Fraud and Corporate Misconduct
Case Studies and Analysis
Publication Date: May 2020
Copyright © 2020 by
DELTACPE LLC
All rights reserved. No part of this course may be reproduced in any form or by any means, without
permission in writing from the publisher.
The author is not engaged by this text or any accompanying lecture or electronic media in the
rendering of legal, tax, accounting, or similar professional services. While the legal, tax, and accounting
issues discussed in this material have been reviewed with sources believed to be reliable, concepts
discussed can be affected by changes in the law or in the interpretation of such laws since this text
was printed. For that reason, the accuracy and completeness of this information and the author's
opinions based thereon cannot be guaranteed. In addition, state or local tax laws and procedural rules
may have a material impact on the general discussion. As a result, the strategies suggested may not
be suitable for every individual. Before taking any action, all references and citations should be
checked and updated accordingly.
This publication is designed to provide accurate and authoritative information in regard to the subject
matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal,
accounting, or other professional service. If legal advice or other expert advice is required, the services
of a competent professional person should be sought.
- From a Declaration of Principles jointly adopted by a committee of the American Bar Association
and a Committee of Publishers and Associations.
Course Description
A series of corporate misbehavior cases and scandals in which employees, investors, and other
stakeholders suffered tremendous losses has made the world aware of the severity of fraud. While fraud
varies in sophistication, it can reach and impact every business, regardless of size, industry, or length of
time in business. Fraud is a common risk that cannot be ignored or tolerated. A recent study reveals that
organizations typically lose approximately 5% of revenues each year to fraud. Whether the cause is an
aggressive sales culture, lack of moral leadership, ineffective monitoring systems, or weak internal
controls, the same questions always arise: “why did it happen?”, “why couldn’t it be prevented or
detected by the existing internal controls?”, and “where were the auditors and why didn’t they uncover
the fraud?”
This course is designed to help professionals better prepare for these questions by examining two
infamous corporate scandals: 1) The Retail Empire: Crazy Eddie, and 2) The King of Cross-Sell: Wells
Fargo. It details how Crazy Eddie applied various techniques to “cook the books” and deceive auditors.
It explains how Wells Fargo employees engaged in different types of sales practice misconduct to meet
unrealistic sales targets. It also reviews the factors that led to the end of Crazy Eddie and to Wells Fargo’s
widespread customer abuses. Moreover, it discusses lessons learned from both cases that can result
in improved audit processes. It identifies specific mistakes made by Crazy Eddie’s auditors and
discusses what the auditors should have done. It also describes how internal auditors can help prevent
unethical practices like those at Wells Fargo from snowballing. Finally, it includes sample audit programs
to provide insights into both financial and corporate culture audits.
Field of Study: Auditing
Level of Knowledge: Overview
Prerequisite: None
Advanced Preparation: None
Table of Contents
Introduction
Learning Objectives
Case 1: Confessions of A Fraudster
  I. The Masterminds Behind the Craziness
    1. The Rise and Fall of a Retail Empire
    2. The Toxic and Close-Knit Culture
    3. The Deceptive Accounting Practice
      Artificial Company Growth
      False Asset Valuation
      Concealed Liabilities
      Attempts to Mislead the Auditors
    Review Questions - Section 1
  II. Learning from the Scandal
    1. How to Diagnose the Fraud Symptoms
      Recognize the Warning Signs
      Examine the Major Red Flags
    2. Where the Audit Went Wrong
    3. What the Auditors Should Have Done
      Exercising Professional Skepticism
      Identifying and Assessing Fraud Risk
      Obtaining Sufficient Appropriate Audit Evidence
      Performing Analytical Procedures
      Other Considerations
    Review Questions - Section 2
Case 2: The King of Cross-Sell
  I. Examining the Company and Its Environment
    1. Behind the Impressive Performance
      Corporate Profile
      Widespread Illegal Conduct
    2. Overview of Federal Regulations
      The Financial Regulatory Framework
      The Role of Major Regulators
    3. The Pressure-Cooker Environment
    Review Questions - Section 1
  II. Analyzing the Fake-Account Scandal
    1. A Violation of Public Trust and Confidence
      Consumer Abuses: Deceptive and Abusive Acts
      The Race to Eight: A Misleading Performance Metric
      Reckless Behavior: Deficiencies in Oversight of Sales Practices
    2. The Price of Deceitful Behavior
      Penalties and Fines
      The Damage to Brand and Reputation
      Other Regulatory Related Matters
    Review Questions - Section 2
  III. Learning from the Scandal
    1. Why the Improper Sales Practices Happened
      The Toxic Sales Culture
      Leadership Failure
      Aggressive Incentive Compensation Plan
      Theory of Fraudulent Behavior
    Review Questions - Section 3
    2. How Internal Auditors Can Help Prevent Misconduct from Snowballing
      Why Corporate Culture Should Be Audited?
      What and How to Measure Culture?
    Review Questions - Section 4
Review Question Answers
  Case 1: Review Questions
    Section 1
    Section 2
  Case 2: Review Questions
    Section 1
    Section 2
    Section 3
    Section 4
Glossary
Index
Introduction
This course is divided into two parts (two cases):
Case 1: Confessions of a Fraudster
The Crazy Eddie fraud, lasting from 1969 to 1987, was one of the longest running scandals in modern
times. The case may seem smaller than the high-profile accounting scandals exposed in recent years.
However, a variety of deceptive methods (e.g., skimming money, inflating inventory and sales
numbers, and swindling investors) demonstrate how easily rationalized unethical practices can
escalate into complex conspiracies and damaging schemes.
The content of Case 1 includes:
I. The Masterminds Behind the Craziness
1. The Rise and Fall of a Retail Empire
2. The Toxic and Close-Knit Culture
3. The Deceptive Accounting Practice
II. Learning from the Scandal
1. How to Diagnose the Fraud Symptoms
2. Where the Audit Went Wrong
3. What the Auditors Should Have Done
Case 2: The King of Cross-Sell
Wells Fargo had a systemic sales practices misconduct problem from the early 2000s. The distortion
of the bank’s sales culture, combined with aggressive sales management, led to a series
of unsound sales practices. The scandal exposed a world of corporate misconduct, ranging from an
unethical culture and deceptive business practices to misaligned priorities. As more attention has been
paid to corporate culture and the impact that it has on organizational performance, accounting
professionals have now entered the corporate culture game.
The content of Case 2 includes:
I. Examining the Company and Its Environment
1. Behind the Impressive Performance
2. Overview of Federal Regulations
3. The Pressure-Cooker Environment
II. Analyzing the Fake-Account Scandal
1. A Violation of Public Trust and Confidence
2. The Price of Deceitful Behavior
III. Learning from the Scandal
1. Why the Improper Sales Practices Happened
2. How Internal Auditors Can Help Prevent Misconduct from Snowballing
Learning Objectives
After completing this course, you will be able to:
1. Recognize techniques used to manipulate earnings
2. Identify the red flags missed and audit mistakes made
3. Recognize the characteristics of financial statement fraud
4. Recognize the role of auditors in detecting financial statement fraud
5. Identify common fraudulent activities and misconduct
6. Identify the factors that led to Wells Fargo’s widespread customer abuses
7. Recognize how pressure, opportunity, and rationalization facilitate fraudulent activity
8. Cite the importance of and needs for corporate culture audits
9. Recognize the role of internal auditors in auditing corporate culture
10. Identify audit procedures and considerations for corporate culture
Case 1: Confessions of A Fraudster
This case study draws primarily, and in some instances quotes verbatim, from the confessions of Sam
E. Antar. Additional details are sourced from Crazy Eddie, Inc. Annual Reports, various research papers,
and news articles. The case study is intended to be used as a resource for management and accounting
professionals at organizations of all sizes, so that they may learn from it.
I. The Masterminds Behind the Craziness
1. The Rise and Fall of a Retail Empire
“We committed our crimes at Crazy Eddie for fun and profit and simply because we could. We had no
empathy whatsoever for our victims. During my 16 years at Crazy Eddie and two years spent covering
up our crimes after being terminated from the company, I never had a single conversation with any of
my co-conspirators about morality or the suffering of our victims. Our conversations focused solely on
the successful coldblooded execution of our crimes.”
Sam E. Antar, Former CFO of Crazy Eddie, Inc.
Industry: Consumer electronics
Founded: Brooklyn, New York in 1969
Status: Bankrupt in 1989
The Auditors:
  1976 - 1983: Penn & Horowitz
  1984 - 1986: Main Hurdman
  1987: Peat Marwick (Main Hurdman merged with Peat Marwick). Today Peat Marwick is part of KPMG
Dollar Loss [1]: Between $500 million and $600 million, in a combination of investor losses plus the
money skimmed from the company
Key Players:
  Eddie Antar, co-founder, president, and CEO
  Sam M. Antar, co-founder
  Sam E. Antar, CFO
[1] Data on dollar loss are from “Criminal minds”, Journal of Accountancy, with values accessed on January 8, 2020.
Crazy Eddie, Inc. (Crazy Eddie) was a leading chain of electronics stores based in New York in the late
1970s and 80s, fueled by its popular TV and radio commercials. It also successfully built up customer
loyalty by circumventing fair trade laws and offering deep discounts on popular electronic products.
At its peak, Crazy Eddie had 43 stores in four states and reported more than $300 million in sales [2]. As
the chain grew, so did Crazy Eddie’s propensity for fraud.
Crazy Eddie went public with cooked books and overpriced stock in 1984, at $8 a share. Within two
years, its stock price hit $79 per share [3]. However, the success was deceptive. Crazy Eddie’s long-lasting
financial statement fraud was not discovered until 1987. Management (Eddie Antar, co-founder,
president, and CEO; Sam M. Antar, co-founder; and Sam E. Antar, CFO) orchestrated major frauds by
engaging for years in a series of deceptive practices, including cash skimming, falsification of inventory
counts, and the inflation of sales figures of certain stores.
Lesson Note: Consumer electronics retailers were subject to fair trade laws until 1972. Fair trade laws
prohibited retailers from selling products below the suggested retail price. In other words,
manufacturers could insist on one standard retail price for all retailers.
In February 1987, the U.S. Attorney's Office for the District of New Jersey commenced a federal grand
jury investigation into the financial activities of Crazy Eddie. In September 1987, the Securities and
Exchange Commission (SEC) initiated an investigation into alleged violations of federal securities laws
(e.g. insider trading) by certain Crazy Eddie officers and employees. According to the SEC, they
artificially and fraudulently inflated the price of the stock, and then sold their substantial stockholdings
to an unwitting public, while profiting in excess of $20 million.
Crazy Eddie’s 1988 Annual Report included the following message for the shareholders of Crazy Eddie:
“In November 1987, new management commenced an extensive review of the company’s assets and
operations. This review disclosed a shortfall in inventory on hand of approximately $65 million from
recorded book inventory and substantial understatement of accounts payable…New management
believes that portions of the company’s financial statements for periods which include periods prior to
November 6, 1987 are inaccurate and may not be relied upon.”
Eddie Antar (Eddie) fled to Israel as investigators closed in, and was extradited to stand trial in the U.S.
He was sentenced to 12-and-a-half years in prison for his series of crimes. His conviction on fraud
charges was overturned in 1995 on the ground that the trial judge's remarks during sentencing created
an appearance of bias. In 1996, Eddie pleaded guilty to racketeering conspiracy instead of facing retrial.
According to the court document, he admitted the following:
[2] Data on Crazy Eddie stores are from “Eddie Antar, "Crazy Eddie" Electronics Store Founder, Dead At 68”, Gothamist, with values accessed on January 8, 2020.
[3] Data on the stock prices are from “Eddie Antar, Retailer and Felon Who Created Crazy Eddie, Dies at 68”, The New York Times, with values accessed on January 8, 2020.
1. Prior to Crazy Eddie's IPO in September 1984 and continuing up to 1987, he and other members
carried out various schemes to falsify the books and records of Crazy Eddie to make the
company's financial performance appear stronger than it actually was.
2. In 1985, he caused the value of the inventory of Crazy Eddie reported to the auditors to be
falsely overstated by approximately $2 million.
3. He caused the inventory counts to be artificially inflated by the falsification of count sheets or
inventory tickets when Crazy Eddie took a physical inventory at the end of its fiscal year on
March 2, 1986, thereby overstating the inventory by approximately $10 million.
4. Just before year-end 1986, he caused approximately $2 million from outside sources to be
deposited into Crazy Eddie's bank accounts in such a way that the money would be booked as
proceeds of retail sales.
5. He caused an infusion of approximately $2 million into bank accounts of Crazy Eddie
comparable stores to inflate the reported sales in those stores.
6. At the end of fiscal year 1987, when Crazy Eddie took a physical inventory, he caused the
inventory counts to be artificially inflated by the falsification of count sheets, thereby
overstating the inventory by millions of dollars.
7. His primary purpose in perpetrating these fraudulent schemes was to increase the price of
Crazy Eddie stock to public investors.
8. He urged Crazy Eddie employees to destroy business records to conceal the falsification of the
company's business records from the SEC and others.
Eddie was sentenced to eight years and served over six years in prison. He died in 2016, at the age of
68. About $120 million was later recovered in offshore accounts (secret bank accounts in Israel and
around the globe).
To avoid prosecution, Sam E. Antar (Sam) made a deal with the U.S. Attorney. He testified against
Eddie Antar (his cousin and boss) and other family members. Sam pleaded guilty to charges of securities
and mail fraud conspiracy and obstruction of justice. He served six months under house arrest and
performed 1,200 hours of community service. Today, Sam, a forensic accountant, serves as a consultant
to law enforcement agencies (FBI, SEC, Treasury, Department of Defense) on the issue of white-collar
crime. His other clients include corporations, law firms, accounting firms, hedge funds, and other
organizations.
Exhibit A: The Mind of a Former White-Collar Criminal
The following conversations with Sam were extracted from Worth, “Why the CFO of a Famously
Corrupt Company from the 1980s is Working for the Government”, accessed on January 22, 2020.
What happened when you graduated from college?
Eddie had this plan to take the company public one day. And I said, “Eddie, if you’re going to go public,
you’re not showing any profits, and public companies are valued at how much money they make. If
you want to go public, we have to gradually reduce our skimming to zero.”
So now you’ve got the FBI on your tail. Because you’re the CFO.
Right. So in March of 1989 I made a deal and I started negotiating with the feds. Now, when they first
investigated the Crazy Eddie fraud, they only knew the securities fraud—from 1984 to 1987 when we
were inflating the income. They didn’t know about the Panama pump, they didn’t know about the
skimming before we went public or the gradual reduction of skimming. I added a whole new dimension
to the case. And the feds were fascinated by this young guy who knows all of these sophisticated
financial crimes. And they took a liking to me. So of course, I ended up working with the feds, and
eventually, Eddie got prosecuted and went to jail.
How did your relationship with the FBI evolve?
They took me under their wing. I was like an orphaned child from the Antar family. It transcended into
a long-term relationship. They started recommending me for work. It helped put me on the right track.
Why do you think the government is less aggressive today than it was in the ’80s?
White-collar crime requires a lot of resources. It requires a long timeframe to investigate. Everybody
thinks that white-collar investigation is like a two-hour movie. It’s not. It’s a two- to four-year
investigation, which might or might not bear fruit. And most of these people that are working in these
positions in the government aren’t going to be there for two to four years.
2. The Toxic and Close-Knit Culture
“... this was not a big public corporation where there was a bureaucracy with checks and balances. It
was a close-knit control, Eddie and his father. If they wanted to circumvent procedures and this is
how they wanted, that is how things were done. No questions asked."
Sam E. Antar, Former CFO of Crazy Eddie, Inc.
Eddie, a high school dropout, started selling televisions from a small stand at the Port Authority,
grabbing attention by talking fast and eventually wearing customers down. Sam described Eddie as “a
charismatic leader who inspired intense loyalty from his family and employees.” Like any effective
leader, Eddie understood the psychology of people: their needs, desires, and weaknesses. Sam recalled
that Eddie often said, "People live on hope." He also described that “top management exploited the
hopes and dreams of their victims in the pursuit of money and power.”
Eddie grew a single store in Brooklyn into a retail empire of 43 stores in four states at its height. Due to
his aggressive sales tactics, wild promises of low prices, and frantic television advertising, Eddie became
known as "Crazy Eddie". For example, Eddie would follow customers out of the store to talk them into
deals. Eddie’s salespeople learned from him quickly and used high-pressure sales tactics like bait and
switch, a common deceptive sales practice used in retail sales (e.g. electronic and computer stores,
and car retailers).
Prospective customers are “baited” into the store by the low bargain price of advertised products or
services. When customers attempt to buy the product, they find out that the product is not available.
The idea is that since customers are already in the store, the seller can “switch” the product with
higher-priced items and pressure the customers into buying them. For example, the first salesperson
attempted to sell the customer a more expensive product (the “switch”) by recommending an
alternative, which was a higher margin product but a bad deal for the customer. A second salesperson
took over the customer in an effort to close a deal if the first salesperson could not convince the
customer to purchase the “switch” product. A third salesperson, the "nail at door" person, made the
final effort if the second salesperson failed. Crazy Eddie sometimes repackaged used (e.g. previously
returned) or defective/damaged merchandise as brand new products to resell to unsuspecting
customers.
Lesson Note: Bait and switch advertising is illegal because it violates consumer laws as false advertising.
The consumer can sue for false advertising. Manufacturers or distributors of the product or service
used as bait can also sue the seller for trademark infringement based on the fact that the seller uses
trademarked images in their advertisements with no intention to sell them. However, sellers have not
committed a crime by talking consumers into buying something else as long as the original deal (bait)
is available. Moreover, sellers are not liable if they mention in their advertisements that the products
have limited quantities.
According to Sam, the culture of tax evasion was prevalent from the onset at Crazy Eddie. For example,
to avoid paying income and sales taxes, cash proceeds of sales were not recorded on the books or
reported to the government. Instead, they were used for the company’s off-the-books payroll or for
personal use, as discussed in the next section. This arrangement worked for everyone since employees
paid off the books did not pay income taxes or social security taxes.
Sam also mentioned that to ensure that their crimes went undetected and unreported, Eddie skillfully
established a tightly knit, loyal, company culture. In the early years, to work for the company, the
employee was required to be a relative, a friend of the family, or a friend of a friend of the family. This
demonstrated his inability to trust anyone outside his large extended family. According to Sam, there
were no so-called "employees." Rather, they were "Crazy Eddie people." There was no need to “punch
clocks”. The employee review process did not exist as everyone working at Crazy Eddie was considered
part of the extended family.
3. The Deceptive Accounting Practice
“I am a convicted felon and a former CPA. As the criminal CFO of Crazy Eddie, I helped my cousin
Eddie Antar and other members of his family mastermind one of the largest securities frauds
uncovered during the 1980s. I committed my crimes in cold-blood for fun and profit, and simply
because I could.”
Sam E. Antar, Former CFO of Crazy Eddie, Inc.
Artificial Company Growth
Before going public, Crazy Eddie’s management had already engaged in various fraudulent activities. For
example, the company routinely understated its income to avoid taxes by skimming the profits from
cash-paying customers and paying employees under the table. Eddie, motivated by greed, decided to
take the company public and planned to dump huge amounts of stock at inflated prices on investors.
Thus, management carried out multiple methods of deceit to inflate the company’s earnings. This section
details how Crazy Eddie conspired to create fictitious earnings growth, escalating from tax evasion to
money laundering.
Cash Skimming
“We did not want to support the government with our tax dollars.
It did not deserve our hard-earned money.”
Sam E. Antar, Former CFO of Crazy Eddie, Inc.
Skimming, an “off-book” fraud, is a popular scheme for tax evasion. For example, to avoid the tax
liability, a company intentionally fails to record a transaction in the accounting system and pockets
the cash without reporting the sales taxes and profits. Before Crazy Eddie was a public company, the
Antar family underreported earnings to avoid paying income and sales taxes between 1969 and 1979.
When there was a cash payment, the company not only stole the sales taxes (collected but never
remitted) but also, according to Sam, underreported a profit of about 8%. Some of the skimmed cash
was used to pay employees "off the books" to avoid paying full payroll taxes. For example, managers
were paid a minimal salary by check and the balance in cash. Other uses of the money included lifestyle
improvement for family members. Much of the money was secretly deposited to accounts at the Bank
of Leumi through frequent trips of family members to Israel. Eddie testified that he was skimming
between $5,000 and $10,000 per week in 1974. The Antar family skimmed an estimated $3 to $4
million per year at the height of their fraud.
Gradual Reduction in Skimming
“We needed to report a higher profit before getting a higher public valuation. So from 1980 to 1984,
when we went public, that was my job. You legitimize the business in order to commit bigger fraud.”
Sam E. Antar, Former CFO of Crazy Eddie, Inc.
Crazy Eddie decided to go public around 1980. The company carried out more large-scale frauds to get
a “bigger bang for the buck by inflating earnings as a public company” according to Sam. For example,
all skimming activities were phased out prior to the initial public offering (IPO) in order to falsify a
drastic increase in the company’s growth. Crazy Eddie gradually skimmed less money each year, from
approximately $3 million per year in 1980 to nearly zero in 1984. In other words, the company gave
the appearance of rapid growth by reporting sales which had previously been kept off the books.
Lesson Note: The majority of financial statement frauds and audit failures have traditionally involved
revenue manipulation and misrepresentation.
Crazy Eddie’s actual trend line would have shown a stable business rather than one with a
rapid growth trend. However, an average investor would have been less likely to invest in the company
had the cash skimming been reported. The following table demonstrates how Crazy Eddie manipulated
the earnings by gradually reducing the cash skimming.
Effect of Gradual Reduction in Skimming on the Overall Growth
| | FY Ended 05/31/80 | FY Ended 05/31/81 | FY Ended 05/31/82 | FY Ended 05/31/83 | FY Ended 05/31/84 |
|---|---|---|---|---|---|
| A. Reported Income | $ 1,709,000 | $ 2,273,000 | $ 3,404,000 | $ 4,637,000 | $ 7,975,000 |
| B. Skimming, Net of Cash Used to Pay Certain Expenses Such as Payroll | $ 3,000,000 | $ 2,500,000 | $ 1,500,000 | $ 750,000 | $ - |
| C. Actual Income (A+B) | $ 4,709,000 | $ 4,773,000 | $ 4,904,000 | $ 5,387,000 | $ 7,975,000 |
| Reported Growth (artificial increase via reduction in skimming) | | 33.0% | 49.8% | 36.2% | 72.0% |
| Actual Growth (without skimming) | | 1.4% | 2.7% | 9.8% | 48.0% |
Note: A and C were income computed before pension contribution and income taxes.
Source: Sam Antar, “Crazy Eddie’s Two Sets of Books”, Whitecollarfraud.com.
In the retail industry, analysts often compare individual store performance with prior period data as
well as other stores of the chain. The higher the growth, the better. The following table further
demonstrates how the gradual reduction in skimming created a rosy picture of the individual store
performance.
Effect of Gradual Reduction in Skimming on Average Store Performance
| | FY Ended 05/31/80 | FY Ended 05/31/81 | FY Ended 05/31/82 | FY Ended 05/31/83 | FY Ended 05/31/84 |
|---|---|---|---|---|---|
| Average Number of Stores Open During Period | 7.77 | 9.22 | 10.30 | 11.27 | 12.91 |
| Reported Income Per Average Number of Stores | $ 219,975 | $ 246,600 | $ 330,610 | $ 411,522 | $ 617,738 |
| Actual Income Per Average Number of Stores | $ 606,122 | $ 517,828 | $ 476,296 | $ 478,083 | $ 617,738 |
| Reported Growth (artificial increase via reduction in skimming) | | 12.1% | 34.1% | 24.5% | 50.1% |
| Actual Growth (without skimming) | | -14.6% | -8.0% | 0.4% | 29.2% |
Note: Average number of stores opened during the period takes into account new store openings and store closings during the year and the average number of days that stores were operating during the year.
Source: Sam Antar, “Crazy Eddie’s Two Sets of Books”, Whitecollarfraud.com.
[Chart: Effect of Gradual Reduction in Skimming on the Overall Growth, FY 81 to FY 84. Series: Reported Growth (artificial increase via reduction in skimming) and Actual Growth (without skimming).]
Crazy Eddie had shown consistent growth over the years, from 12.1% to 50.1%, resulting from the
reduction in skimming. Moreover, it experienced rapid growth between 1980 and 1984 (180.8%). In
reality, the company only grew from $606,122 per store in 1980 to $617,738 in 1984 (1.9%); it hardly
grew at all. As a result of the cash skimming, however, Crazy Eddie's reported income figures were
materially false and misleading.
Effect of Gradual Reduction in Skimming on Average Store Performance
| | FY Ended 05/31/80 | FY Ended 05/31/84 |
|---|---|---|
| Reported Income Per Average Number of Stores | $ 219,975 | $ 617,738 |
| Actual Income Per Average Number of Stores | $ 606,122 | $ 617,738 |
| Reported Growth (artificial increase via reduction in skimming) | | 180.8% |
| Actual Growth (without skimming) | | 1.9% |
Source: Sam Antar, “Crazy Eddie’s Two Sets of Books”, Whitecollarfraud.com.
Since Crazy Eddie gradually lessened its skimming, it could no longer pay the employees off the books.
As a result, the employees’ entire wages were subject to payroll tax and income tax. To make up for
the loss of off-the-books compensation, Crazy Eddie “grossed up” its employees' total check
compensation. For example, a store manager had previously been paid $40,000 in cash (off the books)
and $10,000 by check. His take-home pay would have been around $48,500 ($40,000 cash plus $10,000 by
check, less payroll and income taxes of about $1,500). The company increased the store manager’s salary to
$65,000 (by check) to keep his take-home pay at a similar level.
[Chart: Effect of Gradual Reduction in Skimming on Average Store Performance, FY 81 to FY 84. Series: Reported Growth (artificial increase via reduction in skimming) and Actual Growth (without skimming).]
Money Laundering
“Most kids, they learn how to wash their clothing and use a washer/dryer. I learned how to launder
money. College gave me the tools to help me help the company commit more sophisticated crimes.”
Sam E. Antar, Former CFO of Crazy Eddie, Inc.
Money laundering is the process of disguising illegally obtained money through elaborate financial
transactions often involving foreign banks and legitimate businesses. To conceal the origins of money,
fraudsters usually go through the following stages:
1. Placement: Involves putting illegitimate funds (dirty money) into the legitimate financial
system, such as a bank account, which makes the transfer and manipulation of the money
easier.
2. Layering: Carries out a series of transactions and accounting tricks (creating confusion) to
conceal the source of the funds (e.g., using foreign bank accounts, creating shell companies,
buying and selling assets).
3. Integration: Refers to re-introducing the funds into the legitimate economy, such as the banking
system, so that the funds appear to be normal business earnings.
One of Crazy Eddie’s major schemes was a money-laundering operation. After going public, to meet
analyst sales expectations (about $2.2 million) and maintain impressive growth, the company
transferred the previously skimmed money ($1.5 million) from the secret offshore account at Bank of
Leumi in Israel to a Panama branch, into “Aeronautics Traders Corporation”, which served as a fake
customer. This is also known as the “Panama Pump”. The money eventually was deposited in the company’s
bank accounts and recorded on its books as sales proceeds (fictitious revenues) in 1986. This allowed
Crazy Eddie to sell stock at inflated prices by overstating its revenue. The following diagram shows
how the scheme worked.
Dirty Money (Skimmed Funds from Tax Evasion) -> Placement (Bank of Leumi) -> Layering (Panama Bank) -> Integration (Crazy Eddie Sales Proceeds)
False Asset Valuation
“My family put me through college to help them commit more sophisticated fraud in the future. I was
trained to be a criminal. People have a certain idea of Crazy Eddie. In reality, it was a dark criminal
enterprise."
Sam E. Antar, Former CFO of Crazy Eddie, Inc.
To falsely strengthen a company’s financial performance, management often exaggerates the value of
assets through the manipulation of the accounts receivable, fixed assets, inventory, and business
combinations. In this case, to ensure that earnings for the quarter would be favorable, Sam and Eddie
planned a three-pronged scheme to inflate the inventories in the stores, the warehouse, and the
returns department. For example, the store inventory inflation scheme was carried out by the store
managers who altered the count sheets to falsify the merchandise quantities. Sam testified that the
employees volunteered to help the auditors during the inventory counts in the warehouse. They
climbed over big stacks of boxes to count the items to provide the auditors with the inflated numbers.
Then, the auditors recorded the falsified count accordingly. Moreover, the auditors did not take
copies of the inventory counts for the entire store when leaving the sites. Instead, they only took the test
count samples. Thus, Sam easily manipulated (inflated) the inventory counts in these stores that were
not part of the audit test counts. Sam confessed that the company overstated store inventories by $2
to $4 million in 1986. In 1987, they became more aggressive and overstated store inventories by $15
to $20 million.
Lesson Note: The gross profit and net income are overstated as a result of overstating inventory since
not enough of the cost of goods available is being charged to the cost of goods sold.
Concealed Liabilities
“I simply changed two words in the footnotes of our disclosure regarding the treatment of trade
discounts and allowances to being recognized “when earned” rather than “when received”……. I had
discussed this change with the auditors but there was no accounting change adjustment as required
under generally accepted accounting principles (GAAP).”
Sam E. Antar, Former CFO of Crazy Eddie, Inc.
A debit memo, commonly called a “reep”, allows Crazy Eddie to return merchandise and offset against
amounts owed to the vendor. According to Sam, prior to 1987, the company did not recognize these
purchase discounts and trade allowances until vendors issued a credit memo to acknowledge
“chargebacks” or “offsets” to accounts payable. Its policy was disclosed in the footnotes as:
"Purchase discounts and trade allowances are recognized when received."
Starting in 1987, instead of waiting to receive a credit memo, Crazy Eddie recognized these purchase
discounts and trade allowances when it received a debit memo. Thus, its accounts payable
was immediately reduced by the credit upon the issuance of a debit memo. Its policy was disclosed in
the footnotes as:
"Purchase discounts and trade allowances are recognized when earned."
This change in accounting principle allowed the Antar family to create $20 million in phony debit
memos to claim fictitious purchase discounts and trade allowances that reduced the amount of
accounts payable. Although Sam included the new policy in the financial statements and discussed the
change with the auditors, no prior-year comparison of its impact was provided as required by ASC 250
Accounting Changes and Error Corrections. The auditor should have added an explanatory paragraph
or a modification of wording for a lack of consistent application of GAAP.
Lesson Note: According to the court document, the complaints allege that the Peat Marwick partner
knew about the overstated debit memos and failed to examine them. Moreover, Peat Marwick failed
to indicate that the accounts payable in 1987 were not reported in a manner consistent with the
reporting of accounts payable in 1986, in violation of the GAAP.
Crazy Eddie also pressured its vendor, Wren Distributors, to ship merchandise before year-end and
hold the billing until after the auditors completed the year-end audit. Therefore, the company was
able to understate its accounts payable and include the merchandise in the year-end inventory count.
Attempts to Mislead the Auditors
“We always appeared to be cooperative with the auditors. However, from the day the auditors set
forth on Crazy Eddie premises until the day the audit was completed, we did our best to distract them
from their fieldwork.”
Sam E. Antar, Former CFO of Crazy Eddie, Inc.
Opportunities to commit fraud often occur because the fraudster knows what, when, and how much
the auditor will do. For example, if the fraudster expects that the auditor always tests only large
transactions from June, the fraudster can commit the fraud on small transactions in other months. The
fraudster may form a cozy relationship with the auditors attempting to distract them from scheduled
work or prevent them from conducting an effective audit.
The Antar family paid for Sam’s accounting degree so that his skills and knowledge could help them
carry out more sophisticated schemes. Between 1981 and 1984, Sam worked for Penn & Horowitz,
Crazy Eddie’s accounting firm, to not only meet the CPA license requirements but also to learn how to
stay ahead of the audit. For example, Sam made sure that the auditors did not have enough time to
properly complete their audit fieldwork and appropriately examine the company’s books and records.
According to Sam, he intentionally had female employees distract the auditors from their tasks by
engaging in small talk. He also constantly invited them out for coffee and lunch. Audit issues were
often discussed over lunch and dinner on Crazy Eddie’s tab. The auditors often ran out of time to
perform key procedures (e.g. testing of internal controls, cut-off tests) and rushed to complete the
audit. Finally, Sam established a close relationship with the auditors. The close relationship definitely
clouded the auditors’ judgment and professional skepticism. For example, when the audit partner
questioned Sam about the unusually increased inventories at the store level, Sam convinced him to sign
off on the audit without a re-count of inventories, even though major tests were not completed yet.
Sam stated that “Regarding both the small and large accounting firms, as criminals taking advantage
of human nature, we believed our largess made them (auditors) less likely to ask the tough questions.”
Review Questions - Section 1
1. Crazy Eddie salespeople used which of the following sales tactics to lure customers into its
stores?
A. Premium pricing
B. Scarcity marketing
C. Bait and switch
D. Side agreements
2. To artificially inflate the company’s profit, Sam Antar committed all of the following fraud
schemes EXCEPT:
A. Gradual reduction in cash skimming
B. Inflation of inventory through the inclusion of fictitious inventory
C. Improper capitalization of expenses as fixed assets
D. Understating payables through manipulation of purchase discounts
3. Which of the following techniques is often used for tax evasion?
A. Check tampering
B. Skimming money
C. Procurement fraud
D. Billing scheme
4. What is the process of disguising illegally obtained money through elaborate financial
transactions often involving foreign banks and legitimate businesses?
A. False claims
B. Business email compromise
C. Money laundering
D. Contractor fraud
5. What are the stages of money laundering?
A. Placement -> Layering -> Integration
B. Integration -> Layering -> Placement
C. Layering -> Placement -> Integration
D. Placement -> Integration -> Layering
II. Learning from the Scandal
1. How to Diagnose the Fraud Symptoms
Recognize the Warning Signs
Fraudsters often display certain behaviors or characteristics that may suggest red flags. To detect
fraud, the auditors must understand and recognize red flags and fraud symptoms and pursue them
until they obtain evidence that proves fraud is or is not occurring. The American Institute of Certified
Public Accountants (AICPA) identifies the following symptoms of financial statement fraud:
1. A company has a culture of arrogance fostering an atmosphere in which bad behavior can
flourish. It leads people to believe that they can handle increasingly greater risk without
encountering any danger. Thus, this type of culture usually encourages employees to take
excessively high risks and apply aggressive accounting methods to meet targeted plans.
2. A highly domineering senior management accompanied by either an ineffective board of
directors or by compensation tied to reported performance.
3. Deterioration of earnings quality, as evidenced by a decline in sales volume or quality or by
excessive interest of senior management in the effect of accounting alternatives on earnings
per share.
4. Business conditions that may create unusual pressures, such as inadequate working capital,
major investment in a volatile industry, and debt restrictions with little flexibility (e.g., required
working capital ratios and limitations on additional borrowings).
Nearly all members of the extended Antar clan worked for the company, dominated by Eddie. The
Antar clan ruled Crazy Eddie. All key positions were filled by relatives and friends, as shown in the
following table. As Sam described, “It was us against them - "Them" being customers, the government,
insurance companies, the auditors, and everyone else who did not serve the company's interests.”
Although the collusion of key personnel made it challenging for the auditors to detect the fraud, a risk
assessment would have helped the auditors identify the risk posed by the many family members employed at
the company.
Officers
Eddie Antar: Chairman of the Board, President, Chief Executive Officer
Sam Antar: Executive Vice President
Mitchell Antar: Executive Vice President Marketing
David Pardo: Executive Vice President Purchasing
Mort Gindi: Vice President Operations
David V. Panoff: Vice President Consumer Service Operations
Eddy Antar: Treasurer
Sam E. Antar: Controller
Solomon E. Antar: Secretary and General Counsel

Board of Directors
Eddie Antar: Chairman of the Board, President, Chief Executive Officer
Sam Antar: Executive Vice President
Mitchell Antar: Executive Vice President Marketing
Eddy Antar: Treasurer
James H. Scott, Jr.*: Professor of Finance at Columbia University
Carl G. Zimel*: Senior Vice President, Midland Bank and Trust Co.
*Audit Committee
Source: Crazy Eddie 1985 Annual Report
Exhibit B: Indicators of Financial Crime
Source: Adapted from “Investigative Methods in Forensic Accounting” by Tom O'Connor.
Unrealistic Performance Compensation Packages: The organization will rely almost exclusively
(and to the detriment of employee retention) on executive pay systems linked to the
organization's profit margins or share price.
Inadequate Board Oversight: There is no real involvement by the Board of Directors, Board
appointments are honorariums for the most part, and conflicts of interest, as well as nepotism
(the second cousin to corruption), are overlooked.
Unprofitable Offshore Operations: Foreign operation facilities that should be closed down are
kept barely functioning because this may be where top management fraudsters have used
bribes to secure a "safe haven" in the event of a need for swift exit.
Poor Segregation of Duties: The organization does not have sufficient controls on who has
budget authority, who can place requisitions, or who can take customer orders, and who settles
or reconciles these things when the expenses, invoices, or receipts come in.
Poor Computer Security: The organization doesn't seem to care about computer security, has
slack password controls, hasn't invested in antivirus, firewalls, IDS, log files, data warehousing,
data mining, or the budget and personnel assigned to internet security. Simultaneously, the
organization seems over-concerned with minor matters, like whether employees are
downloading music, chatting, playing games, or viewing porn.
Low Morale, High Staff Turnover, and Whistleblowers: Low morale and staff shortages go
hand-in-hand, employees feel overworked and underpaid, frequent turnover seems to occur in
key positions, and complaints take the form of whistleblowing.
Examine the Major Red Flags
Many symptoms of fraud at Crazy Eddie went unnoticed, or recognized symptoms were not vigorously
pursued. If symptoms were timely and properly addressed, many frauds could be detected earlier. This
section examines some red flags that the auditors allegedly failed to recognize and investigate.
Too Good to Be True
“If it sounds too good to be true, it probably is too good to be true”
Without the reduction in skimming, the company’s pro forma earnings increased from $4.7 million in
1980 to about $8.0 million in 1984, indicating that the company grew 69% in five years. To attract
investors by appearing very profitable and gaining a high valuation, Crazy Eddie reported that the pro
forma earnings grew from $1.7 million in 1980 to about $8.0 million in 1984 (a 367% increase) by
simply reducing its skimming to give the appearance that the company was rapidly growing. According
to the U.S. Commerce Department, the retail sales growth for October 2019 was 3.10%. Although that
data reflects only the current period, 367% growth was a red flag of artificially increased growth.
Effect of Gradual Reduction in Skimming on the Overall Growth
| | FY Ended 05/31/80 | FY Ended 05/31/84 |
|---|---|---|
| A. Reported Income | $ 1,709,000 | $ 7,975,000 |
| B. Skimming, Net of Cash Used to Pay Certain Expenses Such as Payroll | $ 3,000,000 | $ - |
| C. Adjusted Income (A+B) | $ 4,709,000 | $ 7,975,000 |
| Reported Growth (artificial increase via reduction in skimming) | | 367% |
| Adjusted Growth (without skimming) | | 69% |
Source: Sam Antar, “Crazy Eddie’s Two Sets of Books”, Whitecollarfraud.com, accessed on January 8, 2020.
Moreover, for the three years prior to becoming a public company, the company’s reported income
increased between 33% and 50%. As it became public in 1984, Crazy Eddie grew at a rate of between
72% and 96%. Its sales grew at a rate of approximately 25% between 1984 and 1985. In 1987, it
increased by 57% when its established competitors were experiencing periods of weak performance.
The growth should have raised concern, especially since the industry experienced a slowdown during
that time.
Unexplained Anomalies
“They (the auditors) did not want to believe we were crooks. They believed whatever we told them
without verifying the truth. You can steal more with a smile!”
Sam E. Antar, Former CFO of Crazy Eddie, Inc.
Fraud, by its nature, is hidden. Unusual data in financial statements may or may not be indicative of
potential fraud. However, many schemes are detected simply because the numbers do not make sense
through financial analysis. This section discusses several anomalies missed by the auditors.
[Chart: Crazy Eddie Reported Income Growth, FY 1981 to FY 1986. FY 81: 33.0%; FY 82: 49.8%; FY 83: 36.2%; FY 84: 72.0%; FY 85: 74.8%; FY 86: 95.9%.]
[Chart: Crazy Eddie Sales Growth, FY 1984 to FY 1986. FY 84: 26.6%; FY 85: 24.4%; FY 86: 56.9%.]
Unusually High Pay Raises
As discussed in “Gradual Reduction in Skimming”, since Crazy Eddie gradually reduced its skimming,
the company stopped paying its employees in cash. In an attempt to make up for the loss of the
off-the-books compensation, the company significantly increased the salaries of more than 100
employees in the years prior to going public. According to Sam, employees who had previously been paid
very low wages, considering their positions and responsibilities, received salary increases of
three to as many as 20 times their previously reported salaries. For example, some employees who
had been paid only $5,000 per year were suddenly being paid $50,000 or more per year. Although
both accounting firms (Penn and Horowitz in 1980-83, and Main Hurdman in 1984) identified these
variances, the unusual salary increases were not properly addressed.
High Amount of Sales at Year-End
The funds from Panama were converted into $25,000, $50,000, $75,000, and $100,000 amounts and
deposited into store bank accounts a day after the fiscal year ended. Thus, it appeared that the
company had an increase of over 90% in comparable-store sales in the last two days of the fiscal year.
Sam stated that “Crazy Eddie’s average sales were about $300 per customer. The auditors did not
examine our bank deposits for unusual transactions in large dollar amounts, and these unusual
transactions weren't even backed up by false invoices.”
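The bank-deposit test that Sam says was skipped can be expressed as a simple cut-off screen. The sketch below is an added example, not part of the course material: the deposit records, the fiscal year-end date, the 3-day window, the $1,000 round unit and the 3x baseline multiple are all constructed assumptions.

```python
from datetime import date
from statistics import median
from typing import Dict, List, NamedTuple


class Deposit(NamedTuple):
    store: str
    day: date
    cents: int  # integer cents, so the round-amount test is exact


# Constructed fiscal year-end (the page gives 05/31 year-ends only up to FY 84).
FISCAL_YEAR_END = date(2020, 5, 31)

# Constructed sample: ordinary store deposits plus two large round-dollar
# deposits made the day after year-end, as in the pattern described above.
SAMPLE_DEPOSITS: List[Deposit] = [
    Deposit("S01", date(2020, 5, 12), 812_437),
    Deposit("S01", date(2020, 5, 19), 905_510),
    Deposit("S01", date(2020, 5, 26), 798_010),
    Deposit("S01", date(2020, 5, 30), 1_435_020),  # busy weekend, not round
    Deposit("S01", date(2020, 6, 1), 5_000_000),   # $50,000.00
    Deposit("S02", date(2020, 5, 13), 640_255),
    Deposit("S02", date(2020, 5, 20), 500_000),    # round, but outside window
    Deposit("S02", date(2020, 5, 27), 702_890),
    Deposit("S02", date(2020, 6, 1), 2_500_000),   # $25,000.00
    Deposit("S02", date(2020, 6, 2), 610_000),     # $6,100.00, not a round $1,000
]


def flag_cutoff_deposits(
    deposits: List[Deposit],
    year_end: date,
    window_days: int = 3,
    round_unit_cents: int = 100_000,
    baseline_multiple: float = 3.0,
) -> List[Deposit]:
    """Return deposits near year-end that are round and far above the store's norm."""
    by_store: Dict[str, List[Deposit]] = {}
    for dep in deposits:
        by_store.setdefault(dep.store, []).append(dep)

    flagged: List[Deposit] = []
    for rows in by_store.values():
        # Baseline: the store's median deposit outside the cut-off window.
        outside = [r.cents for r in rows
                   if abs((r.day - year_end).days) > window_days]
        baseline = median(outside) if outside else 0  # no history: size test passes
        for r in rows:
            in_window = abs((r.day - year_end).days) <= window_days
            is_round = r.cents % round_unit_cents == 0
            is_large = r.cents > baseline_multiple * baseline
            if in_window and is_round and is_large:
                flagged.append(r)
    return sorted(flagged, key=lambda r: (r.day, r.store))


if __name__ == "__main__":
    for hit in flag_cutoff_deposits(SAMPLE_DEPOSITS, FISCAL_YEAR_END):
        print(f"{hit.store} {hit.day} ${hit.cents / 100:,.2f}")
```

Each flagged deposit is a lead for follow-up (tracing to invoices and register tapes), not proof of a misstatement.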
Significant Inventory Increase
• Inventory drastically increased while accounts payable significantly reduced
• Inventory grew at a faster pace than sales
Crazy Eddie’s accounts payable decreased by only 3% from 1986 ($51 million) to 1987 ($50 million).
However, its inventory increased by 82% within the same period. The change was unusual since
inventory and accounts payable should be correlated. The more inventory a company purchases, the
higher its year-end accounts payable should be. Inventory balances growing significantly faster than
accounts payable may indicate possible signs of fraud (e.g. phantom inventory). The auditors should
have further investigated the unusual trends.
Before the company went public, its inventory increased by about 21%. Since it became public, its
inventory drastically increased by 126% from 1985 to 1986, and by 82% from 1986 to 1987. If the
auditors had properly conducted the analytical procedures and followed up on the unexpected
discrepancies, the inventory fraud could have been detected.
| | FY 85 | FY 86 | FY 87 |
|---|---|---|---|
| Accounts Payable | $ 23,078,000 | $ 51,723,000 | $ 50,022,000 |
| % Change | 26.9% | 124.1% | -3.3% |
| Inventory | $ 26,543,000 | $ 59,864,000 | $ 109,072,000 |
| % Change | 20.8% | 125.5% | 82.2% |
Source: Sam Antar, “Crazy Eddie Documents”, Whitecollarfraud.com, accessed on January 8, 2020.
Inventory turnover is a measure of the number of times that a company sells its average level of
inventory during the year. The ratio establishes the relationship between the volume of goods sold
and inventory. The inventory turnover for businesses in different industries and within industries can
vary widely. A grocery store may have an average turnover of 20, for all items. A furniture store would
normally have a much smaller turnover. The inventory turnover is computed as:
Inventory Turnover = Cost of Goods Sold / Average Inventory
A high turnover indicates an ability to sell the inventory (better), while a low number shows an
inability. As the company’s sales increase, one expects that inventories would be turning over faster.
[Chart: Crazy Eddie Trend Analysis, Accounts Payable vs. Inventory, FY 1985 to FY 1987. Series: Accounts Payable and Inventory.]
[Chart: Crazy Eddie Inventory % Change, FY 1984 to FY 1987. FY 84: 21.6%; FY 85: 20.8%; FY 86: 125.5%; FY 87: 82.2%.]
The days sales of inventory measures how many days it takes for inventory to turn into sales. It is
calculated as:
Days Sales of Inventory = 365 / Inventory Turnover
A lower days sales of inventory is better since it would translate to fewer days needed to turn
inventory into cash. Since Crazy Eddie demonstrated its ability to grow, one expects that its days sales
of inventory would be reduced. However, the ratio showed that the age of inventories increased from
69 days to 81 days in 1987.
Finally, Crazy Eddie’s sales increased by 57% from 1985 to 1986 and by 34% from 1986 to 1987.
However, its inventory increased significantly faster than sales. Between 1985 and 1986, the inventory
increased by 126%. In general, inventory balances growing significantly faster than sales or cost of
goods sold may indicate obsolete, slow-moving merchandise or possible signs of fraud (e.g. overstated
inventory). The auditors should have further investigated the unusual trends.
| | FY 85 | FY 86 | FY 87 |
|---|---|---|---|
| Sales | $ 167,147,000 | $ 262,268,000 | $ 352,523,000 |
| % Change | 24.4% | 56.9% | 34.4% |
| Inventory | $ 26,543,000 | $ 59,864,000 | $ 109,072,000 |
| % Change | 20.8% | 125.5% | 82.2% |
| Inventory turnover | 5.2622 | 5.2618 | 4.4989 |
| Average number of days inventory outstanding | 69.3622 | 69.3668 | 81.1297 |
Source: Sam Antar, “Crazy Eddie Documents”, Whitecollarfraud.com, accessed on January 8, 2020.
[Chart: Crazy Eddie Trend Analysis, Sales vs. Inventory, FY 1985 to FY 1987. Series: Sales and Inventory.]
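The analytical procedures described in this section (inventory against accounts payable, inventory against sales, and days sales of inventory) can be run as one review over the figures in the tables above. This is an added example, not part of the course material; the two thresholds (a 25-point growth gap and a 5-day rise) are assumptions chosen for illustration, and inventory turnover is taken as printed because the page does not give cost of goods sold.

```python
from typing import Dict, List, Tuple

Series = Dict[str, float]

# Figures as printed in the course tables (dollars; fiscal years 1985 to 1987).
SALES: Series = {"FY85": 167_147_000, "FY86": 262_268_000, "FY87": 352_523_000}
INVENTORY: Series = {"FY85": 26_543_000, "FY86": 59_864_000, "FY87": 109_072_000}
PAYABLES: Series = {"FY85": 23_078_000, "FY86": 51_723_000, "FY87": 50_022_000}
# Inventory turnover as printed; an input here, not recomputed.
TURNOVER: Series = {"FY85": 5.2622, "FY86": 5.2618, "FY87": 4.4989}

# Review thresholds: assumptions for this example, not audit-standard values.
GAP_POINTS = 25.0     # inventory growth minus comparator growth, in points
DSI_RISE_DAYS = 5.0   # year-over-year rise in days sales of inventory


def yoy_change(series: Series) -> Series:
    """Percentage change of each year against the year before it."""
    years = sorted(series)  # labels such as FY85, FY86 sort chronologically
    return {
        cur: (series[cur] - series[prev]) / series[prev] * 100.0
        for prev, cur in zip(years, years[1:])
    }


def days_sales_of_inventory(turnover: Series) -> Series:
    """365 divided by inventory turnover, per the formula in the text."""
    return {year: 365.0 / t for year, t in turnover.items()}


def analytical_review(
    sales: Series,
    inventory: Series,
    payables: Series,
    turnover: Series,
    gap_points: float = GAP_POINTS,
    dsi_rise_days: float = DSI_RISE_DAYS,
) -> List[Tuple[str, str, str]]:
    """Return (year, test, detail) for every relationship that looks out of line."""
    inv_g = yoy_change(inventory)
    sales_g = yoy_change(sales)
    ap_g = yoy_change(payables)
    dsi = days_sales_of_inventory(turnover)
    findings: List[Tuple[str, str, str]] = []

    for year in sorted(inv_g):
        # Inventory should not outrun the sales it is supposed to support.
        if inv_g[year] - sales_g[year] > gap_points:
            findings.append((year, "inventory_vs_sales",
                             f"inventory {inv_g[year]:+.1f}% vs sales {sales_g[year]:+.1f}%"))
        # More purchased inventory should show up as more owed to vendors.
        if inv_g[year] - ap_g[year] > gap_points:
            findings.append((year, "inventory_vs_payables",
                             f"inventory {inv_g[year]:+.1f}% vs payables {ap_g[year]:+.1f}%"))

    dsi_years = sorted(dsi)
    for prev, cur in zip(dsi_years, dsi_years[1:]):
        rise = dsi[cur] - dsi[prev]
        # With growing sales, inventory should turn faster, not slower.
        if rise > dsi_rise_days and sales_g.get(cur, 0.0) > 0:
            findings.append((cur, "days_in_inventory",
                             f"{dsi[prev]:.1f} -> {dsi[cur]:.1f} days while sales grew"))
    return findings


if __name__ == "__main__":
    for year, test, detail in analytical_review(SALES, INVENTORY, PAYABLES, TURNOVER):
        print(f"{year}  {test:<22} {detail}")
```

On these figures the review raises four findings: inventory outrunning sales in FY 86 and FY 87, inventory outrunning accounts payable in FY 87, and the rise in days sales of inventory in FY 87.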
Changes in Accounting Policy
As discussed in “Concealed Liabilities”, Crazy Eddie changed its accounting policy for purchase
discounts and trade allowances to conceal $20 million in fictitious debit memos or chargebacks in
order to reduce the accounts payable. According to the court document, the complaints suggest that
any trained auditor would have detected the debit memo fraud, given the size of the scheme and the
inherent risk of fraud posed by the immediate recognition of debit memos. However, the Peat Marwick
partner willfully ignored unmistakable evidence of such fraud.
Pressure of Meeting Expectations
“Crazy Eddie’s high stock price was based on large increases in same store sales growth. We believed
that a failure to meet analysts’ projections would have substantially dropped the price of our stock.”
Sam E. Antar, Former CFO of Crazy Eddie, Inc.
The attractiveness of a particular stock is primarily determined by a company's ability to generate
profit. Companies with poor earnings prospects will typically have lower share prices than those with
good prospects. Thus, the need to meet or exceed investor and analyst expectations can create
pressure to commit fraud. In this case, Crazy Eddie management deliberately manipulated the
company's earnings to achieve a designated growth level. According to the SEC, the most commonly
cited motivations for fraudulent financial reporting include:
• The need to meet internal or external earnings expectations
• An attempt to conceal the company’s deteriorating financial condition
• The need to increase the stock price
• The need to bolster financial performance for pending equity or debt financing
• The desire to increase management compensation based on financial results
• An attempt to cover up misappropriated assets
2. Where the Audit Went Wrong
“An “A/P status report” simply lists all invoices owed to vendors and offsetting debit memos.
Therefore, the debit memos were traced to a report listing the phony debit memos. Our auditors
simply traced the phony debit memos to the books and records that reflected them, but did not do
any follow-up work to confirm their validity.”
Sam E. Antar, Former CFO of Crazy Eddie, Inc.
An audit ultimately aims at providing trust among its intended parties. It focuses on both the truth of
the records and the question of whether or not the statements were faithfully prepared from those
records. All companies that wish to access the U.S. capital markets must obtain an audit, and auditors
have a unique responsibility. Auditors, as independent guarantors of financial information, validate a
company’s transactions and verify the integrity of accounting entries (e.g. sales, expenses). Since
auditors work on behalf of investors and the public interest by providing an objective opinion on the
integrity of financial statements, they must follow auditing standards to form an opinion of whether
the financial statements are free of material misstatement, whether caused by error or fraud.
The auditors, for failure to detect Crazy Eddie’s large-scale fraud, were sued for malpractice. Apart
from failure to notice red flags, there were many fraudulent activities that the auditors should have
caught. Crazy Eddie inflated the inventory levels, falsified and altered documents, understated
accounts payable, and overstated sales. Sam bragged "Our fraud was never uncovered by auditors."
and identified the biggest mistakes of Crazy Eddie’s auditors:
Under-educated, underskilled, and under-experienced auditors
Lack of forensic accounting skills or background in fraud
Lack of understanding of the business operation environment
Failure to exercise due professional care and the appropriate level of professional skepticism
Inappropriate close relationship with the client
Allowing company personnel to have access to audit paperwork during the audit process
Inability to ask proper, tough and follow-up questions
Failure to secure audit paperwork
Failure to perform key audit procedures:
• Test of internal control procedures
• Deposits in transit at year-end
• Sales cut-off testing
• Age of accounts payable
• Inventory test count
• Inventory observations
Failure to perform all required analytical testing and investigate significant variances
3. What the Auditors Should Have Done
"The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about
whether the financial statements are free of material misstatement, whether caused by error or
fraud.”
PCAOB AS 1001: Responsibilities and Functions of the Independent Auditor
“PMM (Peat Marwick Main) had already signed off on Crazy Eddie’s audit on April 28, 1987, and the
young inexperienced auditor started his test work that same day.”
Sam E. Antar, Former CFO of Crazy Eddie, Inc.
Exercising Professional Skepticism
“Since evidence is gathered and evaluated throughout the audit, professional skepticism should be
exercised throughout the audit process.”
PCAOB AS 1015: Due Professional Care in the Performance of Work
“the gullible auditors accepted our silly explanation that our employees had sacrificed many years
working at below-average wages for the opportunity to be part of what they hoped might become a
growing public company.”
Sam E. Antar, Former CFO of Crazy Eddie, Inc.
Auditing standards require that appropriate professional skepticism be applied in the exercise of
professional judgment. Professional skepticism, a foundation of the auditing profession, is an attitude
that includes a questioning mind and a critical assessment of audit evidence. For example, instead of
blindly accepting what the client provides, the auditors should have a questioning mind throughout
the planning and performance of the audit. Professional skepticism includes a mindset in which the
auditors assume neither that management is dishonest nor of unquestioned honesty. Maintaining
professional skepticism throughout the audit is necessary if the auditor is, for example, to reduce the
risks of:
1. Failing to identify unusual circumstances/events/transactions
2. Over-generalizing when drawing conclusions from audit observations
3. Using inappropriate assumptions in determining the nature, timing, and extent of the audit
procedures and assessing the results
In general, the auditor should have an attitude of professional skepticism by being alert to the
following situations:
• Audit evidence contradicts other audit evidence obtained
• The information raises a question of the reliability of documents
• Responses to inquiries used as audit evidence
• Conditions may indicate possible fraud (e.g., red flags, inconsistencies)
• Circumstances suggest the need for additional audit procedures or follow-up
The PCAOB reminds the auditors that skepticism is especially critical when considering transactions
outside the normal course of business, such as:
1. Nonrecurring transactions
2. Financing activities
3. Related-party transactions that might be motivated solely or in large measure by an expected
or desired accounting outcome
Identifying and Assessing Fraud Risk
The Nature of Financial Statement Fraud
“Fraud is a broad legal concept and the auditors do not make legal determinations of whether fraud
has occurred. Rather, the auditor's interest specifically relates to acts that result in a material
misstatement of the financial statements.”
PCAOB AS 2401: Consideration of Fraud in a Financial Statement Audit
Although there is no universal definition of fraud, fraud essentially involves using deception to make
a personal gain for oneself dishonestly and/or create a loss for another. That is, fraud includes any
intentional or deliberate act to deprive another of property or money by deception or other unfair
means.
The auditor is primarily concerned with fraud that causes a material misstatement in the financial
statements. Misstatements can result from errors or fraud. Some examples of misstatements due to
errors or fraud include:
• An inaccuracy in gathering or processing data from which financial statements are prepared.
• A difference between the amount, classification, or presentation of a reported financial
statement element, account, or item and the amount, classification, or presentation that
would have been reported under GAAP. For example, finance cost is included within cost of
sales in the income statement.
• The omission of a financial statement element, account, or item.
• A financial statement disclosure that is not presented in accordance with GAAP. For example,
a contingent liability disclosure is missing or inadequately described in the notes to the
financial statements.
• The omission of information required to be disclosed in accordance with GAAP.
• An incorrect accounting estimate arising, for example, from an oversight or misinterpretation
of facts.
• Management's judgments concerning an accounting estimate or the selection or application
of accounting policies that the auditor may consider unreasonable or inappropriate.
The difference between fraud and error is intent. Financial statement fraud (“cooking the books”) is a
scheme in which individuals deliberately carry out the following acts in order to create a rosy picture
of the company's financial position, performance, and cash flows:
• Altering or destroying documents (e.g., records, terms) to manipulate outcomes or hide
unusual transactions.
• Creating fictitious transactions and false journal entries to manipulate operating results.
• Deliberately applying biased assumptions and judgments to estimate accounting balances.
• Making unsupported adjustments to amounts reported in the financial statements.
• Misapplying accounting principles relating to classification and presentation, or disclosure.
Lesson Note: According to Sam, Crazy Eddie’s document retention policy was to destroy all evidence
of wrongdoing as soon as possible. They destroyed copies of all falsified documents (to the extent
possible) to cover up their crimes.
Financial statement fraud is sometimes referred to as management fraud because it almost always
occurs with the knowledge or consent of management. It is perpetrated by an intentional override by
upper-level management of what might otherwise appear to be effective internal control. This is
because management has the ability to override controls, or to influence others to perpetrate or
conceal fraud. Moreover, executives and managers are entrusted with access to nearly all data and
employees. Power and access within a company make it possible for larger frauds to be committed
and covered up.
The SEC and PCAOB have identified the following common fraud risk factors accumulated from the
scandalous fraudulent behavior of various companies:
1. Threatened financial stability or profitability such as:
− High degree of competition or sales saturation
− High vulnerability to rapid changes (e.g., technology, interest rates)
− Decline in customer demand, business failures in industry
− Operating losses
− Negative cash flows from operations
− Rapid growth or unusual profitability
− New accounting, statutory, or regulatory requirements
2. Excessive pressure on management to meet requirements or third-party expectations due to:
− Profitability or trend level expectations
− Need for additional debt or equity financing
− Marginal ability to meet exchange listing requirements
− Likely poor financial results on pending transactions
3. Management or directors’ financial situation threatened by:
− Significant financial interests in the company
− Significant portions of compensation contingent on results of the company
− Personal guarantees of debts of the company
4. Excessive pressure to meet financial targets set by directors or management.
Intentional overstatement of financial information, such as revenue and/or assets, is only one example
of common fraudulent financial reporting. The auditor must consider all the potential fraud risk
factors which might be relevant for their client through team brainstorming sessions, and should
develop procedures to address identified fraud risk(s).
Lesson Note: All organizations face some degree of fraud risk. The absence of fraud does not indicate
that fraud risk does not exist. Therefore, organizations of all sizes should have controls to prevent and
detect fraud.
Causes of Financial Statement Fraud
“Three conditions generally are present when fraud occurs.”
PCAOB AS 2401: Consideration of Fraud in a Financial Statement Audit
To identify a company’s vulnerability to fraud, the auditor should always recognize that errors or
events could be the result of a deliberate act designed to benefit the fraudster. This involves
brainstorming with the team by asking questions such as:
• What could go wrong?
• Why would someone (internal and external) commit fraud?
• Where is the company vulnerable? (opportunities already existed)
• How might a fraudster exploit weakness in the system of controls?
• How might a fraudster override or circumvent controls? (e.g. transaction approval)
• What could a fraudster do to conceal the fraud? (e.g. creating fraudulent physical documents)
• What types of assets are susceptible to fraud? What are their locations?
• Which personnel have control over or access to tangible or intangible assets?
In order to answer these questions, the auditors must first be familiar with the concepts of the fraud
model. Various theories have attempted to explain the causes of fraud and the most cited theory is
the fraud triangle theory, which identifies the elements that lead fraudsters to commit fraud.
According to Donald R. Cressey, a criminologist, all three of the following drivers must be present
for an act of fraud to occur.
Pressure or incentive is what causes a person to commit fraud. Fraud is not always the result of a
grand plan or conspiracy. It may begin with pressure to meet financial expectations and a fear that
failure to meet these expectations will be viewed as unforgivable. This pressure forces management
to manipulate financial statements to show the expected business results. For example, under the
conditions of a financial crisis, management is often pressured to achieve the best results possible.
The Public Company Accounting Oversight Board (PCAOB) explains that an individual may hold
incentives to manipulate earnings when any of the following four conditions occurs:
✓ Financial stability or profitability is threatened by economic, industry, or company operating
conditions (e.g., high degree of competition, operating losses, and significant declines in
demand).
✓ Excessive pressure exists for management to meet the requirements or expectations of third
parties (e.g., shareholders, analysts).
✓ Available information indicates that management or the board of directors' personal financial
situation is threatened by the company’s financial performance.
✓ Excessive pressure on management or operating personnel to meet financial targets set up by
the board of directors or management, including sales or profitability incentive goals.
Opportunity is the ability to commit or conceal fraud and convert the theft or misrepresentation to
personal gain. Although the opportunity is often the most challenging to spot, it is fairly easy to control
through improvements to internal controls and organizational procedures. Failure to establish
adequate controls to detect fraudulent activity increases the opportunities for fraud to occur.
[Figure: The Fraud Triangle, developed by Donald R. Cressey. Opportunity: the ability to commit fraud. Rationalization: the justification to commit fraud. Pressure: the motive to commit fraud.]
Opportunities often result from circumstances that provide chances to commit financial fraud, such
as:
• Inadequate monitoring of controls, including automated controls and controls over interim
financial reporting.
• Insufficient auditing.
• An unstable organizational structure.
• Ineffective accounting and information systems, including situations involving reportable
conditions.
• High percentage of complicated transactions.
• High percentage of estimates requiring significant subjective judgment by management.
• The neglectful behavior of the oversight functions (e.g. passive oversight by the audit
committee).
• Domination of management by a single person or small group (in a nonowner-managed
business) without compensating controls.
• Unclear policies regarding acceptable behavior.
• Lack of financial expertise (e.g., insufficient knowledge or lack of ability).
• Lack of an audit trail.
Lesson Note: According to the Association of Certified Fraud Examiners (ACFE), Report to the Nations:
2018 Global Study on Occupational Fraud and Abuse, in 30% of cases, lack of controls was the main
factor that enabled the fraud to occur. Another 19% of cases occurred because the fraudster was able
to override the controls that had been put in place.
In this case, opportunity also occurred because the fraudster knew the auditor’s procedures. If the
fraudster expects that the auditor always tests only large transactions in June, the fraudster can
commit the fraud on small transactions in other months. As Sam recalled, “Knowing exactly what our
auditors were doing, it was relatively easy for us to falsify inventory and accounts payable numbers in
excessive amounts.”
Example: Opportunity of Fraud
Many of Crazy Eddie’s fraudulent activities could have been detected or prevented by removing the
opportunity. For instance, the lax audit procedures (insufficient auditing) provided an opportunity to
carry out the inventory fraud over the years. According to Sam,
“The auditors simply did not observe the inventory counts in all of the Crazy Eddie stores. In 1986 they
observed the inventory counts in roughly 50% of the stores. When leaving the store premises after the
inventory was observed the auditors only took their "test counts" with them and not copies of the entire
store inventory. We simply inflated the inventory counts in the stores of which the auditors did not
observe the inventory counts at year-end.”
Sam further explained “A credible audit cannot be made in the absence of good internal controls. A so-
called strong audit and strong internal controls are not mutually exclusive.”
Rationalization is the fraudster’s justification of the crime, which makes the act seem acceptable.
It also refers to the behavior, character, or ethical values that allow individuals to justify their
reasons for committing fraud. There are two aspects of rationalization:
• The fraudster concludes that the gain to be realized from fraudulent activities outweighs the
possibility for detection.
• The fraudster needs to justify committing the fraud. Justification can relate to job
dissatisfaction or perceived entitlement, or saving one’s family, possessions, or status.
Sometimes, managers may rationalize the appropriateness of a misstatement as an aggressive rather
than an indefensible interpretation of complex accounting rules. Or they may consider it as a
temporary solution, to be corrected later when operational results improve, or as something that is in
the best interests of the company or the employees. Whatever the rationalization, these individuals
intend to mislead financial statement users.
Example: Elements of Fraud
Fraud Schemes: Crazy Eddie skimmed cash sales from customers to avoid income and sales taxes.
Pressure: Crazy Eddie gained a great competitive advantage by failing to report cash purchases and
keeping the sales tax.
Opportunity: Cash skimming is a particular concern in retail operations where most of the daily sales
are in cash. Sam stated that since most customers paid for electronic products with cash during the
70s, Crazy Eddie took full advantage of that.
Rationalization: The philosophy at Crazy Eddie was that the government did not deserve their hard-
earned money.
Obtaining Sufficient Appropriate Audit Evidence
“The auditor must plan and perform audit procedures to obtain sufficient appropriate audit evidence
to provide a reasonable basis for his or her opinion.”
PCAOB AS 1105: Audit Evidence
“The audit partner approved the year-end audit number for public release at a board meeting before
the accounts payable audit was completed.”
Sam E. Antar, Former CFO of Crazy Eddie, Inc.
Audit evidence means the information obtained by the auditor in arriving at the conclusions on the
audit opinion. The auditor must plan and perform audit procedures to obtain sufficient appropriate
audit evidence to provide a reasonable basis for his or her opinion. According to the PCAOB:
• Sufficiency is the measure of the quantity of evidence used to support the findings and
conclusions related to the audit objectives.
• Appropriateness is the measure of the quality of evidence that encompasses the relevance
and reliability of evidence used for addressing the audit objectives and supporting findings and
conclusions.
Audit evidence includes information that supports and corroborates management's assertions
(e.g., existence, completeness, disclosure). Thus, the auditors should design proper tests for
management’s assertions. For example, the auditors should perform:
1. Walk-through procedures that allow them to trace a transaction (e.g. sale) step-by-step
through the accounting system from its inception to the final disposition.
2. Sales cut-off procedures to ensure that transactions are recorded in the proper period. Funds,
especially large amount transactions, are traced to supporting documents (e.g., invoices or
sales contracts).
Performing Analytical Procedures
“A basic premise underlying the application of analytical procedures is that plausible relationships
among data may reasonably be expected to exist and continue in the absence of known conditions to
the contrary.”
PCAOB AS 2305: Substantive Analytical Procedures
It is very important to compare a company’s ratios to those of competing companies in the industry
or with industry standards. This comparison will allow the auditors to answer the questions “how does
this business fare in the industry?” and “is its gross margin out of line with industry trends?” The
inconsistency between the company performance and industry statistics may indicate a possible
manipulation.
Analytical procedures involve comparisons of recorded amounts to expectations developed by the
auditor. The auditor develops such expectations by identifying and using plausible relationships that
are reasonably expected to exist based on the auditor's understanding of the client and of the industry
in which the client operates. For example, the auditor should:
✓ Compare current and prior period sales, returns and allowances, discounts, and gross profit
percentages.
✓ Compare the current period items referred to above to anticipated results (i.e. budgeted
amounts).
✓ Compare company statistics (e.g. gross profit percentage) to industry standards.
✓ Investigate any significant differences from expected results or unexplained fluctuations.
Variability in these relationships can be explained by, for example, unusual events or transactions,
business or accounting changes, misstatements, or random fluctuations. In this case, the auditors
could have detected the anomalies through analytical procedures since an unusual growth in business
did not make any commercial sense. Warning signs, such as unexplained anomalies, are a signal to
start asking questions.
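The comparisons in the checklist above can be run mechanically once the expectations are written down. The following is an added example, not part of the course material: all figures, the industry benchmark, and the two tolerance thresholds are constructed assumptions, and the function and field names are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Period:
    """Income statement figures for one period (constructed sample data)."""
    sales: float
    returns_and_allowances: float
    cost_of_sales: float

    @property
    def net_sales(self) -> float:
        return self.sales - self.returns_and_allowances

    @property
    def gross_profit_pct(self) -> float:
        return (self.net_sales - self.cost_of_sales) / self.net_sales * 100

    @property
    def returns_pct(self) -> float:
        return self.returns_and_allowances / self.sales * 100


@dataclass(frozen=True)
class Variance:
    metric: str
    expectation: str   # which expectation the recorded amount was compared to
    recorded: float
    expected: float
    difference: float  # percentage points for ratios, percent change for sales


def analytical_review(current, prior, budget, industry_gp_pct,
                      ratio_tolerance_pts=2.0, sales_tolerance_pct=15.0):
    """Return every comparison whose difference exceeds the auditor's tolerance.

    The tolerances are assumptions; in practice they follow from materiality.
    """
    variances = []

    def check_ratio(metric, recorded, expected, source):
        diff = recorded - expected
        if abs(diff) > ratio_tolerance_pts:
            variances.append(Variance(metric, source, round(recorded, 2),
                                      round(expected, 2), round(diff, 2)))

    def check_sales(expected_period, source):
        change = ((current.net_sales - expected_period.net_sales)
                  / expected_period.net_sales * 100)
        if abs(change) > sales_tolerance_pct:
            variances.append(Variance("net sales", source, current.net_sales,
                                      expected_period.net_sales, round(change, 2)))

    # Current period against prior period and against budget.
    for source, period in (("prior period", prior), ("budget", budget)):
        check_sales(period, source)
        check_ratio("gross profit %", current.gross_profit_pct,
                    period.gross_profit_pct, source)
        check_ratio("returns %", current.returns_pct, period.returns_pct, source)

    # Company statistic against the industry standard.
    check_ratio("gross profit %", current.gross_profit_pct,
                industry_gp_pct, "industry")
    return variances


# Constructed figures: sales jump 50% while gross margin rises ten points,
# a pattern with no obvious commercial explanation.
PRIOR = Period(sales=100_000, returns_and_allowances=2_000, cost_of_sales=73_500)
BUDGET = Period(sales=110_000, returns_and_allowances=2_200, cost_of_sales=80_850)
CURRENT = Period(sales=150_000, returns_and_allowances=3_000, cost_of_sales=95_550)
INDUSTRY_GP_PCT = 24.0  # assumed industry benchmark


def sample_review():
    return analytical_review(CURRENT, PRIOR, BUDGET, INDUSTRY_GP_PCT)


if __name__ == "__main__":
    for v in sample_review():
        print(f"{v.metric:15} vs {v.expectation:12} recorded={v.recorded:>10} "
              f"expected={v.expected:>10} diff={v.difference:+}")
```

Each returned variance is a question to put to management and to corroborate with evidence, not a finding in itself.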
Other Considerations
Cash in the Bank
“The auditors should have performed tests of internal control procedures by tracing funds deposited
in our store bank accounts back to the source, which was supposed to be actual customer invoices, to
determine if adequate controls were in place to insure accurate reporting of sales. Obviously, we had
no invoices backing up the $1.5 million funds transferred from Panama and the $500,000 in cash
deposited into store bank accounts reported as "revenue."”
Sam E. Antar, Former CFO of Crazy Eddie, Inc.
Although auditing cash tends to be straightforward, cash is an inherently risky asset that can be easily
manipulated. The next section provides an audit program of cash in the bank to help the auditors
ensure that all important areas are considered.
Sample Audit Program: Cash in the Bank
I. Audit Objectives:
A. Determine that cash recorded in books exists and is owned by the company (Existence and
Right).
B. Determine that cash transactions are recorded in the correct accounting period at appropriate
values, i.e., that there is a proper cut-off of cash receipts and disbursements (Completeness and
Valuation).
C. Determine that balance sheet amounts include items in transit as well as cash on deposit with
third parties (Completeness).
D. Determine that cash is properly classified in the balance sheet and that relevant disclosures are
presented in the financial statement notes (Presentation and Disclosure).
II. Procedures:
A. Perform analytical procedures to identify obvious discrepancies or errors before conducting
tests of details. These types of procedures include:
• Compare cash balances with forecasts and budgets. For example, when cash balances
greatly exceed or fall below expectations for the year, it should alert the auditor to items
to look for during the tests of details.
• Review company policies regarding minimum cash balances and the investment of surplus
cash.
B. With respect to the bank reconciliations prepared by accounting personnel:
• Verify that proper segregation of duties between custodian, accounting and approving
personnel exists.
• Trace book balances to general ledger control totals.
• Compare ending balances from the bank statements to the ending balances on the bank
reconciliation.
• Verify the mathematical and clerical accuracy including checking extensions.
• Trace deposits in transit and outstanding checks to subsequent months’ bank statements
which are intercepted before accounting personnel have access to them.
• Inspect canceled checks for dates of cancellation in order to identify checks which were not
recorded in the proper accounting period.
• Ascertain that checks listed as outstanding are in fact: (1) recorded in the proper time
period, and are (2) checks that have not cleared. Scrutinize data when outstanding checks
have cleared to see if the books have been held open to improve ratios.
• Identify and investigate checks that are: (1) above limits prescribed by management, (2)
drawn to “bearer,” and (3) drawn payable to cash.
• Determine if unusual reconciling and long outstanding items are followed up and proper
disposition of such items is made.
• If balances have been confirmed with banks, compare confirmed balances with bank
balances per the year-end bank statements.
C. With respect to listings of cash investments:
• Trace book balances to general ledger control accounts.
• Verify the accuracy of all extensions and footings.
• Consider confirming balances directly with bank personnel.
• Obtain and inspect passbooks and certificates of deposit.
• Recalculate income derived from cash investments and trace the income amounts to the
books of original entry. Also, reconcile (for reasonableness) the interest revenue amounts
to the amount of cash investments.
• Consider using a custodian to maintain physical custody for safekeeping and to guard
against forgeries.
D. Prepare a bank transfer schedule which identifies:
• Name of disbursing bank
• Check number
• Dollar amount
• Date disbursement is recorded in books
• Name of receiving bank
• Date receipt is recorded in books
• Date receipt is recorded by bank
E. Perform cut-off test wherein transactions for the last few days of the year and the first few days
of the next year are scrutinized.
F. Inspect bank statements in order to identify obvious erasures or alterations.
G. Inspect debit and credit memos and trace them to the bank statements.
H. Read financial statements and investment certificates for appropriate classification of cash
balances.
I. With respect to cash on hand (i.e. petty cash funds):
• Determine the identity of all funds.
• Select funds to be counted and list currency and coins by denomination, account for
vouchers, stamps, and checks, trace fund balances to general ledger control accounts.
J. Investigate the reasons for delays in deposits.
K. Note unusual activity in inactive accounts since it may be indicative of cash being hidden.
L. In a cash-basis entity, reconcile sales with cash receipts.
M. List unusual cash receipts (e.g. currency receipts).
N. Examine third-party endorsements by reviewing canceled checks.
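A cut-off test over the bank transfer schedule from procedures D and E, as an added example that is not part of the course material. The field names follow the schedule listed above; the transfers, bank names, year-end date, finding codes, and the five-day transit tolerance are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Transfer:
    """One row of the bank transfer schedule (fields as listed in procedure D)."""
    disbursing_bank: str
    check_number: str
    amount: float
    disbursed_per_books: date   # date disbursement is recorded in books
    receiving_bank: str
    received_per_books: date    # date receipt is recorded in books
    received_per_bank: date     # date receipt is recorded by bank


def cutoff_exceptions(schedule, year_end, max_transit_days=5):
    """Return (check_number, finding) pairs for transfers that straddle year-end.

    max_transit_days is an assumed tolerance for a normal deposit in transit.
    """
    findings = []
    for t in schedule:
        out_this_year = t.disbursed_per_books <= year_end
        in_this_year = t.received_per_books <= year_end

        if in_this_year and not out_this_year:
            # Receipt booked this year, disbursement booked next year:
            # the same cash sits in both accounts at the balance sheet date.
            findings.append((t.check_number, "DOUBLE_COUNTED"))
        elif out_this_year and not in_this_year:
            # Disbursement booked this year, receipt booked next year:
            # cash in transit is missing from the balance sheet.
            findings.append((t.check_number, "OMITTED_IN_TRANSIT"))

        if in_this_year and t.received_per_bank > year_end:
            # Booked as received but not yet at the bank at year-end:
            # trace to the subsequent month's bank statement.
            lag = (t.received_per_bank - t.received_per_books).days
            code = "DELAYED_DEPOSIT" if lag > max_transit_days else "DEPOSIT_IN_TRANSIT"
            findings.append((t.check_number, code))
    return findings


def double_counted_cash(schedule, year_end):
    """Total amount by which year-end cash is overstated through double counting."""
    return sum(t.amount for t in schedule
               if t.received_per_books <= year_end < t.disbursed_per_books)


# Constructed sample schedule around an assumed 31 December year-end.
YEAR_END = date(2019, 12, 31)
SCHEDULE = [
    # Clean: both sides booked and cleared before year-end.
    Transfer("Bank A", "1001", 50_000, date(2019, 12, 28),
             "Bank B", date(2019, 12, 28), date(2019, 12, 30)),
    # Receipt booked on the last day, disbursement held until January.
    Transfer("Bank A", "1002", 200_000, date(2020, 1, 2),
             "Bank B", date(2019, 12, 31), date(2020, 1, 3)),
    # Disbursement booked in December, receipt not booked until January.
    Transfer("Bank B", "1003", 75_000, date(2019, 12, 30),
             "Bank C", date(2020, 1, 2), date(2020, 1, 2)),
    # Both sides booked in December, but the bank shows the deposit 14 days later.
    Transfer("Bank C", "1004", 120_000, date(2019, 12, 29),
             "Bank A", date(2019, 12, 29), date(2020, 1, 12)),
]

if __name__ == "__main__":
    for check_number, finding in cutoff_exceptions(SCHEDULE, YEAR_END):
        print(check_number, finding)
    print("Cash overstated by", double_counted_cash(SCHEDULE, YEAR_END))
```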
Inventory
“Inflation of store inventories was particularly easy since the auditor did not supervise the counting of
more than 40% of the store units or store inventory values.”
Sam E. Antar, Former CFO of Crazy Eddie, Inc.
Due to the materiality of inventory, the auditors should consider the inventory cycle as a high-risk
account balance. Inventory has a direct impact on profit, especially when it constitutes a substantial
portion of the balance sheet for a manufacturing or merchandising company. The following table lists
examples of assertions for inventory with common auditing procedures.
Assertions: Examples of Common Auditing Procedures
Completeness
• Perform analytical procedures (e.g., inventory turnover ratio, budgetary analysis) to test
inventory reasonableness.
• Trace the physical inventory to the general ledger.
Valuation & Allocation
• Review the pricing method used.
• Review the overhead allocations and rates.
Existence
• Observe the year-end inventory count on an unannounced basis.
• Trace the inventory records to physical inventories.
Occurrence & Cutoff
• Examine supporting documentation (e.g. receiving and shipping documents) to determine if
transactions were recorded in the proper period and account (receiving - into inventory,
shipping - out of inventory).
Rights & Obligations
• Confirm inventories held at public warehouses and that the audit entity owned them
(direct written confirmation from the third party).
• Review inventories on consignment to determine that the audit entity owned them.
The next section provides an audit program of inventory to help the auditors ensure that all important
areas are considered.
Sample Audit Program: Inventory
I. Audit Objectives:
A. Determine that inventory quantities properly include products, materials, and supplies on hand,
in transit, in storage, and out on consignment to others (Existence, Completeness, and Valuation
or Allocation).
B. Determine that inventory items are priced consistently in accordance with U.S. GAAP (Valuation
or Allocation).
C. Determine that inventory listings are accurately compiled, extended, footed, and summarized
and determine that the totals are properly reflected in the accounts (Existence, Completeness,
and Valuation or Allocation).
D. Determine that excess, slow-moving, obsolete, and defective items are reduced to their net
realizable value (Valuation or Allocation).
E. Determine that the financial statements include disclosure of any liens resulting from the
pledging or assignment of inventories (Presentation and Disclosure).
II. Audit Procedures:
A. Review management’s instructions pertaining to inventory counts and arrange to have
sufficient internal audit personnel present to observe the physical count at major corporate
locations. Keep in mind that all locations should be counted simultaneously in order to prevent
the substitution of items.
B. At each location where inventory is counted:
• Observe the physical inventory count, record test counts, and write an overall observation
memo.
• Determine that pre-numbered inventory tags are utilized.
• Test the control of inventory tags.
• Test shipping and receiving cut-offs.
• Discuss obsolescence and overstock with operating personnel.
• Verify that employees are indicating obsolete items with inventory tags.
• Note the condition of inventory.
• Note pledged or consigned inventory.
• Determine if any inventory is at other locations and consider confirmation or observation
of material.
• Determine that inventory marked for destruction is actually destroyed and is destroyed by
authorized personnel.
C. Follow up all points that might result in a material adjustment.
D. Trace recorded test counts to the listings obtained from management, list all exceptions and
value the total effect.
E. Trace the receiving and shipping cut-offs obtained during the observation to the inventory
records, accounts receivable records, and accounts payable records. Also, trace inventory to
production and sales.
F. Obtain a cut-off of purchases and sales subsequent to the audit date and trace to accounts
receivable, accounts payable, and inventory records.
G. Note any sharp drop in market value relative to book value.
H. “Red flag” excessive product returns which might be indicative of quality problems. Returned
merchandise should be warehoused apart from finished goods until quality control has tested
the items. Are returns due to the salesperson overstocking? Returns should be controlled as to
actual physical receipt, and the reasons for the returns should be noted for analytical purposes.
I. Trace for possible obsolete merchandise that is continually carried on the books. For example,
the author had a situation in which a company continued to carry obsolete goods on the books
even though it wrote off only a small portion of similar goods.
J. With respect to price tests of raw materials:
• Ascertain management’s inventory pricing procedures.
• Schedule, for a test of pricing, all inventory items in excess of a prescribed limit and sample
additional items.
• Inspect purchase invoices and trace to journal entries.
• Inquire and investigate whether trade discounts, special rebates, and similar price
reductions have been reflected in inventory prices.
• Determine and test treatment of freight and duty costs.
• If standard costs are utilized:
1. Determine whether such costs differ materially from actual costs on a first-in, first-out
basis.
2. Investigate variance accounts and compute the effect of the balances in such accounts
on inventory prices.
3. Ascertain the policy and practice as to changes in standards.
4. With respect to changes during the period, investigate the effect on inventory pricing.
5. If process costs are used, trace selected quantities per the physical inventory to the
departmental cost of production reports and determine that quantities have been
adjusted to the physical inventory as of the date of the physical counts.
K. With respect to work-in-process and finished goods:
• Ascertain the procedures used in pricing inventory and determine the basis of pricing.
• Review tax returns to determine that the valuation methods conform to those methods
used for financial statement purposes.
• On a test basis, trace unit costs per the physical inventory to the cost accounting records
and perform the following:
1. Obtain, review, and compare the current period and prior period’s trial balances or
tabulations of detailed components of production costs for the year, note explanations
for apparent inconsistencies in classifications and significant fluctuations in amounts,
ascertain that the cost classifications accumulated as production costs and absorbed in
inventory are in conformity with U.S. GAAP.
2. Review computations of unit costs and costs credited against inventory and charged to
cost of sales.
3. Review activity in the general ledger control accounts for raw materials, supplies, and
work-in-process and finished goods inventories and investigate any significant and
unusual entries or fluctuations.
4. Review labor and overhead allocations to inventory and cost of sales, compare them to actual
labor and overhead costs incurred, and ascertain that variances appear reasonable in
amount and have been properly accounted for.
5. Trace who obtains the funds received from the sale of scrap.
Accounts Payable
“The auditors reconciled the accounts payable of only three major vendors. There were significant
reconciling items for all of them, most of which were the bogus debit memos. For a certain vendor,
that company had said Crazy Eddie owed it $17 million while we said Sony was owed $7 million and
most of the $10 million difference was bogus debit memos… The auditors never contacted any of
the companies they reconciled. The person for the auditors who handled the accounts payable part of
the audit never had retail accounts payable audit experience.”
Sam E. Antar, Former CFO of Crazy Eddie, Inc.
Regardless of the reasons for audit and the size of the operation, the auditors should always apply
various audit procedures to ensure that the accounts payable account represents authentic obligations
of the company. The following table lists examples of assertions for accounts payable with common
auditing procedures.
Assertions: Examples of Common Auditing Procedures
Existence
• Review the reconciliations of vendor statements with recorded accounts payable.
• Examine supporting documentation for recorded payables.
• Special attention is paid to invoices dated just before year-end and quarter-end dates.
Completeness
• Search for unrecorded accounts payable by:
− Scanning vouchers payable subsequent to the balance sheet date, and
− Reviewing files of unmatched receiving reports and unpaid invoices
• Perform analytical procedures to test inventory reasonableness.
Valuation & Allocation
• Assess reasonableness of payable amounts and budget totals at year-end in relation to
expenditure totals.
Rights & Obligation
• Review documents that create financial responsibilities for the company such as contracts
and vendor invoices.
Presentation & Disclosure
• Review all significant reclassification and adjustments related to payables.
• Determine that the method of estimation and significant assumptions used are
properly disclosed.
The next section provides an audit program of accounts payable to help the auditors ensure that all
important areas are considered.
Sample Audit Program: Accounts Payable
I. Audit Objectives:
A. Determine that accounts payable, in fact, exist (Existence or Occurrence).
B. Determine that accounts payable represents authorized obligations of the entity (Existence or
Occurrence).
C. Determine that accounts payable are properly classified in the financial statements
(Presentation and Disclosure).
D. Determine that recorded accounts payable are complete (Completeness).
E. Determine that the appropriate disclosures are included in the financial statements
(Presentation and Disclosure).
II. Audit Procedures:
F. With respect to the schedule of accounts payable prepared by accounting personnel:
• Verify mathematical accuracy of extensions and footings.
• Trace totals to general ledger control accounts.
• Trace selected individual accounts to the accounts payable subsidiary ledger.
• Trace individual account balances in the subsidiary ledger to the accounts payable schedule.
• Investigate accounts payable which are in dispute.
• Investigate any debit balances.
• Read minutes of board meetings to ascertain the existence of pledging agreements.
G. Prepare a trend line of invoices (e.g., by year and by month or by year and by quarter) in order
to determine the reasonableness of amounts. Special attention should be paid to invoices dated
just before year-end and quarter-end dates.
H. Run a basic test for duplicate invoice payments (e.g., searching for any pairs of invoices which
have the same vendor number, invoice number and amount) and potential invoice errors (e.g.,
searching for same vendor number, same invoice number, but different amounts).
I. Consider confirming accounts payable if there is: (1) poor internal control structure, or (2)
suspicion of misstatement.
J. Search for unrecorded liabilities:
• Examine receiving reports and match them with invoices.
• Inspect unprocessed invoices.
• Inspect vendors’ statements for unrecorded invoiced amounts.
• Examine cash disbursements made in the period subsequent to year-end and examine
supporting documentation in order to ascertain the appropriate cut-off for recording
purposes.
K. With respect to obligations for payroll tax liabilities:
• Examine payroll tax deposit receipts.
• Examine cash disbursements in the period subsequent to year-end to identify deposits that
relate to the prior period.
• Reconcile general ledger control totals to payroll tax forms.
• Trace liabilities for amounts withheld from employee checks to payroll registers, journals,
and summaries.
• Perform analytical procedures by comparing payroll tax expense to liabilities for payroll
taxes, and liability to accrued payroll taxes.
• Reconcile calendar year payroll returns to fiscal year financial statements for payroll
amounts.
L. Reconcile vendor statements with accounts payable accounts.
M. Compare vendor invoices with purchase requisitions, purchase orders, and receiving reports for
price and quantity.
N. Investigate unusually large purchases.
O. With respect to accrued expenses:
• Consider the existence of unasserted claims.
• Obtain a schedule of accrued expenses from accounting personnel.
• Recalculate accruals after verifying the validity of assumptions utilized.
• Perform analytical procedures by comparing current- and prior-period accrued expenses.
• Ascertain that accrued expenses are paid within a reasonable time after year-end.
• Ask management and indicate all details of contingent or known liabilities arising from
product warranties, guarantees, contests, advertising promotions, and dealer
“arrangements or promises”.
• Determine liability for expenses in connection with pending litigation:
1. Ask management.
2. Confirm in writing with outside legal counsel.
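Procedure H of the audit program above can be run directly over an accounts payable extract. The following Python sketch is an added example, not part of the original course material; the column names, the sample rows, and the invoice-number normalization (trimming, upper-casing, dropping leading zeros, which goes slightly beyond an exact match) are assumptions.

```python
"""Procedure H as code: duplicate-payment and invoice-error tests on an AP extract."""
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed sample extract (illustrative rows, not real data).
SAMPLE_AP_EXTRACT = """\
payment_id,vendor_no,invoice_no,amount
P001,V100,INV-7001,1250.00
P002,V100,INV-7001,1250.00
P003,V100,INV-7002,980.50
P004,V200,A-5530,4400.00
P005,V200,a-5530 ,4040.00
P006,V300,INV-7001,1250.00
P007,V300,000915,310.25
P008,V300,915,310.25
"""


def normalize_invoice_no(raw):
    """Assumed normalization: re-keyed invoices often differ only in case,
    padding or leading zeros, so compare on a canonical form."""
    cleaned = raw.strip().upper()
    # Keep an all-zero number as typed instead of reducing it to "".
    return cleaned.lstrip("0") or cleaned


def load_payments(text):
    """Parse the CSV extract into dicts with exact (Decimal) amounts."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "payment_id": rec["payment_id"].strip(),
            "vendor_no": rec["vendor_no"].strip().upper(),
            "invoice_key": normalize_invoice_no(rec["invoice_no"]),
            "amount": Decimal(rec["amount"].strip()),
        })
    return rows


def find_invoice_exceptions(rows):
    """Return (duplicates, mismatches).

    duplicates: same vendor, same invoice number, same amount
                -> (vendor, invoice, amount, [payment ids])
    mismatches: same vendor, same invoice number, different amounts
                -> (vendor, invoice, [amounts], [payment ids])
    """
    groups = defaultdict(list)
    for row in rows:
        groups[(row["vendor_no"], row["invoice_key"])].append(row)

    duplicates, mismatches = [], []
    for (vendor, invoice), members in sorted(groups.items()):
        if len(members) < 2:
            continue  # an invoice seen once cannot be a pair
        by_amount = defaultdict(list)
        for member in members:
            by_amount[member["amount"]].append(member["payment_id"])
        for amount, ids in sorted(by_amount.items()):
            if len(ids) > 1:
                duplicates.append((vendor, invoice, amount, sorted(ids)))
        if len(by_amount) > 1:
            all_ids = sorted(m["payment_id"] for m in members)
            mismatches.append((vendor, invoice, sorted(by_amount), all_ids))
    return duplicates, mismatches


if __name__ == "__main__":
    dups, errs = find_invoice_exceptions(load_payments(SAMPLE_AP_EXTRACT))
    for vendor, invoice, amount, ids in dups:
        print(f"possible duplicate payment: {vendor} {invoice} {amount} {ids}")
    for vendor, invoice, amounts, ids in errs:
        amts = ", ".join(str(a) for a in amounts)
        print(f"possible invoice error: {vendor} {invoice} amounts {amts} {ids}")
```

The same invoice number under a different vendor (P006) is not flagged, since the test keys on vendor number and invoice number together. Flagged items are leads for follow-up against supporting documentation, not conclusions.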
Review Questions - Section 2
1. Which of the following trends appears unusual and requires the auditor’s attention?
A. Sales and cost of goods sold decreased at the same pace.
B. Inventory grew significantly faster than sales.
C. Sales and accounts receivable increased at the same rate.
D. Inventory turnover increased with the growth of business.
2. Which of the following ratios helps an auditor establish the relationship between the volume of
goods sold and inventory?
A. Quick ratio
B. Asset turnover
C. Current ratio
D. Inventory turnover
3. Which of the following terms measures the quantity of audit evidence?
A. Appropriation
B. Sufficiency
C. Significance
D. Reasonable Assurance
4. According to Sam, it was easy to inflate store inventories because the auditor did not supervise
enough inventory counts at stores. Which fraud element best explains his behavior?
A. Concealment
B. Opportunity
C. Rationalization
D. Pressure
5. Which of the following assertions indicates that inventories are included in the financial
statements at appropriate amounts?
A. Rights & Obligations
B. Completeness
C. Existence
D. Valuation & Allocation
6. An auditor reviews the supporting documentation to validate the recorded payable amounts in
support of which of the following assertions?
A. Rights & Obligations
B. Completeness
C. Existence
D. Valuation & Allocation
7. The objective of performing analytical procedures in planning an audit is to identify the existence
of which of the following scenarios?
A. Unusual transactions and events
B. Illegal acts that went undetected because of internal control weaknesses
C. Undisclosed related party transactions
D. Recorded transactions that were not properly authorized
Case 2: The King of Cross-Sell
This case study draws quotes primarily (and in some instances verbatim) from the report of Wells
Fargo’s investigation of sales practices and court documents. Additional details are sourced from Wells
Fargo Annual Reports, and various research papers and news articles. The case study is intended to be
used as a resource for management and accounting professionals at organizations of all sizes, so that
they may learn from it.
I. Examining the Company and Its Environment
1. Behind the Impressive Performance
“If anyone tells you it’s easy to earn more business from current customers in financial services, don’t
believe them. We should know. We’ve been at it almost a quarter century. We’ve been called, true or
not, the ‘king of cross-sell.’”
Wells Fargo 2010 Annual Report
Corporate Profile
Vision
We want to satisfy our customers’ financial needs
and help them succeed financially.
Goals
We want to become the financial services leader in
these areas:
• Customer service and advice
• Team member engagement
• Innovation
• Risk management
• Corporate citizenship
• Shareholder value
Values
• What’s right for customers
• People as a competitive advantage
• Ethics
• Diversity and inclusion
• Leadership
Wells Fargo & Company, headquartered in San Francisco, is a financial and bank holding company
(BHC) with $1.9 trillion in assets. In the U.S., most banks are operated under BHCs. According to the
Bank Holding Company Act, a BHC, a company that owns a controlling interest in one or more banks,
must meet the following criteria:
1. Directly or indirectly owns, controls, or holds at least 25% of the voting shares of the bank,
2. Controls the election of a majority of the board of directors of the bank, or
3. Directly or indirectly influences the management or policies of the bank.
In other words, BHCs do not provide banking services or engage in banking activities, but they do
exercise a controlling influence over management and company policies. For example, they can hire
and fire management, approve strategies and policies, oversee the risk management processes, and
monitor the bank’s performance. Wells Fargo was founded by Henry Wells and William Fargo in 1852
during the California Gold Rush. It remains one of the “Big Four Banks” in the U.S. alongside Bank of
America, JPMorgan Chase and Citigroup, all of which are operated by BHCs. It was ranked fourth in
assets and third in the market value of its common stock among all U.S. banks at December 31, 2018⁴.
Wells Fargo & Company has offices in 32 countries and territories to support customers in the global
economy. With approximately 259,000 active, full-time equivalent team members, Wells Fargo &
Company serves approximately 70 million customers, one in three households in the U.S., and was
ranked No. 29 on Fortune’s 2019 rankings of America’s largest corporations⁵.
• 3rd in Total Deposits (2019) FDIC data
• 5th Most Profitable Company in the U.S. (2019) Fortune
• 6th in Total Assets (2019) Fortune
• 10th Largest Public Company in the World* (2019) Forbes
• 19th Biggest Employer in the U.S. (2019) Fortune
• 29th Biggest Company by Revenue in the U.S. (2019) Fortune
*Based on sales, profits, assets, and market value. Source: Wells Fargo, 4th Quarter 2019
In 2019, Wells Fargo & Company generated $19.5 billion in net income⁶. The company is organized for
management reporting purposes into three operating segments:
1. Community Banking offers the everyday banking products targeted to individuals and small
businesses including checking and savings accounts, credit and debit cards, and automobile,
student, mortgage, home equity and small business lending. The Community Bank unit is the
largest operating segment, and consistently generated more than half of the company’s
revenue (and in some years more than two-thirds) from 2007 through 2016. The Community
Bank managed the U.S. branches.
2. Wholesale Banking provides financial solutions to businesses across the U.S. and globally with
annual sales generally in excess of $5 million.
3. Wealth and Investment Management provides personalized wealth management,
investment, and retirement products and services to clients across U.S.-based businesses.
4 The Wells Fargo statistics are from “2018 Annual Report,” with values accessed on February 21, 2020.
5 The Wells Fargo statistics are from “Form 8-K,” February 21, 2020.
6 The Wells Fargo financial result is from “News Release | January 14, 2020,” with values accessed on March 3, 2020.
Wells Fargo Bank, N.A., a wholly-owned subsidiary of Wells Fargo & Company, designates its main
office as Sioux Falls, South Dakota. Wells Fargo Bank, N.A. operates as a bank. Wells Fargo & Company
provides banking, insurance, investments, mortgage, and consumer and commercial finance through
Wells Fargo Bank, N.A. in more than 7,400 locations, 13,000 ATMs, the internet (wellsfargo.com) and
mobile banking.
Lesson Note: Wells Fargo in its current form is a result of a merger between Wells Fargo & Company
and Norwest Corporation in 1998 and the subsequent 2008 acquisition of Charlotte-based Wachovia.
Widespread Illegal Conduct
“The Bank (Wells Fargo) had better tools and systems to detect employees who did not meet
unreasonable sales goals than it did to catch employees who engaged in sales practice misconduct.”
The OCC Notice of Charges N20-001
Wells Fargo, a self-identified sales organization, had a long history of strong performance. Over the
years, Wells Fargo developed an obsession with cross-selling products. Beginning in 1998, Wells Fargo
increased its focus on sales volume and reliance on year-over-year sales growth. A core part of this
business model was the “cross-sell strategy.” Wells Fargo has been a leader in selling
multiple products and services to its existing customers. The banking industry considered Wells Fargo
to be “the king of cross-sell.”
Cross-sell is a common and accepted business practice when the strategy is based on strong customer
satisfaction and excellent customer service. However, Wells Fargo’s cutthroat sales culture with
unreasonable or unattainable sales targets eventually led to the 2016 fake-account scandal. Under
pressure to meet aggressive sales quotas, employees opened millions of savings and checking accounts
without customers’ knowledge or consent. The Community Banking division was at the center of the
fake-accounts scandal. Approximately 5,300 employees had been terminated for sales practice
violations between 2011 and 2016.
Further details of Wells Fargo’s sales scandal are discussed in “Analyzing the Fake-Account Scandal”.
Wells Fargo had a systemic sales practice misconduct problem from the early 2000s. For example,
from 2006 through 2014, total EthicsLine (Wells Fargo’s hotline) complaints received from employees
increased year-over-year. As early as 2007, lack of customer consent was a main allegation in
EthicsLine complaints from employees. Moreover, each year, nearly half of all EthicsLine cases
investigated by Corporate Investigations related to employee sales integrity violations. Specifically,
from December 2013 through September 2015, Wells Fargo received at least 5,000 customer
complaints related to lack of consent⁷. Management bullied employees to meet unrealistic sales goals
year after year, including by monitoring employees daily or hourly and reporting their sales
performance to their managers. Employees were actually being terminated for failure to meet the
goals.
7 The Wells Fargo widespread consumer abuses information is from the OCC Notice of Charges N20-001, January 23, 2020.
“The Toxic Sales Culture” and “Aggressive Incentive Compensation Plan” explain how Wells Fargo’s
cross-sell model and compensation plan contributed to the widespread sales integrity violations.
Lesson Note: Wells Fargo’s Sales Quality Manual defined sales integrity violations as
“manipulations and/or misrepresentations of sales, service or referrals and reporting of sales, service
or referrals in an attempt to receive compensation or to meet sales and service goals.”
John Stumpf became Wells Fargo’s Chief Operating Officer in 2005 and served in that role until he
became Chief Executive Officer (CEO) in June 2007 (2007 − 2016). Stumpf joined the Board of
Directors in 2006 and became Chairman of the Board in January 2010. In 2015, Stumpf's total
compensation was $19.3 million with a base salary of $2.8 million, $4 million in a cash bonus, and
$12.5 million in stock granted⁸. In light of the fake-account scandal, Stumpf was subject to a hearing
before the Senate Banking Committee as shown in Exhibit A.
Exhibit A: The Regulatory Response of Wells Fargo’s Fraudulent Accounts
The following are excerpts from a hearing on September 20, 2016 of the Committee on Banking,
Housing, and Urban Affairs into Wells Fargo’s unauthorized accounts.
Ms. Warren (Elizabeth Warren, Senator of Massachusetts): You know, here’s what really gets me
about this, Mr. Stumpf. If one of your tellers took a handful of $20 bills out of the cash drawer, they’d
probably be looking at criminal charges for theft. They could end up in prison. But you squeezed your
employees to the breaking point so they would cheat customers and you could drive up the value of
your stock and put hundreds of millions of dollars in your own pocket. And when it all blew up, you
kept your job, you kept your multimillion-dollar bonuses, and you went on television to blame
thousands of $12-an-hour employees who were just trying to meet cross-sell quotas that made you
rich. This is about accountability. You should resign. You should give back the money that you took
while this scam was going on, and you should be criminally investigated by both the Department of
Justice and the Securities and Exchange Commission.
Following the hearings, in recognition of his accountability for sales practices misconduct, Stumpf
agreed with the Board to forfeit all of his unvested equity awards in the approximate amount of $41
million. Carrie Tolstedt, Head of Community Banking, was asked to forfeit her unvested equity
awards valued at $19 million. The Board also revoked both executives’ 2016 bonuses. According to the
Harvard Law School Forum on Corporate Governance, this was one of the largest clawbacks of CEO
pay in history and the largest of a financial institution.
8 Stumpf’s compensation data is from “2016 Proxy Statement,” Wells Fargo Media, accessed on March 6, 2020.
“Leadership Failure” explains how leaders distorted the sales model, fostering an atmosphere that
prompted low-quality sales and improper and unethical behavior.
In September 2016, the Board conducted a comprehensive investigation to understand the root causes
of improper sales practices and identify remedial actions. The investigation included 100 interviews,
the review of more than 1,000 existing and past investigations, and the examination of more than 35
million documents. The Independent Directors of the Board of Wells Fargo & Company Sales Practices
Investigation Report concluded that the bank’s sales culture, leadership, organizational structure, and
performance management systems put excessive pressure on employees to engage in improper sales
practices. The key findings are addressed throughout the course.
In addition to imposing forfeitures, clawbacks and compensation adjustments on senior leaders, the
Board has made fundamental changes to Wells Fargo’s leadership, governance, processes, controls,
and culture to address sales integrity issues:
✓ Replacing and reorganizing the leadership of the Community Bank.
✓ Eliminating sales quotas and reforming incentive compensation focused on customer service,
branch primary customer growth, household relationship balance growth, and risk
management.
✓ Modifying performance management metrics to balance quantitative factors with qualitative
ones, such as good customer service.
✓ Centralizing monitoring and controls that enhance oversight of sales practices.
✓ Considering new methods for determining and measuring employee engagement and
satisfaction.
Banks build and maintain trust, while the regulators enforce this trust through deposit insurance, laws
and regulations, and oversight. Bank regulation subjects banks to certain requirements, restrictions,
and guidelines. Various agencies took actions against Wells Fargo’s misconduct. According to the court
documents, Wells Fargo:
• Violated the Consumer Financial Protection Act
• Misled investors about the success of its core business strategy
• Failed to address deficiencies in its compliance risk management program
Wells Fargo’s regulatory architecture is discussed in the next section.
2. Overview of Federal Regulations
Since Wells Fargo’s extensive improper sales practices were revealed, it has been under increased
scrutiny from Congress, financial regulators, and the public. This section provides highlights of the
federal regulation of Wells Fargo. First, it sets out the basic framework and the major federal
regulators. Then, it discusses the role of each major federal regulatory agency.
The Financial Regulatory Framework
The banking industry, a key driver of the financial system, is one of the most highly regulated industries
due to the interconnectedness (financial, capital, and insurance) of the banking industry and the
reliance that the economy has on banks. For example, commercial banks accept currency deposits,
offer various payment services ranging from the interbank association (e.g., operate ATM, clear
checks), point of sale to credit/debit card network, and an electronic funds transfer system. Banking
also plays a key role in the global and U.S. economy. For the 5,177 FDIC-insured commercial banks and
savings institutions, full-year 2019 net income totaled $233.1 billion⁹. The Big Four of U.S. banking—
JPMorgan Chase, Bank of America, Citigroup, and Wells Fargo—have a combined $8.8 trillion in assets
or half the U.S. total¹⁰. As a result, banks are subject to safety and soundness regulation that most
other financial firms are not subject to at the federal level.
Bank regulation is designed to promote accountability, create market transparency, and maintain the
safety and stability of the banking industry, the financial sector as a whole, and the payments system.
For example, mandatory deposit insurance was introduced in order to avoid bank runs. Capital
adequacy requirements make sure that banks do not become too exposed. According to the
Congressional Research Service (CRS), regulators regulate financial institutions, markets, and products
through different methods including licensing, registration, rulemaking, supervisory, enforcement,
and resolution powers detailed in the following table:
Licensing, Chartering, or Registration
− Each type of charter, license, or registration granted by the respective regulator governs the
sets of financial activities that the holder is permitted to engage in.
− For example, a firm cannot accept federally insured deposits unless it is chartered as a bank,
thrift, or credit union by a depository institution regulator. To be granted a license, charter, or
registration, the recipient must accept the terms and conditions that accompany it.
− Depending on the type, those conditions could include regulatory oversight, training
requirements, and a requirement to act according to a set of standards or code of ethics.
− Failure to meet the terms and conditions could result in fines, penalties, remedial actions,
license or charter revocation, or criminal charges.
9 The FDIC statistics are from “Statistics At A Glance,” the FDIC, with values accessed on March 10, 2020.
10 The Big Four Banks data is from “America's Best And Worst Banks 2019,” Forbes, with values accessed on March 11, 2020.
Rulemaking
− Regulators issue rules (regulations) through the rulemaking process to implement statutory
mandates.
− Statutory mandates usually provide regulators with a policy goal in general terms, and
regulations fill in the specifics.
− Rules lay out the guidelines for how market participants may or may not act to comply with
the mandate.
Oversight and Supervision
− Regulators ensure that their rules are adhered to through oversight and supervision. This
allows regulators to observe market participants’ behavior and instruct them to modify or
cease improper behavior.
− Supervision may entail active, ongoing monitoring (as for banks) or investigating complaints
and allegations ex post (as is common in securities markets).
− In some cases, such as banking, supervision includes periodic examinations and inspections,
whereas in other cases, regulators rely more heavily on self-reporting.
− Regulators explain supervisory priorities and points of emphasis by issuing supervisory letters
and guidance.
Enforcement
− Regulators can compel firms to modify their behavior through enforcement powers.
− Enforcement powers include the ability to issue fines, penalties, and cease and desist orders,
to undertake criminal or civil actions in court, or administrative proceedings or arbitrations,
and to revoke licenses and charters.
− In some cases, regulators initiate legal action at their own behest or in response to consumer
or investor complaints.
− In other cases, regulators explicitly allow consumers and investors to sue for damages when
firms do not comply with regulations or provide legal protection to firms that do comply.
Resolution
− Some regulators have the power to resolve a failing firm by taking control of the firm and
initiating conservatorship (i.e., the regulator runs the firm on an ongoing basis) or receivership
(i.e., the regulator winds the firm down).
− Other types of failing financial firms are resolved through bankruptcy, a judicial process.
Source: The Congressional Research Service, Who Regulates Whom? An Overview of the U.S. Financial Regulatory Framework,
March 10, 2020
The following diagram sets out the regulatory oversight of Wells Fargo customer accounts.
Source: Congressional Research Service, Wells Fargo Customer Account Scandal: Regulatory Policy Issues, September 28, 2016
The regulators are categorized into the following areas:
Depository Regulator
• Office of the Comptroller of the Currency (OCC)
• Federal Reserve
• Federal Deposit Insurance Corporation (FDIC)
Securities Markets Regulators
• The Securities and Exchange Commission (SEC)
Consumer Protection Regulator
• The Consumer Financial Protection Bureau (CFPB)
Wells Fargo & Company, a BHC, is regulated by the Federal Reserve. As a public company, it must
comply with the securities laws and the Securities and Exchange Commission (SEC) regulations related
to corporate governance, executive pay, and investor protection. Wells Fargo Bank, N.A. operates as
a large federally chartered depository bank, and is also subject to comprehensive federal regulatory
oversight and examination including:
• The Office of the Comptroller of the Currency (OCC) for enforcing its responsibilities for the
safety and soundness of nationally chartered banks,
• The Federal Deposit Insurance Corporation (FDIC) as an insured depository,
• The Consumer Financial Protection Bureau (CFPB) for regulating and supervising consumer
protection compliance.
In response to the financial crisis of 2008, the Dodd-Frank Wall Street Reform and Consumer
Protection Act (Dodd-Frank Act), comprehensive financial reform legislation, was signed into law on
July 21, 2010, by President Barack Obama. The Dodd-Frank Act of 2010 created the CFPB and the
Financial Stability Oversight Council (FSOC). FSOC is responsible for identifying risks and responding to
emerging threats to the financial stability of the U.S. As a consultative council, the FSOC is charged
with facilitation of communication among financial regulators.
The next section provides an overview of each federal regulatory agency. A summary of the functions
of various agencies is addressed in Exhibit B.
The Role of Major Regulators
Office of the Comptroller of the Currency
The Office of the Comptroller of the Currency (OCC), created in 1863, is an independent bureau of the
U.S. Department of the Treasury. The OCC charters, regulates, and supervises all national banks and
federal savings associations as well as federal branches and agencies of foreign banks. To ensure that
national banks and federal savings associations operate in a safe and sound manner, provide fair
access to financial services, treat customers fairly, and comply with applicable laws and regulations,
the OCC carries out the following actions¹¹:
✓ Issuing banking rules and regulations and providing legal interpretations and guidance on
banks' corporate decisions that govern their practices.
✓ Visiting and examining the banks it oversees for safety and soundness.
✓ Evaluating applications for new bank charters or branches, for other proposed changes in the
corporate structure of banks or their activities, and from foreign banks that wish to operate in
the U.S. under an OCC charter.
✓ Imposing corrective measures, when necessary, on OCC-governed banks that do not comply
with laws and regulations or that otherwise engage in unsafe or unsound practices.
✓ Protecting consumers by making sure banks give fair access and equal treatment to customers,
and comply with consumer banking laws.
Banks must receive a full-scope, on-site examination every 12 or 18 months. According to the
Comptroller’s Handbook, a full-scope, on-site examination must consist of examination activities
performed during the supervisory cycle that:
1. Satisfy the core assessment and are sufficient in scope to assign the bank’s regulatory ratings,
except the Community Reinvestment Act (CRA) ratings.
(Wells Fargo’s recent CRA rating is discussed later in “CRA Performance Evaluation”.)
2. Result in conclusions about the bank’s risk profile.
3. Review the bank’s Bank Secrecy Act compliance program.
4. Assess the bank’s compliance with the National Flood Insurance Program, if the bank is an
insured depository institution.
11 The mission and scope of the OCC are from the Office of the Comptroller of the Currency website, accessed on March 8, 2020.
The OCC also conducts the consumer compliance examination to review a bank’s compliance with
consumer protection-related laws and regulations and the adequacy of its compliance management
system (CMS) as it pertains to consumer compliance. The bank’s CMS must be reviewed by examiners
at least once per supervisory cycle. According to the Comptroller’s Handbook, the review of a bank’s
CMS for assigning the bank’s consumer compliance component rating should include a risk-based
assessment of the following components:
1. Board and management oversight, which includes:
− Oversight and commitment, including third-party risk management.
− Change management.
− Comprehension, identification, and management of risk.
− Self-identification and corrective action.
2. Consumer compliance program, which includes:
− Policies and procedures.
− Training.
− Monitoring and audit.
− Consumer complaint response.
Lesson Note: The OCC employees who are responsible for the supervision and regulation of banks are
called examiners.
The OCC may take enforcement actions for violations of laws, rules or regulations, final orders or
conditions imposed in writing, unsafe or unsound practices, and for breach of fiduciary duty by
institution-affiliated parties.
Federal Reserve
The Federal Reserve, the central bank system, was created in 1913 with the enactment of the Federal
Reserve Act. The Federal Reserve provides the nation with a safer, more flexible, and more stable
monetary and financial system by performing the following five functions¹²:
1. Conduct the nation’s monetary policy to promote maximum employment, stable prices, and
moderate long-term interest rates in the U.S. economy.
2. Promote the stability of the financial system and seek to minimize and contain systemic risks
through active monitoring and engagement in the U.S. and abroad.
3. Promote the safety and soundness of individual financial institutions and monitor their
impact on the financial system as a whole.
4. Foster payment and settlement system safety and efficiency through services to the banking
industry and the U.S. government that facilitate U.S.-dollar transactions and payments.
5. Promote consumer protection and community development through consumer-focused
supervision and examination, research and analysis of emerging consumer issues and trends,
community economic development activities, and the administration of consumer laws and
regulations.
The Federal Reserve has supervisory and regulatory authority for all BHCs. The Federal Reserve also
supervises state member banks, savings and loan holding companies, foreign banks operating in the
U.S., and other entities. In overseeing the institutions, the Federal Reserve seeks primarily to promote
their safe and sound functioning and their compliance with all applicable laws and regulations that
govern their activities. Since the financial crisis, the Federal Reserve has substantially enhanced its
supervisory program for large institutions. For example, the Federal Reserve takes a risk-focused
approach by scaling its supervisory work based on the size and complexity of the institution.
Federal Deposit Insurance Corporation
In response to the thousands of bank failures during the Great Depression, Congress created the
Federal Deposit Insurance Corporation (FDIC) in 1933 to maintain stability and public confidence on
deposits in the nation's financial system by¹³:
1. Insuring deposits (for at least $250,000).
2. Examining and supervising financial institutions for safety and soundness and consumer
protection.
3. Making large and complex financial institutions resolvable.
4. Managing receiverships.
12 The five functions of the Federal Reserve are from “About the Fed,” the Federal Reserve Board website, accessed on April 8, 2020.
13 The mission of the FDIC is from “2018-2022 Strategic Plan,” the FDIC, accessed on March 10, 2020.
In the U.S., there are two agencies that provide deposit insurance to depositors. The FDIC provides
deposit insurance to depositors in U.S. commercial banks and savings banks. The National Credit Union
Administration regulates and insures credit unions. According to the FDIC, since the start of the FDIC
insurance on January 1, 1934, no depositor has lost a single cent of insured funds as a result of a failure.
The FDIC is the primary federal supervisor for all state-chartered banks that are not members of the
Federal Reserve System and state-chartered thrifts. As of December 31, 2019, the FDIC provided
deposit insurance at 5,177 institutions and supervised about 3,338 banks and savings institutions for
operational safety and soundness, more than half of the institutions in the banking system14. The FDIC
also examines banks for compliance with consumer protection laws, such as the Fair Credit Billing Act,
the Fair Credit Reporting Act, the Truth-In-Lending Act, and the Fair Debt Collection Practices Act.
Finally, the FDIC examines banks for compliance with the Community Reinvestment Act (CRA) which
requires banks to help meet the credit needs of the communities they were chartered to serve.
Details of CRA are discussed in “Other Regulatory Related Matters”.
Lesson Note: The Office of Thrift Supervision (OTS) was established by Congress in 1989 as the primary
federal regulator of all federal and state-chartered savings institutions across the nation that belong
to the Savings Association Insurance Fund (SAIF).
Consumer Financial Protection Bureau
The Dodd-Frank Act of 2010 created the Consumer Financial Protection Bureau (CFPB) to enhance
consumer protection in the financial market. The CFPB, an independent agency within the Board of
Governors of the Federal Reserve System, centralizes the regulation of various financial products and
services. The CFPB has supervision authority for depository institutions with more than $10 billion in
assets and has examination and enforcement powers for financial industry participants that offer
consumers financial products.
To protect consumers in the financial marketplace, the CFPB promotes fairness and transparency for
mortgages, credit cards, and other consumer financial products and services. For instance, the CFPB
administers rules that protect consumers by setting disclosure standards, setting suitability standards,
and banning abusive and discriminatory practices. The CFPB also ensures that the federal consumer
financial laws are enforced consistently. Examples of the CFPB’s legal actions include suing credit card
companies for engaging in unfair, deceptive and abusive practices, prosecuting banks for charging
14 The FDIC statistics are from “Statistics At A Glance,” the FDIC, with values accessed on March 10, 2020.
overdraft fees to consumers who had not agreed to overdraft services, and bringing lawsuits against
payday lenders15.
Lesson Note: In some areas where the CFPB does not have jurisdiction, the Federal Trade Commission
(FTC) retains consumer protection authority. State regulators also retain a role in consumer protection.
The Securities and Exchange Commission
The Securities and Exchange Commission (SEC) is a U.S. government agency whose main mission is to
protect investors, maintain fair, orderly, and efficient markets, and facilitate capital formation. In the
wake of the 1929 Great Depression, the SEC was created by the Securities Exchange Act of 1934 to
protect investors and restore investor confidence through enforcing securities laws and regulating the
securities industry. Joseph P. Kennedy, President John F. Kennedy's father, served as the first Chairman
of the SEC.
The SEC administers the key participants in the securities world, including securities exchanges,
securities brokers and dealers, investment advisors, and mutual funds. The SEC is concerned primarily
with promoting the disclosure of important market-related information, maintaining fair dealing, and
protecting against fraud. The SEC is organized into five divisions and supported by a staff of
approximately 4,600 people, spread out between 11 Regional Offices throughout the country. The five
divisions are:
1. Division of Corporation Finance: Ensure that investors are provided with material information
in order to make informed investment decisions, both when a company initially offers its
securities to the public and on an ongoing basis as it continues to give information to the
marketplace.
2. Division of Enforcement: Conduct investigations into possible violations of the federal
securities laws and litigate the SEC's civil enforcement proceedings in the federal courts and
in administrative proceedings.
3. Division of Trading and Markets: Establish and maintain standards for fair, orderly, and
efficient markets. For example, it regulates the major securities market participants, including
broker-dealers, self-regulatory organizations (such as stock exchanges, FINRA, and clearing
agencies), and transfer agents.
4. Division of Investment Management: Administer the Investment Company Act of 1940 and
Investment Advisers Act of 1940, which includes developing regulatory policy for investment
companies (e.g. mutual funds) and for investment advisers.
15 Examples of CFPB’s legal actions are from “Consumer Financial Protection Act,” Investopedia, accessed on March 3, 2020.
5. Division of Economic and Risk Analysis: Integrate financial economics and rigorous data
analytics into the core mission of the SEC. For example, it is involved across the entire range
of SEC activities, including policy-making, rule-making, enforcement, and examination.
The SEC is mainly responsible for:
• Interpreting and enforcing federal securities laws.
• Issuing new rules and amending existing rules.
• Overseeing the inspection of securities firms, brokers, investment advisers, and ratings
agencies.
• Overseeing private regulatory organizations in the securities, accounting, and auditing fields.
• Coordinating U.S. securities regulation with federal, state, and foreign authorities.
Its main areas of enforcement include insider trading, accounting fraud, and false or misleading
investment information. For example, the Division of Corporation Finance (CF) selectively reviews public
filings to monitor and enhance compliance with the applicable disclosure and accounting
requirements. The CF selectively reviews transactional filings, such as registration statements, when
issuers engage in public offerings, business combination transactions, and proxy solicitations.
Accordingly, the CF may review a company more frequently than every three years if it files a registration
statement for an offering of securities, or if the SEC is monitoring compliance with a new or existing
rule, or a specific industry.
Lesson Note: The CF began reviewing the periodic reports of large financial institutions on an ongoing
basis following the 2008 financial crisis.
The Enforcement Division’s Financial Reporting and Audit (FRAud) Group is strengthening the agency’s
efforts to identify and prosecute securities law violations related to financial reporting and audit
failures. The work of the FRAud Group has led to a number of matters undertaken across the Division,
including inquiries, investigations, and filed enforcement actions. In short, the SEC promotes full public
disclosure, protects investors against fraudulent and manipulative practices in the market, and
monitors corporate takeover actions in the U.S.
Exhibit B: Federal Regulators and Who They Supervise
The CRS (Congressional Research Service) lays out the current federal financial regulatory structure
presented in the following table. According to the CRS, regulators are mainly divided into the three
main areas of finance—banking (depository), securities, and insurance (where state, rather than
federal, regulators play the key role). There are also targeted regulators for specific financial activities
(consumer protection; CFPB) and markets (agricultural finance and housing finance; FCA).
The following table does not include interagency-coordinating bodies, standard-setting bodies,
international organizations, or state regulators, which are described later in the report.
Columns: Regulatory Agency; Institutions Regulated; Other Notable Authority

Depository Regulators

Federal Reserve
Institutions Regulated:
• Bank holding companies and certain subsidiaries (e.g. foreign subsidiaries), financial holding companies, securities holding companies, and savings and loan holding companies.
• Primary regulator of state banks that are members of the Federal Reserve System, foreign banking organizations operating in the United States, Edge Corporations, and any firm or payment system designated as systemically significant by the FSOC.
Other Notable Authority: Operates discount window (“lender of last resort”) for depositories, operates payment system, conducts monetary policy.

Office of the Comptroller of the Currency (OCC)
Institutions Regulated:
• Primary regulator of national banks, U.S. federal branches of foreign banks, and federally chartered thrift institutions.

Federal Deposit Insurance Corporation (FDIC)
Institutions Regulated:
• Federally insured depository institutions.
• Primary regulator of state banks that are not members of the Federal Reserve System and state-chartered thrift institutions.
Other Notable Authority: Operates deposit insurance for banks, resolves failing banks.

National Credit Union Administration (NCUA)
Institutions Regulated:
• Federally chartered or federally insured credit unions.
Other Notable Authority: Operates deposit insurance for credit unions, resolves failing credit unions.

Securities Markets Regulators

Securities and Exchange Commission (SEC)
Institutions Regulated:
• Securities exchanges, broker-dealers, clearing and settlement agencies, investment funds, including mutual funds, investment advisers, including hedge funds with assets over $150 million, and investment companies.
• Nationally recognized statistical rating organizations.
• Security-based swap (SBS) dealers, major SBS participants, and SBS execution facilities.
• Securities sold to the public.
Other Notable Authority: Approves rulemakings by self-regulated organization.

Commodity Futures Trading Commission (CFTC)
Institutions Regulated:
• Futures exchanges, futures commission merchants, commodity pool operators, commodity trading advisors, derivatives clearing organizations, and designated contract markets.
• Swap dealers, major swap participants, swap execution facilities, and swap data repositories.
Other Notable Authority: Approves rulemakings by self-regulated organizations.

Government-Sponsored Enterprise Regulators

Federal Housing Finance Agency (FHFA)
Institutions Regulated:
• Fannie Mae, Freddie Mac, and Federal Home Loan Banks
Other Notable Authority: Acting as conservator (since Sept. 2008) for Fannie and Freddie.

Farm Credit Administration (FCA)
Institutions Regulated:
• Farm Credit System, Farmer Mac

Consumer Protection Regulator

Consumer Financial Protection Bureau (CFPB)
Institutions Regulated:
• Nonbank mortgage-related firms, private student lenders, payday lenders, and larger “consumer financial entities” determined by the CFPB.
• Statutory exemptions for certain markets.
• Rulemaking authority for consumer protection for all banks; supervisory authority for banks with over $10 billion in assets.
Source: The Congressional Research Service, Who Regulates Whom? An Overview of the U.S. Financial Regulatory Framework,
March 10, 2020
3. The Pressure-Cooker Environment
"That's the whole foundation of Wells Fargo is cross-sell, cross-sell, cross-sell."
Former Employee, Wells Fargo
“A standard line we hear is ‘I can play by the rules and get fired for not making unrealistic goals or I
can cheat and hope I don’t get caught’.”
Manager of Corporate Investigations, Wells Fargo
Wells Fargo is known for its intense cross-sell model. Cross-sell, a critical strategy for banks to expand
business and generate profits, involves offering multiple services/products to existing customers. For
example, as a way to increase its customer base, the bank can offer an existing checking account
customer different products such as mortgage, line of credit, and credit and debit cards based on
need, behavior or demography. Customer value is enhanced by holding multiple products. In general,
the more products sold to existing customers, the more money the bank would earn from each
relationship and the less likely those customers would exit their relationship with the bank. That is,
the deeper the relationship, the stronger the relationship, and the more revenue banks can expect to
generate.
Lesson Note: Cross-sell is often confused with up-sell. Cross-sell is the act of selling a different product
that provides an additional benefit to the customer. Up-sell is the practice of encouraging customers
to buy a comparable higher-end product than the current one. While cross-sell is offering a
complementary product, up-sell is offering another upgrade or premium product.
The cross-sell model has been at the heart of growth in Wells Fargo. In 1998, Wells Fargo merged with
Norwest Corporation in a $34 billion deal. Although the merged bank operated under the Wells Fargo
name, Norwest’s management culture was directing the combined company. For example, Richard
Kovacevich, the top executive at Norwest, was given the positions of president and CEO (1998 − 2005)
at the merged bank. Kovacevich determined to bring Norwest's sales culture to Wells Fargo by
promoting the cross-sell strategy, establishing the long-held, and infamous, goal of eight products per
household.
Lesson Note: Wells Fargo’s sales-oriented culture was also transferred to former Wachovia branches
and retail bank operations following the merger with Wachovia.
Kovacevich considered financial instruments, such as checking accounts, credit cards, and loans, as
consumer products that were no different from light bulbs sold by Walmart. According to Fortune
magazine, in his lingo, bank branches were “stores,” and bankers were “salespeople” whose job was
to “cross-sell,” which meant getting “customers,” not “clients,” to buy as many products as possible.
In 1999, Kovacevich launched an initiative called “Going for Gr-Eight,” a sales-focused business model,
aimed to sell at least eight separate products to every customer. Management had been pushing the
“Gr-Eight Initiative” sales targets that could reach as high as 20 products a day or more. In context,
most big banks aim to have two to three per customer. Cross-sell is a common and accepted sales
practice when the strategy is based on strong customer satisfaction and excellent customer service.
However, under Wells Fargo’s high-pressure goal of eight products per household, employees were
pushed to cross-sell customers by persuading them to open new accounts and obtain new credit cards
that were unneeded and unwanted.
According to the Board Report, in many instances, leadership recognized that their sales targets were
unachievable. They were referred to as “50/50 plans”. That is, there was an expectation that only half
the regions would be able to meet them. Typically, there were minimum requirements for products
sold per day, daily profit, packages sold per quarter, quarterly partner referrals and/or the number of
loans made per quarter. One former employee said she could not meet sales goals in any ethical way.
She reported the concern to Wells Fargo’s ethics hotline and was eventually fired16.
“Jump into January,” created in 2003, was initially designed to motivate employees to achieve and
exceed January goals. From 2003 through 2013, the bank imposed higher daily sales targets from
January through March and emphasized and rewarded higher sales activity levels. The monthly sales
goal during “Jump into January” was set as high as 12% of the yearly total. To meet the sales goals and
incentives, employees intentionally held off on opening accounts in December, until January, also
known as “sandbagging”.
Example: Emphasis on Meeting Aggressive Sales Goals
The following are excerpts from the OCC Notice of Charges N20-001.
An email exchange between Tolstedt, Head of the Community Bank, and one of her managers:
The executive proposed a plan that provided for a 4% increase in sales. Tolstedt told the executive in
an email marked as high importance: “the front end guidance was a minimum of 10%.” She further
stated: “[w]ould you do me a huge favor and change your sales plan to reflect a growth rate of between
10% and 15%.” Tolstedt forwarded the email to the CEO stating: “[j]ust so you know I won’t let them
get away with this!!! … we need to ensure they [referring to the sales plans] are equally hard across
all regions.”
Source: The OCC Notice of Charges N20-001
Many former employees reported that mornings usually began with a huddle where managers pressed
them to meet their “solutions goals.” Each credit card or home equity loan or other product was called
16 The former employee’s statement is from “Wells Fargo Fraud,” McCombs Business School, accessed on February 28, 2020.
“a solution.” Employees were told to sell solutions all day long17. The aggressive sales targets put
significant sales pressure on employees. Some employees signed up customers for online access by
creating fake emails. They also accessed personal customer account information, such as customer
phone numbers, home addresses, and email addresses, without authorization. Others enrolled
customers in online banking and online bill-pay without consent, known as “pinning”.
According to a former Chief Administrative Officer (2005-2015), it was common knowledge within the
bank that employees who could not meet sales goals could and would be terminated. Employees often
and consistently complained that the sales goals were unrealistic and unreasonable in numerous ways,
by sending emails, calling the EthicsLine, holding protests, and even approaching newspapers.
However, management failed to adequately perform their responsibilities with respect to the sales
practices misconduct problem which persisted for many years.
“Leadership Failure” explains how leaders distorted the sales model, fostering an atmosphere that
prompted low-quality sales and improper and unethical behavior.
The Board Report indicated that employees below the branch manager level — lower level in-branch
managers and non-managers — frequently cited branch managers as actively directing misconduct or
offering inappropriate guidance to subordinates on what constituted acceptable conduct. Non-managers,
in particular, attributed sales pressure to branch managers, and occasionally to district
managers, who incessantly pushed employees to meet aggressive sales goals. The high turnover rate
(35% annually) in the Community Bank indicated that sales pressure was excessive and was driving
employee separations.
For years, Wells Fargo has developed its obsession with cross-sell products. According to the Board
Report, Wells Fargo identified itself as a sales organization, such as retail stores or departments, rather
than a service-oriented financial institution. This provided justification for a relentless monitoring of
sales, abbreviated training, and high employee turnover. Wells Fargo’s sales-oriented culture
eventually led to the widespread unsound sales practices discussed in “Analyzing the Fake-Account
Scandal”.
17 The statements from former Wells Fargo employees are from “Former Wells Fargo Employees Describe Toxic Sales Culture, Even At HQ,” NPR, accessed on February 24, 2020.
Exhibit C: Wells Fargo’s Cutthroat Sales Culture
The following are excerpts from the OCC Notice of Charges N20-001.
The Community Bank implemented the following philosophy to drive sales results: “A whole bunch
of management gurus say you need BHAGs – bold, hairy, audacious goals. That’s a technique of
management – to give troops a goal that looks unattainable and flog them heavily. And according
to that line of thought, you will do better chasing a BHAG than you will a reasonable objective.”
Management within the Community Bank implemented aggressive “flogging” techniques, including:
1. Running the “gauntlet,” wherein local managers were required to run between rows of their
peers and announce their area’s sales performance, subjecting them to criticism and ridicule if
their performance was poor.
2. Threatening direct reports with termination and other corrective actions for not meeting the
unreasonable sales goals: “[y]ou struggle – you’re gone.”, “[s]ome of you truly need a miracle
today to get back on track. Most of you should be embarrassed by your numbers. Your numbers
ARE your measure of success-don’t fool yourselves. You are defined by your goal achievement.
If you are afraid to produce because you think you’re going to get fired, we have a much bigger
problem.”
3. Warning employees that if they did not achieve sales goals, they would be “transferred to a
store where someone had been shot and killed” and if they did not make enough appointments
they would be “forced to walk out in the hot sun around the block.”
4. Having multiple daily calls with management to discuss sales performance. Low performers
typically were called out in front of their peers and asked to explain how they would improve
their sales performance: “Be adults and get your asses on our calls. It’s pathetic that I have to
remind you all. And everyone se[ems] to have an excuse. Go work at Walmart if you cannot
handle any of the aforementioned. Thank you.”
Source: The OCC Notice of Charges N20-001
Review Questions - Section 1
1. Which of the following is NOT a primary function of the Federal Reserve?
A. Conducting the nation’s monetary policy
B. Promoting the stability of the financial system
C. Fostering payment and settlement system safety and efficiency
D. Requiring public companies to disclose meaningful financial information to the public
2. Which of the following situations is under the jurisdiction of the Consumer Financial Protection
Bureau (CFPB)?
A. Activating unauthorized lines of credit on consumers’ accounts
B. Selling unapproved and misbranded drugs
C. Failing to make accurate and complete disclosure to investors
D. Illegally disposing of hazardous waste
3. The Securities and Exchange Commission (SEC) performs all of the following tasks EXCEPT:
A. Maintaining standards for fair, orderly, and efficient markets
B. Investigating possible violations of the federal securities laws
C. Developing generally accepted accounting principles
D. Ensuring that investors are provided with material information
4. Pacific West, a life insurance company, suggests its customers sign up for car, home, and health
insurance. Pacific West uses which of the following sales techniques?
A. Inside sales
B. Cross-sell
C. Bait-and-switch
D. Up-sell
5. Tom works for a local bank. To meet his sales goals and incentives, he intentionally held off on
opening accounts in December until January. Which unsound sales practice was he committing?
A. Sandbagging
B. Pinning
C. Bundling
D. Simulated funding
II. Analyzing the Fake-Account Scandal
1. A Violation of Public Trust and Confidence
“Lack of trust and confidence in the banking sector creates material costs to society. Fixing culture in
banking is now a public trust—as well as an economic—imperative.”
Group of Thirty, Banking Conduct and Culture, July 2015
Trust is vital to the conduct of all businesses. For example, we trust grocery stores to provide safe food.
We trust airlines to deliver our luggage to the right destination on time. The core of the banking
industry is trust. Banks have traditionally recognized their duty to act in a manner of public trust and
confidence and maintain high standards of conduct. The most strategic dimension of trust is
relationship building, such as a bank’s willingness and ability to do what is right for its customers. This
level of trust indicates a bank’s commitment to keep its promise and deliver products and services that
contribute to its customer’s financial well-being.
Trust takes years to establish. However, it can be destroyed in a moment through failures caused by
poor ethics, values, and behaviors. This section examines how Wells Fargo violated the trust the bank
had with its customers.
Consumer Abuses: Deceptive and Abusive Acts
“Spurred by sales targets and compensation incentives, employees boosted sales figures by covertly
opening accounts and funding them by transferring funds from consumers’ authorized accounts
without their knowledge or consent, often racking up fees or other charges.”
CFPB Newsroom September 8, 2016
Between 2011 and 2016, employees created about 2.1 million fraudulent accounts (more than 1.5
million unauthorized checking and savings accounts and about 565,000 fraudulent credit cards) to
meet aggressive sales quotas. As a result of the fake-account scandal, the bank fired 5,300 mostly
lower-level workers for engaging in these reckless unsafe banking practices, including the opening and
manipulation of customer accounts without the customer’s consent.
In 2017, Wells Fargo uncovered an additional 1.4 million fake bank accounts and credit card accounts
opened between 2009 and 2016. This brings the total number of fake accounts to 3.5 million. Former
Wells Fargo Branch Manager Susan Fischer told CNN18 “These practices were going on way before
18 The former Wells Fargo employee’s interview is from “Wells Fargo workers: Fake accounts began years ago,” CNN Business, accessed on March 1, 2020.
2011.” Fischer said she remembers her district manager instructing her in 2007 to make the employees
reporting to her open unauthorized accounts.
Having multiple credit card inquiries can affect a credit score, especially if they occur over a short
period of time. Thus, the consequential opening, closing, and reopening of credit card accounts
harmed customers’ credit scores. If the account had an annual fee that was left unpaid and the
account was termed delinquent, the customer’s credit score would suffer long-term consequences.
In 2016, the CFPB determined that Wells Fargo violated the Consumer Financial Protection Act of
2010, 12 U.S.C. §§ 5531 and 5536(a)(1)(B) by engaging in the following unsound banking practices19:
1. Opened unauthorized deposit accounts for existing customers and transferred funds to those
accounts from their owners’ other accounts, all without their customers’ knowledge or
consent.
2. Submitted applications for credit cards in consumers’ names using consumers’ information
without their knowledge or consent.
3. Enrolled consumers in online-banking services that they did not request.
4. Ordered and activated debit cards using consumers’ information without their knowledge or
consent.
Consumer Financial Protection Act of 2010:
12 U.S.C. § 5531: PROHIBITING UNFAIR, DECEPTIVE, OR ABUSIVE ACTS OR PRACTICES.
12 U.S.C. § 5536(a)(1)(B): IN GENERAL.—It shall be unlawful for— (1) any covered person or service
provider—(B) to engage in any unfair, deceptive, or abusive act or practice.
19 The consent order from the CFPB is from “Consent Order 2016-CFPB-0015,” CFPB, September 8, 2016.
The Race to Eight: A Misleading Performance Metric
“Because of the centrality of the cross-sell metric to Wells Fargo’s investor narrative, Company
executives were focused on maintaining cross-sell growth from at least 2007 through 2016. The
compensation of certain Company executives was impacted by cross-sell growth.”
The SEC Settled Administrative Order No. 3-19704
Wells Fargo had a long history of strong performance as a self-identified sales organization. The bank
used the cross-sell metric, the ratio of the number of accounts and products per retail bank household,
to measure its success at executing this core business strategy. It is considered as a driver of future
revenue. From at least 2000 until the third quarter of 2016, Wells Fargo published a Community Bank
“cross-sell metric” in its annual reports and SEC Forms 10-Q, 10-K, and 8-K.
Wells Fargo has been a master of cross-sell over the years. In 1998, Wells Fargo’s retail banking cross-
sell ratio was 3.2 products per household. For the next 10 years, it increased the ratio each year, up
to 5.95 products per household. In 2010, the ratio was reduced to 5.7 because Wells Fargo combined
its cross-sell ratio with recently acquired Wachovia Bank.
By 2012, its cross-sell ratio had reached 6.05, almost triple the banks’ average of 2.3 products used
by customers. Wells Fargo has sought to distinguish itself in the marketplace as a leader in “cross-sell”
of products and services to existing customers who did not already have them. The sales-oriented
culture helped the bank's bottom line. Wells Fargo expanded the number of products it sold to millions
of customers, and from 2006 to 2015 the bank’s stock rose 67%20.
Figure: Wells Fargo Retail Banking Cross-Sell Ratio (Annual Report 1998 - 2015)
1998: 3.2; 1999: 3.4; 2000: 3.7; 2001: 3.8; 2002: 4.2; 2003: 4.3
2004: 4.6; 2005: 4.8; 2006: 5.2; 2007: 5.5; 2008: 5.73; 2009: 5.95
2010: 5.70; 2011: 5.92; 2012: 6.05; 2013: 6.16; 2014: 6.17; 2015: 6.11
Note: In 2010, Wells Fargo began to combine Wachovia and Wells Fargo cross-sell numbers, lowering the overall ratio.
Source: Public Citizen, The “King of Cross-Sell” and the Race to Eight, 2016
20 The Wells Fargo stock information is from “Former Wells Fargo Employees Describe Toxic Sales Culture, Even At HQ,” NPR, accessed on February 21, 2020.
According to the SEC, Wells Fargo characterized its cross-sell strategy to investors as a key component
of its financial success and routinely discussed its efforts to achieve cross-sell growth during investor
presentations and analyst conferences. It represented to investors that the bank’s ability to execute
successfully on its cross-sell strategy provided the company with a competitive advantage that caused
an increase in revenue. For example, CNN Business reported that the key message Wells Fargo wanted
to drive home to its shareholders was that the bank averaged an impressive 6.1 products per household, far
better than the rest of the industry.
In February 2020, the SEC charged Wells Fargo with misleading investors about the success of its core
business strategy, the cross-sell model. Wells Fargo induced investors to continue relying on its cross-
sell metric even though it was inflated by low-quality accounts and services that were unused,
unneeded, or unauthorized. The unauthorized products and services inflated the cross-sell metric and
resulted in enhanced stock prices.
Lesson Note: To protect investors from dangerous or illegal financial practices or fraud, the Securities
Exchange Act of 1934 requires public companies to disclose full and accurate financial and other
information to the public. This provides a common pool of knowledge for all investors to use to judge
for themselves whether to buy, sell, or hold a particular security.
According to the SEC order, Wells Fargo violated Section 10(b) of the Securities Exchange Act of
1934 and Rule 10b-5 by engaging in the following fraudulent activities21:
1. Thousands of Wells Fargo’s employees participated in the extensive sales practices
misconduct to attain sales through fraud, identity theft, and the falsification of bank records.
As a result, Wells Fargo opened millions of accounts or financial products that were
unauthorized or fraudulent between 2002 and 2016. During the same period, Wells Fargo also
opened significant numbers of low-value products (e.g., unneeded, unwanted).
2. Accounts and financial products opened without customer consent or pursuant to “gaming”
practices were included in the Community Bank cross-sell metric until such accounts were
eventually closed for lack of use.
3. Wells Fargo failed to disclose to investors that the Community Bank’s sales model had caused
widespread unlawful and unethical sales practices misconduct from 2012 to 2016.
4. Wells Fargo characterized the cross-sell metric as a ratio of “products used by customers in
retail banking households” in response to an SEC Comment Letter that asked how the cross-
sell metric was calculated, and in its 2014 and 2015 Annual Reports. Management knew that
21 The Wells Fargo improper sales practices information is from the SEC Settled Administrative Order No. 3-19704, February 21, 2020.
the metric included many products that were not used by customers. Wells Fargo’s inclusion
of the word “used” to describe the accounts was therefore misleading.
Lesson Note: Gaming is defined as the manipulation and/or misrepresentation of sales to receive
compensation or meet sales goals.
Rule 10b-5 is the SEC’s main basis for investigating possible securities fraud claims. The rule applies to any
person who directly or indirectly uses any means to defraud, make false statements, or omit relevant
information in the purchase or sale of any security. For example, the SEC often uses this rule to charge
a person with illegal insider trading. Another violation of this rule includes executives making false
statements or manipulating financial performance results to drive up share prices. These schemes
usually require ongoing, misleading statements in order to perpetrate the fraud.
Rule 10b-5: Employment of Manipulative and Deceptive Practices:
It shall be unlawful for any person, directly or indirectly, by the use of any means or instrumentality of
interstate commerce, or of the mails or of any facility of any national securities exchange,
a. To employ any device, scheme, or artifice to defraud,
b. To make any untrue statement of a material fact or to omit to state a material fact necessary in
order to make the statements made, in the light of the circumstances under which they were
made, not misleading, or
c. To engage in any act, practice, or course of business which operates or would operate as a fraud
or deceit upon any person, in connection with the purchase or sale of any security.
Reckless Behavior: Deficiencies in Oversight of Sales Practices
“The Bank (Wells Fargo) tolerated pervasive sales practice misconduct as an acceptable side effect of
the Community Bank’s profitable sales model, and declined to implement effective controls to catch
systemic misconduct.”
The OCC Notice of Charges N20-001
Although the OCC, Federal Reserve, and FDIC all have safety and soundness authority, the OCC is the
primary prudential regulator of Wells Fargo’s bank subsidiary. The OCC regulates Wells Fargo’s internal
controls, its management of operational and reputational risks, and deposit and lending activities. The
OCC has strong enforcement powers, including the ability to issue cease and desist orders and revoke
federal bank charters. In September 2016, the OCC found22:
• Deficiencies and unsafe or unsound practices in Wells Fargo’s risk management and oversight
of its sales practices; and
• Unsafe or unsound sales practices by the bank.
22 The OCC findings are from the OCC Consent Order AA-EC-2016-66, September 1, 2016.
The OCC stated that the incentive compensation program and plans within the Community Bank
fostered the unsafe or unsound sales practices. Thus, the OCC found that employees were pressured
to sell products by engaging in the following fraudulent activities:
1. The selling of unwanted deposit or credit card accounts.
2. The unauthorized opening of deposit or credit card accounts.
3. The transfer of funds from authorized, existing accounts to unauthorized accounts.
4. Unauthorized credit inquiries for purposes of the conduct described in 1 and 2.
The OCC also cited that the bank did not have a sufficient Enterprise-Wide Sales Practices Oversight
Program. As a result, the bank failed to prevent and detect the sales practices misconduct described
above and failed to mitigate the risks that resulted from such malpractices. Finally, the OCC identified
deficiencies in the bank’s customer complaint monitoring process that hindered the bank from:
• Assessing customer complaint activity across banks;
• Adequately monitoring, managing, and reporting on customer complaints; and
• Analyzing and understanding the potential sales practices risk.
The OCC order also requires the bank to take corrective action to establish an enterprise-wide sales
practices risk management and oversight program to detect and prevent unsafe or unsound sales
practices.
2. The Price of Deceitful Behavior
“Without a culture that insists on high standards of values and conduct, it is difficult to generate and
sustain trust and reputation, which are the bedrock of a safe and effective financial system.”
Group of Thirty, Banking Conduct and Culture, July 2015
Penalties and Fines
In September 2016, Wells Fargo was hit with a total of $185 million in penalties by the CFPB ($100
million), the OCC ($35 million), and the City and County of Los Angeles ($50 million) for its pervasive
improper sales practices that harmed customers in a variety of ways (e.g., secretly opening
unauthorized accounts, transferring funds among unauthorized accounts) as previously noted. In
addition to the civil monetary penalties, Wells Fargo was required to take action to identify, correct,
and prevent deficiencies in the bank’s sales practices.
In February 2020, the bank agreed to pay an additional $3 billion to settle criminal and civil
investigations with the Justice Department and the SEC regarding the fake-account scandal. Wells
Fargo agreed to pay $500 million to settle the charges, an amount that will be returned to investors. The
$500 million payment is part of a combined $3 billion settlement with the SEC and the Department of
Justice23. The $3 billion fine is about 15% of Wells Fargo’s 2019 profits ($19.5 billion).
Table 1 identifies Wells Fargo’s top 10 primary offense types between 2000 and 2019. Table 2 lists
Wells Fargo’s most recent offenses (2016 - 2019).
Table 1
| Top 10 Primary Offense Types (2000-2019) | Penalty Total |
| --- | --- |
| mortgage abuses | $5,625,783,671 |
| toxic securities abuses | $3,637,750,000 |
| banking violation | $3,541,932,386 |
| investor protection violation | $1,633,122,646 |
| False Claims Act and related | $1,200,000,000 |
| consumer protection violation | $634,199,965 |
| wage and hour violation | $214,903,723 |
| anti-money-laundering deficiencies | $163,500,000 |
| price-fixing or anti-competitive practices | $148,000,000 |
| benefit plan administrator violation | $130,775,000 |
Source: Good Jobs First, Violation Tracker Parent Company Summary, with values accessed on March 11, 2020.
23 The Wells Fargo settlement data is from “Wells Fargo to Pay $500 Million for Misleading Investors About the Success of Its Largest Business Unit,” SEC Press Release 2020-38, with values accessed on February 28, 2020.
Table 2
Wells Fargo Penalties 2016 - 2019
| Parent Company | Penalty Amount | Penalty Year | Primary Offense | Agency |
| --- | --- | --- | --- | --- |
| Wells Fargo | $14,475,000 | 2019 | investor protection violation | Commodity Futures Trading Commission |
| Wells Fargo | $283,697 | 2019 | employment discrimination | Office of Federal Contract Compliance Programs |
| Wells Fargo | $812,500 | 2019 | investor protection violation | Securities and Exchange Commission |
| Wells Fargo | $17,363,847 | 2019 | investor protection violation | Securities and Exchange Commission |
| 2019 subtotal | $32,935,044 | | | |
| Wells Fargo | $500,000,000 | 2018 | consumer protection violation | Consumer Financial Protection Bureau |
| Wells Fargo | $17,250,000 | 2018 | toxic securities abuses | Illinois Attorney General |
| Wells Fargo | $2,090,000,000 | 2018 | toxic securities abuses | Justice Department Civil Division |
| Wells Fargo | $575,000,000 | 2018 | banking violation | Multistate Attorneys General Case |
| Wells Fargo | $65,000,000 | 2018 | investor protection violation | New York Attorney General |
| Wells Fargo | $500,000,000 | 2018 | banking violation | Office of the Comptroller of the Currency |
| Wells Fargo | $5,108,441 | 2018 | investor protection violation | Securities and Exchange Commission |
| Wells Fargo | $27,500,000 | 2018 | wage and hour violation | |
| Wells Fargo | $9,500,000 | 2018 | wage and hour violation | |
| 2018 subtotal | $3,789,358,441 | | | |
| Wells Fargo | $5,400,000 | 2017 | Servicemembers Civil Relief Act | Justice Department Civil Rights Division |
| Wells Fargo | $5,400,000 | 2017 | workplace whistleblower retaliation | Occupational Safety & Health Administration |
| Wells Fargo | $577,500 | 2017 | workplace whistleblower retaliation | Occupational Safety & Health Administration |
| Wells Fargo | $3,500,000 | 2017 | anti-money-laundering deficiencies | Securities and Exchange Commission |
| Wells Fargo | $13,000,000 | 2017 | wage and hour violation | |
| Wells Fargo | $3,500,000 | 2017 | wage and hour violation | |
| Wells Fargo | $685,000 | 2017 | wage and hour violation | |
| Wells Fargo | $3,900,000 | 2017 | wage and hour violation | |
| Wells Fargo | $35,500,000 | 2017 | employment discrimination | |
| 2017 subtotal | $71,462,500 | | | |
| Wells Fargo | $8,500,000 | 2016 | privacy violation | California Attorney General |
| Wells Fargo | $400,000 | 2016 | data submission deficiencies | Commodity Futures Trading Commission |
| Wells Fargo | $100,000,000 | 2016 | banking violation | Consumer Financial Protection Bureau |
| Wells Fargo | $4,010,000 | 2016 | student loan abuses | Consumer Financial Protection Bureau |
| Wells Fargo | $1,200,000,000 | 2016 | False Claims Act and related | Justice Department Civil Division |
| Wells Fargo | $4,100,000 | 2016 | Servicemembers Civil Relief Act | Justice Department Civil Rights Division |
| Wells Fargo | $11,874 | 2016 | Family and Medical Leave Act | Labor Department Wage and Hour Division |
| Wells Fargo | $50,000,000 | 2016 | consumer protection violation | Los Angeles (CA) City Attorney |
| Wells Fargo | $35,000,000 | 2016 | banking violation | Office of the Comptroller of the Currency |
| Wells Fargo | $70,000,000 | 2016 | banking violation | Office of the Comptroller of the Currency |
| Wells Fargo | $20,000,000 | 2016 | Servicemembers Civil Relief Act | Office of the Comptroller of the Currency |
| Wells Fargo | $440,000 | 2016 | investor protection violation | Securities and Exchange Commission |
| Wells Fargo | $8,000,000 | 2016 | consumer protection violation | West Virginia Attorney General |
| Wells Fargo | $12,000,000 | 2016 | employment screening violation | |
| 2016 subtotal | $1,512,461,874 | | | |
| Total Penalties (2016 - 2019) | $5,406,217,859 | | | |
Source: Good Jobs First, Violation Tracker Parent Company Summary, with values accessed on March 11, 2020.
The Damage to Brand and Reputation
“Rebuilding trust became our top priority when I became CEO last October. That’s when we began
our recovery from the reputation damage we sustained from unacceptable retail sales practices in
the Community Bank.”
Tim Sloan, Former CEO (2016 − 2019), Wells Fargo
A bank’s reputation is mainly built on trust, a strong predictor of loyalty. Banks consider trust a
strategic imperative as they need trust to retain customers and expand their business. Thus, building
and maintaining trust with consumers over the long term is vital. We trust banks to protect our money.
We trust banks to keep our private information confidential. We trust banks to provide us with
accurate information and access to the deposits on request. We trust banks to recommend the right
products and solutions for our needs. Ultimately, we trust the bank to be there to help. The actions
that Wells Fargo undertook violated the public trust and confidence on the most basic levels.
There is evidence that the scandal has inflicted serious damage on the Wells Fargo reputation.
According to American Banker’s reputation survey, Wells Fargo’s score dramatically fell from 67.3
(average) in 2016 to 48.6 (weak) in 2017, by far the lowest of any bank24. American Banker also
reported that Wells Fargo experienced a sharp decrease in new account openings in 2017 since the
scandal broke in 2016. Following Wells Fargo’s announcement of the 2016 settlements with the OCC,
the CFPB, and the City of Los Angeles, Wells Fargo’s stock experienced three significant stock drops
that translated into an approximately $7.8 billion decrease in market capitalization25.
Lesson Note: According to the American Banker, a score under 50 is considered "weak." Scores
between 60 and 69 are "average"; between 70 and 79, "strong"; and above 80, "excellent."
In May 2018, Wells Fargo launched a new, integrated marketing campaign called “Re-Established” to
emphasize the company’s commitment to re-establish trust with stakeholders. One key component of
this campaign is a commercial called “Trust” which aired nationwide and signaled Wells Fargo’s intent
in a bold way. In January 2019, the bank launched another integrated marketing campaign called “This
is Wells Fargo,” which followed the 2018 “Re-Established” campaign. “This is Wells Fargo”
focused on changes the bank made to its operations and culture in order to deliver exceptional service
and rebuild trust with customers.
Following the campaign, Wells Fargo issued a Business Standards Report as part of its commitment
to transparency while it works to rebuild trust with stakeholders and transform the company. The
report, titled “Learning from the past, transforming for the future,” represents an important milestone
in Wells Fargo’s work to rebuild trust. It details the changes Wells Fargo has made since 2016 to
address the causes of past issues and provides updates on the company’s businesses, practices, and
progress on its goals.
24 The Wells Fargo reputation survey scores are from “2017 reputation survey: Banks avoid the Wells Fargo drag,” American Banker, accessed on March 11, 2020.
25 The Wells Fargo decreased market capitalization data is from the SEC Settled Administrative Order No. 3-19704, February 21, 2020.
Other Regulatory Related Matters
CRA Performance Evaluation
The Community Reinvestment Act (CRA) was enacted in 1977 (12 U.S.C. 2901). The CRA requires the
federal financial supervisory agencies (e.g., FDIC, OCC) to assess each institution's record of helping
meet the credit needs of its entire community, including low- and moderate-income neighborhoods,
consistent with the safe and sound operation of the institution. A financial institution's CRA
performance in helping to meet the credit needs of its community is evaluated in the context of
information about the institution (capacity, constraints and business strategies), its community
(demographic and economic data, lending, investment, and service opportunities), and its competitors
and peers26.
OCC's responsibilities under the CRA include:
• Assessing a national bank's record of helping to meet the credit needs of its entire community,
including low- and moderate-income neighborhoods, and
• Considering that record in evaluating a bank's application for new branches, relocation of an
existing branch, mergers and consolidations, and other corporate activities.
In March 2017, the OCC downgraded Wells Fargo’s most recent CRA rating, from “Outstanding” to
“Needs to Improve” due to the bank’s sales practices abuses. This is Wells Fargo’s lowest level since
1994. According to the OCC report27, Wells Fargo demonstrated “an extensive and pervasive pattern
and practice of violations across multiple lines of business within the bank”. The OCC report further
explained that:
• The bank failed to implement an effective compliance risk management program designed to
properly prevent, identify and correct violations.
• Bank management instituted policies, procedures and performance standards that
contributed to several of the violations for which evidence has been identified.
26 The CRA purpose and criteria are from “CRA Rating Search Frequently Asked Questions (FAQs)”, the Federal Financial Institutions Examination Council's (FFIEC), accessed on March 9, 2020.
27 The Wells Fargo CRA information is from “COMMUNITY REINVESTMENT ACT PERFORMANCE EVALUATION- September 30, 2012,” Wells Fargo Media, accessed on March 18, 2020.
Lesson Note: Interstate banks receive an overall rating as well as an evaluation based on their CRA
performance in each state and metropolitan statistical area in which they have branches. An overall
CRA rating is assigned using a four-tiered rating system including “Outstanding”, “Satisfactory”, “Needs
to Improve”, and “Substantial Noncompliance”.
The rating, which is usually reviewed every five years, imposes regulatory restrictions and limitations
on the bank’s ability to engage in mergers/acquisitions and open branches. The rating also requires
the bank to seek prior regulatory approval for certain financial activities such as issuing or prepaying
debt and opening bank branches. Moreover, a “Needs to Improve” rating could potentially prevent
the bank from investing in certain government business that requires a higher rating.
The OCC assigns a rating for a large bank assessed under the lending, investment, and service tests.
The following table demonstrates the rating of “Needs to Improve” for lending performance.
Large Bank CRA Lending Performance Ratings
Rating: Needs to Improve
Criteria:
• Poor responsiveness to credit needs in its assessment area(s), taking into
account the number and amount of home mortgage, small business, small
farm, and consumer loans, if applicable, in its assessment area(s).
• Small percentage of its loans is made in its assessment area(s).
• Poor geographic distribution of loans, particularly to low- or moderate-
income geographies, in its assessment area(s).
• Poor distribution, particularly in its assessment area(s), of loans among
individuals of different income levels and businesses (including farms) of
different sizes, given the product lines offered by the bank.
• Poor record of serving the credit needs of highly economically disadvantaged
areas in its assessment area(s), low-income individuals, or businesses
(including farms) with gross annual revenues of $1 million or less, consistent
with safe and sound operations.
• Little use of innovative or flexible lending practices in a safe and sound manner
to address the credit needs of low- or moderate-income individuals or
geographies.
• Low level of community development loans.
Source: The OCC, Comptroller’s Handbook − Examination Process: Bank Supervision Process, September 2019.
Asset Cap: The Growth Restriction
In early 2018, the Federal Reserve imposed an unprecedented order capping Wells Fargo’s asset growth
as a penalty for its widespread consumer abuses and other lapses, to remain in place until they are
remedied to the regulator's satisfaction. The restriction barred Wells Fargo from increasing total assets
beyond its level at the end of 2017 ($1.95 trillion). According to Federal Reserve Board Chair Janet Yellen28:
“We cannot tolerate pervasive and persistent misconduct at any bank and the consumers harmed by
Wells Fargo expect that robust and comprehensive reforms will be put in place to make certain that
the abuses do not occur again. The enforcement action we are taking today will ensure that Wells
Fargo will not expand until it is able to do so safely and with the protections needed to manage all of
its risks and protect its customers.”
The growth restriction will not be lifted until Wells Fargo proves that it has developed remedies for its risk
management and controls and implemented them to the regulator’s satisfaction.
28 The Federal Reserve press release is from “Responding to widespread consumer abuses and compliance breakdowns by Wells Fargo, the Federal Reserve Board…announced that it would restrict the growth of the firm until it sufficiently improves its governance and controls. Concurrently, with the Board’s action, Wells Fargo will replace three current board members by April, and a fourth board member by the end of the year.” Federal Reserve, February 2, 2018.
Review Questions - Section 2
1. By engaging in unsound banking practices (e.g., sandbagging, pinning), Wells Fargo violated which of
the following regulations?
A. Expedited Funds Availability Act of 1987
B. Sarbanes-Oxley Act of 2002
C. Consumer Financial Protection Act of 2010
D. Foreign Corrupt Practices Act of 1977
2. To protect investors from dangerous or illegal financial practices or fraud, which of the following
laws requires companies to disclose full and accurate financial and other information to the
public?
A. The Securities and Exchange Act of 1934
B. The Investment Advisers Act of 1940
C. The Freedom of Information Act
D. The Private Securities Litigation Reform Act of 1995
3. Which of the following regulations encourages depository institutions to meet the credit needs of
low- and moderate-income neighborhoods?
A. Fair Credit Reporting Act of 1970
B. SAFE Banking Act of 2019
C. Community Reinvestment Act of 1977
D. Truth-In-Lending Act of 1968
III. Learning from the Scandal
“The root cause of sales practice failures was the distortion of the Community Bank’s sales culture
and performance management system, which, when combined with aggressive sales management,
created pressure on employees to sell unwanted or unneeded products to customers and, in some
cases, to open unauthorized accounts.”
Independent Directors of the Board of Wells Fargo & Company - Sales Practices Investigation Report
1. Why the Improper Sales Practices Happened
“The Community Bank’s business model and the senior leaders of the Bank presented a stark dilemma
to employees every day for 14 years: they could engage in sales practice misconduct—much of which
was illegal—to meet their goals, or they could struggle to meet their goals and face adverse
consequences, including losing their jobs.”
The OCC Notice of Charges N20-001
The Toxic Sales Culture
Wells Fargo maintained an ethics program to instruct employees on recognizing and addressing
conflicts of interest. It also implemented a whistleblower hotline to alert senior management of
violations. However, under the overbearing sales culture, with increased pressure to meet the
unreasonable sales targets, employees inevitably were driven to engage in widespread fraudulent and
illegal activities to sell more, more, and more. This section explains how Wells Fargo’s undesirable
subculture (contradictory to the corporate values) led to the fake-account scandal.
The Intended Culture
“We want to satisfy our customers’ financial needs and help them succeed financially.”
Wells Fargo’s Vision
Wells Fargo has a reputation of serving customers through trusted relationships and products and
services that help customers succeed financially. Wells Fargo published a 44-page “Vision and Values”
brochure that explained, at length, how the bank built the journey toward a customer-centric, not a
product-centric, path. The brochure used the word “trust” 56 times. In the brochure, the bank
emphasized that:
“Our vision has nothing to do with transactions, pushing products or getting bigger for the sake of
bigness. It’s about building lifelong relationships one customer at a time.”
“We start with what the customer needs—not with what we want to sell them.”
Moreover, Wells Fargo’s Code of Ethics explains that the bank’s aim is to promote an atmosphere in
which ethical behavior is well recognized as a priority and practiced on a day-to-day basis. The Code
of Ethics contains basic principles and additional guidance to help their employees make the best
decisions and to comply with the laws, rules, and regulations. The Code of Ethics also sets a clear
employee expectation that:
“We have a responsibility to always act with honesty and integrity. When we do so, we earn the trust
of our customers. We have to earn that trust every day by behaving ethically, rewarding open, honest
communication, and holding ourselves accountable for the decisions we make and the actions we
take.”
Specifically, the Code of Ethics reminds employees to always remember:
✓ Products provided to our customers should be in the customer’s best interest, must be
explained in a way that the customer can understand, and the terms and conditions must be
thoroughly and accurately disclosed.
✓ Steering a customer to an inappropriate or unnecessary product to receive sales credit may
harm the customer and is a violation of the Code.
✓ Manipulating or misrepresenting sales, reporting, or customer information is a violation of the
Code.
✓ Know the sales referral and compensation guidelines that are applicable to your role.
✓ Never engage in unfair, deceptive, or abusive acts or practices.
Finally, in its 2015 Annual Report, Wells Fargo emphasized that:
“Our approach to cross-sell is needs-based as some customers will benefit from more products, and
some may need fewer.”
Conflicts of Interest and Ethics
“Ethics and integrity are as critical as ever to our work to build a better bank for all of our stakeholders.”
Wells Fargo’s Code of Ethics – A Message from the CEO
As previously noted, Wells Fargo’s vision is clearly focused on acting in the best interests of their
customers to help them succeed financially. However, there was a growing conflict in the Community
Bank between Wells Fargo’s Vision Statement and its emphasis on sales goals. The Board Report found
that:
“Corporate control functions were constrained by the decentralized organizational structure and a
culture of substantial deference to the business units.”
The Board Report cited that the bank’s decentralized structure gave too much authority and autonomy
to the Community Bank’s senior management, who “were unwilling to change the sales model or even
recognize it as the root cause of the problem.” That is, the decentralized operation aided by a culture
of strong deference to management of the lines of business had an adverse impact on how the control
environment functioned.
Moreover, according to its 1999 Annual Report, Wells Fargo was: “Going for gr-eight product
packages29,” known internally as the “Gr-Eight Initiative” discussed earlier. In its 2010 Annual Report,
Wells Fargo sent out the following message clearly focused on sales volume:
“Even when we get to eight, we’re only halfway home. The average banking household has about 16.
I’m often asked why we set a cross-sell goal of eight. The answer is, it rhymed with “great.” Perhaps
our new cheer should be: “Let’s go again, for ten!””
In contrast to Wells Fargo’s Vision Statement, Code of Ethics, and disclosