sales increased by 57% from 1985 to 1986 and by 34% from 1986 to 1987.

However, its inventory increased significantly faster than sales. Between 1985 and 1986, the inventory

increased by 126%. In general, inventory balances growing significantly faster than sales or cost of

goods sold may indicate obsolete, slow-moving merchandise or possible signs of fraud (e.g. overstated

inventory). The auditors should have further investigated the unusual trends.

FY 85 FY 86 FY 87

Sales $ 167,147,000 $ 262,268,000 $ 352,523,000 % Change 24.4% 56.9% 34.4% Inventory $ 26,543,000 $ 59,864,000 $ 109,072,000 % Change 20.8% 125.5% 82.2% Inventory turnover 5.2622 5.2618 4.4989 Average number of days inventory outstanding 69.3622 69.3668 81.1297

Source: Sam Antar, “Crazy Eddie Documents”, Whitecollarfraud.com, accessed on January 8, 2020.

24.4%56.9%

34.4%20.8%

125.5%

82.2%

FY 85 FY 86 FY 87

Crazy Eddie Trand Analysis Sales vs. Inventory FY 1985 to FY 1987

Sales Inventory

24

Changes in Accounting Policy

As discussed in “Concealed Liabilities”, Crazy Eddie changed its accounting policy for purchase

discounts and trade allowances to conceal $20 million in fictitious debit memos or chargebacks in

order to reduce the accounts payable. According to the court document, the complaints suggest that

any trained auditor would have detected the debit memo fraud, given the size of the scheme and the

inherent risk of fraud posed by the immediate recognition of debit memos. However, the Peat Marwick

partner willfully ignored unmistakable evidence of such fraud.

Pressure of Meeting Expectations

“Crazy Eddie’s high stock price was based on large increases in same store sales growth. We believed

that a failure to meet analysts’ projections would have substantially dropped the price of our stock.”


The attractiveness of a particular stock is primarily determined by a company's ability to generate

profit. Companies with poor earnings prospects will typically have lower share prices than those with

good prospects. Thus, the need to meet or exceed investor and analyst expectations can create

pressure to commit fraud. In this case, Crazy Eddie management deliberately manipulated the

company's earnings to achieve a designated growth level. According to the SEC, the most commonly

cited motivations for fraudulent financial reporting include:

The need to meet internal or external earnings expectations

An attempt to conceal the company’s deteriorating financial condition

The need to increase the stock price

The need to bolster financial performance for pending equity or debt financing

The desire to increase management compensation based on financial results

An attempt to cover up misappropriate assets

2. Where the Audit Went Wrong

“An “A/P status report” simply lists all invoices owed to vendors and offsetting debit memos.

Therefore, the debit memos were traced to a report listing the phony debit memos. Our auditors

simply traced the phony debit memos to the books and records that reflected them, but did not do

any follow-up work to confirm their validity.”


An audit ultimately aims at providing trust among its intended parties. It focuses on both the truth of

the records and the question of whether or not the statements were faithfully prepared from those

25

records. All companies that wish to access the U.S. capital markets must obtain an audit, and auditors

have a unique responsibility. Auditors, an independent guarantor of financial information, validate a

company’s transactions and verify the integrity of accounting entries (e.g. sales, expenses). Since

auditors work on behalf of investors and the public interest by providing an objective opinion on the

integrity of financial statements, they must follow auditing standards to form an opinion of whether

the financial statements are free of material misstatement, whether caused by error or fraud.

The auditors, for failure to detect Crazy Eddie’s large-scale fraud, were sued for malpractice. Apart

from failure to notice red flags, there were many fraudulent activities that the auditors should have

caught. Crazy Eddie inflated the inventory levels, falsified and altered documents, understated

accounts payable, and overstated sales. Sam bragged "Our fraud was never uncovered by auditors."

and identified the biggest mistakes of Crazy Eddie’s auditors:

Under-educated, underskilled, and under-experienced auditors

Lack of forensic accounting skills or background in fraud

Lack of understanding of the business operation environment

Failure to exercise due professional care and the appropriate level of professional skepticism

Inappropriate close relationship with the client

Allowing company personnel to have access to audit paperwork during the audit process

Inability to ask proper, tough and follow-up questions

Failure to secure audit paperwork

Failure to perform key audit procedures:

• Test of internal control procedures

• Deposits in transit at year-end

• Sales cut-off testing

• Age of accounts payable

• Inventory test count

• Inventory observations

Failure to perform all required analytical testing and investigate significant variances

26

3. What the Auditors Should Have Done

"The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about

whether the financial statements are free of material misstatement, whether caused by error or

fraud.”

PCAOB AS 1001: Responsibilities and Functions of the Independent Auditor

“PMM (Peat Marwick Main) had already signed off on Crazy Eddie’s audit on April 28, 1987, and the

young inexperienced auditor started his test work that same day.”


Exercising Professional Skepticism

“Since evidence is gathered and evaluated throughout the audit, professional skepticism should be

exercised throughout the audit process.”

PCAOB AS 1015: Due Professional Care in the Performance of Work

“the gullible auditors accepted our silly explanation that our employees had sacrificed many years

working at below-average wages for the opportunity to be part of what they hoped might become a

growing public company.”


Auditing standards require that appropriate professional skepticism be applied in the exercise of

professional judgment. Professional skepticism, a foundation of the auditing profession, is an attitude

that includes a questioning mind and a critical assessment of audit evidence. For example, instead of

blindly accepting what the client provides, the auditors should have a questioning mind throughout

the planning and performance of the audit. Professional skepticism includes a mindset in which the

auditors assume neither that management is dishonest nor of unquestioned honesty. Maintaining

professional skepticism throughout the audit is necessary if the auditor is, for example, to reduce the

risks of:

1. Failing to identify unusual circumstances/events/transactions

2. Over-generalizing when drawing conclusions from audit observations

3. Using inappropriate assumptions in determining the nature, timing, and extent of the audit

procedures and assessing the results

In general, the auditor should have an attitude of professional skepticism by being alert to the

following situations:

• Audit evidence contradicts other audit evidence obtained

27

• The information raises a question of the reliability of documents

• Responses to inquiries used as audit evidence

• Conditions may indicate possible fraud (e.g., red flags, inconsistencies)

• Circumstances suggest the need for additional audit procedures or follow-up

The PCAOB reminds the auditors that skepticism is especially critical when considering transactions

outside the normal course of business, such as:

1. Nonrecurring transactions

2. Financing activities

3. Related-party transactions that might be motivated solely or in large measure by an expected

or desired accounting outcome

Identifying and Assessing Fraud Risk

The Nature of Financial Statement Fraud

“Fraud is a broad legal concept and the auditors do not make legal determinations of whether fraud

has occurred. Rather, the auditor's interest specifically relates to acts that result in a material

misstatement of the financial statements.”

PCAOB AS 2401: Consideration of Fraud in a Financial Statement Audit

Although there is no universal definition of fraud, fraud essentially involves using deception to make

a personal gain for oneself dishonestly and/or create a loss for another. That is, fraud includes any

intentional or deliberate act to deprive another of property or money by deception or other unfair

means.

The auditor is primarily concerned with fraud that causes a material misstatement in the financial

statements. Misstatements can result from errors or fraud. Some examples of misstatements due to

errors or fraud include:

An inaccuracy in gathering or processing data from which financial statements are prepared.

A difference between the amount, classification, or presentation of a reported financial

statement element, account, or item and the amount, classification, or presentation that

would have been reported under GAAP. For example, finance cost is included within cost of

sales in the income statement.

The omission of a financial statement element, account, or item.

A financial statement disclosure that is not presented in accordance with GAAP. For example,

a contingent liability disclosure is missing or inadequately described in the notes to the

financial statements.

28

The omission of information required to be disclosed in accordance with GAAP.

An incorrect accounting estimate arising, for example, from an oversight or misinterpretation

of facts.

Management's judgments concerning an accounting estimate or the selection or application

of accounting policies that the auditor may consider unreasonable or inappropriate.

The difference between fraud and error is intent. Financial statement fraud (“cooking the books”) is a

scheme in which individuals deliberately carry out the following acts in order to create a rosy picture

of the company's financial position, performance, and cash flows:

• Altering or destroying documents (e.g., records, terms) to manipulate outcomes or hide

unusual transactions.

• Creating fictitious transactions and false journal entries to manipulate operating results.

• Deliberately applying biased assumptions and judgments to estimate accounting balances.

• Making unsupported adjustments to amounts reported in the financial statements.

• Misapplying accounting principles relating to classification and presentation, or disclosure.

Lesson Note: According to Sam, Crazy Eddie’s document retention policy was to destroy all evidence

of wrongdoing as soon as possible. They destroyed copies of all falsified documents (to the extent

possible) to cover up their crimes.

Financial statement fraud is sometimes referred to as management fraud because it almost always

occurs with the knowledge or consent of management. It is perpetrated by an intentional override by

upper-level management of what might otherwise appear to be effective internal control. This is

because management has the ability to override controls, or to influence others to perpetrate or

conceal fraud. Moreover, executives and managers are entrusted with access to nearly all data and

employees. Power and access within a company make it possible for larger frauds to be committed

and covered up.

The SEC and PCAOB have identified the following common fraud risk factors accumulated from the

scandalous fraudulent behavior of various companies:

1. Threatened financial stability or profitability such as:

− High degree of competition or sales saturation

− High vulnerability to rapid changes (e.g., technology, interest rates)

− Decline in customer demand, business failures in industry

− Operating losses

− Negative cash flows from operations

− Rapid growth or unusual profitability

− New accounting, statutory, or regulatory requirements

2. Excessive pressure on management to meet requirements or third-party expectations due to:

29

− Profitability or trend level expectations

− Need for additional debt or equity financing

− Marginal ability to meet exchange listing requirements

− Likely poor financial results on pending transactions

3. Management or directors’ financial situation threatened by:

− Significant financial interests in the company

− Significant portions of compensation contingent on results of the company

− Personal guarantees of debts of the company

4. Excessive pressure to meet financial target set up by directors or management.

Intentional overstatement of financial information, such as revenue and/or assets, is only one example

of common fraudulent financial reporting. The auditor must consider all the potential fraud risk

factors which might be relevant for their client through team brainstorming sessions, and should

develop procedures to address identified fraud risk(s).

Lesson Note: All organizations face some degree of fraud risk. The absence of fraud does not indicate

that fraud risk does not exist. Therefore, organizations of all sizes should have controls to prevent and

detect fraud.

Causes of Financial Statement Fraud

“Three conditions generally are present when fraud occurs.”

PCAOB AS 2401: Consideration of Fraud in a Financial Statement Audit

To identify a company’s vulnerability to fraud, the auditor should always recognize that errors or

events could be the result of a deliberate act designed to benefit the fraudster. It involves

brainstorming with the team by asking questions such as:

• What could go wrong?

• Why would someone (internal and external) commit fraud?

• Where is the company vulnerable? (opportunities already existed)

• How might a fraudster exploit weakness in the system of controls?

• How might a fraudster override or circumvent controls? (e.g. transaction approval)

• What could a fraudster do to conceal the fraud? (e.g. creating fraudulent physical documents)

• What types of assets are susceptible to fraud? What are their locations?

• Which personnel have control over or access to tangible or intangible assets?

In order to answer these questions, the auditors must first be familiar with the concepts of the fraud

model. Various theories have attempted to explain the causes of fraud and the most cited theory is

the fraud triangle theory, which identifies the elements that lead fraudsters to commit fraud.

30

According to Donald R. Cressey, a criminologist, all three following drivers must be present for an act

of fraud to occur.

Pressure or incentive is what causes a person to commit fraud. Fraud is not always the result of a

grand plan or conspiracy. It may begin with pressure to meet financial expectations and a fear that

failure to meet these expectations will be viewed as unforgivable. This pressure forces management

to manipulate financial statements to show the expected business results. For example, in the

conditions of the financial crisis, management is often pressured to achieve as good results as possible.

The Public Company Accounting Oversight Board (PCAOB) explains that an individual may hold

incentives to manipulate earnings when any of the following four conditions occurs:

✓ Financial stability or profitability is threatened by economic, industry, or company operating

conditions (e.g., high degree of competition, operating losses, and significant declines in

demand).

✓ Excessive pressure exists for management to meet the requirements or expectations of third

parties (e.g., shareholders, analysts).

✓ Available Information indicates that management or the board of directors' personal financial

situation is threatened by the company’s financial performance.

✓ Excessive pressure on management or operating personnel to meet financial targets set up by

the board of directors or management, including sales or profitability incentive goals.

Opportunity is the ability to commit or conceal fraud and convert the theft or misrepresentation to

personal gain. Although the opportunity is often the most challenging to spot, it is fairly easy to control

through improvements to internal controls and organizational or procedures. Failure to establish

adequate controls to detect fraudulent activity increases the opportunities for fraud to occur.

Opportunities often result from circumstances that provide chances to commit financial fraud, such

as:

The Fraud

Triangle

Developed by Donald R. Cressey

Opportunity

The Ability to Commit Fraud

Rationalization

The Justification to Commit Fraud

Pressure

The Motive to Commit Fraud

31

Inadequate monitoring of controls, including automated controls and controls over interim

financial reporting.

Insufficient auditing.

An unstable organizational structure.

Ineffective accounting and information systems, including situations involving reportable

conditions.

High percentage of complicated transactions.

High percentage of estimates required significant subjective judgment by management.

The neglectful behavior of the oversight functions (e.g. passive oversight by the audit

committee).

Domination of management by a single person or small group (in a nonowner-managed

business) without compensating controls.

Unclear policies regarding acceptable behavior.

Lack of financial expertise (e.g., insufficient knowledge or lack of ability).

Lack of an audit trail.

Lesson Note: According to the Association of Certified Fraud Examiners (ACFE), Report to the Nations:

2018 Global Study on Occupational Fraud and Abuse, in 30% of cases, lack of controls was the main

factor that enabled the fraud to occur. Another 19% of cases occurred because the fraudster was able

to override the controls that had been put in place.

In this case, opportunity also occurred because the fraudster knew the auditor’s procedures. If the

fraudster expects that the auditor always tests only large transactions in June, the fraudster can

commit the fraud on small transactions in other months. As Sam recalled, “Knowing exactly what our

auditors were doing, it was relatively easy for us to falsify inventory and accounts payable numbers in

excessive amounts.”

Example: Opportunity of Fraud

Many Crazy Eddie’s fraudulent activities could have been detected or prevented by removing the

opportunity. For instance, the lax audit procedures (insufficient auditing) provided an opportunity to

carry out the inventory fraud over the years. According to Sam,

“The auditors simply did not observe the inventory counts in all of the Crazy Eddie stores. In 1986 they

observed the inventory counts in roughly 50% of the stores. When leaving the store premises after the

inventory was observed the auditors only took their "test counts" with them and not copies of the entire

store inventory. We simply inflated the inventory counts in the stores of which the auditors did not

observe the inventory counts at year-end.”

Sam further explained “A credible audit cannot be made in the absence of good internal controls. A so-

called strong audit and strong internal controls are not mutually exclusive.”

32

Rationalization is known as a justification of fraudsters’ crime to make the act acceptable. It also refers

to behavior, character or ethical values allowing individuals to justify their reasons for committing

fraud. There are two aspects of rationalization:

• The fraudster concludes that the gain to be realized from fraudulent activities outweighs the

possibility for detection.

• The fraudster needs to justify committing the fraud. Justification can relate to job

dissatisfaction or perceived entitlement, or saving one’s family, possessions, or status.

Sometimes, managers may rationalize the appropriateness of a misstatement as an aggressive rather

than an indefensible interpretation of complex accounting rules. Or they may consider it as a

temporary solution, to be corrected later when operational results improve, or as something that is in

the best interests of the company or the employees. Whatever the rationalization, these individuals

intend to mislead financial statement users.

Example: Elements of Fraud

Fraud Schemes: Crazy Eddie skimmed cash sales from customers to avoid income and sales taxes.

Pressure: Crazy Eddie gained a great competitive advantage by failing to report cash purchases and

keeping the sales tax.

Opportunity: Cash skimming is a particular concern in retail operations where most of the daily sales

are in cash. Sam stated that since most customers paid for electronic products with cash during the

70s, Crazy Eddie took full advantage of that.

Rationalization: The philosophy at Crazy Eddie was that the government did not deserve their hard-

earned money.

Obtaining Sufficient Appropriate Audit Evidence

“The auditor must plan and perform audit procedures to obtain sufficient appropriate audit evidence

to provide a reasonable basis for his or her opinion.”

PCAOB AS 1105: Audit Evidence

“The audit partner approved the year-end audit number for public release at a board meeting before

the accounts payable audit was completed.”


Audit evidence means the information obtained by the auditor in arriving at the conclusions on the

audit opinion. The auditor must plan and perform audit procedures to obtain sufficient appropriate

audit evidence to provide a reasonable basis for his or her opinion. According to the PCAOB:

33

• Sufficiency is the measure of the quantity of evidence used to support the findings and

conclusions related to the audit objectives.

• Appropriateness is the measure of the quality of evidence that encompasses the relevance

and reliability of evidence used for addressing the audit objectives and supporting findings and

conclusions.

Audit evidence includes both information that supports and corroborates management's assertions

(e.g., existence, completeness, disclosure). Thus, the auditors should design proper tests for

management’s assertions. For example, the auditors should perform:

1. Walk-through procedures that allow them to trace a transaction (e.g. sale) step-by-step

through the accounting system from its inception to the final disposition.

2. Sales cut-off procedures to ensure that transactions are recorded in the proper period. Funds,

especially large amount transactions, are traced to supporting documents (e.g., invoices or

sales contracts).

Performing Analytical Procedures

“A basic premise underlying the application of analytical procedures is that plausible relationships

among data may reasonably be expected to exist and continue in the absence of known conditions to

the contrary.”

PCAOB AS 2305: Substantive Analytical Procedures

It is very important to compare a company’s ratios to those of competing companies in the industry

or with industry standards. This comparison will allow the auditors to answer the questions "how does

this business fare in the industry?" and “is its gross margin or out of line with industry trends?” The

inconsistency between the company performance and industry statistics may indicate a possible

manipulation.

Analytical procedures involve comparisons of recorded amounts to expectations developed by the

auditor. The auditor develops such expectations by identifying and using plausible relationships that

are reasonably expected to exist based on the auditor's understanding of the client and of the industry

in which the client operates. For example, the auditor should:

✓ Compare current and prior period sales, returns and allowances, discounts, and gross profit

percentages.

✓ Compare the current period items referred to above to anticipated results (i.e. budgeted

amounts).

✓ Compare company statistics (e.g. gross profit percentage) to industry standards.

✓ Investigate any significant differences from expected results or unexplained fluctuations.

34

Variability in these relationships can be explained by, for example, unusual events or transactions,

business or accounting changes, misstatements, or random fluctuations. In this case, the auditors

could have detected the anomalies through analytical procedures since an unusual growth in business

did not make any commercial sense. Warning signs, such as unexplained anomalies, are a signal to

start asking questions.

Other Considerations

Cash in the Bank

“The auditors should have performed tests of internal control procedures by tracing funds deposited

in our store bank accounts back to the source, which was supposed to be actual customer invoices, to

determine if adequate controls were in place to insure accurate reporting of sales. Obviously, we had

no invoices backing up the $1.5 million funds transferred from Panama and the $500,000 in cash

deposited into store bank accounts reported as "revenue."


Although auditing cash tends to be straightforward, cash is an inherently risky asset that can be easily

manipulated. The next section provides an audit program of cash in the bank to help the auditors

ensure that all important areas are considered.

Sample Audit Program: Cash in the Bank

I. Audit Objectives:

A. Determine that cash recorded in books exists and is owned by the company (Existence and

Right).

B. Determine that cash transactions are recorded in the correct accounting period at appropriate

values, i.e., that there is a proper cut-off of cash receipts and disbursements (Completeness and

Valuation).

C. Determine that balance sheet amounts include items in transit as well as cash on deposit with

third parties (Completeness).

D. Determine that cash is properly classified in the balance sheet and that relevant disclosures are

presented in the financial statement notes (Presentation and Disclosure).

II. Procedures:

A. Perform analytical procedures to identify obvious discrepancies or errors before conducting

tests of details. These types of procedures include:

35

• Compare cash balances with forecasts and budgets. For example, when cash balances

greatly exceed or fall below expectations for the year, it should alert the auditor for items

to look for during the tests of details.

• Review company policies regarding minimum cash balances and the investment of surplus

cash.

B. With respect to the bank reconciliations prepared by accounting personnel:

• Verify that proper segregation of duties between custodian, accounting and approving

personnel exist.

• Trace book balances to general ledger control totals.

• Compare ending balances from the bank statements to the ending balances on the bank

reconciliation.

• Verify the mathematical and clerical accuracy including checking extensions.

• Trace deposits in transit and outstanding checks to subsequent months’ bank statements

which are intercepted before accounting personnel have access to them.

• Inspect canceled checks for dates of cancellation in order to identify checks which were not

recorded in the proper accounting period.

• Ascertain that checks listed as outstanding are in fact: (1) recorded in the proper time

period, and are (2) checks that have not cleared. Scrutinize data when outstanding checks

have cleared to see if the books have been held open to improve ratios.

• Identify and investigate checks that are: (1) above limits prescribed by management, (2)

drawn to “bearer,” and (3) drawn payable to cash.

• Determine if unusual reconciling and long outstanding items are followed up and proper

disposition of such items is made.

• If balances have been confirmed with banks, compare confirmed balances with bank

balances per the year-end bank statements.

C. With respect to listings of cash investments:

• Trace book balances to general ledger control accounts.

• Verify the accuracy of all extensions and footings.

• Consider confirming balances directly with bank personnel.

• Obtain and inspect passbooks and certificates of deposit.

• Recalculate income derived from cash investments and trace the income amounts to the

books of original entry. Also, reconcile (for reasonableness) the interest revenue amounts

to the amount of cash investments.

• Consider using a custodian to maintain physical custody for safekeeping and to guard

against forgeries.

D. Prepare a bank transfer schedule which identifies:

• Name of disbursing bank

• Check number

• Dollar amount

• Date disbursement is recorded in books

36

• Name of receiving bank

• Date receipt is recorded in books

• Date receipt is recorded by bank

E. Perform cut-off test wherein transactions for the last few days of the year and the first few days

of the next year are scrutinized.

F. Inspect bank statements in order to identify obvious erasures or alterations.

G. Inspect debit and credit memos and trace them to the bank statements.

H. Read financial statements and investment certificates for appropriate classification of cash

balances.

I. With respect to cash on hand (i.e. petty cash funds):

• Determine the identity of all funds.

• Select funds to be counted and list currency and coins by denomination, account for

vouchers, stamps, and checks, trace fund balances to general ledger control accounts.

J. Investigate the reasons for delays in deposits.

K. Note unusual activity in inactive accounts since it may be indicative of cash being hidden.

L. In a cash-basis entity, reconcile sales with cash receipts.

M. List unusual cash receipts (e.g. currency receipts).

N. Examine third-party endorsements by reviewing canceled checks.

Inventory

“Inflation of store inventories was particularly easy since the auditor did not supervise the counting of

more than 40% of the store units or store inventory values.”


Due to the materiality of inventory, the auditors should consider the inventory cycle as a high-risk

account balance. Especially when inventory constitutes a substantial portion on the balance sheet for

a manufacturing or merchandising company, it has a direct impact on profit. The following table lists

examples of assertions for inventory with common auditing procedures.

Assertions Examples of Common Auditing Procedures

Completeness • Perform analytical procures (e.g., inventory turnover ratio, budgetary analysis) to test

inventory reasonableness.

• Trace the physical inventory to the general ledger.

37

Valuation & Allocation

• Review the pricing method used.

• Review the overhead allocations and rates.

Existence • Observe the year-end inventory count on an unannounced basis.

• Trace the inventory records to physical inventories.

Occurrence & Cutoff

Examine supporting documentation (e.g. receiving and shipping documents) to determine if transactions were recorded in the proper period and account (receiving - into inventory, shipping - out of inventory).

Rights & Obligations

• Confirm inventories held at public warehouses and that the audit entity owned them

(direct written confirmation from the third party).

• Review inventories on consignment to determine that the audit entity owned them.

The next section provides an audit program of inventory to help the auditors ensure that all important

areas are considered.

Sample Audit Program: Inventory


A. Determine that inventory quantities properly include products, materials, and supplies on hand,

in transit, in storage, and out on consignment to others (Existence, Completeness, and Valuation

or Allocation).

B. Determine that inventory items are priced consistently in accordance with U.S. GAAP (Valuation

or Allocation).

C. Determine that inventory listings are accurately compiled, extended, footed, and summarized

and determine that the totals are properly reflected in the accounts (Existence, Completeness,

and Valuation or Allocation).

D. Determine that excess, slow-moving, obsolete, and defective items are reduced to their net

realizable value (Valuation or Allocation).

E. Determine that the financial statements include disclosure of any liens resulting from the

pledging or assignment of inventories (Presentation and Disclosure).

II. Audit Procedures:

A. Review management’s instructions pertaining to inventory counts and arrange to have

sufficient internal audit personnel present to observe the physical count at major corporate

locations. Keep in mind that all locations should be counted simultaneously in order to prevent

the substitution of items.

B. At each location where inventory is counted:

• Observe the physical inventory count, record test counts, and write an overall observation

memo.

38

• Determine that pre-numbered inventory tags are utilized.

• Test the control of inventory tags.

• Test shipping and receiving cut-offs.

• Discuss obsolescence and overstock with operating personnel.

• Verify that employees are indicating obsolete items with inventory tags.

• Note the condition of inventory.

• Note pledged or consigned inventory.

• Determine if any inventory is at other locations and consider confirmation or observation

of material.

• Determine that inventory marked for destruction is actually destroyed and is destroyed by

authorized personnel.

C. Follow up all points that might result in a material adjustment.

D. Trace recorded test counts to the listings obtained from management, list all exceptions and

value the total effect.

E. Trace the receiving and shipping cut-offs obtained during the observation to the inventory

records, accounts receivable records, and accounts payable records. Also, trace inventory to

production and sales.

F. Obtain a cut-off of purchases and sales subsequent to the audit date and trace to accounts

receivable, accounts payable, and inventory records.

G. Note any sharp drop in market value relative to book value.

H. “Red flag” excessive product returns which might be indicative of quality problems. Returned

merchandise should be warehoused apart from finished goods until quality control has tested

the items. Are returns due to the salesperson overstocking? Returns should be controlled as to

actual physical receipt, and the reasons for the returns should be noted for analytical purposes.

I. Trace for possible obsolete merchandise that is continually carried on the books. For example,

the author had a situation in which a company continued to carry obsolete goods on the books

even though it wrote off only a small portion of similar goods.

J. With respect to price tests of raw materials:

• Ascertain management’s inventory pricing procedures.

• Schedule, for a test of pricing, all inventory items in excess of a prescribed limit and sample

additional items.

• Inspect purchase invoices and trace to journal entries.

• Inquire and investigate whether trade discounts, special rebates, and similar price

reductions have been reflected in inventory prices.

• Determine and test treatment of freight and duty costs.

• If standard costs are utilized:

39

1. Determine whether such costs differ materially from actual costs on a first-in, first-out

basis.

2. Investigate variance accounts and compute the effect of the balances in such accounts

on inventory prices.

3. Ascertain the policy and practice as to changes in standards.

4. With respect to changes during the period, investigate the effect on inventory pricing.

5. If process costs are used, trace selected quantities per the physical inventory to the

departmental cost of production reports and determine that quantities have been

adjusted to the physical inventory as of the date of the physical counts.

K. With respect to work-in-process and finished goods:

• Ascertain the procedures used in pricing inventory and determine the basis of pricing.

• Review tax returns to determine that the valuation methods conform to those methods

used for financial statement purposes.

• On a test basis, trace unit costs per the physical inventory to the cost accounting records

and perform the following:

1. Obtain, review, and compare the current period and prior period’s trial balances or

tabulations of detailed components of production costs for the year, note explanations

for apparent inconsistencies in classifications and significant fluctuations in amounts,

ascertain that the cost classifications accumulated as production costs and absorbed in

inventory are in conformity with U.S. GAAP.

2. Review computations of unit costs and costs credited against inventory and charged to

cost of sales.

3. Review activity in the general ledger control accounts for raw materials, supplies, and

work-in-process and finished goods inventories and investigate any significant and

unusual entries or fluctuations.

4. Review labor and overhead allocations to inventory and cost of sales compare to actual

labor and overhead costs incurred and ascertain that variances appear reasonable in

amount and have been properly accounted for.

5. Trace who obtains the funds received from the sale of scrap.

Accounts Payable

“The auditors reconciled the accounts payable of only three major vendors. There were significant

reconciling items for all of them, most of which were the bogus debit memos. For a certain vendor,

that company had said Crazy Eddie owed it $17 million while we said Sony was owed $7 million and

most of the $10 million difference was bogus debit memos……..The auditors never contacted any of

the companies they reconciled. The person for the auditors who handled the accounts payable part of

the audit never had retail accounts payable audit experience.”

40


Regardless of the reasons for audit and the size of the operation, the auditors should always apply

various audit procedures to ensure that the accounts payable account represents authentic obligations

of the company. The following table lists examples of assertions for accounts with common auditing

procedures.

Assertions Examples of Common Auditing Procedures

Existence

• Review the reconciliations of vendor statements with recorded accounts payable.

• Examine supporting documentation for recorded payables.

• Special attention is paid to invoices dated just before year-end and quarter-end dates.

Completeness

• Search for unrecorded accounts payable by:

− Scanning vouchers payable subsequent to the balance sheet date, and

− Reviewing files of unmatched receiving reports and unpaid invoices

• Perform analytical procures to test inventory reasonableness.

Valuation & Allocation

Assess reasonableness of payable amounts and budget totals at year-end in relation to expenditure totals.

Rights & Obligation

Review documents that create financial responsibilities for the company such as contracts and vendor invoices.

Presentation & Disclosure

• Review all significant reclassification and adjustments related to payables.

• Determine that the method of estimation and significant assumptions used are

properly disclosed.

The next section provides an audit program of accounts payable to help the auditors ensure that all

important areas are considered.

Sample Audit Program: Accounts Payable


A. Determine that accounts payable, in fact, exist (Existence or Occurrence).

B. Determine that accounts payable represents authorized obligations of the entity (Existence or

Occurrence).

C. Determine that accounts payable are properly classified in the financial statements

(Presentation and Disclosure).

D. Determine that recorded accounts payable are complete (Completeness).

E. Determine that the appropriate disclosures are included in the financial statements

(Presentation and Disclosure).

41

II. Audit Procedures:

F. With respect to the schedule of accounts payable prepared by accounting personnel:

• Verify mathematical accuracy of extensions and footings.

• Trace totals to general ledger control accounts.

• Trace selected individual accounts to the accounts payable subsidiary ledger.

• Trace individual account balances in the subsidiary ledger to the accounts payable schedule.

• Investigate accounts payable which are in dispute.

• Investigate any debit balances.

• Read minutes of board meetings to ascertain the existence of pledging agreements.

G. Prepare a trend line of invoices (e.g., by year and by month or by year and by quarter) in order

to determine the reasonableness of amounts. Special attention should be paid to invoices dated

just before year-end and quarter-end dates.

H. Run a basic test for duplicate invoice payments (e.g., searching for any pairs of invoices which

have the same vendor number, invoice number and amount) and potential invoice errors (e.g.,

searching for same vendor number, same invoice number, but different amounts).

I. Consider confirming accounts payable if there is: (1) poor internal control structure, or (2)

suspicion of misstatement.

J. Search for unrecorded liabilities:

• Examine receiving reports and matching them with invoices.

• Inspect unprocessed invoices.

• Inspect vendor’s statements for unrecorded invoiced amounts.

• Examine cash disbursements made in the period subsequent to year-end and examine

supporting documentation in order to ascertain the appropriate cut-off for recording

purposes.

K. With respect to obligations for payroll tax liabilities:

• Examine payroll tax deposit receipts.

• Examine cash disbursements in the period subsequent to year-end to identify deposits that

relate to prior period.

• Reconcile general ledger control totals to payroll tax forms.

• Trace liabilities for amounts withheld from employee checks to payroll registers, journals,

and summaries.

• Perform analytical procedures by comparing payroll tax expense to liabilities for payroll

taxes, and liability to accrued payroll taxes.

• Reconcile calendar year payroll returns to fiscal year financial statements for payroll

amounts.

L. Reconcile vendor statements with accounts payable accounts.

42

M. Compare vendor invoices with purchase requisitions, purchase orders, and receiving reports for

price and quantity.

N. Investigate unusually large purchases.

O. With respect to accrued expenses:

• Consider the existence of un-asserted claims.

• Obtain a schedule of accrued expenses from accounting personnel.

• Recalculate accruals after verifying the validity of assumptions utilized.

• Perform analytical procedures by comparing current- and prior period accrued expenses.

• Ascertain that accrued expenses are paid within a reasonable time after year-end.

• Ask management and indicate all details of contingent or known liabilities arising from

product warranties, guarantees, contests, advertising promotions, and dealer

“arrangements or promises”.

• Determine liability for expenses in connection with pending litigation:

1. Ask management.

2. Confirm in writing with outside legal counsel.

43


1. Which of the following trends appear unusual and require the auditor’s attention?

A. Sales and cost of goods sold decreased at the same pace.

B. Inventory grew significantly faster than sales.

C. Sales and accounts receivable increased at the same rate.

D. Inventory turnover increased with the growth of business.

2. Which of the following ratios helps an auditor establish the relationship between the volume of

goods sold and inventory?

A. Quick ratio

B. Asset turnover

C. Current ratio

D. Inventory turnover

3. Which of the following terms measures the quantity of audit evidence?

A. Appropriation

B. Sufficiency

C. Significance

D. Reasonable Assurance

4. According to Sam, it was easy to inflate store inventories because the auditor did not supervise

enough inventory counts at stores. Which fraud element best explains his behavior?

A. Concealment

B. Opportunity

C. Rationalization

D. Pressure

5. Which of the following assertions indicates that inventories are included in the financial

statements at appropriate amounts?

A. Rights & Obligations

B. Completeness

C. Existence

D. Valuation & Allocation

44

6. An auditor reviews the supporting documentation to validate the recorded payable amounts in

support of which of the following assertions?

A. Rights & Obligations

B. Completeness

C. Existence

D. Valuation & Allocation

7. The objective of performing analytical procedures in planning an audit is to identify the existence

of which of the following scenarios?

A. Unusual transactions and events

B. Illegal acts that went undetected because of internal control weaknesses

C. Undisclosed related party transactions

D. Recorded transactions that were not properly authorized

45

Case 2: The King of Cross-Sell This case study draws quotes primarily (and in some instances) verbatim from the report of Wells

Fargo’s investigation of sales practices and court documents. Additional details are sourced from Wells

Fargo Annual Reports, and various research papers and news articles. The case study is intended to be

used as a resource for management and accounting professions of all sizes, so that they may learn

from it.

I. Examining the Company and Its

Environment

1. Behind the Impressive Performance

“If anyone tells you it’s easy to earn more business from current customers in financial services, don’t

believe them. We should know. We’ve been at it almost a quarter century. We’ve been called, true or

not, the “king of cross-sell.”

Wells Fargo 2010 Annual Report

Corporate Profile

Vision

We want to satisfy our customers’ financial needs

and help them succeed financially.

Goals

We want to become the financial services leader in

these areas:

• Customer service and advice

• Team member engagement

• Innovation

• Risk management

• Corporate citizenship

• Shareholder value

Values

• What’s right for customers

• People as a competitive advantage

• Ethics

• Diversity and inclusion

• Leadership

Wells Fargo & Company, headquartered in San Francisco, is a financial and bank holding company

(BHC) with $1.9 trillion in assets. In the U.S., most banks are operated under BHCs. According to the

Bank Holding Company Act, a BHC, a company that owns a controlling interest in one or more banks,

must meet the following criteria:

1. Directly or indirectly owns, controls, or holds at least 25% of the voting shares of the bank.

2. Controls the election of a majority of the board of directors of the bank, or

3. Directly or indirectly influences the management or policies of the bank.

46

In other words, BHCs do not provide banking services and engage in banking activities, but they do

exercise a controlling influence over management and company policies. For example, they can hire

and fire management, approve strategies and policies, oversee the risk management processes, and

monitor the bank’s performance. The company was founded by Henry Wells and William Fargo in 1852

during the California Gold Rush. It remains one of the “Big Four Banks” in the U.S. alongside Bank of

America, JPMorgan Chase and Citigroup that are all are operated by BHCs. It was ranked fourth in

assets and third in the market value of its common stock among all U.S. banks at December 31, 20184.

Wells Fargo & Company has offices in 32 countries and territories to support customers in the global

economy. With approximately 259,000 active, full-time equivalent team members, Wells Fargo &

Company serves approximately 70 million customers; one in three households in the U.S and was

ranked No. 29 on Fortune’s 2019 rankings of America’s largest corporations 5.

• 3rd in Total Deposits (2019) FDIC data

• 5th Most Profitable Company in the U.S. (2019) Fortune

• 6th in Total Assets (2019) Fortune

• 10th Largest Public Company in the World* (2019) Forbes

• 19th Biggest Employer in the U.S. (2019) Fortune

• 29th Biggest Company by Revenue in the U.S. (2019) Fortune

*Based on sales, profits, assets, and market value. Source: Wells Fargo, 4th Quarter 2019

In 2019, Wells Fargo & Company generated $19.5 billion in net income6. The company is organized for

management reporting purposes into three operating segments:

1. Community Banking offers the everyday banking products targeted to individuals and small

businesses including checking and savings accounts, credit and debit cards, and automobile,

student, mortgage, home equity and small business lending. The Community Bank unit is the

largest operating segment, and consistently generated more than half of the company’s

revenue (and in some years more than two-thirds) from 2007 through 2016. The Community

Bank managed the U.S. branches.

2. Wholesale Banking provides financial solutions to businesses across the U.S. and globally with

annual sales generally in excess of $5 million.

3. Wealth and Investment Management provides personalized wealth management,

investment, and retirement products and services to clients across U.S.-based businesses.

4 The Wells Fargo statistics are from “2018 Annual Report,” with values accessed on February 21, 2020. 5 The Wells Fargo statistics are from “Form 8-K,” February 21, 2020. 6 The Wells Fargo financial result is from “News Release | January 14, 2020,” with values accessed on March 3, 2020.

47

Wells Fargo Bank, N.A., a wholly-owned subsidiary of Wells Fargo & Company, designates its main

office as Sioux Falls, South Dakota. Wells Fargo Bank, N.A. operates as a bank. Wells Fargo & Company

provides banking, insurance, investments, mortgage, and consumer and commercial finance through

Wells Fargo Bank, N.A. in more than 7,400 locations, 13,000 ATMs, the internet (wellsfargo.com) and

mobile banking.

Lesson Note: Wells Fargo in its current form is a result of a merger between Wells Fargo & Company

and Norwest Corporation in 1998 and the subsequent 2008 acquisition of Charlotte-based Wachovia.

Widespread Illegal Conduct

“The Bank (Wells Fargo) had better tools and systems to detect employees who did not meet

unreasonable sales goals than it did to catch employees who engaged in sales practice misconduct.”

The OCC Notice of Charges N20-001

Wells Fargo, a self-identified sales organization, had a long history of strong performance. For years,

Wells Fargo has developed its obsession with cross-selling products. Beginning in 1998, Wells Fargo

increased its focus on sales volume and reliance on year-over-year sales growth. A core part of this

business model was the “cross-sell strategy.” Wells Fargo has been the leader for its ability to sell

multiple products and services to its existing customers. The banking industry considered Wells Fargo

to be “the king of cross-sell.”

Cross-sell is a common and accepted business practice when the strategy is based on strong customer

satisfaction and excellent customer service. However, Wells Fargo’s cutthroat sales culture with

unreasonable or unattainable sales targets eventually led to the 2016 fake-account scandal. Under

pressure to meet aggressive sales quotas, employees opened millions of savings and checking accounts

without customers’ knowledge or consent. The Community Banking division was at the center of the

fake-accounts scandal. Approximately 5,300 employees had been terminated for sales practice

violations between 2011 and 2016.

Further details of Wells Fargo’s sales scandal are discussed in “Analyzing the Fake-Account Scandal”.

Wells Fargo had a systemic sales practice misconduct problem from the early 2000s. For example,

from 2006 through 2014, total EthicsLine (Wells Fargo’s hotline) complaints received from employees

increased year-over-year. As early as 2007, lack of customer consent was a main allegation in

EthicsLine complaints from employees. Moreover, each year, nearly half of all EthicsLine cases

investigated by Corporate Investigations related to employee sales integrity violations. Specifically,

from December 2013 through September 2015, Wells Fargo received at least 5,000 customer

complaints related to lack of consent7. Management bullied employees to meet unrealistic sales goals

7 The Wells Fargo widespread consumer abuses information is from the OCC Notice of Charges N20-001, January

48

year after year, including by monitoring employees daily or hourly and reporting their sales

performance to their managers. Employees were actually being terminated for failure to meet the

goals.

“The Toxic Sales Culture” and “Aggressive Incentive Compensation Plan” explain how Wells Fargo’s

cross-sell model and compensation plan contributed to the widespread sales integrity violations.

Lesson Note: The Wells Fargo’s Sales Quality Manual defined sales integrity violations as

“manipulations and/or misrepresentations of sales, service or referrals and reporting of sales, service

or referrals in an attempt to receive compensation or to meet sales and service goals.”

John Stumpf became Wells Fargo’s Chief Operating Officer in 2005 and served in that role until he

became Chief Executive Officer (CEO) in June 2007, (2007 − 2016). Stumpf joined the Board of

Directors in 2006 and became Chairman of the Board in January 2010. In 2015, Stumpf's total

compensation was $19.3 million with a base salary of $2.8 million, $4 million in a cash bonus, and

$12.5 million in stock granted8. In light of the fake-account scandal, Stumpf was subject to a hearing

before the Senate Banking Committee as shown in Exhibit A.

Exhibit A: The Regulatory Response of Wells Fargo’s Fraudulent Accounts

The following are excerpts from a hearing on September 20, 2016 of the Committee on Banking,

Housing, and Urban Affairs into the Wells Fargo’s unauthorized accounts.

Ms. Warren (Elizabeth Warren, Senator of Massachusetts): You know, here’s what really gets me

about this, Mr. Stumpf. If one of your tellers took a handful of $20 bills out of the cash drawer, they’d

probably be looking at criminal charges for theft. They could end up in prison. But you squeezed your

employees to the breaking point so they would cheat customers and you could drive up the value of

your stock and put hundreds of millions of dollars in your own pocket. And when it all blew up, you

kept your job, you kept your multimillion-dollar bonuses, and you went on television to blame

thousands of $12-an-hour employees who were just trying to meet cross-sell quotas that made you

rich. This is about accountability. You should resign. You should give back the money that you took

while this scam was going on, and you should be criminally investigated by both the Department of

Justice and the Securities and Exchange Commission.

Following the hearings, in recognition of his accountability for sales practices misconduct, Stumpf

agreed with the Board to forfeit all of his unvested equity awards in the approximate amount of $41

million. Carrie Tolsted, Head of the Community Banking, was asked to forfeit her unvested equity

awards valued at $19 million. The Board also revoked both executives’ 2016 bonus. According to the

23, 2020. 8 Stumpf’s compensation data is from “2016 Proxy Statement,” Wells Fargo Media, accessed on March 6, 2020.

49

Harvard Law School Forum on Corporate Governance, this was one of the largest claw backs of CEO

pay in history and the largest of a financial institution.

“Leadership Failure” explains how leaders distorted the sales model, fostering an atmosphere that

prompted low-quality sales and improper and unethical behavior.

In September 2016, the Board conducted a comprehensive investigation to understand the root causes

of improper sales practices and identify remedial actions. The investigation included 100 interviews,

the review of more than 1,000 existing and past investigations, and the examination of more than 35

million documents. The Independent Directors of the Board of Wells Fargo & Company Sales Practices

Investigation Report concluded that the bank’s sales culture, leadership, organizational structure, and

performance management systems put excessive pressure on employees to engage in improper sales

practices. The key findings are addressed throughout the course.

In addition to imposing forfeitures, clawbacks and compensation adjustments on senior leaders, the

Board has made fundamental changes to Wells Fargo’s leadership, governance, processes, controls,

and culture to address sales integrity issues:

✓ Replacing and reorganizing the leadership of the Community Bank.

✓ Eliminating sales quotas and reforming incentive compensation focused on customer service,

branch primary customer growth, household relationship balance growth, and risk

management.

✓ Modifying performance management metrics to balance quantitative factors with qualitative

ones, such as good customer service.

✓ Centralizing monitoring and controls that enhance oversight of sales practices.

✓ Considering new methods for determining and measuring employee engagement and

satisfaction.

Banks build and maintain trust, while the regulators enforce this trust through deposit insurance, laws

and regulations, and oversight. Bank regulation subjects banks to certain requirements, restrictions,

and guidelines. Various agencies took actions against Wells Fargo’s misconduct. According to the court

documents, Wells Fargo:

Violated the Consumer Financial Protection Act

Misled investors about the success of its core business strategy

Failed to address deficiencies in its compliance risk management program

Wells Fargo’s regulatory architecture is discussed in the next section.

50

2. Overview of Federal Regulations

Since Wells Fargo’s extensive improper sales practices were revealed, it had been under increased

scrutiny from Congress, financial regulators, and the public. This section provides highlights of the

federal regulations of Wells Fargo. First, it sets out the basic framework and the major federal

regulators. Then, it discusses the role of each major federal regulatory agency.

The Financial Regulatory Framework

The banking industry, a key driver of the financial system, is one of the most highly regulated industries

due to the interconnectedness (financial, capital, and insurance) of the banking industry and the

reliance that the economy has on banks. For example, commercial banks accept currency deposits,

offer various payment services ranging from the interbank association (e.g., operate ATM, clear

checks), point of sale to credit/debit card network, and an electronic funds transfer system. Banking

also plays a key role in the global and U.S. economy. For the 5,177 FDIC-insured commercial banks and

savings institutions, full-year 2019 net income totaled $233.1 billion9. The Big Four of U.S. banking—

JPMorgan Chase, Bank of America, Citigroup, and Wells Fargo—have a combined $8.8 trillion in assets

or half the U.S. total10. As a result, banks are subject to safety and soundness regulation that most

other financial firms are not subject to at the federal level.

Bank regulation is designed to promote accountability, create market transparency, and maintain the

safety and stability of the banking industry, the financial sector as a whole, and the payments system.

For example, mandatory deposit insurance was introduced in order to avoid bank runs. Capital

adequacy requirements make sure that banks do not become too exposed. According to the

Congressional Research Service (CRS), regulators regulate financial institutions, markets, and products

through different methods including licensing, registration, rulemaking, supervisory, enforcement,

and resolution powers detailed in the following table:

Licensing,

Chartering,

or

Registration

− Each type of charter, license, or registration granted by the respective regulator governs the

sets of financial activities that the holder is permitted to engage in.

− For example, a firm cannot accept federally insured deposits unless it is chartered as a bank,

thrift, or credit union by a depository institution regulator. To be granted a license, charter, or

registration, the recipient must accept the terms and conditions that accompany it.

− Depending on the type, those conditions could include regulatory oversight, training

requirements, and a requirement to act according to a set of standards or code of ethics.

− Failure to meet the terms and conditions could result in fines, penalties, remedial actions,

license or charter revocation, or criminal charges.

9 The FDIC statistics are from “Statistics At A Glance,” the FDIC, with values accessed on March 10, 2020. 10 The Big Four Banks data is from “America's Best And Worst Banks 2019,” Forbes, with values accessed on March 11, 2020.

51

Rulemaking

− Regulators issue rules (regulations) through the rulemaking process to implement statutory

mandates.

− Statutory mandates usually provide regulators with a policy goal in general terms, and

regulations fill in the specifics.

− Rules lay out the guidelines for how market participants may or may not act to comply with

the mandate.

Oversight

and

Supervision

− Regulators ensure that their rules are adhered to through oversight and supervision. This

allows regulators to observe market participants’ behavior and instruct them to modify or

cease improper behavior.

− Supervision may entail active, ongoing monitoring (as for banks) or investigating complaints

and allegations ex post (as is common in securities markets).

− In some cases, such as banking, supervision includes periodic examinations and inspections,

whereas in other cases, regulators rely more heavily on self-reporting.

− Regulators explain supervisory priorities and points of emphasis by issuing supervisory letters

and guidance.

Enforcement

− Regulators can compel firms to modify their behavior through enforcement powers.

− Enforcement powers include the ability to issue fines, penalties, and cease and desist orders,

to undertake criminal or civil actions in court, or administrative proceedings or arbitrations,

and to revoke licenses and charters.

− In some cases, regulators initiate legal action at their own bequest or in response to consumer

or investor complaints.

− In other cases, regulators explicitly allow consumers and investors to sue for damages when

firms do not comply with regulations or provide legal protection to firms that do comply.

Resolution

− Some regulators have the power to resolve a failing firm by taking control of the firm and

initiating conservatorship (i.e., the regulator runs the firm on an ongoing basis) or receivership

(i.e., the regulator winds the firm down).

− Other types of failing financial firms are resolved through bankruptcy, a judicial process.

Source: The Congressional Research Service, Who Regulates Whom? An Overview of the U.S. Financial Regulatory Framework,

March 10, 2020

52

The following diagram sets out the regulatory oversight of Wells Fargo customer accounts.

Source: Congressional Research Service, Wells Fargo Customer Account Scandal: Regulatory Policy Issues, September 28, 2016

The regulators are categorized into the following areas:

Depository Regulator

• Office of the Comptroller of the Currency (OCC)

• Federal Reserve

• Federal Deposit Insurance Corporation (FDIC)

Securities Markets Regulators • The Securities and Exchange Commission (SEC)

Consumer Protection Regulator • The Consumer Financial Protection Bureau (CFPB)

Wells Fargo & Company, a BHC, is regulated by the Federal Reserve. As a public company, it must

comply with the securities laws and the Securities and Exchange Commission (SEC) regulations related

to corporate governance, executive pay, and investor protection. Wells Fargo Bank, N.A. operates as

a large federally chartered depository bank, and is also subject to comprehensive federal regulatory

oversight and examination including:

• The Office of the Comptroller of the Currency (OCC) for enforcing its responsibilities for the

safety and soundness of nationally chartered banks,

• The Federal Deposit Insurance Corporation (FDIC) as an insured depository,

• The Consumer Financial Protection Bureau (CFPB) for regulating and supervising consumer

protection compliance.

53

In response to the financial crisis of 2008, the Dodd-Frank Wall Street Reform and Consumer

Protection Act (Dodd-Frank Act), a comprehensive financial reform legislation, was signed into law on

July 21, 2010, by President Barack Obama. The Dodd-Frank Act of 2010 created the CFPB and the

Financial Stability Oversight Council (FSOC). FSOC is responsible for identifying risks and responding to

emerging threats to the financial stability of the U.S. As a consultative council, the FSOC is charged

with facilitation of communication among financial regulators.

The next section provides an overview of each federal regulatory agency. A summary of the functions

of various agencies is addressed in Exhibit B.

The Role of Major Regulators

Office of the Comptroller of the Currency

The Office of the Comptroller of the Currency (OCC), created in 1863, is an independent bureau of the

U.S. Department of the Treasury. The OCC charters, regulates, and supervises all national banks and

federal savings associations as well as federal branches and agencies of foreign banks. To ensure that

national banks and federal savings associations operate in a safe and sound manner, provide fair

access to financial services, treat customers fairly, and comply with applicable laws and regulations,

the OCC carries out the following actions11:

✓ Issuing banking rules and regulations and providing legal interpretations and guidance on

banks' corporate decisions that govern their practices.

✓ Visiting and examining the banks it oversees for safety and soundness.

✓ Evaluating applications for new bank charters or branches, for other proposed changes in the

corporate structure of banks or their activities, and from foreign banks that wish to operate in

the U.S under an OCC charter.

✓ Imposing corrective measures, when necessary, on OCC-governed banks that do not comply

with laws and regulations or that otherwise engage in unsafe or unsound practices.

✓ Protecting consumers by making sure banks give fair access and equal treatment to customers,

and comply with consumer banking laws.

Banks must receive a full-scope, on-site examination every 12 or 18 months. According to the

Comptroller’s Handbook, a full-scope, on-site examination must consist of examination activities

performed during the supervisory cycle that:

11 The mission and scope of the OCC are from the Office of the Comptroller of the Currency website, accessed on March 8, 2020.

54

1. Satisfy the core assessment and are sufficient in scope to assign the bank’s regulatory ratings,

except the Community Reinvestment Act (CRA) ratings.

(Wells Fargo’s recent CRA rating is discussed later in “CRA Performance Evaluation”.)

2. Result in conclusions about the bank’s risk profile.

3. Review the bank’s Bank Secrecy Act compliance program.

4. Assess the bank’s compliance with the National Flood Insurance Program, if the bank is an

insured depository institution.

The OCC also conducts the consumer compliance examination to review a bank’s compliance with

consumer protection-related laws and regulations and the adequacy of its compliance management

system (CMS) as it pertains to consumer compliance. The bank’s CMS must be reviewed by examiners

at least once per supervisory cycle. According to the Comptroller’s Handbook, the review of a bank’s

CMS for assigning the bank’s consumer compliance component rating should include a risk-based

assessment of the following components:

1. Board and management oversight, which includes:

− Oversight and commitment, including third-party risk management.

− Change management.

− Comprehension, identification, and management of risk.

− Self-identification and corrective action.

2. Consumer compliance program, which includes:

− Policies and procedures.

− Training.

− Monitoring and audit.

− Consumer complaint response.

Lesson Note: The OCC employees who are responsible for the supervision and regulation of banks are

called examiners.

The OCC may take enforcement actions for violations of laws, rules or regulations, final orders or

conditions imposed in writing, unsafe or unsound practices, and for breach of fiduciary duty by

institution-affiliated parties.

55

Federal Reserve

The Federal Reserve, the central bank system, was created in 1913 with the enactment of the Federal

Reserve Act. The Federal Reserve provides the nation with a safer, more flexible, and more stable

monetary and financial system by performing the following five functions12:

1. Conduct the nation’s monetary policy to promote maximum employment, stable prices, and

moderate long-term interest rates in the U.S. economy.

2. Promote the stability of the financial system and seek to minimize and contain systemic risks

through active monitoring and engagement in the U.S. and abroad.

3. Promote the safety and soundness of individual financial institutions and monitor their

impact on the financial system as a whole.

4. Foster payment and settlement system safety and efficiency through services to the banking

industry and the U.S. government that facilitate U.S.-dollar transactions and payments.

5. Promote consumer protection and community development through consumer-focused

supervision and examination, research and analysis of emerging consumer issues and trends,

community economic development activities, and the administration of consumer laws and

regulations.

The Federal Reserve has supervisory and regulatory authority for all BHCs. The Federal Reserve also

supervises state member banks, savings and loan holding companies, foreign banks operating in the

U.S, and other entities. In overseeing the institutions, the Federal Reserve seeks primarily to promote

their safe and sound functioning and their compliance with all applicable laws and regulations that

govern their activities. Since the financial crisis, the Federal Reserve has substantially enhanced its

supervisory program for large institutions. For example, the Federal Reserve takes a risk-focused

approach by scaling its supervisory work based on the size and complexity of the institution.

Federal Deposit Insurance Corporation

In response to the thousands of bank failures during the Great Depression, Congress created the

Federal Deposit Insurance Corporation (FDIC) in 1933 to maintain stability and public confidence on

deposits in the nation's financial system by13:

1. Insuring deposits (for at least $250,000).

2. Examining and supervising financial institutions for safety and soundness and consumer

protection.

12 The five functions of the Federal Reserve are from “About the Fed,” the Federal Reserve Board website, accessed on April 8, 2020. 13 The mission of the FDIC is from “2018-2022 Strategic Plan,” the FDIC, accessed on March 10, 2020.

56

3. Making large and complex financial institutions resolvable.

4. Managing receiverships.

In the U.S., there are two agencies that provide deposit insurance to depositors. The FDIC provides

deposit insurance to depositors in U.S. commercial banks and savings banks. The National Credit Union

Administration regulates and insures credit unions. According to the FDIC, since the start of the FDIC

insurance on January 1, 1934, no depositor has lost a single cent of insured funds as a result of a failure.

The FDIC is the primary federal supervisor for all state-chartered banks that are not members of the

Federal Reserve System and state-chartered thrifts. As of December 31, 2019, the FDIC provided

deposit insurance at 5,177 institutions and supervised about 3,338 banks and savings institutions for

operational safety and soundness, more than half of the institutions in the banking system14. The FDIC

also examines banks for compliance with consumer protection laws, such as the Fair Credit Billing Act,

the Fair Credit Reporting Act, the Truth-In-Lending Act, and the Fair Debt Collection Practices Act.

Finally, the FDIC examines banks for compliance with the Community Reinvestment Act (CRA) which

requires banks to help meet the credit needs of the communities they were chartered to serve.

Details of CRA are discussed in “Other Regulatory Related Matters”.

Lesson Note: The Office of Thrift Supervision (OTS) was established by Congress in 1989 as the primary

federal regulator of all federal and state-chartered savings institutions across the nation that belong

to the Savings Association Insurance Fund (SAIF).

Consumer Financial Protection Bureau

The Dodd-Frank Act of 2010 created the Consumer Financial Protection Bureau (CFPB) to enhance

consumer protection in the financial market. The CFPB, an independent agency within the Board of

Governors of the Federal Reserve System, centralizes the regulation of various financial products and

services. The CFPB has supervision authority for depository institutions with more than $10 billion in

assets and has examination and enforcement powers for financial industry participants that offer

consumers financial products.

To protect consumers in the financial marketplace, the CFPB promotes fairness and transparency for

mortgages, credit cards, and other consumer financial products and services. For instance, the CFPB

administers rules that protect consumers by setting disclosure standards, setting suitability standards,

and banning abusive and discriminatory practices. The CFPB also ensures that the federal consumer

financial laws are enforced consistently. Examples of the CFPB’s legal actions include suing credit card

companies for engaging in unfair, deceptive and abusive practices, prosecuting banks for charging

14 The FDIC statistics are from “Statistics At A Glance,” the FDIC, with values accessed on March 10, 2020.

57

overdraft fees to consumers who had not agreed to overdraft services, and bringing lawsuits against

payday lenders15.

Lesson Note: In some areas where the CFPB does not have jurisdiction, the Federal Trade Commission

(FTC) retains consumer protection authority. State regulators also retain a role in consumer protection.

The Securities and Exchange Commission

The Securities and Exchange Commission (SEC) is a U.S. government agency whose main mission is to

protect investors, maintain fair, orderly, and efficient markets, and facilitate capital formation. In the

wake of the 1929 Great Depression, the SEC was created by the Securities Exchange Act of 1934 to

protect investors and restore investor confidence through enforcing securities laws and regulating the

securities industry. Joseph P. Kennedy, President John F. Kennedy's father, served as the first Chairman

of the SEC.

The SEC administers the key participants in the securities world, including securities exchanges,

securities brokers and dealers, investment advisors, and mutual funds. The SEC is concerned primarily

with promoting the disclosure of important market-related information, maintaining fair dealing, and

protecting against fraud. The SEC is organized into five divisions and supported by a staff of

approximately 4,600 people, spread out between 11 Regional Offices throughout the country. The five

divisions are:

1. Division of Corporation Finance: Ensure that investors are provided with material information

in order to make informed investment decisions, both when a company initially offers its

securities to the public and on an ongoing basis as it continues to give information to the

marketplace.

2. Division of Enforcement: Conduct investigations into possible violations of the federal

securities laws and litigate the SEC's civil enforcement proceedings in the federal courts and

in administrative proceedings.

3. Division of Trading and Markets: Establish and maintain standards for fair, orderly, and

efficient markets. For example, it regulates the major securities market participants, including

broker-dealers, self-regulatory organizations (such as stock exchanges, FINRA, and clearing

agencies), and transfer agents.

4. Division of Investment Management: Administer the Investment Company Act of 1940 and

Investment Advisers Act of 1940, which includes developing regulatory policy for investment

companies (e.g. mutual funds) and for investment advisers.

15 Examples of CFBP’s legal actions are from “Consumer Financial Protection Act,” Investopedia, accessed on March 3, 2020.

58

5. Division of Economic and Risk Analysis: Integrate financial economics and rigorous data

analytics into the core mission of the SEC. For example, it is involved across the entire range

of SEC activities, including policy-making, rule-making, enforcement, and examination.

The SEC is mainly responsible for:

• Interpreting and enforcing federal securities laws.

• Issuing new rules and amend existing rules.

• Overseeing the inspection of securities firms, brokers, investment advisers, and ratings

agencies.

• Overseeing private regulatory organizations in the securities, accounting, and auditing fields.

• Coordinating U.S. securities regulation with federal, state, and foreign authorities.

Its main areas of enforcement include insider trading, accounting fraud, and false or misleading

investment information. For example, the Division of Corporate Finance (CF) selectively reviews public

filings to monitor and enhance compliance with the applicable disclosure and accounting

requirements. The CF selectively reviews transactional filings, such as registration statements, when

issuers engage in public offerings, business combination transactions, and proxy solicitations.

Accordingly, the CF may review a company more frequent than every three years if it files a registration

statement for an offering of securities, or if the SEC is monitoring compliance with a new or existing

rule, or a specific industry.

Lesson Note: The CF began reviewing the periodic reports of large financial institutions on an ongoing

basis following the 2008 financial crisis.

The Enforcement Division’s Financial Reporting and Audit (FRAud) Group is strengthening the agency’s

efforts to identify and prosecute securities law violations related to financial reporting and audit

failures. The work of the FRAud Group has led to a number of matters undertaken across the Division,

including inquiries, investigations, and filed enforcement actions. In short, the SEC promotes full public

disclosure, protects investors against fraudulent and manipulative practices in the market, and

monitors corporate takeover actions in the U.S.

59

Exhibit B: Federal Regulators and Who They Supervise

The CRS (Congressional Research Service) lays out the current federal financial regulatory structure

presented in the following table. According to the CRS, regulators are mainly divided into the three

main areas of finance—banking (depository), securities, and insurance (where state, rather than

federal, regulators play the key role). There are also targeted regulators for specific financial activities

(consumer protection; CFPB) and markets (agricultural finance and housing finance; FCA).

The following table does not include interagency-coordinating bodies, standard-setting bodies,

international organizations, or state regulators, which are described later in the report.

Regulatory

Agency Institutions Regulated

Other Notable

Authority

Depository Regulators

Federal

Reserve

• Bank holding companies and certain subsidiaries (e.g.

foreign subsidiaries), financial holding companies,

securities holding companies, and savings and loan

holding companies.

• Primary regulator of state banks that are members of the

Federal Reserve System, foreign banking organizations

operating in the United States, Edge Corporations, and

any firm or payment system designated as systemically

significant by the FSOC.

Operates discount

window (“lender of last

resort”) for

depositories, operates

payment system,

conducts monetary

policy.

Office of the

Comptroller of

the Currency

(OCC)

• Primary regulator of national banks, U.S. federal branches

of foreign banks, and federally chartered thrift

institutions.

Federal

Deposit

Insurance

Corporation

(FDIC)

• Federally insured depository institutions.

• Primary regulator of state banks that are not members of

the Federal Reserve System and state-chartered thrift

institutions.

Operates deposit

insurance for banks,

resolves failing banks.

National

Credit Union

Administration

(NCUA)

• Federally chartered or federally insured credit unions. Operates deposit

insurance for credit

unions, resolves failing

credit unions.

Securities Markets Regulators

Securities and

Exchange

Commission

(SEC)

• Securities exchanges, broker-dealers, clearing and

settlement agencies, investment funds, including mutual

funds, investment advisers, including hedge funds with

assets over $150 million, and investment companies.

• Nationally recognized statistical rating organizations.

Approves rulemakings

by self-regulated

organization.

60

• Security-based swap (SBS) dealers, major SBS

participants, and SBS execution facilities.

• Securities sold to the public.

Commodity

Futures

Trading

Commission

(CFTC)

• Futures exchanges, futures commission merchants,

commodity pool operators, commodity trading advisors,

derivatives clearing organizations, and designated

contract markets.

• Swap dealers, major swap participants, swap execution

facilities, and swap data repositories.

Approves rulemakings

by self-regulated

organizations.

Government-Sponsored Enterprise Regulators

Federal

Housing

Finance

Agency (FHFA)

• Fannie Mae, Freddie Mac, and Federal Home Loan Banks Acting as conservator

(since Sept. 2008) for

Fannie and Freddie.

Farm Credit

Administration

(FCA)

• Farm Credit System, Farmer Mac

Consumer Protection Regulator

Consumer

Financial

Protection

Bureau (CFPB)

• Nonbank mortgage-related firms, private student lenders,

payday lenders, and larger “consumer financial entities”

determined by the CFPB.

• Statutory exemptions for certain markets.

• Rulemaking authority for consumer protection for all

banks; supervisory authority for banks with over $10

billion in assets.

Source: The Congressional Research Service, Who Regulates Whom? An Overview of the U.S. Financial Regulatory Framework,

March 10, 2020

61

3. The Pressure-Cooker Environment

"That's the whole foundation of Wells Fargo is cross-sell, cross-sell, cross-sell."

Former Employee, Wells Fargo

“A standard line we hear is ‘I can play by the rules and get fired for not making unrealistic goals or I

can cheat and hope I don’t get caught’.”

Manager of Corporate Investigations, Wells Fargo

Wells Fargo is known for its intense cross-sell model. Cross-sell, a critical strategy for banks to expand

business and generate profits, involves offering multiple services/products to existing customers. For

example, as a way to increase its customer base, the bank can offer an existing checking account

customer with different products such as mortgage, line of credit, and credit and debit cards based on

need, behavior or demography. Customer value is enhanced by holding multiple products. In general,

the more products sold to existing customers, the more money the bank would earn from each

relationship and the less likely those customers would exit their relationship with the bank. That is,

the deeper the relationship, the stronger the relationship, and the more revenue banks can expect to

generate.

Lesson Note: Cross-sell is often confused with up-sell. Cross-sell is the act of selling a different product

that provides an additional benefit to the customer. Up-sell is the practice of encouraging customers

to buy a comparable higher-end product than the current one. While cross-sell is offering a

complementary product, up-sell is offering another upgrade or premium product.

The cross-sell model has been at the heart of growth in Wells Fargo. In 1998, Wells Fargo merged with

Norwest Corporation in a $34 billion deal. Although the merged bank operated under the Wells Fargo

name, Norwest’s management culture was directing the combined company. For example, Richard

Kovacevich, the top executive at Norwest, was given the positions of president and CEO (1998 − 2005)

at the merged bank. Kovacevich determined to bring Norwest's sales culture to Wells Fargo by

promoting the cross-sell strategy, establishing the long-held, and infamous, goal of eight products per

household.

Lesson Note: Wells Fargo’s sales-oriented culture was also transferred to former Wachovia branches

and retail bank operations following the merger with Wachovia.

Kovacevich considered financial instruments, such as checking accounts, credit cards, and loans, as

consumer products that were no different from light bulbs sold by Walt-Mart. According to Fortune

magazine, in his lingo, bank branches were “stores,” and bankers were “salespeople” whose job was

to “cross-sell,” which meant getting “customers” not “clients,”— to buy as many products as possible.

In 1999, Kovacevich launched an initiative called “Going for Gr-Eight,” a sales-focused business model,

aimed to sell at least eight separate products to every customer. Management had been pushing the

62

“Gr-Eight Initiative” sales targets that could reach as high as 20 products a day or more. In context,

most big banks aim to have two to three per customer. Cross-sell is a common and accepted sales

practice when the strategy is based on strong customer satisfaction and excellent customer service.

However, under Wells Fargo’s high-pressure goal of eight products per household, employees were

pushed to cross-sell customers by persuading them to open new accounts and obtain new credit cards

that were unneeded and unwanted.

According to the Board Report, in many instances, leadership recognized that their sales targets were

unachievable. They were referred to as “50/50 plans”. That is, there was an expectation that only half

the regions would be able to meet them. Typically, there were minimum requirements for products

sold per day, daily profit, packages sold per quarter, quarterly partner referrals and/or the number of

loans made per quarter. One former employee said she could not meet sales goals in any ethical way.

She reported the concern to the Wells Fargo’s ethics hotline and was eventually fired16.

The “Jump into January”, created in 2003, initially was designed to motivate employees to achieve and

exceed January goals. From 2003 through 2013, the bank imposed higher daily sales targets from

January through March and emphasized and rewarded higher sales activity levels. The monthly sales

goal during “Jump into January” was set as high as 12% of the yearly total. To meet the sales goals and

incentives, employees intentionally held off on opening accounts in December, until January, also

known as “sandbagging”.

Example: Emphasis on Meeting Aggressive Sales Goals

The following are excerpts from the OCC Notice of Charges N20-001.

An email exchange between Tolstedt, Head of the Community Bank, and one of her managers:

The executive proposed a plan that provided for a 4% increase in sales. Tolstedt told the executive in

an email marked as high importance: “the front end guidance was a minimum of 10%.” She further

stated: “[w]ould you do me a huge favor and change your sales plan to reflect a growth rate of between

10% and 15%.” Tolstedt forwarded the email to the CEO stating: “[j]ust so you know I won’t let them

get away with this!!! … we need to ensure they [referring to the sales plans] are equally hard across

all regions.”

Source: The OCC Notice of Charges N20-001

Many former employees reported that mornings usually began with a huddle where managers pressed

them to meet their “solutions goals.” Each credit card or home equity loan or other product was called

16 The former employee’s statement is from “Wells Fargo Fraud,” McCombs Business School, accessed on February 28, 2020.

63

“a solution.” Employees were told to sell solutions all day long17. The aggressive sales targets put

significant sales pressure on employees. Some employees signed up customers for online access by

creating fake emails. They also accessed personal customer account information, such as customer

phone numbers, home addresses, and email addresses, without authorization. Others enrolled

customers in online banking and online bill-pay without consent, known as “pinning”.

According to a former Chief Administrative Officer (2005-2015), it was common knowledge within the

bank that employees who could not meet sales goals could and would be terminated. Employees often

and consistently complained that the sales goals were unrealistic and unreasonable in numerous ways,

by sending emails, calling the EthicsLine, holding protests, and even approaching newspapers.

However, management failed to adequately perform their responsibilities with respect to the sales

practices misconduct problem which persisted for many years.

“Leadership Failure” explains how leaders distorted the sales model, fostering an atmosphere that

prompted low-quality sales and improper and unethical behavior.

The Board Report indicated that employees below the branch manager level — lower level in-branch

managers and non-managers — frequently cited branch managers as actively directing misconduct or

offering inappropriate guidance to subordinates on what constituted acceptable conduct. Non-

managers, in particular, attributed sales pressure from branch managers, and occasionally to district

managers, who incessantly pushed employees to meet aggressive sales goals. The high turnover rate

(35% annually) in the Community Bank indicated that sales pressure was excessive and was driving

employee separations.

For years, Wells Fargo has developed its obsession with cross-sell products. According to the Board

Report, Wells Fargo identified itself as a sales organization, such as retail stores or departments, rather

than a service-oriented financial institution. This provided justification for a relentless monitoring of

sales, abbreviated training, and high employee turnover. Wells Fargo’s sales-oriented culture

eventually led to the widespread unsound sales practices discussed in “Analyzing the Fake-Account

Scandal”.

17 The statements from former Wells Fargo employees are from “Former Wells Fargo Employees Describe Toxic Sales Culture, Even At HQ,” NPR, accessed on February 24, 2020.

64

Exhibit C: Wells Fargo’s Cutthroat Sales Culture


The Community Bank implemented the following philosophy to drive sales results: “A whole bunch

of management gurus say you need BHAGs – bold, hairy, audacious goals. That’s a technique of

management – to give troops a goal that looks unattainable and flog them heavily. And according

to that line of thought, you will do better chasing a BHAG than you will a reasonable objective.”

Management within the Community Bank implemented aggressive “flogging” techniques, including:

1. Running the “gauntlet,” wherein local managers were required to run between rows of their

peers and announce their area’s sales performance, subjecting them to criticism and ridicule if

their performance was poor.

2. Threatening direct reports with termination and other corrective actions for not meeting the

unreasonable sales goals: “[y]ou struggle – you’re gone.”, “[s]ome of you truly need a miracle

today to get back on track. Most of you should be embarrassed by your numbers. Your numbers

ARE your measure of success-don’t fool yourselves. You are defined by your goal achievement.

If you are afraid to produce because you think you’re going to get fired, we have a much bigger

problem.”

3. Warning employees that if they did not achieve sales goals, they would be “transferred to a

store where someone had been shot and killed” and if they did not make enough appointments

they would be “forced to walk out in the hot sun around the block.”

4. Having multiple daily calls with management to discuss sales performance. Low performers

typically were called out in front of their peers and asked to explain how they would improve

their sales performance: “Be adults and get your asses on our calls. It’s pathetic that I have to

remind you all. And everyone se[ems] to have an excuse. Go work at Walmart if you cannot

handle any of the aforementioned. Thank you.”


65


1. Which of the following is NOT a primary function of the Federal Reserve?

A. Conducting the nation’s monetary policy

B. Promoting the stability of the financial system

C. Fostering payment and settlement system safety and efficiency

D. Requiring public companies to disclose meaningful financial to the public

2. Which of the following situations is under the jurisdiction of the Consumer Financial Protection

Bureau (CFPB)?

A. Activating unauthorized lines of credit on consumers’ accounts

B. Selling unapproved and misbranded drugs

C. Failing to make accurate and complete disclosure to investors

D. Dumping illegal disposal of hazardous waste

3. The Securities and Exchange Commission (SEC) performs all of the following tasks EXCEPT:

A. Maintaining standards for fair, orderly, and efficient markets

B. Investigating possible violations of the federal securities laws

C. Developing generally accepted accounting principles

D. Ensuring that investors are provided with material information

4. Pacific West, a life insurance company, suggests its customers sign up for car, home, and health

insurance. Pacific West uses which of the following sales techniques?

A. Inside sales

B. Cross-sell

C. Bait-and-switch

D. Up-sell

5. Tom works for a local bank. To meet his sales goals and incentives, he intentionally held off on

opening accounts in December until January. Which unsound sales practices was he committing?

A. Sandbagging

B. Pinning

C. Bundling

D. Simulated funding

66

II. Analyzing the Fake-Account Scandal

1. A Violation of Public Trust and Confidence

“Lack of trust and confidence in the banking sector creates material costs to society. Fixing culture in

banking is now a public trust—as well as an economic—imperative.”

Group of Thirty, Banking Conduct and Culture, July 2015

Trust is vital to the conduct of all businesses. For example, we trust grocery stores to provide safe food.

We trust airlines to deliver our luggage to the right destination on time. The core of the banking

industry is trust. Banks have traditionally recognized their duty to act in a manner of public trust and

confidence and maintain high standards of conduct. The most strategic dimension of trust is

relationship building, such as a banks’ willingness and ability to do what is right for its customers. This

level of trust indicates a bank’s commitment to keep its promise and deliver products and services that

contribute to its customer’s financial well-being.

Trust takes years to establish. However, it can be destroyed in a moment through failures caused by

poor ethics, values, and behaviors. This section examines how Wells Fargo violated the trust the bank

had with its customers.

Consumer Abuses: Deceptive and Abusive Acts

“Spurred by sales targets and compensation incentives, employees boosted sales figures by covertly

opening accounts and funding them by transferring funds from consumers’ authorized accounts

without their knowledge or consent, often racking up fees or other charges.”

CFPB Newsroom September 8, 2016

Between 2011 and 2016, employees created about 2.1 million fraudulent accounts, more than 1.5

million unauthorized checking and savings accounts, and about 565,000 fraudulent credit cards, to

meet aggressive sales quotas. As a result of the fake-account scandal, the bank fired 5,300 mostly

lower-level workers for engaging in these reckless unsafe banking practices, including the opening and

manipulation of customer accounts without the customer’s consent.

In 2017, Wells Fargo uncovered additional 1.4 million fake bank accounts and credit card accounts

opened between 2009 and 2016. This brings the total number of fake accounts to 3.5 million. Former

Wells Fargo Branch Manager Susan Fischer told CNN18 “These practices were going on way before

18 The former Wells Fargo’s employee interview is from “Wells Fargo workers: Fake accounts began years ago” CNN Business, accessed on March 1, 2020.

67

2011.” Fischer said she remembers her district manager instructing her in 2007 to make the employees

reporting to her open unauthorized accounts.

Having multiple credit card inquiries can affect a credit score, especially if they occur over a short

period of time. Thus, the consequential opening, closing, and reopening of credit card accounts

harmed customers’ credit scores. If the account had an annual fee and it was left unpaid and the

account termed delinquent, the customer credit score would suffer from the long-term consequences.

In 2016, The CFPB determined that Wells Fargo violated the Consumer Financial Protection Act of

2010, 12 U.S.C. §§ 5531 and 5536(a)(1)(B) by engaging in the following unsound banking practices19:

1. Opened unauthorized deposit accounts for existing customers and transferred funds to those

accounts from their owners’ other accounts, all without their customers’ knowledge or

consent.

2. Submitted applications for credit cards in consumers’ names using consumers’ information

without their knowledge or consent.

3. Enrolled consumers in online-banking services that they did not request.

4. Ordered and activated debit cards using consumers’ information without their knowledge or

consent.

Consumer Financial Protection Act of 2010:

12 U.S.C. §§ 5531: PROHIBITING UNFAIR, DECEPTIVE, OR ABUSIVE ACTS OR PRACTICES.

12 U.S.C. §§ 5536(a)(1)(B): IN GENERAL.—It shall be unlawful for— (1) any covered person or service

provider—(B) to engage in any unfair, deceptive, or abusive act or practice.

19 The consent order from the CFPB are from “Consent Order 2016-CFPB-0015,”CFPB, September 8, 2016.

68

The Race to Eight: A Misleading Performance Matric

“Because of the centrality of the cross-sell metric to Wells Fargo’s investor narrative, Company

executives were focused on maintaining cross-sell growth from at least 2007 through 2016. The

compensation of certain Company executives was impacted by cross-sell growth.”

The SEC Settled Administrative Order No. 3-19704

Wells Fargo had a long history of strong performance as a self-identified sales organization. The bank

used the cross-sell metric, the ratio of the number of accounts and products per retail bank household,

to measure its success at executing this core business strategy. It is considered as a driver of future

revenue. From at least 2000 until the third quarter of 2016, Wells Fargo published a Community Bank

“cross-sell metric” in its annual reports and SEC Forms 10-Q, 10-K, and 8-K.

Wells Fargo has been a master of cross-sell over the years. In 1998, Wells Fargo’s retail banking cross-

sell ratio was 3.2 products per household. For the next 10 years, it increased the ration each year, up

to 5.95 products per household. In 2010, the ratio was reduced to 5.7 because Wells Fargo combined

its cross-sell ratio with recently acquired Wachovia Bank.

By 2012, its cross-sell ratio had reached to 6.05, almost triple the banks average of 2.3 products used

by customers. Wells Fargo has sought to distinguish itself in the marketplace as a leader in “cross-sell”

of products and services to existing customers who did not already have them. The sales-oriented

culture helped the bank's bottom line. Wells Fargo expanded the number of products it sold to millions

of customers and from 2006 to 2015 the banks stock rose 67%20.

Note: In 2010, Wells Fargo began to combine Wachovia and Wells Fargo cross-sell numbers, lowing the overall ratio.

Source: Public Citizen, The “King of Cross-Sell” and the Race to Eight, 2016

20 The Wells Fargo stock information is from “Former Wells Fargo Employees Describe Toxic Sales Culture, Even At HQ,” NPR, accessed on February 21, 2020.

3.2 3.43.7 3.8

4.2 4.34.6 4.8

5.25.5

5.735.95

5.705.92 6.05 6.16 6.176.11

3.0

4.0

5.0

6.0

7.0

1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015

Wells Fargo Retail Banking Cross -Sell Ratio(Annual Report 1998 - 2015)

69

According to the SEC, Wells Fargo characterized its cross-sell strategy to investors as a key component

of its financial success and routinely discussed its efforts to achieve cross-sell growth during investor

presentations and analyst conferences. It represented to investors that the bank’s ability to execute

successfully on its cross-sell strategy provided the company with a competitive advantage that caused

an increase in revenue. For example, CNN Business reported that the key message Wells Fargo wanted

to drive home to its shareholders: the bank averaged an impressive 6.1 products per household, far

better than the rest of the industry.

In February 2020, the SEC charged Wells Fargo for misleading investors about the success of its core

business strategy, the cross-sell model. Wells Fargo induced investors to continue relying on its cross-

sell metric even though it was inflated by low-quality accounts and services that were unused,

unneeded, or unauthorized. The unauthorized products and services inflated the cross-sell metric and

resulted in enhanced stock prices.

Lesson Note: To protect investors from dangerous or illegal financial practices or fraud, the Securities

and Exchange Act of 1934 requires public companies to disclose full and accurate financial and other

information to the public. This provides a common pool of knowledge for all investors to use to judge

for themselves whether to buy, sell, or hold a particular security.

According to the SEC order, Wells Fargo violated Section 10(b) of the Securities and Exchange Act of

1934 and Rule 10b-5 by engaging in the following fraudulent activities21:

1. Thousands of Wells Fargo’s employees participated in the extensive sales practices

misconduct to attain sales through fraud, identity theft, and the falsification of bank records.

As a result, Wells Fargo opened millions of accounts or financial products that were

unauthorized or fraudulent between 2002 and 2016. During the same period, Wells Fargo also

opened significant numbers of low-value products (e.g., unneeded, unwanted).

2. Accounts and financial products opened without customer consent or pursuant to “gaming”

practices were included in the Community Bank cross-sell metric until such accounts were

eventually closed for lack of use.

3. Wells Fargo failed to disclose to investors that the Community Bank’s sales model had caused

widespread unlawful and unethical sales practices misconduct from 2012 to 2016.

4. Wells Fargo characterized the cross-sell metric as a ratio of “products used by customers in

retail banking households” in response to an SEC Comment Letter that asked how the cross-

sell metric was calculated, and in its 2014 and 2015 Annual Reports. Management knew that

21 The Wells Fargo improper sales practices information is from the SEC Settled Administrative Order No. 3-19704, February 21, 2020.

70

the metric included many products that were not used by customers. Wells Fargo’s inclusion

of the word “used” to describe the accounts was therefore misleading.

Lesson Note: Gaming is defined as the manipulation and/or misrepresentation of sales to receive

compensation or meet sales goals.

Rule 10b-5 is the SEC main basis for investigating possible security fraud claims. The rule applies to any

person who directly or indirectly uses any means to defraud, make false statements, or omit relevant

information in the purchase or sale of any security. For example, the SEC often uses this rule to charge

a person with illegal insider trading. Another violation of this rule includes executives making false

statements or manipulating financial performance results to drive up share prices. These schemes

usually require ongoing, misleading statements in order to perpetrate the fraud.

Rule 10b-5: Employment of Manipulative and Deceptive Practices:

It shall be unlawful for any person, directly or indirectly, by the use of any means or instrumentality of

interstate commerce, or of the mails or of any facility of any national securities exchange,

a. To employ any device, scheme, or artifice to defraud,

b. To make any untrue statement of a material fact or to omit to state a material fact necessary in

order to make the statements made, in the light of the circumstances under which they were

made, not misleading, or

c. To engage in any act, practice, or course of business which operates or would operate as a fraud

or deceit upon any person, in connection with the purchase or sale of any security.

Reckless Behavior: Deficiencies in Oversight of Sales Practices

“The Bank (Wells Fargo) tolerated pervasive sales practice misconduct as an acceptable side effect of

the Community Bank’s profitable sales model, and declined to implement effective controls to catch

systemic misconduct.”


Although the OCC, Federal Reserve, and FDIC all have safety and soundness authority, the OCC is the

primary prudential regulator of Wells Fargo’s bank subsidiary. The OCC regulates Wells Fargo’s internal

controls, its management of operational and reputational risks, and deposit and lending activities. The

OCC has strong enforcement powers, including the ability to issue cease and desist orders and revoke

federal bank charters. In September 2016, the OCC found22:

Deficiencies and unsafe or unsound practices in Wells Fargo’s risk management and oversight

of its sales practices; and

22 The OCC findings are from the OCC Consent Order AA-EC-2016-66, September 1, 2016.

71

Unsafe or unsound sales practices by the bank.

The OCC stated that the incentive compensation program and plans within the Community Bank

fostered the unsafe or unsound sales practices. Thus, the OCC found that employees were pressured

to sell products by engaging the following fraudulent activities:

1. The selling of unwanted deposit or credit card accounts.

2. The unauthorized opening of deposit or credit card accounts.

3. The transfer of funds from authorized, existing accounts to unauthorized.

4. Unauthorized credit inquiries for purposes of the conduct described in 1 and 2.

The OCC also cited that the bank did not have a sufficient Enterprise-Wide Sales Practices Oversight

Program. As a result, the bank failed to prevent and detect the sales practices misconduct described

above and failed to mitigate the risks that resulted from such malpractices. Finally, the OCC identified

deficiencies in the bank’s customer complaint monitoring process that hindered the bank from:

Assessing customer complaint activity across banks.

Adequately monitoring, managing, and reporting on customer complaints; and

Analyzing and understanding the potential sales practices risk.

The OCC order also requires the bank to take corrective action to establish an enterprise-wide sales

practices risk management and oversight program to detect and prevent unsafe or unsound sales

practices.

72

2. The Price of Deceitful Behavior

“Without a culture that insists on high standards of values and conduct, it is difficult to generate and

sustain trust and reputation, which are the bedrock of a safe and effective financial system.”

Group of Thirty, Banking Conduct and Culture, July 2015

Penalties and Fines

In September 2016, Wells Fargo had been hit with total of $185 million in penalties by the CFPB ($100

million), the OCC ($35 million), and the City and County of Los Angeles ($50 million) for its pervasive

improper sales practices that harmed customers in a variety of ways (e.g., secretly opening

unauthorized accounts, transferring funds among unauthorized accounts) as previously noted. In

addition to the civil monetary penalties, Wells Fargo was required to take action to identify, correct,

and prevent deficiencies in the bank’s sales practices.

In February 2020, the bank agreed to pay an additional $3 billion in settling criminal and civil

investigations with the Justice Department and the SEC regarding the fake-account scandal. Wells

Fargo has agreed to pay $500 million to settle the charges, which will be returned to investors. The

$500 million payment is part of a combined $3 billion settlement with the SEC and the Department of

Justice23. The $3 billion fine is about 15% of Wells Fargo’s 2019 profits ($19.5 billion).

Table 1 identifies Wells Fargo’s top 10 primary offense types between 2000 and 2019. Table 2 lists

Wells Fargo’s most recent offenses (2016 - 2019).

Table 1

Top 10 Primary Offense Types (2000-2019) Penalty Total

mortgage abuses $5,625,783,671

toxic securities abuses $3,637,750,000

banking violation $3,541,932,386

investor protection violation $1,633,122,646

False Claims Act and related $1,200,000,000

consumer protection violation $634,199,965

wage and hour violation $214,903,723

anti-money-laundering deficiencies $163,500,000

price-fixing or anti-competitive practices $148,000,000

benefit plan administrator violation $130,775,000 Source: Good Jobs First, Violation Tracker Parent Company Summary, with values accessed on March 11, 2020.

23 The Wells Fargo settlement data is from “Wells Fargo to Pay $500 Million for Misleading Investors About the Success of Its Largest Business Unit,” SEC Press Release 2020-38, with values accessed on February 28, 2020.

73

Source: Good Jobs First, Violation Tracker Parent Company Summary, with values accessed on March 11, 2020.

The Damage to Brand and Reputation

“Rebuilding trust became our top priority when I became CEO last October. That’s when we began

our recovery from the reputation damage we sustained from unacceptable retail sales practices in

the Community Bank.”

Tim Sloan, Former CEO (2016 − 2019), Wells Fargo

A bank’s reputation is mainly built on trust, a strong predictor of loyalty. Banks consider trust a

strategic imperative as they need trust to retain customers and expand their business. Thus, building

and maintaining trust with consumers over the long term is vital. We trust banks to protect our money.

We trust banks to keep our private information confidential. We trust banks to provide us with

accurate information and access to the deposits on request. We trust banks to recommend the right

Parent Company Penalty Amount Penalty Year Primary Offense Agency

Wells Fargo $14,475,000 2019 investor protection violation Commodity Futures Trading Commiss ion

Wel ls Fargo $283,697 2019 employment discrimination Office of Federa l Contract Compl iance Programs

Wel ls Fargo $812,500 2019 investor protection violation Securi ties and Exchange Commiss ion

Wel ls Fargo $17,363,847 2019 investor protection violation Securi ties and Exchange Commiss ion

$32,935,044

Wells Fargo $500,000,000 2018 consumer protection violation Consumer Financia l Protection Bureau

Wel ls Fargo $17,250,000 2018 toxic securi ties abuses Il l inois Attorney Genera l

Wel ls Fargo $2,090,000,000 2018 toxic securi ties abuses Justice Department Civi l Divis ion

Wel ls Fargo $575,000,000 2018 banking violation Multis tate Attorneys Genera l Case

Wel ls Fargo $65,000,000 2018 investor protection violation New York Attorney Genera l

Wel ls Fargo $500,000,000 2018 banking violation Office of the Comptrol ler of the Currency

Wel ls Fargo $5,108,441 2018 investor protection violation Securi ties and Exchange Commiss ion

Wel ls Fargo $27,500,000 2018 wage and hour violation


$3,789,358,441

Wells Fargo $5,400,000 2017 Servicemembers Civi l Rel ief Act Justice Department Civi l Rights Divis ion

Wel ls Fargo $5,400,000 2017 workplace whis tleblower reta l iation Occupational Safety & Health Adminis tration

Wel ls Fargo $577,500 2017 workplace whis tleblower reta l iation Occupational Safety & Health Adminis tration

Wel ls Fargo $3,500,000 2017 anti -money-laundering deficiencies Securi ties and Exchange Commiss ion



Wel ls Fargo $685,000 2017 wage and hour violation


Wel ls Fargo $35,500,000 2017 employment discrimination

$71,462,500

Wells Fargo $8,500,000 2016 privacy violation Cal i fornia Attorney Genera l

Wel ls Fargo $400,000 2016 data submiss ion deficiencies Commodity Futures Trading Commiss ion

Wel ls Fargo $100,000,000 2016 banking violation Consumer Financia l Protection Bureau

Wel ls Fargo $4,010,000 2016 student loan abuses Consumer Financia l Protection Bureau

Wel ls Fargo $1,200,000,000 2016 False Cla ims Act and related Justice Department Civi l Divis ion

Wel ls Fargo $4,100,000 2016 Servicemembers Civi l Rel ief Act Justice Department Civi l Rights Divis ion

Wel ls Fargo $11,874 2016 Fami ly and Medica l Leave Act Labor Department Wage and Hour Divis ion

Wel ls Fargo $50,000,000 2016 consumer protection violation Los Angeles (CA) Ci ty Attorney



Wel ls Fargo $20,000,000 2016 Servicemembers Civi l Rel ief Act Office of the Comptrol ler of the Currency

Wel ls Fargo $440,000 2016 investor protection violation Securi ties and Exchange Commiss ion

Wel ls Fargo $8,000,000 2016 consumer protection violation West Virginia Attorney Genera l

Wel ls Fargo $12,000,000 2016 employment screening violation

$1,512,461,874

Total Penalities

(2016 - 2019) $5,406,217,859

Wells Fargo Penalities 2016 - 2019

Table 2

74

products and solutions for our needs. Ultimately, we trust the bank to be there to help. The actions

that Wells Fargo undertook violated the public trust and confidence on the most basic levels.

There is evidence that the scandal has inflicted serious damage on the Wells Fargo reputation.

According to American Banker’s reputation survey, Wells Fargo’s score dramatically fell from 67.3

(average) in 2016 to 48.6 (weak) in 2017, by far the lowest of any bank24. American Banker also

reported that Wells Fargo experienced a sharp decrease in new account openings in 2017 since the

scandal broke in 2016. Following Wells Fargo’s announcement of the 2016 settlements with the OCC,

the CFPB, and the City of Los Angeles, Wells Fargo’s stock experienced three significant stock drops

that translated into an approximately $7.8 billion decrease in market capitalization25.

Lesson Note: According to the American Banker, a score under 50 is considered "weak." Scores

between 60 and 69 are "average" between 70 and 79, "strong" and above 80, "excellent."

In May 2018, Wells Fargo launched a new, integrated marketing campaign called “Re-Established” to

emphasize the company’s commitment to re-establish trust with stakeholders. One key component of

this campaign is a commercial called “Trust” which aired nationwide and signaled Wells Fargo’s intent

in a bold way. In January 2019, the bank launched another integrated marketing campaign called “This

is Wells Fargo,” which followed the 2018 “Re-established” campaign. “This is Wells Fargo” which was

focused on changes the bank made to its operations and culture in order to deliver exceptional service

and rebuild trust with customers.

Followed by the campaign, Wells Fargo issued a Business Standards Report as part of its commitment

to transparency while it works to rebuild trust with stakeholders and transform the company. The

report, titled “Learning from the past, transforming for the future,” represents an important milestone

in Wells Fargo’s work to rebuild trust. It details the changes Wells Fargo has made since 2016 to

address the causes of past issues and provides updates on the company’s businesses, practices, and

progress on its goals.

24 The Wells Fargo reputation survey scores are from “2017 reputation survey: Banks avoid the Wells Fargo drag,” American Banker, accessed on March 11, 2020. 25 The Wells Fargo’s decreased market capitalization data is from the SEC Settled Administrative Order No. 3-19704, February 21, 2020.

75

Other Regulatory Related Matters

CRA Performance Evaluation

The Community Reinvestment Act (CRA) was enacted in 1977 (12 U.S.C. 2901). The CRA requires the

federal financial supervisory agencies (e.g., FDIC, OCC) to assess the institutions' record of helping

meet the credit needs of its entire community, including low- and moderate-income neighborhoods,

consistent with the safe and sound operation of the institution. A financial institution's CRA

performance in helping to meet the credit needs of its community is evaluated in the context of

information about the institution (capacity, constraints and business strategies), its community

(demographic and economic data, lending, investment, and service opportunities), and its competitors

and peers26.

OCC's responsibilities under the CRA include:

• Assessing a national bank's record of helping to meet the credit needs of its entire community,

including low- and moderate-income neighborhoods, and

• Considering that record in evaluating a bank's application for new branches, relocation of an

existing branch, mergers and consolidations, and other corporate activities.

In March 2017, the OCC downgraded Wells Fargo’s most recent CRA rating, from “Outstanding” to

“Needs to Improve” due to the bank’s sales practices abuses. This is Wells Fargo’s lowest level since

1994. According to the OCC report27, Wells Fargo demonstrated “an extensive and pervasive pattern

and practice of violations across multiple lines of business within the bank”. The OCC report further

explained that:

The bank failed to implement an effective compliance risk management program designed to

properly prevent, identify and correct violations.

Bank management instituted policies, procedures and performance standards that

contributed to several of the violations for which evidence has been identified.

26 The CRA purpose and criteria are from “CRA Rating Search Frequently Asked Questions (FAQs)”, the Federal Financial Institutions Examination Council's (FFIEC), accessed on March 9, 2020. 27 The Wells Fargo’s CRA information is from “COMMUNITY REINVESTMENT ACT PERFORMANCE EVALUATION- September 30, 2012,” Wells Fargo Media, accessed on March 18, 2020.

76

Lesson Note: Interstate banks receive an overall rating as well as an evaluation based on their CRA

performance in each state and metropolitan statistical area in which they have branches. An overall

CRA rating is assigned using a four-tiered rating system including “Outstanding”, “Satisfactory”, “Needs

to Improve”, and “Substantial Noncompliance”.

The rating, which is usually reviewed every five years, imposes regulatory restrictions and limitations

on the bank’s ability to engage in mergers/acquisitions and open branches. The rating also requires

the bank to seek prior regulatory approval for certain financial activities such as issuing or prepaying

debt and opening bank branches. Moreover, a “Needs to Improve” rating could potentially prevent

the bank from investing in certain government business that requires a higher rating.

The OCC assigns a rating for a large bank assessed under the lending, investment, and service tests.

The following table demonstrates the rating of “Needs to Improve” for lending performance.

Large Bank CRA Lending Performance Ratings

Rating Criteria

Needs to

Improve

• Poor responsiveness to credit needs in its assessment area(s), taking into

account the number and amount of home mortgage, small business, small

farm, and consumer loans, if applicable, in its assessment area(s).

• Small percentage of its loans is made in its assessment area(s).

• Poor geographic distribution of loans, particularly to low- or moderate-

income geographies, in its assessment area(s).

• Poor distribution, particularly in its assessment area(s), of loans among

individuals of different income levels and businesses (including farms) of

different sizes, given the product lines offered by the bank.

• Poor record of serving the credit needs of highly economically disadvantaged

areas in its assessment area(s), low-income individuals, or businesses

(including farms) with gross annual revenues of $1 million or less, consistent

with safe and sound operations.

• Little use of innovative or flexible lending practices in a safe and sound manner

to address the credit needs of low- or moderate-income individuals or

geographies.

• Low level of community development loans.

Source: The OCC, Comptroller’s Handbook − Examination Process: Bank Supervision Process, September 2019.

77

Asset Cap: The Growth Restriction

In early 2018, the Federal Reserve imposed an unprecedented order to cap Wells Fargo’s asset growth

as a penalty for its widespread consumer abuses and other lapses to the regulator's satisfaction. The

restriction barred Wells Fargo from increasing total assets beyond its level at the end of 2017 ($1.95

trillion). According to Federal Reserve Board Chair Janet Yellen28:

“We cannot tolerate pervasive and persistent misconduct at any bank and the consumers harmed by

Wells Fargo expect that robust and comprehensive reforms will be put in place to make certain that

the abuses do not occur again. The enforcement action we are taking today will ensure that Wells

Fargo will not expand until it is able to do so safely and with the protections needed to manage all of

its risks and protect its customers.”

The growth restriction will not be lifted until Wells Fargo proves that it has remedies to its risk

management and controls and implemented to the regulator’s satisfaction.

28 The Federal Reserve press release is from “Responding to widespread consumer abuses and compliance breakdowns by Wells Fargo, the Federal Reserve Board…announced that it would restrict the growth of the firm until it sufficiently improves its governance and controls. Concurrently, with the Board’s action, Wells Fargo will replace three current board members by April, and a fourth board member by the end of the year.” Federal Reserved, February 2, 2018.

78


1. By engaging unsound banking practices (e.g., sandbagging, pinning), Wells Fargo violated which of

the following regulations?

A. Expedited Funds Availability Act of 1987

B. Sarbanes-Oxley Act of 2002

C. Consumer Financial Protection Act of 2010

D. Foreign Corrupt Practices Act of 1977

2. To protect investors from dangerous or illegal financial practices or fraud, which of the following

laws requires companies to disclose full and accurate financial and other information to the

public?

A. The Securities and Exchange Act of 1934

B. The Investment Advisers Act of 1940

C. The Freedom of Information Act

D. The Private Securities Litigation Reform Act of 1995

3. Which of the following regulations encourages depository institutions to meet the credit needs of

low- and moderate-income neighborhoods?

A. Fair Credit Reporting Act of 1970

B. SAFE Banking Act of 2019

C. Community Reinvestment Act of 1977

D. Truth-In-Lending Act of 1968

79

III. Learning from the Scandal “The root cause of sales practice failures was the distortion of the Community Bank’s sales culture

and performance management system, which, when combined with aggressive sales management,

created pressure on employees to sell unwanted or unneeded products to customers and, in some

cases, to open unauthorized accounts.”

Independent Directors of the Board of Wells Fargo & Company - Sales Practices Investigation Report

1. Why the Improper Sales Practices Happened

“The Community Bank’s business model and the senior leaders of the Bank presented a stark dilemma

to employees every day for 14 years: they could engage in sales practice misconduct—much of which

was illegal—to meet their goals, or they could struggle to meet their goals and face adverse

consequences, including losing their jobs.”


The Toxic Sales Culture

Wells Fargo maintained an ethics program to instruct employees on recognizing and addressing

conflicts of interest. It also implemented a whistleblower hotline to alert senior management of

violations. However, under the overbearing sales culture, with increased pressure to meet the

unreasonable sales targets, employees inevitably were driven to engage in widespread fraudulent and

illegal activities to sell more, more, and more. This section explains how Wells Fargo’s undesirable

subculture (contradictive to the corporate values) led to the fake-account scandal.

The Intended Culture

“We want to satisfy our customers’ financial needs and help them succeed financially.”

Wells Fargo’s Vision

Wells Fargo has a reputation of serving customers through trusted relationships and products and

services that help customers succeed financially. Wells Fargo published a 44-page “Vision and Values”

brochure that explained, at length, how the bank built the journey toward the customer-centric, not a

product-centric path. The brochure used the word “trust” 56 times. In the brochure, the bank

emphasized that:

“Our vision has nothing to do with transactions, pushing products or getting bigger for the sake of

bigness. It’s about building lifelong relationships one customer at a time.”

“We start with what the customer needs—not with what we want to sell them.”

80

Moreover, Wells Fargo’s Code of Ethics explains that the bank’s aim is to promote an atmosphere in

which ethical behavior is well recognized as a priority and practiced on a day-to-day basis. The Code

of Ethics contains basic principles and additional guidance to help their employees make the best

decisions and to comply with the laws, rules, and regulations. The Code of Ethics also sets a clear

employee expectation that:

“We have a responsibility to always act with honesty and integrity. When we do so, we earn the trust

of our customers. We have to earn that trust every day by behaving ethically, rewarding open, honest

communication, and holding ourselves accountable for the decisions we make and the actions we

take.”

Specifically, the Code of Ethics reminds employees to always remember:

✓ Products provided to our customers should be in the customer’s best interest, must be

explained in a way that the customer can understand, and the terms and conditions must be

thoroughly and accurately disclosed.

✓ Steering a customer to an inappropriate or unnecessary product to receive sales credit may

harm the customer and is a violation of the Code.

✓ Manipulating or misrepresenting sales, reporting, or customer information is a violation of the

Code.

✓ Know the sales referral and compensation guidelines that are applicable to your role.

✓ Never engage in unfair, deceptive, or abusive acts or practices.

Finally, in its 2015 Annual Report, Wells Fargo emphasized that:

“Our approach to cross-sell is needs-based as some customers will benefit from more products, and

some may need fewer.”

Conflicts of Interest and Ethics

“Ethics and integrity are as critical as ever to our work to build a better bank for all of our stakeholders.”

Wells Fargo’s Code of Ethics – A Message from the CEO

As previously noted, Wells Fargo’s vision is clearly focused on acting in the best interests of their

customers to help them succeed financially. However, there was a growing conflict in the Community

Bank between Wells Fargo’s Vision Statement and its emphasis on sales goals. The Board Report found

that:

“Corporate control functions were constrained by the decentralized organizational structure and a

culture of substantial deference to the business units.”

81

The Board Report cited that the bank’s decentralized structure gave too much authority and autonomy

to the Community Bank’s senior management, who “were unwilling to change the sales model or even

recognize it as the root cause of the problem.” That is, the decentralized operation aided by a culture

of strong deference to management of the lines of business had an adverse impact on how the control

environment functioned.

Moreover, according to its 1999 Annual Report, Wells Fargo was: “Going for gr-eight product

packages29,” known internally as the “Gr-Eight Initiative” discussed earlier. In its 2010 Annual Report,

Wells Fargo sent out the following message clearly focused on sales volume:

“Even when we get to eight, we’re only halfway home. The average banking household has about 16.

I’m often asked why we set a cross-sell goal of eight. The answer is, it rhymed with “great.” Perhaps

our new cheer should be: “Let’s go again, for ten!”

In contrast to Wells Fargo’s Vision Statement, Code of Ethics, and disclosures about needs-based

selling, the Community Bank implemented this volume-based sales model in which employees were

directed, pressured, or caused to sell large volumes of products to existing customers, often with little

regard to actual customer need or expected use30. For example:

1. To meet the sales goals, employees engaged in “simulated funding” by transferring funds from

existing accounts to unauthorized accounts. This widespread practice gave the employees

credit for opening the new accounts. Thus, they were able to earn additional compensation.

Consumers, in turn, were sometimes harmed because they were charged for insufficient funds

or overdraft fees since the money was not in their original accounts.

2. During the sales push "Jump into January", former employees said they were expected to sell

20 products a day. Customers were sold unnecessary or unwanted services and products. For

instance, employees misrepresented to customers that certain products were available only

in packages with other products, known as “bundling”.

One of Wells Fargo’s primary values is that employees are committed to the highest standards of

integrity, transparency, and principled performance. There was a clear breakdown between the values

articulated in the corporate headquarters with those out in the field, in the branch offices selling

consumer banking products.

29 The 1999 annual report information is from “The “King of Cross-Sell” and the Race to Eight,” Public Citizen, 2016. 30 The Wells Fargo improper sales practices information is from the SEC Settled Administrative Order No. 3-19704, February 21, 2020.

82

Examples of Wells Fargo Perpetual Sales Integrity Violations


In February 2013, the Team Member Misconduct Executive Committee—including Respondent

Julian (Chief Auditor)—received a presentation that showed that “sales integrity violations” was

the second-most common category of employee investigations.

In August 2013, the Team Member Misconduct Executive Committee—including Respondent

Julian —received data that approximately half of the over 7,000 EthicsLine complaints investigated

by Corporate Investigations related to sales integrity violations and that the number of sales

integrity cases was increasing.

The Chief Security Officer and Head of Corporate Investigations reported to the Ethics Committee,

including Respondent Julian, in August 2013 that “Sales Integrity issues are most prevalent – there

needs to be continued focus in this area” and that most EthicsLine reports are “associated with

Sales Integrity Issues.”


Leadership Failure

Lack of Risk Awareness

“Over time, even as senior regional leaders challenged and criticized the increasingly unrealistic sales

goals — arguing that they generated sales of products that customers neither needed nor used — the

Community Bank’s senior management tolerated low quality accounts as a necessary by-product of a

sales-driven organization.”


As previously noted, Wells Fargo had a systemic and well-known problem with sales practices

misconduct that persisted for at least 14 years (2002 − 2016). Early problems with Wells Fargo’s sales-

focused culture date back to at least 1999 when the “Going for Gr-Eight” sales model was

implemented. Deceptive practices were widespread across the bank, and many former employees

stated that their managers knew about them. Senior executives chose profits and other market

rewards over taking action to stop the systemic issuance of unauthorized products and services to

customers. As a result, hundreds of thousands of employees engaged in numerous types of sales

practices misconduct.

According to the SEC, from at least as early as 2002 to approximately 2013, Wells Fargo management

directly and/or indirectly encouraged, caused and approved sales plans that called for aggressive

annual growth in a number of basic banking products, such as checking and savings accounts, debit

83

cards, credit cards, and bill pay accounts. Widespread misconduct has caused damage, including

downgraded credit ratings, reduced shareholder return, and reputational harm.

The Board Report pointed out that Stumpf was aware of aggressive sales goals, sales practice issues

(gaming) and associated incentive compensation plan over the years. For instance, Stumpf was

notified of the incident involving the branch in Colorado in 2002. Almost an entire branch in Colorado

engaged in a form of gaming to meet sales targets in connection with a promotional campaign. Sales

practice misconduct included issuing debit cards without customer consent and improper teller

referral credits. Moreover, Stumpf received numerous customer and employee complaints about sales

practices and sales pressure, which he or his assistants referred on to appropriate subordinates

without further follow-up. In short, Stumpf did not engage in investigation and critical analysis to fully

understand the sales practice issues. The Board Report concluded that:

“The former Chief Executive Officer, relying on Wells Fargo’s decades of success with cross-sell and

positive customer and employee survey results, was too slow to investigate or critically challenge sales

practices in the Community Bank. He also failed to appreciate the seriousness of the problem and the

substantial reputational risk to Wells Fargo.”

Exhibit D: Independent Directors of the Board of Wells Fargo & Company − Sales Practices

Investigation Report

The following are excerpts from the Board Report.

John Stumpf

After decades of success, Stumpf was Wells Fargo’s principal proponent and champion of the

decentralized business model and of cross-sell and the sales culture. His commitment to them

colored his response when sales practice issues became more prominent in 2013 and subsequent

years and led him to stand back and rely on the Community Bank to fix the problem, even in the

face of growing indications that the situation was worsening and threatened substantial

reputational harm to Wells Fargo. Because it was the responsibility of Community Bank leadership

to run the business “like they owned it,” Stumpf did not engage in investigation and critical analysis

to fully understand the problem.

Stumpf’s commitment to the sales culture also led him to minimize problems with it, even when

plausibly brought to his attention. Stumpf was by nature an optimistic executive who refused to

believe that the sales model was seriously impaired. His reaction invariably was that a few bad

employees were causing issues, but that the overwhelming majority of employees were behaving

properly. He was too late and too slow to call for inspection of or critical challenge to the basic

business model.

Stumpf was ultimately responsible for enterprise risk management at Wells Fargo, but was not

perceived within Wells Fargo as someone who wanted to hear bad news or deal with conflict. In

accordance with the decentralized model, a deferential culture existed whereby there was limited

84

encouragement for the management of different businesses to challenge each other or comment

on significant issues in the other lines of business. Under Stumpf, weekly Operating Committee

meetings generally did not serve as a forum for discussion, engagement or challenge among its

members.

Source: Independent Directors of the Board of Wells Fargo & Company Sales Practices Investigation Report

In light of the fake-account scandal, Stumpf was subject to a hearing before the Senate Banking

Committee on September 20, 2016, in an effort led by Senator Elizabeth Warren. Senators criticized

the bank for perpetrating a fraud on its customers, putting excessive pressure on low-level employees,

and failing to hold senior management responsible. On September 29, 2016, in testimony before the

House Financial Services Committee, Stumpf stated that he is “fully accountable for all unethical sales

practices in our retail banking business” and acknowledged his failure for “not doing more sooner to

address the causes of this unacceptable activity.”

In October 2016, Stumpf resigned as CEO and Chairman. Stumpf stepped down with a $134 million

retirement package. In April 2017, the Board determined that the bank will claw back approximately

$28 million of Stumpf’s incentive compensation paid in March 2016. In 2020, The OCC also issued a

prohibition order that included a lifetime ban on participation in the banking industry and a $17.5

million civil money penalty for the widespread sales scandal. In October 2016, Tim Sloan became CEO

and resigned at the end of March 2019. In September 2019, Charles Scharf was appointed as the CEO

of Wells Fargo. Wells Fargo separated the roles of Chairman and CEO and changed the company by-

laws to reflect the separation.

Lesson Note: According to Group of Thirty, Banking Conduct and Culture, if the Chair and CEO positions

are not split, boards should ensure that the lead independent director spends adequate time in the

effective challenge role to the CEO on values and conduct issues.

Weak Management Oversight

Although Stumpf admitted that he made significant mistakes and helped create the culture that

resulted in sales practice abuses, senior management had a deep-seated adherence to its sales model,

fostering an atmosphere that prompted low-quality sales and unethical behavior. The Board Report

faulted management for:

Failing to address the unreasonable or unrealistic sales goals resulted in low quality accounts

and improper behavior:

As the senior leaders mainly focused on the financial performance, they were worried that

tightening up too much on quality would risk reducing sales of products. Thus, they tolerated

low quality accounts as an acceptable side effect of the bank’s profitable sales model. They

viewed these low quality accounts as a necessary by-product of a sales-driven organization.

Specifically, they failed to take necessary actions to examine the issues relating to improper

85

sales practices because they believed such actions could have a negative impact on the

financial performance.

Failing to recognize the significant risk to the bank’s brand and reputation from sales

practices misconduct and identify the potential for financial or other harm to customers:

Employee misconduct had increased over time under the relentless pressure to meet the

higher and higher daily sales targets. For instance, according to a memorandum issued by

Wells Fargo’s Internal Investigations group, annual sales gaming cases increased from 63 in

2000 to a projected 680 in 2004. That is, between 2000 and 2004, gaming cases increased

979%. The memorandum also identified a similar increase in terminations, from 21 in 2000 to

a projected 223 in 2004, increasing by 962%31.

Management failed to make meaningful changes to address the increasing scope of sales

practice violations and their association with sales incentives. For example, the Law

Department, particularly at its senior levels, did not discuss or address the seriousness and

scale of sales practice issues or fully consider whether there might be a pattern of illegal

conduct involved. Moreover, management did not conduct sufficient investigation to identify

and assess the impact of violations on customers. In general, management did not consider

reputational risk associated with and nonfinancial harm to customers resulting from the

misuse of personal information or the opening of accounts without their authorization.

Failing to escalate issues to the Board regarding the sales practice issues by ignoring

warnings and minimizing the seriousness and scope of problems for years:

Prior to 2014, sales integrity issues were not identified as “noteworthy risks” either to the

Board as a whole or to any committee (e.g. Audit & Examination Committee, Risk Committee).

Following the Los Angeles Times article criticizing Wells Fargo’s sales practices, sales practice

issues was reported as a “noteworthy risk” to the Board and Risk Committee beginning in 2014

and thereafter. Although the Board regularly monitored the issue throughout 2015 and 2016,

management reports that minimizing the sales practice violations did not accurately convey

the scope of the problem.

For example, the Board only realized that thousands of employees had been terminated for

sales practices misconduct from the September 2016 settlements with the Los Angeles City

Attorney, the OCC and the CFPB. Although management’s report usually lacked details and

was not accompanied by concrete action plans and metrics to track plan performance, the

31 The internal investigation information is from “Independent Directors of the Board of Wells Fargo & Company Sales Practices Investigation Report,” Wells Fargo Media, accessed on February 24, 2020.

86

Board Report cited that the Board and Risk Committee should have requested more

information (e.g. action plans).

In January 2020, to reinforce the OCC’s expectations that management and employees of national

banks and federal savings associations provide fair access to financial services, treat customers fairly,

and comply with applicable laws and regulations, the OCC issued the Notice of Charges N20-001

(Notice of Charges) against the following former senior executives for their role in the systemic sales

practices misconduct.

Name Former Position Report to Civil Money Penalty

Carrie Tolstedt Head of the Community Bank CEO $25,000,000

Claudia Russ

Anderson

Community Bank Group Risk

Officer

Head of the

Community Bank $5,000,000

James Strother General Counsel CEO $5,000,000

David Julian Chief Auditor

Audit and Examination

Committee of the

Board and

administratively to the

CEO

$2,000,000

Paul McLinko Executive Audit Director Chief Auditor $500,000


The Notice of Charges alleged that these executives failed to address the root cause of systemic

improper conduct across the entire Community Bank for at least 14 years (2002-2016). The pervasive

misconduct affected millions of customers including compromised accounts, misuse of personal

information, and actual financial harm. The Notice of Charges conclude that:

“It took a massive failure on the part of the senior management of the Community Bank, the Law

Department, and Audit for the sales practices misconduct problem to become as severe and pervasive

as it was and last as long as it did.”

Lesson Note: According to the OCC, as of November 2019, Wells Fargo has refunded at least $42.9

million to customers in connection with its review of sales practices.

Aggressive Incentive Compensation Plan

The Obsession with Sales Goals

“As this investigation confirmed, the only way definitively to address the broken sales model and the

root cause of sales practice abuses was to emphasize other metrics for performance and to abandon

exerting pressure through sales goals and sales-driven incentive programs.”


87

An incentive compensation plan drives the employees’ performance. It also supports key business

goals and helps an organization to produce targeted results (e.g. increased revenue) by rewarding

employees who are responsible for those results. When properly implemented and monitored,

reasonable incentives can benefit consumers and the organization as a whole. For instance, companies

may be able to attract and retain high-performing employees to improve their overall competitive

performance. Consumers may also benefit if these programs lead to enhanced customer service or

introduce them to products or services that are beneficial to their financial interests. However, when

a plan develops aggressive, unreasonable, or impossible sales goals tied to reward structures, it can

encourage widespread bad behavior.

According to the Los Angeles City Attorney complaint32, Wells Fargo imposed “an ambitious and strictly

enforced sales quota system” in which “those failing to meet sales quotas are approached by

management, and often reprimanded and/or told to ‘do whatever it takes’ to meet their individual

sales quotas.” The Los Angeles City Attorney also found that “managers constantly hound, berate,

demean and threaten employees to meet these unreachable quotas.” Moreover, the OCC Notice of

Charges found that “the incentive compensation plans in the Community Bank were based upon these

unreasonable sales goals.”

The Wells Fargo’s compensation plan emphasized cross-sell as a performance metric for awarding

incentive pay to employees. By creating an incentive compensation program rooted exclusively in sales

(e.g. number of new accounts), combined with unattainable sales goals and sales management, Wells

Fargo adopted an environment that perpetuated improper and illegal conduct. Compensation plans

for branch bankers were structured such that bankers had to meet certain threshold requirements to

be eligible for incentive compensation. Employees were ranked against one another on their

performance relative to goals, and their incentive compensation and promotional opportunities were

determined relative to those goals.

The Board Report indicated that the reward system created intense pressure to perform and, in certain

areas, local or regional managers imposed excessive pressure on their subordinates. For example, the

bank published scorecards that ranked individual branches on sales metrics (e.g. cross-sell). Scorecards

were updated daily, and employees and managers could check their progress against the sales plan at

any time and were encouraged to do so. In some cases, senior managers called their subordinates

several times a day to check in on sales performance and chastised those who failed to meet sales

goals. Certain managers made meeting scorecard goals their sole objective, a tactic referred to as

“managing to the scorecard”33.

32 The statements of Los Angeles City Attorney are from, “Complaint for Equitable Relief and Civil Penalties”, The People of the State of California, September 6, 2016. 33 The reward system information is from “Independent Directors of the Board of Wells Fargo & Company Sales Practices Investigation Report,” Wells Fargo Media, accessed on February 24, 2020.

88

The Board Report further identified that after 2010, Wells Fargo integrated performance management

and recognition with sales goals. As a result, incentive compensation and performance rating were

both linked with sales. That is, bankers, branch managers and district managers who did not meet sales

goals could miss out on opportunities to earn incentive compensation and were also at risk of poor

performance reviews.

The Amended Incentive Compensation Plan

“Our company is committed to developing and executing incentive compensation arrangements that

align with and reinforce our Vision, Values & Goals and comply with all applicable statutes and

regulations.”

Wells Fargo, Business Standards Report, December 2018

In general, recognition and reward systems should not send the message that standards are less

important than results. For example:

A company should ensure that its performance management does not reward individuals who

do not meet acceptable behavior in alignment with company values and conduct expectations.

Employees should be reviewed by both what they do and how they do it.

Promotions, compensation, recognition, and rewards should not mainly and directly tie to

short-term financial targets. Instead, they are consistent with productivity measures, desired

values, and behaviors, personal or group performance goals or other key performance

indicators.

Wells Fargo no longer reports the cross-sell metric. In 2017, the bank modified its compensation plan

that is aligned with performance and promotes accountability. Compensation programs are designed

in accordance with the following principles34:

1. Pay for performance by linking compensation to company, business line, and individual

performance.

2. Promote a culture of risk management consistent with our Vision, Values & Goals, and avoid

unnecessary or excessive risk-taking.

3. Attract, motivate, and retain people with the skills, talent, and experience to drive superior

long-term company performance.

4. Align team members’ interests with shareholders’ interests and encourage behavior

consistent with long-term shareholder value creation.

34 The Wells Fargo compensation principles are from “Learning from the past, transforming for the future − Business Standards Report,” Wells Fargo, December 31, 2018.

89

Key aspects of the reformed incentive compensation plan include35:

• No product sales goals: Retail bankers who serve customers in bank branches and call centers

are instead focused on the customer experience.

• Primary customer growth and feedback: A larger allocation of incentives is associated with

direct customer feedback and growing the number of primary customer relationships.

• Longer-term view: Metrics in the plan take a longer-term view of customer relationships and

incorporate the quality of customer experiences and customer retention.

• Balance of performance: Incentive plans include a balance of team and individual

performance.

• Greater participation: A significantly higher percentage of team members will have the

opportunity to earn incentive pay under the plan, which is expected to drive greater alignment

across the Community Bank.

• Stronger oversight, governance, and risk controls: Stronger controls have been put in place

at the local, regional, and corporate levels to monitor behavior. Additional reporting is built

into the plan to provide enhanced oversight of the sales process

The CFPB issued a compliance bulletin entitled “Detecting and Preventing Consumer Harm from

Production Incentives” that describes the risk of significant harm to consumers posed by incentive

programs to employees or service providers. Details are included in Exhibit E.

Exhibit E: Detecting and Preventing Consumer Harm from Production Incentives

Following are excerpts from the CFPB Compliance Bulletin 2016-03: Detecting and Preventing

Consumer Harm from Production Incentives.

Depending on the facts and circumstances, such incentives may lead to outright violations of Federal

consumer financial law and other risks to the institution, such as public enforcement, supervisory

actions, private litigation, reputational harm, and potential alienation of existing and future

customers. Specific examples of problems include:

• Sales goals may encourage employees, either directly or indirectly, to open accounts or enroll

consumers in services without their knowledge or consent. Depending on the type of account,

this may further result in, for example:

− Improperly incurred fees,

− Improper collections activities, and/or

35 The Wells Fargo’s reformed incentive compensation plan information is from “Learning from the past,

transforming for the future − Business Standards Report,” Wells Fargo, December 31, 2018.

90

− Negative effects on consumer credit scores.

• Sales benchmarks may encourage employees or service providers to market a product

deceptively to consumers who may not benefit from or even qualify for it.

• Paying compensation based on the terms or conditions of transactions (such as interest rate)

may encourage employees or service providers to overcharge consumers, to place them in less

favorable products than they qualify for, or to sell them more credit or services than they had

requested or needed.

• Paying more compensation for some types of transactions than for others that were or could

have been offered to meet consumer needs, which could lead employees or service providers

to steer consumers to transactions not in their interests, and

• Unrealistic quotas to sign consumers up for financial services may incentivize employees to

achieve this result without actual consent or by means of deception.

Source: CFPB Compliance Bulletin 2016-03: Detecting and Preventing Consumer Harm from Production Incentives,

November 28, 2016

Theory of Fraudulent Behavior

Fraud does not just “happen.” Typically, various circumstances combine to create a situation favorable

to fraudulent activity. As previously noted, the fraud triangle usually starts with pressure (what

motivates the crime in the first place) followed by an opportunity, and finally a process of internal

rationalization. The prevailing corporate culture can directly produce one or more of these conditions.

The fake-account scandal was not an isolated incident, nor was it perpetrated by an individual

employee. The illegal conduct was pervasive throughout the Community Bank. All three elements

were present, laying the groundwork for the occurrence of systemic fraud that persisted for many

years. The following sections examine how pressure, opportunity, and rationalization facilitated

fraudulent activity in Wells Fargo.

Pressure

“A 2012 employee complaint sent to Respondents Tolstedt and Strother explained: When employees

are required to meet unreasonable numbers, they are forced into inappropriate activity to keep their

jobs. … Wells Fargo is playing a shell game – they are rewarding employees for fake accounts and will

terminate them if they find out this is the case. Yet management will chastise and come very close to

verbal abuse and put employees on written notice if they are honest and do not open fake accounts

to meet these unreasonable goals.”


91

As previously noted, pressure (also known as incentive or motivation) is what causes a person to

commit fraud. In simpler terms, motivation is typically based on greed or need. Pressure can come

from almost anywhere, from inside the workplace (e.g. unrealistic performance goals) to completely

unrelated to the person’s employment (e.g., financial distress, substance abuse, overspending,

addiction problems). Personality and temperament, including how frightened people are about the

consequences of taking risks, also influence their decisions. Finally, if employees have an incentive or

are under pressure, it provides a reason to commit fraudulent activities.

In Wells Fargo, employees’ incentive compensation and promotional opportunities in connection with

their ability to meet the unrealistic expectations and untenable sales quotas fostered an atmosphere

that perpetuated improper and illegal conduct. The poorly designed incentive compensation plan led

to pressure and caused a boiler room effect. According to the OCC Notice of Charges36, pressure on

Wells Fargo’s employees was exacerbated by stack ranking (which ranked from best to worst

performing in sales), aggressive sales campaigns, and demoralizing and hazing management

techniques. Examples of how Wells Fargo’s intense sales culture created excessive pressure on

employees include:

Unrealistic and unattainable sales goals

A relentless monitoring of sales performance

Subjecting employees to hazing-like abuse

Threatening to terminate and actually terminating employees for failure to meet the sales

goals

Performance management in connection with sales goals

In other words, misconduct does not always start with dishonesty. Instead, it may begin with pressure

to meet expectations and a fear that failure to meet these expectations will be viewed as unforgivable.

This pressure forced employees to engage in various unsound sales practices that caused customer

harm and inflicted serious damage on the Wells Fargo brand. The Board Report found that as sales

targets became harder to meet, the number of allegations and terminations increased, and the quality

of accounts declined. Moreover, a majority of terminated employees, whether branch bankers or

managers, admitted to engaging in misconduct. They often claimed that sales pressure was the reason.

Exhibit F: How Wells Fargo Put Excessive Pressure on Employees


A store manager received a formal warning in July 2011 because her store achieved only 98% and

90% of her store’s sales goals in the first two quarters of that year, respectively. The formal warning

36 The Wells Fargo’s aggressive sales model information is from the OCC Notice of Charges N20-001, January 23, 2020.

92

stated: “If your sales performance does not improve to an acceptable level, further action up to and

including termination of employment may result.”

An employee complaint to senior leadership: “[T]he noose around our necks ha[s] tightened: we

have been told we must achieve the required solutions goals or [we] will be terminated. This type of

practice guarantees high turnover, a managerial staff of bullying taskmasters, [and] bankers who

are really financial molesters [and] cheaters . . . .”

Another employee wrote to the CEO’s office and a senior leader in the Community Bank in 2013

that “I was in the 1991 Gulf War …. This is sad and hard for me to say, but I had less stress in the

1991 Gulf War than working for Wells Fargo.”

A 2013 employee complaint sent to senior leadership explained employee sentiments: “Make your

goals at any cost to the team member or customer – this is our environment. . . . I can't [sic] sleep at

night or look in the mirror. Too much pressure, feels like we have to treat team members poorly or

walk a very grey line to meet expectations.”

An investigation manager wrote in a 2009 email: “[W]e are hearing the [local regional president]

has told or insinuated that everyone must make 120% of their goals, no exceptions. We have been

made aware that some team members have actually be[en] form[ally] counseled for making [104%]

and 110% of their goals. In addition we discovered that one manager was getting ready to terminate

a banker for being at 105%.”


Opportunity

“The Bank’s Head of Corporate Investigations testified before the OCC that there was nearly a 100%

chance an employee’s boss would know if she failed to meet her sales goals, but the chances were

very small that an employee would be caught for issuing an unauthorized product or service.”


As previously noted, opportunity often results from circumstances that provide chances to commit

fraud. Thus, opportunities to commit fraud are more commonly present in organizations with weak

internal controls that provide a low-risk environment for getting caught. For example, an employee

may see an opportunity to open a fake checking account. However, the fake account may be identified

during the verification and review process by the system or the manager, and the employee would be

caught. Although an opportunity for unsound sales practice is present, there is no opportunity to

engage in such an act without being caught. If the control environment is weak, the employee has a

93

perceived opportunity to commit fraud. However, if the risk of getting caught is too high, the employee

will likely not exploit the perceived opportunity.

Lack of a positive workplace also creates more opportunities for poor employee morale, which can

affect an employee's attitude about committing fraud against an organization. This is because a

positive workplace environment improves teamwork, promotes business ethics, increases

productivity, enhances quality, reduces employee stress, and improves retention of the workforce.

Examples that provide opportunities for employees’ misconduct and violation of culture include:

Poor tone at the top

Ethics and cultural issues

Deficient internal controls and audit system (e.g. absence/inadequate of controls)

Little fear of exposure

Low probability of detection

Lack of supervision

Failure to discipline fraudsters

No consequence/punishment of fraudsters

Insufficient anti-fraud programs

Ineffective board of directors or audit committee oversight

Wells Fargo’s control environment was ineffective to prevent and detect the majority of customer

abuses providing opportunities for committing fraud. For example:

1. Poor tone at the top: According to the OCC, senior management failed to address the actual

root cause of the widespread unethical behavior and downplayed the problem’s seriousness

and scope. Specifically, the OCC found that “to avoid upsetting a financially profitable business

model, senior executives, including Respondents (senior management), turned a blind eye to

illegal and improper conduct across the entire Community Bank.”

2. Weak internal controls: When processing off-site applications, employees were not required

to obtain complete paperwork or provide authorization at the branch. Thus, these applications

often lacked customer consent or relevant customer information, such as drivers’ license

details. Besides, the bank’s system did not require evidence of customer consent when

employees issued products. For example, employees were not required applicants’ consent

before pulling a credit report.

3. Ethics and cultural issues: Employees were allowed to open accounts for family or friends,

who were often complicit in fraudulent activities. The Board Report cited that employees often

described opening accounts for family and friends in order to meet sales goals. A branch

manager had a teenage daughter with 24 accounts, an adult daughter with 18 accounts, a

husband with 21 accounts, a brother with 14 accounts and a father with 4 accounts.

4. Little fear of exposure: The process was not designed to proactively identify fraudulent

activities. For most types of misconduct, an employee could only get caught for improper sales

94

practices if another employee knew about the misconduct and blew the whistle, or if a

customer became aware of the unauthorized accounts and complained. According to the

Board Report, the bank began monitoring a few types of sales practices misconduct only after

2012.

5. No consequence of fraudsters: According to the OCC, between 2012 and 2016, the Chief

Auditor was well-informed of sales practices misconduct issues, volumes, and trends. The

Chief Auditor routinely received information on sales practices through the Team Member

Misconduct Executive Committee, the Ethics Committee, and the Enterprise Risk Management

Committee. However, the Chief Auditor failed to take actions within with their respective

responsibilities to identify, correct, and/or escalate the sales practices misconduct problem.

Lesson Note: Off-site applications, associated with initiatives in which Wells Fargo bankers would

collect product applications at events or workplaces outside a Wells Fargo branch.

In summary, failure to establish adequate controls to prevent and detect fraudulent activity increases

the opportunities for fraud to occur. According to various surveys, a weak internal control system is a

significant issue for organizations victimized by fraud, and the problem is growing. Organizations must

establish processes, procedures, and controls that do not put employees in a position to commit fraud,

as demonstrated in the following example.

Example: Wells Fargo’s Internal Meeting


At the same Team Member Misconduct Executive Committee meeting, Respondent Julian (Chief

Auditor) received a presentation that highlighted important misconduct considerations, including

whether the controls were “allowing to[o] much opportunity” for employees to commit misconduct

and whether the line of business “creat[ed] an environment whereby the [employee] must commit

misconduct.” At that meeting, the former Chief Security Officer and Head of Corporate Investigations

warned: “[t]oo much opportunity or too much personal or business pressure can sway most anyone.”


Rationalization

“Employees were much more likely to be disciplined or fired for failing to meet their sales goals—

against which they were tracked daily and measured in real time—than for engaging in sales

practices misconduct.”


As previously noted, a justification of fraudsters’ crime to make the act acceptable is known as

rationalization. It also refers to behavior, character or ethical values allowing individuals to justify their

95

reasons for committing fraud. Even honest individuals can commit fraud in an environment that

imposes sufficient pressure on them. The greater the incentive or pressure, the more likely an

individual will be able to rationalize the acceptability of committing fraud. The Chartered Institute of

Management Accountants (CIMA) concluded that people rationalize fraudulent actions as:

1. Necessary − especially when it is done for the business (e.g., meeting work expectations,

achieving sales targets)

2. Harmless − because there is no “real” victim (e.g. secretly opening an account that will be

closed later)

3. Justified − because it has to be done to keep everyone happy (e.g. inflating number of

products sold to meet targeted sales goal)

Examples of common excuses given by fraudsters to explain their misconduct include:

It is the only way or I will lose my job

Everyone is doing it

I deserve this

I am just trying to help

My manager does not care

The company owes it to me

We have always done this way

No one will know

It is not really a serious matter

The company can afford it

Nobody will get hurt

As previously noted, Wells Fargo had a very intense sales culture that could lead to the following

justifications by employees:

It is the only way, or I will lose my job or be punished.

Employees often witnessed that the individuals most likely to be praised, rewarded, and held

out as models for success were high sales performers. They believed that their future at Wells

Fargo depended on how many products they sold37.

Many employees felt that failing to meet sales goals could lead to shaming, career-hindering

criticism by their supervisors, or termination as the incentive compensation model overly

emphasized sales performance.

37 The interviews of Wells Fargo employees are from “Independent Directors of the Board of Wells Fargo & Company Sales Practices Investigation Report,” Wells Fargo Media, accessed on February 24, 2020.

96

Everyone is doing it

Thousands of employees engaged in secretly opening bank and credit card accounts for

customers without their consent.

I am just trying to help

Branch-level managers often cited the need to help branch employees meet individual goals

or reach branch goals.

My manager does not care

Certain managers explicitly encouraged their subordinates to sell unnecessary products to

their customers in an effort to meet the sales goals.

Nobody will get hurt

Transferring customer funds between accounts without customer authorization (simulated

funding) does not cause any financial harm.

In general, fraud occurs because of a combination of opportunity, pressure, and rationalization. An

opportunity arises, the person feels that the act is not entirely wrong, and has pressure pushing them

to commit the fraud. Thus, all organizations face a wide range of threats. However, the likelihood that

a fraud will be committed is greatly decreased if the potential fraudsters believe that the rewards will

be modest, that they will be detected, or that the potential punishment will be unacceptably high. The

main way of achieving such a goal is to establish an effective control environment which aims to

prevent fraud, and where fraud is not prevented, increases the likelihood of detection and increased

cost to the fraudster.

97


1. To meet the unattainable sales targets, Wells Fargo employees engaged in all of the following

schemes EXCEPT:

A. Transferring customer funds between accounts without customer consent

B. Stealing of the check after it has been recorded on the bank’s system

C. Delaying the opening of requested accounts to the next sales reporting period

D. Enrolling customers in online banking and online bill-pay without consent

2. To address the sales integrity issues, Wells Fargo reformed its incentive compensation plan by

implementing all of the following procedures EXCEPT:

A. Incentive paid based on types of transactions

B. Elimination of product sales goals in the retail bank

C. Greater participation in the compensation plan

D. Longer-term view of customer relationships

3. Lack of supervision, no consequence of fraudsters, and insufficient monitoring all describe what

element of the fraud triangle?

A. Pressure

B. Concealment

C. Rationalization

D. Opportunity

4. Identify the element of the fraud triangle in the following example: A&E Inc. did not employ a

proactive monitoring system to detect fraudulent activities.

A. Concealment

B. Opportunity

C. Rationalization

D. Pressure

98

2. How Internal Auditors Can Help Prevent

Misconduct from Snowballing

“It’s not enough to have policies. It’s not enough to have procedures. It’s not enough to have good

intentions. All of these can help. But to be successful, compliance must be an embedded part of your

firm’s culture.”

Lori A. Richards, Office of Compliance Inspection and Examinations, the SEC

Why Corporate Culture Should Be Audited?

“In the absence of active management, a culture will develop which may not align to the aims of the

overall business.”

Grant Thornton, Auditing culture, 2017

The number of corporate scandals due to poor corporate culture continues to rise. Boeing,

Volkswagen, Toshiba, and Wells Fargo faced public scrutiny for breakdowns in internal culture. Despite

the growing need to draw attention to a company’s culture, culture is often not part of internal or

external audit. Forbes magazine called culture the most overlooked element of audits. This section

explains why an Internal Audit should consider including a cultural review of the organization within

its plan of activities.

A Role for Internal Auditors: Protector and Helper

"Internal audit, acting as the eyes and ears of the board but independent of management is in a

unique position to judge and advise whether the tone from the top is being adhered to across an

organization.”

Dr. Ian Peters, Chief Executive, the Chartered Institute of Internal Auditors, July 2015

Effective organizational governance requires a robust internal audit function, a very necessary part of

healthy and successful business practices. As employees of the organization, despite the independent

role, internal auditors are fully vested in the organization’s successes by improving the organization's

operations on a continuous basis. Internal Audit partners with management and the board, and

evaluates the complete health of the organization, focusing on present and future events of the

organization, and ensures the accomplishment of goals and objectives.

The Institute of Internal Auditors (IIA) definition of internal audit is:

“An independent objective assurance and consulting activity designed to add value and improve an

organization’s operations. It helps an organization accomplished its objectives by bringing a

99

systematic, disciplined approach to evaluate and improve the effectiveness of risk management,

control, and governance processes.”

Internal Audit represents a key element of organizations’ corporate governance, risk management and

the structure of internal control. For example, internal auditors identify the risks that could keep an

organization from achieving its goals, alert leaders to these risks, and proactively recommend

improvements to help reduce the risks. Toxic culture and unethical behavior ultimately put an

organization at risk and can be placed at the heart of many corporate failures, collapses, and damaged

reputations. The following Three Lines of Defense model clarifies the roles and responsibilities for

achieving desired values and culture38.

The First Line of Defense: All employees and all levels of management should adhere to values,

conduct, and behavioral expectations. However, business line management is primarily responsible

for setting, delivering, and modeling desired values and conduct.

The Second Line of Defense: The second line, an oversight function, monitors and provides advice to

the first line. In the second line of defense, there are legal, ethics, compliance and risk management

functions, and a human resources department. They help ensure that the first line of defense is well

designed and functions well by monitoring culture-related risks and compliance with culture-related

policies and procedures.

The Third Line of Defense: This responsibility is usually discharged by Internal Audit. Internal auditors

perform an objective, independent review of the business culture to provide assurance that both the

first and second lines’ efforts are consistent with the expectations of the board and senior

management. Internal auditors may carry out the following activities:

1. Evaluating adherence to the organization’s stated and expected standards and evaluates

whether the corporate culture supports the organization’s purpose, strategy, and business

model, and

2. Assessing the overall culture and identifies areas where the culture is weak.

Addressing cultural issues must, of necessity, be the responsibility of the board and management. The

board and management need to rely on their internal audit functions to provide assurance and

advisory services that help them monitor and strengthen its culture, and to sound an alarm when

things may go wrong.

38 The Three Lines of Defense model information is based on “Global Perspectives and Insights; Auditing Culture – A Hard Look at the Soft Stuff,” IIA, February 2016, and “Banking Conduct and Culture,” Group of Thirty, July 2015.

100

The Power of Tone at the Top

“Establishing the right tone is essential to fortifying the organization’s reputation and its relationship

with all stakeholders.”

Deloitte, Tone at the top: The first ingredient in a world-class ethics and compliance program, 2014

Research in moral development strongly suggested that honesty can best be reinforced when a proper

example is set, sometimes referred to as the tone at the top. Tone at the top is the attitude of the

management toward maintaining integrity and ethical values demonstrated through their directives

and behavior. A proper tone at the top refers to the ethical and cultural atmosphere created by the

organization's leadership. It demonstrates management’s commitment towards openness, honesty,

integrity, and ethical behavior. It also sets an organization’s guiding values and ethical climate and

influences the control consciousness of the officers and employees.

The Board and c-suite executives are ultimately responsible for creating and maintain an ethical

environment that integrates an organization’s core values, motivates employees in doing what is right.

They reinforce the importance of building a culture of honesty and integrity. When leaders pressure

their employees to meet unreasonable sales goals to make profits for the company, they basically

force employees to do whatever it takes to achieve those goals, whether it is unethical or not.

The cross-sell strategy is not an unethical practice. On the contrary, cross-sell is an effective way to

increase revenue and average lifetime customer value. However, when leaders in Wells Fargo sent

inconsistent messages about company priorities, the sales culture open the door to unethical

behavior. Senior executives’ strong desire for growth and obsession about cross-sell can be spotted in

Wells Fargo 2011 Annual Report:

“Even if we get to eight products per retail bank household, we still have room to grow. We believe the

average American household has between 14 and 16 financial services products.”

In summary, there is a constant interplay between corporate culture and leadership as the

characteristics of a company are influenced by the characters of the person in it. The tensions between

the tone at the top and the employee conduct is demonstrated by the Wells Fargo fake-account

scandal.

The Connection to the Occurrence of Fraud

“The organization’s culture either discourages doing the right things, is blind to bullying behavior,

and/or rewards those who employs a “win at all costs” attitude. These types of “open secrets”

become fertile ground for fraudulent and unethical activity.”

Protiviti, Creating a Strong Corporate Culture Begins With Managing Fraud Risk, 2018

101

Fraud, especially fraud on behalf of an organization, tends to come with a certain corporate culture.

Corporate culture is a driving force in how a company conducts its business and manages its conflicts

of interest. Researchers suggest that businesses with poor company cultures are more likely to be

investigated for deceptive accounting practices. The connection between the corporate culture and

fraud of an organization is increasingly under public scrutiny.

Many case studies indicate that when companies foster a safe and ethical environment, they are more

resistant to misconduct of all kinds. In other words, unethical or illegal misconduct occurs less

frequently when employees work in a positive work environment than when they feel ignored, bullied,

or threatened. A strong ethical culture establishes standards and sets an expectation to do what is

right, thereby overcoming all three sides of the fraud triangle. For example:

• Pressure: Incentives and performance management based on a financial metric create

pressure for employees to meet targets which, in turn, may cause them to commit fraud to

achieve the goal. In other words, to lessen pressure and incentives to commit fraud,

companies should create an ethical culture (e.g. positive tone at the top, appropriate reward

system) that does not encourage a high-pressure environment.

• Opportunities: A strong ethical culture supports effective controls and oversight that limit

opportunities for fraud, which in turn will increase the likelihood that fraud will be detected

promptly.

• Rationalization: A culture of integrity prevents dishonest behavior because it limits the

fraudster’s ability to rationalize misconduct. It can become more difficult for fraudsters to

rationalize or justify their behavior if a company has an effective ethical culture that

discourages fraudulent actions.

Companies can be characterized as ethical or unethical companies based on their corporate culture.

After almost every major fraud scandal, news stories and congressional hearings discussed how

corporate culture encouraged and enabled fraud and its impact on financial outcomes. For example,

the Enron executives created a culture of greed and dishonesty that led to fraud and ultimate

breakdown. Wells Fargo’s cutthroat culture led to a series of unsound sales practices. The stories

exposed a world of corporate misconduct from unethical culture, deceptive business practices, to

misaligned priorities.

The Foundation of the Control Environment

“The corporate culture is the most powerful control in any organization.”

Jim Roth, Author Best Practices: Evaluating the Corporate Culture

Although there are no particular guidelines for auditors to conduct an audit of corporate culture, the

2013 COSO Internal Control – Integrated Framework (COSO Framework) provides guidance to auditors

on how to identify, measure, and report on corporate culture. The COSO Framework is a leading

102

framework for designing, implementing, and conducting internal control and assessing the

effectiveness of internal control. The COSO Framework consists of five integrated components:

1. Control Environment

2. Risk Assessment

3. Control Activities

4. Information and Communication

5. Monitoring

Corporate culture manifests itself in the control environment − how the leaders articulate, govern,

and maintain integrity and ethical values within the organization through their directives, attitude, and

behavior. The control environment provides an atmosphere in which people perform their activities

and carry out their control responsibilities. According to the COSO:

“The control environment is an organization’s culture, beliefs, and values. It includes the integrity,

ethical beliefs, and competencies of its people, which are visible in management’s operating style, how

management assigns authority and responsibility, and how management organizes and develops its

employees. Another indication of the control environment is the degree of involvement from its board

of directors.”

The control environment, the most important of the five elements, sets the tone of an organization,

influencing the control consciousness of its people. The effectiveness of the other four elements

ultimately will depend upon it because it:

✓ Reflects the board of directors’ and management’s commitment to internal control.

✓ Sets the tone of an organization and influencing control consciousness.

✓ Provides discipline and structure for achieving the objectives of the system of internal control.

Under the COSO Framework, culture is addressed in Principle 1 of the control environment: the

organization demonstrates a commitment to integrity and ethical values. Examples of responsibility

for Principle 1 assigned to Internal Audit include39:

1. Assesses the state of the organization’s ethical climate and the effectiveness of its strategies,

tactics, communications, and other processes in achieving the desired level of legal and ethical

compliance.

2. Evaluates the design, implementation, and effectiveness of the organization’s ethics-related

objectives, programs, and activities.

39 Examples of internal audit’s responsibilities relating to Principle 1 are from “Leveraging COSO Across the Three Lines of Defense,” the Institute of Internal Auditors, 2015.

103

3. Provides assurance that ethics programs achieve stated objectives, key risks are effectively

managed, and controls continue to operate effectively.

4. Provides consulting services to help the organization establish a robust ethics program and

improve its effectiveness to the desired performance level.

In the absence of a demonstrably healthy corporate culture, no level of controls, procedures, and

processes can provide meaningful assurance to stakeholders of the integrity in an organization.

Because corporate culture is critical to a company’s long-term success and viability, it should be

examined thoroughly and regularly.

What and How to Measure Culture?

“A culture audit sheds light on a company’s core DNA, that which guides decision-making, problem-

solving, and cross-functional communication processes.”

Forbes Magazine, Culture: The Most Overlooked Element of Audit, September 29, 2014.

Culture as a Soft Control

“Internal control is a process, effected by an entity’s board of directors, management, and other

personnel, designed to provide reasonable assurance regarding the achievement of objectives

relating to operations, reporting, and compliance.”

The COSO Framework

Management is primarily responsible for the design, implementation, monitoring, and reporting of the

controls. Management’s performance is subject to oversight by the organization’s governing board.

Thus, even management is primarily responsible for internal controls, and the governing board is

ultimately responsible for ensuring that management fulfills this duty. Internal Audit is responsible for

examining, evaluating and reporting on the adequacy and application of internal controls. Therefore,

internal auditors need to understand the different nature of hard and soft controls and select the most

appropriate techniques.

Hard controls are tangible, such as the organization structure, systems, assignment of authority and

responsibility, policies, procedures, laws, and regulations. Soft (intangible) controls are relating factors

that influence attitudes, values, and behaviors of management and employees and their impact on

achieving organizational goals. An effective internal control system involves the application of both

hard and soft controls. For example, hard controls elicit the proper employee behavior through

defined policies and procedures. Soft controls can influence the behavior of the employees and have

a significant impact on the success of a company. Thus, soft controls, essential for the well-being of

organizations, are considered as the foundation of efficient hard controls.

104

Culture aligns goals, values, values, behaviors, and systems throughout the organization. It reflects an

organization’s objectives, management strategies, employee communication and relations, approach

to customers and investors, work environment, and attitude. Therefore, an audit of corporate culture

usually includes a review of soft controls such as:

✓ Morale

✓ Tone at the top

✓ Leadership

✓ Attitude

✓ Management philosophy

✓ Management operating style

✓ Ethical climate

✓ Shared values

✓ Enforcement

✓ Integrity

✓ Competence

✓ Trust and openness

✓ Employee motivation

✓ Transparency and accountability

✓ Sense of responsibilities

✓ Involvement and commitment

✓ Expectations

✓ Communication

The following table summarizes the differences between hard controls and soft controls.

Hard Controls Soft Controls

Nature of

Controls

• Tangible

• Explicit Activates

• Objective

• Intangible

• Implicit attitudes

• Subjective

Impact to

Audit

• Not difficult to obtain reliable

information

• Internal Auditor should have good

experience in analysis skills

• Usually evaluation based on

documents

• Clear recommended action in

internal audit report

• Difficult to obtain reliable

information

• Internal Auditor should have good

experience in interpersonal skills

• Usually evaluation based on results

of distributed survey

• Unclear recommended action in

internal audit report

Examples • Approvals

• Authorizations

• Verifications

• Reconciliations

• Moral

• Ethical climates

• Shared values

• Integrity

Source: KAD Consulting Services Inc., Soft Controls, Cultural and Governance Audits, 2016

105

The IIA provides the following example to demonstrate the different factors used when reviewing hard

controls and soft controls.

Example: Hard Control Audit vs. Soft Control Audit

Audit Objective: Gaining insight into the hard and soft controls that contribute to client trust

The key soft key success factors that came to the fore in interviews with management were:

• Demonstrating expertise and professionalism

• Empathy

• Showing integrity

• Communication (open, honest, personal)

• Visibly acting in the interest of the client

• Giving clients trust and loyalty

• Living up to expectations

• Taking responsibility for the client

• Client satisfaction

• Learning from experience

The key hard key success factors were:

• Clear, supported case for change

• Sticking to agreements

• Clear priorities/objectives

• Well-trained personnel

• High rate of ‘first time right’

• Focusing on responsible approach to client

• High client satisfaction

• Products meet client requirements

Source: The IIA Netherland, Discussion paper: Soft controls − What are the starting points for the internal

auditor?, June 2015.

The next section explains how to audit the corporate culture through the review of soft controls

including those around ethics, integrity, behaviors, and perceptions.

The Right Approach to Auditing the Culture

“Culture is complex and different within every organization and remains largely abstract. However,

even though a company’s culture may be abstract, one thing is clear: developing the right approach

for auditing an organization’s risk culture takes time and careful planning. And for any business, the

value of undertaking this process is developing a better understanding of the cultural causes that

create risk − in short, human behaviors.”

Brian Christensen, Protiviti Executive Vice President, Global Internal Audit

106

Because corporate culture affects every aspect of a business, it is a critical element in any business’s

ultimate success or failure. Therefore, auditing culture is a logical progression as regulators and

stakeholders hold senior management and boards and audit committees accountable for promoting a

culture of integrity. However, measuring corporate culture and obtaining reliable or concrete evidence

about soft controls often presents a challenge. For example, the Board Report found that “Audit’s

methodology for testing culture was less systematic than its approach to testing processes and

controls: witnesses explained that culture is a “squishy” concept, difficult to quantify and test using the

tools available to Audit.”

This section provides guidance to the internal auditor on the culture audit.

Planning the Audit

“Internal auditors must develop and document a plan for each engagement, including the

engagement’s objectives, scope, timing, and resource allocations. The plan must consider the

organization’s strategies, objectives, and risks relevant to the engagement.”

International Standards for the Professional Practice of Internal Auditing 2200: Engagement Planning

Define the Objectives and Scope

“Objectives must be established for each engagement.”

International Standards for the Professional Practice of Internal Auditing 2210: Engagement Planning

“The established scope must be sufficient to achieve the objectives of the engagement.”

International Standards for the Professional Practice of Internal Auditing 2220: Engagement Scope

Culture, the identity of an organization, encompasses the collective values and behaviors of all of its

employees, managers, and leaders. The key element for determining culture is whether leaders,

managers, and employees will do the right thing, especially when they face integrity and ethics

challenges. Thus, culture is a critical factor in corporate performance.

To provide assurance relating to the overall acceptance, adherence, and understanding of corporate

culture, internal auditors need to periodically evaluate culture or include consideration of culture in

each audit engagement by determining whether:

1. Culture aligns goals, values, values, behaviors, and systems throughout the organization.

2. Leadership promotes, monitors, and assesses the risk culture of the organizations;

3. Senior management is held accountable for creating and maintaining an environment of

integrity, honesty and ethical values.

4. Business activities, behaviors, and tone at the top properly reflect the values and ethics of the

organization.

107

5. Sound integrity and ethical values, particularly of senior management, are developed and set

the standard of conduct for doing business.

Internal auditors cannot successfully assess culture without a deep understanding of the organization’s

culture. As previously noted, corporate culture consists of shared beliefs, values, and standards that

shape and guide the behavior of employees. Thus, obtaining an understanding of culture can be

difficult and complex since culture itself is abstract, subjective, and not easily observable and

measurable. However, corporate culture can be approached in a systematic manner and perceived in

various ways such as:

✓ Organization values and tone at the top

✓ Performance management and incentives systems

✓ Staff development and promotion processes

✓ The effectiveness of the Three Lines of Defense model

Establish an Understanding of Corporate Culture

Internal auditors should obtain an understanding of an organization’s culture to plan the audit and to

determine the nature, timing, and extent of audit procedures to be performed. Internal auditors may

consider performing the following procedures to form an understanding of corporate culture:

1. Observing values and conduct are demonstrated by senior management, setting the tone at

the top, and daily practices of employees such as:

− Are sound integrity and ethical values, particularly of top management, developed,

maintained, and understood?

− What is management’s view as to the nature of the culture?

− Does management's philosophy and operating style promote a culture of honesty and

ethical behavior?

− Does management communicate its views on business practices and ethical behavior to

employees? If so, how?

− What is management’s attitude toward governance?

− How do leaders react to negative events?

− How do employees work and how are they evaluated?

− Do employees feel responsible and accept responsibility for their work?

− Who is hired, promoted, and rewarded?

− How do employees act when managers are not present and when matters of personal

judgment arise?

− How do the compensation plans, programs, and practices reinforce the culture?

− How are the company’s relationships with its customers?

− How does the company behave toward its competitors and within its community?

108

2. Obtaining an understanding of frameworks used to develop, communicate, and evaluate

conformance with the corporate culture indicate that:

− Are control functions valued within the organization?

− Are policy or control breaches tolerated?

− Does the organization proactively seek to identify risk and compliance events?

− Are supervisors effective role models of corporate culture?

− Are sub-cultures (e.g., at a branch office, a trading desk or an investment banking

department) that may not conform to overall corporate culture identified and addressed?

3. Obtaining an understanding of the approaches to identifying and managing conflicts of

interest and ensuring the ethical treatment of customers such as40:

− How does the company handle material breaches of company policies and procedures?

− Does the company promote the ethical and fair treatment of customers?

− Is compliance equipped with the necessary resources to help the company navigate a

complex and changing regulatory and market environment?

− How frequently has the company been faced with legal problems?

− How frequently has the company received negative media coverage?

The understanding of the procedures 1 through -3 will enable internal auditors to identify the

organization’s values and expected behaviors.

Identify the Risks of Cultural Failures

“Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under

review. Engagement objectives must reflect the results of this assessment.”

International Standards for the Professional Practice of Internal Auditing 2210.A1: Engagement

Objectives

As part of obtaining an understanding of the culture, internal auditors need to consider the risks of

cultural failures, which can impose substantial harm on companies themselves such as financial losses,

low productivity, high turnover, penalties, fines, regulatory action, reputation damage, litigation, and

loss of public trust. Examples of risk factors that may lead to cultural failures and unethical behavior

include:

Pressures for short-run performance in decentralized return on investment (ROI) centers may

inhibit ethical behavior.

40 Indicators of a company’s culture listed in 2. and 3. are based on “2016 Regulatory and Examination Priorities Letter”, Financial Industry Regulatory Authority, accessed on March 24, 2020.

109

Emphasis on strict adherence to chain-of-command authority may provide excuses for

ignoring ethics when following orders.

Aggressive or unreasonable sales goals tied to reward structures may encourage widespread

unsound sales practices.

Informal work-group loyalties may subvert ethical behavior.

The board may not provide effective oversight over the conduct of the organization’s

operations.

Committee decision processes may make it possible to abstain from or dodge ethical

obligations.

Pressure of competition may compromise ethics in the interest of survival.

Unethical behavior of others may force a compromise of ethics.

Definitions of ethical behavior may vary from one culture to another. Bribes to overseas

officials or buyers may be consistent with some countries’ customary business practices, but

such a practice is not considered ethical among U.S. purchasing agents. Bribes are now

considered illegal under the Foreign Corrupt Practices Act.

The propriety of superimposing our cultural ethical standards (by refusing to bribe) on another

culture may be controversial.

Poor ethical foundations and cultural failures were major causes of the recent financial crisis and

continue to be factors in the scandals since then. There are three broad categories of cultural failings41:

1. A culture of individualism and short-termism: This type of culture was a key driver of many

of the unsafe and inappropriate values, behaviors, and practices. A series of corporate

misadventures, such as Enron, Toshiba, Volkswagen, and Wells Fargo, have revealed cultural

failures due to a corporate environment that focused excessively on short-term results.

2. A weak risk culture: There are two factors that led to a weak risk culture:

Management did not allocate enough resources to the checks and balances required to

manage the inherent uncertainty of risk models, and

Checks and balances are not effective. For instance, compensation models did not reflect

the underlying risks taken. Thus, risk-takers were able to increase leverage and trading

activities to unsustainable levels.

3. A weak culture of oversight among board members: The Group of Thirty reports identified

several board weaknesses, including:

Underestimation of the time commitment required in serving on a board.

41 The categories of cultural failings are from “Banking Conduct and Culture,” Group of Thirty, July 2015.

110

Insufficient risk and/or financial institution experience.

A lack of understanding of the firm’s strategic position and of the competitive and

regulatory landscape.

The inefficiency and unsuitability of joint chair/CEO roles.

Boards that did not engage frequently enough with their relevant supervisors.

The Financial Stability Board developed Guidance on Supervisory Interaction with Financial Institutions

on Risk Culture: A Framework for Assessing Risk Culture to provide guidelines for financial institutions

in assessing risk culture. However, the guidance could be adapted to assessing overall organizational

culture in any industry or sector. The guidance identifies four areas that can be indicative of a sound

risk culture including tone at the top, accountability, effective communication and challenge, and

incentives.

Finally, the level of risks may vary across geography, business unit, or process. Business units may

create their own subculture that can be contradictive to the company values or the tone at the top.

Thus, the level of risk relating to improper conduct may be higher in some locations or departments

than others. For example, in Wells Fargo, some regional managers encouraged and implemented sales

pressure tactics, leading to a significantly higher number of integrity violations than other regions.

Gather Sufficient Information

“Internal auditors must identify sufficient, reliable, relevant, and useful information to achieve the

engagement’s objectives.”

International Standards for the Professional Practice of Internal Auditing 2310: Identifying

Information

There are sources of information that could provide direct evidence of soft controls. For example,

employee engagement surveys that allow anonymity are considered as one of the most effective and

efficient ways to understand and evaluate an organization’s culture. Data associated with ethical

culture provides an opportunity for better insights. For instance, common survey topics used by the

world’s most ethical companies when measuring ethical culture include42:

• Perception of the compliance and ethics function

• If misconduct has been observed

• Perception of the effectiveness of compliance training

• Perception of the effectiveness of the Code

• Awareness of compliance resources

• If pressure is felt to commit misconduct

42 The common topics addressed in ethical culture surveys are from “Leading Practices and Trends from the 2018 World’s Most Ethical Companies®”, Ethisphere Research Report, accessed on March 24, 2020.

111

• Perception of the effectiveness of policies

• Comfort in reporting misconduct

• Perception of organizational justice

• Opinion of executive ethical leadership or tone from the top

• Opinion of manager’s ethical leadership or mood from the middle

• Perception of coworkers

• Recommend someone take a job at the company

Thus, internal auditors may consider reviewing employee surveys or other similar tools and techniques

used by organizations. These surveys provide measurements of the effectiveness of one or more

control environment elements that help internal auditors gain an insight into an organization’s culture.

Other sources of data for internal auditors to consider when obtaining an understanding of culture

include:

✓ Media coverage

✓ Customer surveys

✓ Customer compliant data

✓ Customer activity track

✓ Regulatory (supervisory) reviews

✓ Rewards and incentives structures

✓ Hotline and whistleblower reporting

✓ Compliance and risk management breaches

✓ Continuous controls monitoring

✓ Employee turnover rate

✓ Enterprise risk management

✓ Past audit results over the control environment and the response and remediation

✓ Results of annual Sarbanes-Oxley Act and other compliance testing

Evaluating the Cultural Drivers

“Internal auditors must base conclusions and engagement results on appropriate analyses and

evaluations.”

International Standards for the Professional Practice of Internal Auditing 2320: Analysis and

Evaluation

The National Business Ethics Survey listed four outcomes that help determine the success of an ethics

and compliance program fostering a culture of integrity:

1. Reduced misconduct observed by employees.

2. Reduced pressure to engage in unethical conduct.

3. Increased willingness of employees to report misconduct.

4. Greater satisfaction with organizational response to reports of misconduct.

112

Culture is created by formal drivers which in turn impact the core beliefs and assumptions of the

organization. Thus, internal auditors may consider evaluating the following key drivers that have an

impact on these outcomes and influence an organization’s culture:

✓ Corporate Environment

✓ Leadership

✓ People Management

✓ Ethics and Conduct

Many considerations can be taken into account when determining whether behavior and conduct are

aligned with the values and ethics of the organization. Examples of values and ethics are listed in the

following table. However, the culture aspect of the audit should be tailored for the organization and

focus on its specific environment, opportunities, and challenges.

Drivers Types of Soft Control Evidence of Soft Controls

Corporate

Environment

• Vision, values,

and goals

• Communication

• Alignment

through the

organization

− The organization mission statement, objectives and goals are

communicated to employees at all levels.

− The atmosphere promotes a sense of loyalty and belonging

among employees, and a sense of caring and connection

between the organization and its customers.

− The organization supports values that create a collective sense

of belonging where employees feel that they have a stake in

the success of the company.

− The organizational structure facilitates the flow of information

upstream, downstream, and across all business activities.

− The tone exhibited by management of operating units is

consistent with that set by the board of directors and senior

management.

− There is adequate supervision and monitoring of decentralized

operations.

− Employees feel comfortable to voice their opinion, raise issues,

and discuss dilemmas.

Leadership • Tone at the top

• Attitude

• Management

philosophy

• Management

operating style

• Role modeling

• Communications

− Leadership demonstrates high ethical and behavioral

standards through its attitude, actions, and values, and

communicates this tone to all employees.

− Management fosters open communications and responds

appropriately when employees raise a concern.

− Management proactively seeks, gives, and applies feedback.

− Management shows and maintains a positive and supportive.

attitude toward integrity and ethical values at all times

through both its words and actions.

113

− Management makes sure that people feel included, valued,

and heard.

− Management removes or reduces incentives and temptations

that might prompt personnel to engage in dishonest, illegal, or

unethical acts.

− The extent and depth of conversations regarding risk, controls,

and compliance matters at executive and/or board meetings is

appropriate given the matters facing the organization.

People

Management

• Competence

• Commitment

• Transparency

• Achievability

• Accountability

• Enforcement

• Reward and

Incentives

− Managers and employees should have personal and

professional integrity and should be qualified to perform their

assigned duties.

− Employees feel motivated and engaged to follow the rules.

− Employees’ and management’s behavior are visible to others.

− Goals/targets are realistic. There is no undue pressure to meet

budget, profit, or other financial and operating goals.

− Managers and employees take responsibility for their own

actions.

− Desired behavior rewarded and undesirable behavior

sanctioned.

− There is relatively low turnover of key personnel (e.g.,

operating, accounting, data processing, internal audit).

Ethics

and Conduct

• Accountability

• Clarity

• Communication

• Enforcement

− Managers and employees are being held accountable by

others in the organization for misconduct.

− Management consistently reinforces the ethical and

behavioral standards.

− Management properly and timely addresses red flags that

problems exist such as integrity violations even when the cost

of identifying and solving the problem could be high.

− Management takes appropriate disciplinary action when

necessary to enforce the code of conduct.

− Management views Internal Audit as a vehicle for exercising

control over the organization’s activities.

− Employees are willing to come forward and report misconduct

or unusual activities without fear of retaliation.

− Whistleblower status and rights are protected.

− Board takes appropriate follow-up action when instances of

noncompliance are reported.

Investigative interview techniques combined with a strict interview protocol help the auditors achieve

the audit objectives. The Board Report indicated that Wells Fargo’s internal auditors audited its

incentive compensation plans and concluded that the plans were adequately balanced by customer

service and sales quality-related components. However, internal auditors did not conduct fieldwork

such as banker interviews to determine how the plans were in fact impacting employees. The IIA

114

suggests that the more internal auditors can utilize surveys and structured interview techniques, the

more concrete the evidence will be.

Internal auditors should also consider the implications of the identified weaknesses or gaps.

Undesirable culture (subculture) or weak soft controls often affect multiple areas and are basically

pervasive in nature. For example:

A company that does not build and sustain demonstrable accountability is likely to be

vulnerable to political challenges, and also to a disadvantaged competitive position and its

ability to attract talent.

Cutthroat sales culture focused on growth and profit increase often pushes employees to sell

customers as many products as possible leading to various unsafe sales practices.

The negative attitude and aggressive management style enables violations and obstructs

compliance within an organization.

Internal auditors should communicate the risk of ineffectively operating soft controls to senior

management. The issue is made open to discussion in the organization. As with hard controls,

ineffective soft controls can hinder the achievement of organizational objectives. When the chief audit

executive (CAE) concludes that management has accepted a level of risk that may be unacceptable to

the organization, the CAE must discuss the matter with senior management. If the CAE determines

that the matter has not been resolved, the CAE must communicate the matter to the board.

Moreover, internal auditors should provide persuasive evidence indicating weaknesses or gaps since

soft controls can be highly subjective. Assessing the degree to which soft controls achieve the

established objectives and correspond to the desired behavior is challenging and requires some

guidance by using a growth path or maturity model for the soft controls. The maturity level of each

identified soft control can be described in a growth model. This helps to qualify a soft control as

inadequate, barely adequate, adequate, good, or excellent as demonstrated below.

Example: Growth Path for the Development of Soft Controls

The following example demonstrates how the growth path can help with rating in a soft controls audit.

The Soft Control: Sense of Responsibility

1. Employees do not feel responsible, they do their thing, but others are responsible.

2. Employees feel responsible for reporting on their work, but they consider management or others

to be responsible.

3. Employees feel responsible and assume their responsibility. They have not made this visible,

though. Others cannot be certain that the aforementioned employees are assuming their

responsibility.

4. Employees feel responsible and set down that responsibility clearly and visibly.

5. Employees feel responsible, document this adequately, and explicitly let the organization know

that they are responsible

115

1 = weak and 5 = excellent



Finally, communication of audit results should include applicable conclusions, as well as applicable

recommendations and/or action plans. Internal auditors should identify preventive and detective

measures focused on minimizing future occurrences. The Board Report cited that:

“Audit reviewed relevant controls and processes and largely found them to be effective; however, while

it had access to information regarding sales practice concerns, it did not view its role to include

analyzing more broadly the root cause of improper conduct.”

Recommendations in the audit report should address the root cause of the identified

weaknesses/gaps. To properly address the root cause for the deficiencies in soft controls, internal

auditors should ask key questions such as:

✓ How did the breakdowns occur?

✓ Where were management, the board, the audit committee?

✓ Are deficiencies unique to a business unit, department, or geography?

✓ Why did management fail to model appropriate behaviors throughout the organization?

✓ Does the behavior exhibited impose substantial harm on the company?

✓ Do policies and procedures require revision?

Where appropriate, an internal auditors’ opinion should be provided. An opinion must take into

account the expectations of senior management, the board, and other stakeholders and must be

supported by sufficient, reliable, relevant, and useful information.

Lesson Note: The CAE needs to establish a follow-up process to monitor and ensure that management

actions have been effectively implemented or that senior management has accepted the risk of not

taking action.

Exhibit G provides a roadmap for supervisors of the banking system to assess conduct and culture. This

roadmap can be a useful tool for internal auditors who should have clear ideas about what it considers

good or acceptable with respect to conduct and values.

Exhibit G: Roadmap for Assessing Conduct and Culture

The following are excerpts from the Group of Thirty, Banking Conduct and Culture.

• Are the bank board and senior management adequately focused on understanding the culture

that exists and seeing adherence to firm values and conduct as a strategic imperative for the

bank?

116

• Is this evidenced in practices such as transparency for material transgressions, and owning the

responsibility for identifying and dealing with problems?

• Are the bank’s values and conduct statements taken seriously, and is there consistency among

strategy, business model, target returns, risk appetite, incentives, performance assessment,

desired conduct, and values to support the behaviors and outcomes the bank wants?

• Does the board focus adequately on the embedding of values and conduct by devoting

adequate time to these issues, receiving regular comprehensive reporting on these issues from

a variety of sources, acting on those as necessary, and itself participating in the internal

communication of the desired behaviors?

• Do the board and committee charters include oversight of values and conduct?

• And how are these matters reflected in the work of the board and its committees?

• Do the relevant management bodies and committees have charters that explicitly refer to

responsibility for oversight of values, conduct, and culture issues?

− Do the CEO and Executive team demonstrate persistent championing throughout the bank of

the desired conduct and values?

− Are the Executive team and midlevel managers engaged, and are they assessed and

compensated on how well they promote and assess conduct and values issues in their teams?

• Do the CEO and Executive team objectives include conduct, values, and cultural matters?

− Is an important part of the board’s annual evaluation of the CEO and his or her direct reports

championing the desired culture and effectively overseeing embedding of the desired conduct

and values and any remediation program?

− Does the Executive team demonstrate sound understanding of how a chosen remediation

program will achieve results, and does it have ways of measuring progress?

− Does the CEO and Executive team incentive regime have material financial consequences for

managers whose oversight (and living) of desired values and conduct is weak?

• Does the firm celebrate those who live the firm values and desired conduct in difficult

circumstances?

• Is there evidence that the firm is using a balanced scorecard with input from Compliance, Risk

Management, and Human Resources, and with significant weight on how results are achieved?

− Are there robust and comprehensive data to identify alignment with conduct and values by the

business and functional units and individuals?

− Is the Executive team reviewing in detail the top leadership group, and is there use of tools such

as 360-degree assessments?

− Are annual appraisals and penalties applied to breaches of cultural norms, values, and

principles, and not just to breaking specific rules of legal requirements?

− When deficiencies are identified, does the bank look at whether similar issues exist in related

areas of the bank?

117

− Is there evidence of robust internal sanctioning, with material consequences for staff in the

event of poor alignment with conduct and values?

• Do the bank’s promotion and hiring processes (including for senior management and the CEO)

place material weight on compatibility with the desired values and conduct and consistent

demonstration of the desired behaviors?

• Is frontline accountability clear?

− Do the frontline management and staff demonstrate understanding of, and the ability to

identify, values and conduct issues and act accordingly?

− Do frontline management demonstrate the ability to deal with breaches and to assess staff

performance?

− Are training and development programs anchored in cases relevant to the bank, delivered by

management, and regularly refreshed?

• Is there a clear second line of defense for values and conduct issues with demonstrated input

from Human Resources, Compliance, and Risk Management?

− Are second line and third line (that is, internal Audit) providing senior management reporting

to assist in understanding where the bank is at on conduct and values issues and how any

remediation program is working, and to support governance and oversight responsibilities?

− Do Compliance and Human Resources functions have stature and a proactive preventive

mindset in dealing with these issues?

• Is there a culture of welcoming escalation or self-identification of issues, including the

expectation of such conduct, and are there sanctions for willful blindness?

− Have managers been trained in how to constructively deal with escalation?

− Is the board satisfied that whistleblowing is treated seriously, and that staff who raise internal

flags are suitably protected and celebrated?

Source: Group of Thirty, Banking Conduct and Culture, July 2015

Sample Audit Program: Integrity and Ethical Values

The IIA provides guidance on how to audit the control environment. An audit of some elements of the

control environment includes a review of soft controls, such as those around integrity and ethical

values. The principle, elements and attributes are adapted from the COSO Framework control

environment component. The following table lists potential audit procedures created by the IIA that

might be considered in developing an audit of culture.

118

Integrity and Ethical Values: Basic Principle — Sound integrity and ethical values, particularly of senior management, are

developed and set the standard of conduct for doing business.

Elements and

Attributes

Control Design

Methods to Achieve Control Environment

(Principles, Elements, And Attributes) Control Testing Considerations

Developed — senior

management develops

a clearly articulated

statement of values or

ethical behaviors that

are understood by key

executives and the

board.

• Senior management conveys the

message that integrity and ethical values

cannot be compromised, both in words

and in actions.

• Senior management has developed a

code of ethics that emphasizes the

organization’s expectation that

employees will act with integrity in all

actions related to their scope of

employment.

• Senior management has developed a

code of business conduct that

emphasizes the organization’s

commitment to fair and honest dealings

with customers, suppliers, and other

external parties.

• Performance expectations and

incentives are designed so as to not

create undue temptations to violate

laws, rules, regulations, and

organization policies and procedures.

• Conduct periodic, anonymous “pulse”

surveys of employees as to the ethical

attitude communicated by senior

management.

• Review the existence and content of the

organization’s code of conduct and ensure

a process exists for periodic updating of

the code.

• Review the existence and content of the

organization’s code of business conduct

and ensure a process exists for periodic

updating of the code.

• Review the mix between fixed and

variable elements in employee

compensation plans, and the relative

weighting on short-term financial

performance in compensation plans.

• Review senior management’s

compensation system to understand if it

unduly incents excessive risk-taking and

the override of the entity’s system of

internal control.

Communicated —

senior management

communicates its

commitment to ethical

values through words

and actions.

• New employees receive a copy of the

organization’s code of ethics and code of

business conduct and are trained as to

how these guidelines apply to specific

factual situations common to the

organization’s business environment.

• Existing employees are provided with

updated copies of the organization’s

code of ethics and code of business

conduct at least yearly, and receive

periodic retraining on the application of

these guidelines to the organization’s

business environment.

• Customers, vendors, and other external

parties receive a copy of the

organization’s code of business conduct

at least yearly, by inclusion in other

mailings to these parties. Contractual

arrangements with these parties should

include requirements for adherence to

the organization’s code of ethics and

code of business conduct.

• Review the signed employee

representation that they have read and

understood the codes of ethics and

business conduct and, for existing

employees, their certification that they

have not violated the codes during the

past year and are aware of no other such

violations (or, if they are aware of such

violations, they have 1) communicated

these violations as directed by their

compliance or ethics office training and 2)

if based on their perspective the violations

have not been resolved, communicated

the potential violations via their

company’s ethics hotline.

• Review organization training courses,

including the process for ensuring that all

employees attend these courses on the

codes of ethics and business conduct.

• Review the organization’s policy for

including the code of business conduct in

a yearly mailing to customers, vendors,

119

and other external parties. Verify that the

code of business conduct is included in

mailings.

Reinforced — the

importance of

integrity and ethical

values is

communicated and

reinforced to all

employees in a

manner suitable for

the organization.

The organization’s newsletter (and other

internal communication devices) highlights:

a. Ethical dilemmas often arising in the

organization’s industry and how

management expects employees to act

in these situations.

b. Ethical failures (with names disguised)

and the consequences of these failures

for both the organization and the

employees involved.

c. Ethical successes (with names retained

and highlighted) with the situation

described, the employee behavior, and

why the behavior was consistent with

organization guidelines.

Review editions of the organization’s

newsletter during the year to examine whether

coverage of ethical dilemmas, ethical failures,

and ethical successes are included.

Monitored —

processes are in place

to monitor the

organization’s

compliance with

principles of sound

integrity and ethical

values.

• All new employees are required to sign

the code of ethics and business conduct

indicating that they have read and

understand these codes.

• All existing employees are required to

sign an annual contract acknowledging

that they have read the most recent

versions of the code of ethics and

business conduct and that they

understand and are in compliance with

these codes.

• HR or hiring department management

monitor whether new and existing

employees have completed the required

training on the codes of ethics and

business conduct.

• The organization has established a

hotline — a reporting mechanism that

permits anonymity, and preferably

staffed by an internal group with a direct

reporting relationship to the board or by

an outside vendor — for receiving

reports of suspected violations of the

organization’s codes of ethics and

business conduct and publicizes the

existence of the hotline.

• Review the signed employee

representation that they have read and

understood the codes of ethics and

business conduct and, for existing

employees, their certification that they

have not violated the codes during the

past year and are aware of no other such

violations (or, if they are aware of such

violations, they have communicated these

violations via the hotline).

• Review organization training courses,

including the process for ensuring that all

employees attend these courses, on the

codes of ethics and business conduct.

• Review the existence of the hotline —

including the organizational unit

responsible for managing and overseeing

the hotline. Examine the organization’s

efforts to publicize the hotline. Review a

sample of calls received on the hotline and

examine the appropriateness of

investigation and resolution of allegations.

Deviations Addressed

— deviations from

sound integrity and

ethical values are

identified timely and

• A senior executive, preferably with a

direct reporting relationship to the

board, is responsible for oversight of the

organization’s ethics and compliance

function.

• Review the organizational unit, and

related reporting relationships,

responsible for oversight of ethics and

compliance.

120

are addressed and

remediated at

appropriate levels

within the

organization.

• Allegations of violations of the

organization’s codes of ethics and

business conduct are appropriately

investigated, and the necessary

corrective, disciplinary, and remedial

actions happen timely. This includes

hotline reported matters.

• Examine the appropriateness of

investigations of allegations of violations

of the organization’s code of ethics and

business conduct, including corrective,

disciplinary, and remedial actions taken.

• Review the organization’s investigation

policies and practices to ensure that

appropriately qualified personnel are

performing the investigations. Evaluate

the qualifications of the investigators and

ascertain that there is good segregation of

duties between investigations, operating

management, and the discipline decision-

makers.

Source: The IIA, IPPF − Practice Guide: Auditing the Control Environment, April 2011.

Other Considerations

The effectiveness of Internal Audit depends on several factors, including:

Support from the Board, the Audit Committee, and Senior Management

Without support from the board, the audit committee, and executives, it can be very difficult to carry

out an effective audit of culture. Leadership should provide clear support for Internal Audit and its

activities to convey their importance to the organization. To secure the support, the CAE needs to

communicate the significance of culture audits in light of increased regulatory scrutiny, media

coverage, and stakeholder expectations. Specifically, culture audits can provide valuable

reinforcement in the maintenance of corporate culture by:

1. Providing assurance that consistent behavior and conduct are aligned with organization value.

2. Establishing the root cause of poor behavior that helps organizations address cultural issues.

3. Adding value in the middle of cultural change by giving management a high degree of comfort

that investment is being made wisely.

MIS Training Institute suggests that Internal Audit needs to find common ground when obtaining the

support and sponsorship of the board and/or the chief executive for the audit. That is, there should

be a shared desire to identify culture breakdowns and prevent significant damages to the company

(e.g., financial losses, diminished reputation, regulatory action). The CAE may initiate the discussion

and define expectations through the following actions:43:

43 The keys to finding common ground are based on “The Why and How of Auditing Corporate Culture,” MIS Training Institute, accessed on April 8, 2020.

121

✓ Have formal and informal discussions around the topic of culture to identify internal sponsors

and potential audit areas (e.g. regions with high violation of culture).

✓ Co-develop the scope and frequency of the culture audit. For example, will culture be audited

at the entity level or embedded into individual audits? Should the culture audit be one annual

audit or one audit occurring periodically every few years?

✓ Identify an executive sponsor and key influencers to support the effort.

✓ Clearly explain the methodology used (e.g., surveys, self-assessments, interviews, facilitated

workshops) to perform the assessment.

✓ Articulate, communicate and agree on evaluation criteria and benchmark rating as the basis

of measuring an organization’s culture.

✓ Develop an organizational communications plan to explain the added audit focus and its

importance.

✓ Once approved by management, share with the audit committee for final consensus.

✓ Formalize the mandate by incorporating it into the audit committee charter.

Organizational Independence

“The chief audit executive must report to a level within the organization that allows the internal audit

activity to fulfill its responsibilities. The chief audit executive must confirm to the board, at least

annually, the organizational independence of the internal audit activity.”

International Standards for the Professional Practice of Internal Auditing 1110: Organizational

Independence

Since Internal Audit is uniquely positioned to help management to enhance and protect organization

values and accomplish objectives, it must be structured with organizational independence to provide

unbiased and objective assessments. The more independent the internal auditor is from management,

the more likely his or her work will serve the organization’s needs.

Lesson Note: Impairment to organizational independence and individual objectivity may include, but

is not limited to, personal conflict of interest, scope limitations, restrictions on access to records,

personnel, and properties, and resource limitations, such as funding.

Organizational independence is effectively achieved when the CAE reports functionally to the board

and/or the most senior levels of management. For administrative purposes, in most circumstances,

the CAE should report directly to the chief executive officer of the organization. In addition, internal

auditors should be free from interference from operational management in determining the scope of

auditing, performing work, and communicating results. Finally, to maintain independence and

objectivity of an Internal Audit, it should not participate directly in the management decision-making

process.

122

Unrestricted Access

Internal auditors have unlimited access to information, people, and assets as appropriate for the

performance of audit activities. This is clearly stated in the audit charter. The internal audit manual

should clarify in which circumstances this right is valid(e.g. only in the case of the execution of an audit

mission). The manual should also clarify what to do in case this right is being denied by an auditee.

• Concerning unlimited access to information, internal auditors must respect the confidentiality

principle of the code of ethics. Note that access does not necessarily mean that Internal Audit

has the right in all situations (e.g. military) to download or copy (sensitive or classified)

information.

• Concerning unlimited access to people, although internal auditors have the right to interview

employees without formally respecting the hierarchical lines, they should always demonstrate

respect for the organization’s culture.

• Concerning assets, internal auditors need to respect the organization’s procedures to access

assets. For instance, in the case of liquid assets (cash), the organization may require access

only if accompanied by another member of staff.

Skills Development and Training

“Internal auditors must possess the knowledge, skills, and other competencies needed to perform

their individual responsibilities. The internal audit activity collectively must possess or obtain the

knowledge, skills, and other competencies needed to perform its responsibilities.”

International Standards for the Professional Practice of Internal Auditing 1210: Proficiency

Auditors are expected to maintain a level of competence to meet the profession’s technical and ethical

standards. Auditing corporate culture requires internal auditors to exercise the same good practices

they exercise throughout any audit engagement such as:

Audit Committee

Chief Audit Executive

Information Techhnology Audits

Finance & Operations Audits

Compliance Audits

Chief Financial

Officer or

Chief Executive

Officer

123

• Proficiency: Possessing the necessary knowledge, skills, and other competencies to conduct

the engagement appropriately.

• Due Professional Care: Applying the care and skill expected of a reasonably prudent and

competent auditor.

• Professional Skepticism: Having an attitude that includes a mindset in which auditors assume

neither that management/employee is dishonest nor of unquestioned honesty.

• Objectivity: Maintaining an attitude of impartiality, having intellectual honesty, and being free

of conflicts of interest.

• Integrity: Performing the work with honesty, diligence, and responsibility.

• Confidentiality: Be prudent in the use and protection of information acquired in the course of

their duties.

• Competency: Internal auditors apply the knowledge, skills, and experience needed in the

performance of internal audit services.

Although most internal auditors possess the core skills required to conduct audits of culture, they will

need to develop creative solutions by thinking outside the box as behaviors and attitudes sometimes

can be difficult to interpret. Besides the required knowledge of hard controls, internal auditors need

to step outside their traditional comfort zones and focus on the development of the following skills to

build confidence in order to lead culture audits:

✓ A basic knowledge of behavioral sciences (e.g., organizational psychology, organizational

behavior).

✓ Root cause analysis.

✓ Understanding of cultural differences (employees from different countries).

✓ Advanced interview techniques (e.g. asking open questions).

✓ The performance of surveys (compilation, analysis, statistics).

✓ The ability to interpret non-verbal behavior and know how to deal with it.

Example: Audit Team Knowledge and Skills

Interviewees feel that auditors need specific knowledge and skills for auditing soft controls properly:

• Training time can often be reduced if auditors involved in a soft controls audit have a social

sciences background. During their studies, they have often gained sufficient tools for analyzing

soft controls. Auditors with a different background can also be coached in this aspect, though.

• It is important for auditors to be prepared not to restrict themselves to the paradigm that a

thorough foundation can only be gained on the basis of hard controls. The auditor must be

prepared to explore the reliability of the information gained from other research methods (such

as a survey). If the information this produces is not accepted by the auditee or the management

124

to serve as a solid foundation, there is no point in the auditor following up the soft controls audit

without first giving further explanation and discussing the information.

• If audit findings are based on soft controls, it is important for the auditor to have a certain maturity.

The ability to continue questioning and persevere is important, as discussions are often held with

senior or higher management.

• It can happen that management disagrees with the findings. There are sometimes even negative

feelings towards the findings. In such cases, it is important for auditors to stand their ground.



125


1. According to the Three Lines of Defense model, Internal Audit is responsible for which of the

following activities?

A. Designing, implementing, monitoring, and reporting the internal controls

B. Setting, communicating, and modeling desired values and conduct

C. Developing procedures to prevent or detect violations of internal policies

D. Assessing the overall culture and identifying areas where the culture is weak

2. Which of the following components of internal control includes an organization’s culture, beliefs,

and values?

A. Monitoring

B. Control environment

C. Risk assessment

D. Control activities

3. Which of the following is an example of soft controls?

A. Change management procedures

B. Ethical climate

C. Segregation of duties

D. Input controls

4. Which of the following procedures help auditors determine whether processes are in place to

monitor an organization’s compliance with principles of sound integrity and ethical values?

A. Review the backgrounds, including education and experience, of board members

B. Inspect job descriptions for key employees including the process for updating job descriptions

C. Review the existence of the hotline and examine the efforts to publicize the hotline

D. Inquire of employees as to their perception of the importance of internal control objectives

5. Which of the following principles ensures that internal auditors perform their work with honesty,

diligence, and responsibility?

A. Competence

B. Integrity

C. Objectivity

D. Confidentiality

126

6. Instead of blindly accepting what the management provides, the internal auditor has a questioning

mind throughout the audit. This attitude is referred to as:

A. Proficiency

B. Objectivity

C. Professional skepticism

D. Supervision

127

Review Question Answers

Case 1: Review Questions

Section 1

1. Crazy Eddie salespeople used which of the following sales tactics to lure customers into its stores?

A. Incorrect. Premium pricing is a type of pricing strategy which involves establishing a price

higher than the competitors to achieve a premium positioning (e.g., Mercedes, Land Rover).

However, Crazy Eddie successfully built up customer loyalty by circumventing fair trade laws

and offering deep discounts on popular electronic products.

B. Incorrect. Scarcity marketing is a marketing strategy based on the principle that people want

what is difficult to obtain.

C. Correct. Crazy Eddie salespeople used high-pressure sales tactics; bait and switch, a common

deceptive sales practice used in retail sales (e.g., electronic and computer stores, and car

sales).

D. Incorrect. Side agreements indicate that management enters into side agreements with

customers that modify the terms and conditions of the store’s standard sales contracts.

2. To artificially inflate the company’s profit, Sam Antar committed all of the following fraud schemes

EXCEPT:

A. Incorrect. Sam Antar gradually skimmed less money each year, from approximately $3 million

per year in 1980 to nearly zero in 1984. In other words, the company gave the appearance of

the rapid growth by reporting sales which had previously been kept off the books.

B. Incorrect. Sam and Eddie planned the three-pronged scheme by inflating the inventories in

the stores, warehouse, and the returns department. For example, the store inventory inflation

scheme was carried out by the store managers who altered the count sheets to falsify the

merchandise quantities.

C. Correct. Companies may falsely boot their financial condition through improper

capitalization of expenses as fixed assets to avoid recognizing the full amount of the expense

in the current period. However, Sam Antar did not particularly use this technique to cook

the books.

D. Incorrect. The change in accounting principle (from received to earned) allowed the Antar

family to create $20 million in phony debit memos to claim fictitious purchase discounts and

trade allowances that reduced the amount of accounts payable.

128

3. Which of the following techniques is often used for tax evasion?

A. Incorrect. Check tampering is committed by a person who steals his or her employer’s funds

by forging or altering a check on the entity’s bank accounts.

B. Correct. Skimming is a popular scheme for tax evasion. It means that a business intentionally

fails to record a transaction and pockets the cash without reporting the profit.

C. Incorrect. Procurement fraud is when a company uses bribes to win a contract even when it

did not submit the lowest or best bid.

D. Incorrect. Billing scheme is committed by a person who causes his or her employer to issue a

payment by creating and submitting invoices for fictitious goods or services, inflated invoices,

or invoices for personal purchases.

4. What is the process of disguising illegally obtained money through elaborate financial

transactions often involving foreign banks and legitimate businesses?

A. Incorrect. False claims usually pertain to Social Security, defense contractors, healthcare

company fraud, or other instances in which a company or individual attempts to be paid by

the government for an invalid reason.

B. Incorrect. Business email compromise (BEC) is a sophisticated scam targeting businesses

working with foreign suppliers and/or businesses that regularly perform wire transfer

payments. BEC involves taking over an email account or spoofing an email address in order to

initiate theft via unauthorized ACH or wire transfers.

C. Correct. Money laundering is the process of disguising illegally obtained money through

elaborate financial transactions often involving foreign banks and legitimate businesses.

D. Incorrect. Examples of contractor fraud include billing the government for incomplete work,

inflating the cost of labor or supplies, and issuing kickbacks.

5. What are the stages of money laundering?

A. Correct. Money laundering is the process of disguising illegally obtained money through

elaborate financial transactions. There are three stages involved in money laundering:

placement, layering, and integration. The placement stage is the initial entry of the "dirty"

cash into the financial system. The second stage involves layering that conceals the source

of the money through a series of transactions and accounting tricks (creating confusion). The

third stage (final step) of money laundering is integration. It refers to re-introducing the

funds into the legitimate economy such as the banking system so that the funds appears to

be normal business earnings.

129

B. Incorrect. Before the illegitimate funds are integrated into the financial system, the fraudster

must place (placement) them into the legitimate financial system.

C. Incorrect. Before the money is moved around to create confusion (layering), the fraudster

must place (placement) it into the legitimate financial system.

D. Incorrect. The final step of the money laundering process is termed the integration stage

where the money is returned to the fraudster from what seem to be legitimate sources.

Section 2

1. Which of the following trends appears unusual and requires the auditor’s attention?

A. Incorrect. When a company sells its merchandise, it generates sales. The merchandise must

be manufactured, purchased, or both. Thus, there is always a cost associated with each sale.

If sales decrease, the cost of goods sold usually decreases proportionally.

B. Correct. To meet the demands, a company’s inventory usually ties to anticipated future sales

by having an adequate supply of inventory. Thus, inventory generally reflects a growth in

sales. If sales increase, inventory should increase proportionally. Inventory that grows at a

faster pace than sales might indicate fraud (e.g. overstated inventory).

C. Incorrect. A company usually ships the merchandise to the customer before the customer pays

resulting in accounts receivable. Thus, if sales increase, accounts receivable should increase at

approximately the same rate.

D. Incorrect. Inventory turnover is a measure of the number of times a company that sells its

average level of inventory during the year. A higher inventory turnover ratio is generally

considered more favorable. As a company’s sales increase, one expects that inventories would

be turning over faster.

2. Which of the following ratios helps an auditor establish the relationship between the volume of

goods sold and inventory?

A. Incorrect. The quick ratio measures a company’s ability to meet its short-term obligations with

its most liquid assets. The ratio places greater emphasis on receivables than on inventory,

since the inventory may not be readily convertible into cash. The ratio is computed as (Current

Assets − Inventory) ÷ Current Liabilities.

B. Incorrect. The total asset turnover ratio is helpful in evaluating a company’s ability to use its

asset base efficiently to generate revenue. The ratio is computed as Net Sales ÷ Average Total

Assets.

130

C. Incorrect. The current ratio is a valuable indicator of a company’s ability to meet its current

obligations as they become due. The ratio is computed as Current Assets ÷ Current Liabilities.

D. Correct. Inventory turnover is a measure of the number of times a company sells its average

level of inventory during the year. The ratio establishes the relationship between the

volume of goods sold and inventory. The ratio is computed as Cost of Goods Sold ÷ Average

Inventory.

3. Which of the following terms measures the quantity of audit evidence?

A. Incorrect. Appropriation is the measure of the quality of evidence that encompasses the

relevance, validity, and reliability of evidence used for addressing the audit objectives and

supporting findings and conclusions.

B. Correct. Sufficiency is the measure of the quantity of evidence used to support the findings

and conclusions related to the audit objectives.

C. Incorrect. Significance is the relative importance of a matter within the context in which it is

being considered.

D. Incorrect. The auditors obtain reasonable assurance that the evidence they have gathered

supports the findings and conclusions in relation to the audit objectives.

4. According to Sam, it was easy to inflate store inventories because the auditor did not supervise

enough inventory counts at stores. Which fraud elements best explain his behavior?

A. Incorrect. Concealment is not part of the fraud triangle. Concealment means hiding the fraud.

Examples of concealment include creating false journal entries, falsifying invoices, or

destroying files.

B. Correct. Opportunity is the ability to commit fraud or to conceal it. Opportunities often

result from circumstances that provide chances to commit financial fraud, such as weak

internal controls over financial reporting, insufficient auditing, and an unstable

organizational structure. The inadequate audit procedure provided an opportunity to carry

out the inventory fraud over the years.

C. Incorrect. Rationalization is the ability for a person to justify a fraud which involves a person

reconciling his/her behavior, such as stealing, with some common excuses.

D. Incorrect. Pressure indicates a need that an individual attempts to satisfy by committing fraud,

such as a high degree of competition, operating losses, and significant declines in demand.

None of these factors are identified in this case.

131

5. Which of the following management assertions indicates that inventories are included in the

financial statements at appropriate amounts?

A. Incorrect. The auditors use the Rights & Obligations to determine if the entity holds or controls

the rights to inventories.

B. Incorrect. The auditors apply the Completeness to determine if all transactions and events that

should have been recorded were correctly recorded

C. Incorrect. The auditors use Existence to determine if recorded inventories exist.

D. Correct. The auditors apply the Valuation & Allocation to determine if inventories are

included in the financial statements at appropriate amounts.

6. An auditor reviews the supporting documentation to validate the recorded payable amounts in

support of which of the following assertions?

A. Incorrect. To determine if accounts payable represent liabilities for which the entity has legal

obligations (Rights & Obligations), the auditors usually review documents that create financial

responsibilities for the company such as contracts and vendor invoices.

B. Incorrect. To determine if accounts payable that should be included in the financial statements

are reported (Completeness), the auditors perform certain procedures such as scanning cash

disbursements subsequent to the balance sheet date to search for unrecorded accounts

payable.

C. Correct. To determine if accounts payable reported on the balance sheet exist at that date

(Existence), the auditors usually examine supporting documentation for recorded payables.

D. Incorrect. To determine if accounts payable are included in the financial statements at

appropriate amounts (Valuation & Allocation), the auditors often assess the reasonableness

of amounts payable and budget totals at year-end in relation to expenditure totals.

7. The objective of performing analytical procedures in planning an audit is to identify the existence

of which of the following scenarios?

A. Correct. The objective of analytical procedures is to identify such things as the existence of

unusual transactions and events, and amounts, ratios, and trends that might indicate

matters that have financial statements and audit planning ramifications.

B. Incorrect. The objective of performing analytical procedures to plan the audit is to identify

areas of specific risk, not specific illegal acts.

C. Incorrect. Although the auditor should evaluate disclosures about related party transactions,

analytical procedures performed to plan the audit do not necessarily detect such transactions.

132

D. Incorrect. Tests of controls are necessary to determine whether transactions were properly

authorized.

Case 2: Review Questions

Section 1

1. Which of the following is NOT a primary function of the Federal Reserve?

A. Incorrect. To promote the health of the U.S. economy and the stability of the U.S. financial

system, the Federal Reserve performs five key functions in the public interest. One of the key

functions is to conduct the nation’s monetary policy to promote maximum employment,

stable prices, and moderate long-term interest rates in the U.S. economy.

B. Incorrect. Another key function performed by the Federal Reserve is to promote the stability

of the financial system and seek to minimize and contain systemic risks through active

monitoring and engagement in the U.S. and abroad.

C. Incorrect. The Federal Reserve also fosters payment and settlement system safety and

efficiency through services to the banking industry and the U.S. government that facilitate

U.S.-dollar transactions and payments.

D. Correct. The SEC is responsible for protecting investors, maintaining fair, orderly, and

efficient markets, and facilitating capital formation. For example, to provide a common pool

of knowledge for all investors to use to judge for themselves whether to buy, sell, or hold a

particular security, the SEC requires public companies to disclose meaningful financial to the

public.

2. Which of the following situations is under the jurisdiction of the Consumer Financial Protection

Bureau (CFPB)?

A. Correct. The CFPB promotes fairness and transparency for mortgages, credit cards, and other

consumer financial products and services. For instance, the CFPB administers rules that

protect consumers by setting disclosure standards, suitability standards, and banning

abusive and discriminatory practices. The CFPB also ensures that the federal consumer

financial laws are enforced consistently.

B. Incorrect. The Food and Drug Administration (FDA) is responsible for protecting the public

health by ensuring the safety, efficacy, and security of human and veterinary drugs, biological

products, and medical devices, and by ensuring the safety of our nation's food supply,

cosmetics, and products that emit radiation.

133

C. Incorrect. The SEC was created by the Securities Exchange Act of 1934 to protect investors and

restore investor confidence through enforcing securities laws and regulating the securities

industry. The SEC is concerned primarily with promoting the disclosure of important market-

related information, maintaining fair dealing, and protecting against fraud.

D. Incorrect. The Environmental Protection Agency (EPA) is responsible to protect human health

and the environment by enforcing a variety of environmental requirements related to

pollution by waste and chemicals. For example, the EPA enforces requirements under the

Resource Conservation and Recovery Act regarding the safe handling, treatment, storage, and

disposal of hazardous wastes.

3. The Securities and Exchange Commission (SEC) performs all of the following tasks EXCEPT:

A. Incorrect. The SEC Division of Trading and Markets establishes and maintains standards for

fair, orderly, and efficient markets. For example, it regulates the major securities market

participants, including broker-dealers, self-regulatory organizations (such as stock exchanges,

FINRA, and clearing agencies), and transfer agents.

B. Incorrect. The SEC Division of Enforcement conducts investigations into possible violations of

the federal securities laws and litigates the SEC's civil enforcement proceedings in the federal

courts and in administrative proceedings.

C. Correct. The phrase generally accepted accounting principles (GAAP) is a set of standards

and rules that are recognized as a general guide to financial reporting. GAAP reflects a

consensus of what the accounting profession considers good accounting practices and

procedures. GAAP was developed jointly by the Financial Accounting Standards Board

(FASB) and the Governmental Accounting Standards Board (GASB).

D. Incorrect. The SEC Division of Corporation Finance ensures that investors are provided with

material information in order to make informed investment decisions, both when a company

initially offers its securities to the public and on an ongoing basis as it continues to give

information to the marketplace.

4. Pacific West, a life insurance company, suggests its customers sign up for car, home, and health

insurance. Pacific West uses which of the following sales techniques?

A. Incorrect. Inside sales refers to a process of selling products or services remotely through

phone, email, or internet. Inside sales is also known as virtual sales and remote sales.

B. Correct. Cross-sell, a critical strategy that involves offering multiple services/products to

existing customers. Pacific West offers its existing life insurance customers different

products (e.g., car insurance, home insurance) to earn more revenue from existing

customers.

134

C. Incorrect. Bait and switch, a high-pressure sales tactic, is a common deceptive sales practice

used in retail sales. Prospective customers are “baited” by the low bargain price of advertised

products or services into the store. The idea is that since customers are already in the store,

the seller can “switch” the product with a higher-priced item and pressure the customers into

buying it.

D. Incorrect. Up-sell is the practice of encouraging customers to buy a comparable higher-end

product than the current one. Up-selling increases the value of purchases of the same product

or service to a customer. Pacific West might up-sell a customer from a small life insurance

value to a higher life insurance value.

5. Tom works for a local bank. To meet his sales goals and incentives, he intentionally held off on

opening accounts in December until January. Which unsound sales practices was he committing?

A. Correct. Delaying the opening of requested accounts and other products to the next sales

reporting period is known as sandbagging.

B. Incorrect. Enrolling customers in online banking and online bill-pay without their consent is

known as pinning.

C. Incorrect. Misrepresenting to customers that certain products are available only in packages

with other products is known as bundling.

D. Incorrect. Transferring customer funds between accounts without customer consent is known

as simulated funding.

Section 2

1. By engaging unsound banking practices (e.g., sandbagging, pinning), Wells Fargo violated which of

the following regulations?

A. Incorrect. Congress passed the Expedited Funds Availability Act of 1987, which granted the

Federal Reserve Board the authority to make improvements in the check collection and return

system in the U.S. The Federal Reserve issued Regulation CC, which includes several provisions

designed to improve and accelerate the collection and return of checks among deposit-taking

institutions.

B. Incorrect. The Sarbanes-Oxley Act of 2002 sets enhanced standards for all U.S. public company

boards, management, and public accounting firms. For example, the Act defines stringent

procedures regarding the accuracy and reliability of corporate disclosures, places restrictions

on auditors providing non-audit services and obliges top executives to verify their accounts

personally.

135

C. Correct. The Consumer Financial Protection Act of 2010 authorizes the OCC to take any

action to prevent a covered person or service provider from committing or engaging in an

unfair, deceptive, or abusive act or practice under Federal law in connection with any

transaction with a consumer for a consumer financial product or service, or the offering of

a consumer financial product or service.

D. Incorrect. Federal law-enforcement officials discovered that a number of large American

corporations were illegally paying bribes to foreign officials to facilitate their conduct of

business overseas. To prevent a recurrence of such illegal activities, they assigned corporate

management with the direct legal responsibility for the maintenance of adequate internal

controls. Congress codified the requirement that public companies have internal controls in

the Foreign Corrupt Practices Act of 1977.

2. To protect investors from dangerous or illegal financial practices or fraud, which of the following

laws requires companies to disclose full and accurate financial and other information to the

public?

A. Correct. The Securities Exchange Act of 1934 contains ongoing disclosure requirements

designed to keep investors informed, on a current basis, of information concerning material

changes in the financial condition or operations of the company. The requirements include

an obligation to file periodic reports on Form 10-K and Form 10-Q.

B. Incorrect. The Investment Advisers Act of 1940 defines the role and responsibilities of an

investment advisor/adviser.

C. Incorrect. The Freedom of Information Act states that anyone, U.S. citizen or not, can request

a copy of any federal agency record. Under the Act, all federal agencies must disclose records

requested in writing.

D. Incorrect. The Private Securities Litigation Reform Act of 1995 stems the filing of frivolous or

unwarranted securities lawsuits by increasing the amount of evidence that plaintiffs are

required to present before filing a securities fraud case with the federal courts.

3. Which of the following regulations encourages depository institutions to meet the credit needs of

low- and moderate-income neighborhoods?

A. Incorrect. The Fair Credit Reporting Act of 1970 promotes the accuracy, fairness, and privacy

of information in the files of consumer reporting agencies.

B. Incorrect. The SAFE Banking Act of 2019 creates protections for depository institutions that

provide financial services to cannabis-related legitimate businesses and service providers for

such businesses.

136

C. Correct. The Community Reinvestment Act of 1977 requires the federal financial supervisory

agencies (e.g., FDIC, OCC) to assess the institutions' record of helping meet the credit needs

of its entire community, including low- and moderate-income neighborhoods, consistent

with the safe and sound operation of the institution.

D. Incorrect. The Truth-In-Lending Act of 1968 protects consumers by requiring lenders to

disclose the terms of the loan and total costs to the borrowers.

Section 3

1. To meet the unattainable sales targets, Wells Fargo employees engaged in all of the following

schemes EXCEPT:

A. Incorrect. To meet the sales goals, employees engaged in simulated funding by transferring

funds from existing accounts to unauthorized accounts. This widespread practice gave the

employees credit for opening new accounts.

B. Correct. Larceny schemes often occur at the cash register, cash collection point, or from

deposits in transit through altering cash counts, destroying cash register tapes, reversing

transactions, or manipulating sales records.

C. Incorrect. To meet the sales goals and incentives, employees intentionally held off on opening

accounts in December until January, known as sandbagging.

D. Incorrect. Enrolling customers in online banking and online bill-pay without consent, known

as pinning.

2. To address the sales integrity issues, Wells Fargo reformed its incentive compensation plan by

implementing all of the following procedures EXCEPT:

A. Correct. When employees are paid more compensation for some types of transactions than

for others that were or could have been offered to meet consumer needs, they could steer

consumers to transactions not in their best interests. This program may lead to unsound

sales practices.

B. Incorrect. Under the reformed incentive compensation plan, product sales goals were

eliminated for retail bankers who serve customers in bank branches, and call centers are

instead focused on the customer experience.

C. Incorrect. With the elimination of product sales goals, a significantly higher percentage of

team members have the opportunity to consistently earn incentive pay under the reformed

compensation plan.

137

D. Incorrect. Metrics in the reformed compensation plan take a longer-term view of customer

relationships and incorporate the quality of customer experiences and customer retention.

3. Lack of supervision, no consequence of fraudsters, and insufficient monitoring all describe what

element of the fraud triangle?

A. Incorrect. Pressure (also known as incentive or motivation) is what causes a person to commit

fraud. Pressure can come from almost anywhere, from inside the workplace (e.g. unrealistic

performance goals) to completely unrelated to the person’s employment (e.g. financial

distress, substance abuse, overspending).

B. Incorrect. According to the fraud triangle, the three key elements common to all fraud include

pressure, opportunity, and rationalization.

C. Incorrect. A justification of fraudsters’ crime to make the act acceptable is known as

rationalization. It also refers to behavior, character or ethical values allowing individuals to

justify their reasons for committing fraud.

D. Correct. Failure to establish adequate controls to detect fraudulent activity increases the

opportunities for fraud to occur. In other words, opportunities to commit fraud are more

commonly present in organizations with weak internal controls that provide a low-risk

environment for getting caught. Lack of supervision, no consequence of fraudsters, and

insufficient monitoring are examples of weak internal controls.

4. Identify the element of the fraud triangle in the following example: A&E Inc. did not employ a

proactive monitoring system to detect fraudulent activities.

A. Incorrect. Concealment is not part of the fraud triangle. Concealment means hiding the fraud

act. Examples of concealment include creating false journal entries, falsifying invoices, or

destroying files.

B. Correct. Opportunity often results from circumstances that provide chances to commit

fraud. Thus, opportunities to commit fraud are more commonly present in organizations

with weak internal controls that provide a low-risk environment for getting caught. If the

control environment is weak, the employee has little fear of exposure and the likelihood of

detection. There may be a perceived opportunity to commit fraud. However, if the risk of

getting caught is too high, the employee will likely not exploit the perceived opportunity.

C. Incorrect. Rationalization is the ability for a person to justify a fraud which involves a person

reconciling his/her behavior, such as stealing, with some common excuses.

D. Incorrect. Pressure indicates a need that an individual attempts to satisfy by committing fraud,

such as a high degree of competition, operating losses, and significant declines in demand.

None of these factors are identified in this case.

138

Section 4

1. According to the Three Lines of Defense model, Internal Audit is responsible for which of the

following activities?

A. Incorrect. Management is accountable to the audit committee for designing, implementing,

monitoring, and reporting the system of internal controls and for providing assurance to the

audit committee that it has done so.

B. Incorrect. Business line management is primarily responsible for setting, delivering, and

modeling desired values and conduct.

C. Incorrect. Management is responsible for ensuring the organization adheres to internal

policies by developing procedures to prevent or detect violations of internal policies.

D. Correct. Internal auditors perform an objective, independent review of culture to provide

assurance that both the first and second lines’ efforts are consistent with the expectations

of the board and senior management.

2. Which of the following components of internal control includes an organization’s culture, beliefs,

and values?

A. Incorrect. Monitoring assesses the quality of internal control over time.

B. Correct. Corporate culture manifests itself in the control environment − how the leaders

articulate, govern, and maintain integrity and ethical values within the organization through

their directives, attitude, and behavior.

C. Incorrect. Risk assessment is the identification and analysis of relevant risks.

D. Incorrect. Control activities are the policies and procedures that help ensure that management

directives are carried out. They include performance reviews, information processing, physical

controls, and segregation of duties.

3. Which of the following is an example of soft controls?

A. Incorrect. Change management procedures, an example of IT general controls, are designed

to ensure that changes meet business requirements and are authorized.

B. Correct. Soft (intangible) controls are factors that influence attitudes, values, and behaviors

of management and employees and their impact on achieving organizational goals.

Examples of soft control include tone at the top, ethical climate, transparency, and

competence.

139

C. Incorrect. Segregation of duties, an example of hard (tangible) controls, is designed to reduce

the opportunities that allow any person to be in a position both to perpetrate and to conceal

errors or irregularities (fraud).

D. Incorrect. Input controls, an example of IT application controls, check data for accuracy and

completeness when they enter the system.

4. Which of the following procedures help auditors determine whether processes are in place to

monitor an organization’s compliance with principles of sound integrity and ethical values?

A. Incorrect. Reviewing the backgrounds of board members helps auditors determine whether

the board has one or more members who have financial expertise.

B. Incorrect. To determine whether management maintains an organizational structure that

facilitates effective reporting among various functions, auditors usually inspect job

descriptions for key employees including the process for updating job descriptions.

C. Correct. By reviewing the existence of the hotline and examining the efforts to publicize the

hotline, auditors are able to determine whether processes are in place to monitor an

organization’s compliance with principles of sound integrity and ethical values.

D. Incorrect. Asking employees about their perception of the importance of internal control

objectives help auditors determine whether management’s philosophy and operating style

support achieving effective control.

5. Which of the following principles ensures that internal auditors perform their work with honesty,

diligence, and responsibility?

A. Incorrect. The principle of competence means that internal auditors apply the knowledge,

skills, and experience needed in the performance of internal audit services. For example,

internal auditors should engage only in those services for which they have the necessary

knowledge, skills, and experience.

B. Correct. The integrity of internal auditors establishes trust and thus provides the basis for

reliance on their judgment. Thus, it allows the auditors to perform their work with honesty,

diligence, and responsibility.

C. Incorrect. Internal auditors exhibit the highest level of professional objectivity in gathering,

evaluating, and communicating information about the activity or process being examined.

D. Incorrect. The principle of confidentiality expects that internal auditors respect the value and

ownership of information they receive and do not disclose information without appropriate

authority unless there is a legal or professional obligation to do so.

140

6. Instead of blindly accepting what the management provides, the internal auditor has a questioning

mind throughout the audit. This attitude is referred to as:

A. Incorrect. Proficiency means that internal auditors possess the necessary knowledge, skills,

and other competencies to conduct the engagement appropriately.

B. Incorrect. Objectivity requires internal auditors to maintain an attitude of impartiality, having

intellectual honesty, and being free of conflicts of interest.

C. Correct. Professional skepticism, a foundation of the auditing profession, is an attitude that

includes a questioning mind and a critical assessment of audit evidence. For example,

instead of blindly accepting what the client provides, internal auditors should have a

questioning mind throughout the planning and performance of the audit.

D. Incorrect. Audit supervision involves providing sufficient guidance and direction to staff

assigned to the audit to address the audit objectives and follow applicable requirements.

141

Glossary Annual report An audited document issued annually by all publicly listed corporations to their

shareholders in accordance with SEC regulation. Contains information on financial results and overall

performance of the previous fiscal year and comments on future outlook.

Cross-sell Refers to the act of selling a different product that provides an additional benefit to the

customer.

Civil money penalty A type of enforcement action that requires monetary payments to penalize a

bank, its directors, or other persons participating in the affairs of the bank for violations, unsafe or

unsound practices, or breaches of fiduciary duty.

Error Refers to unintentional misstatements or omissions of financial statement amounts or

disclosures—for example, misinterpretation, mistakes, and use of incorrect accounting estimates.

Fraud, on the other hand, refers to intentional acts.

Fraud In contrast to error, an illegal act (a crime) committed intentionally.

Internal Audit An audit performed by an employee who examines operational evidence to determine

whether prescribed operating procedures have been followed.

Internal Control A process affected by an organization’s oversight body, management, and other

personnel that provides reasonable assurance that the objectives of an organization will be achieved.

Inventory turnover The number of times inventory is sold during the year. It equals the cost of goods

sold divided by the average dollar balance. Average inventory equals the beginning and ending

balances divided by two.

Money laundering The process of disguising illegally obtained money through elaborate financial

transactions.

Skimming A scheme in which an incoming payment is stolen from an organization before it is recorded

on the organization’s books and records.

Up-sell Refers to the practice of encouraging customers to buy a comparable higher-end product than

the current one.

142

Index

Appropriateness, 33 Bait and switch, 7 Bundling, 81 Completeness, 36 Control environment, 102 COSO Framework, 101, 102, 103, 117 Cross-sell, 45, 61 Existence, 37 Financial statement fraud, 28 Hard controls, 103 Money laundering, 12 Occurrence, 37 Opportunity, 30, 92

Panama Pump, 12 Pinning, 63 Pressure, 30, 91 Professional skepticism, 26, 126, 140 Rationalization, 32, 95 Sandbagging, 62 Simulated funding, 81 Skimming, 8 Soft controls, 103 Sufficiency, 33 The fraud triangle, 30, 90 Tone at the top, 100, 104, 112 Valuation, 37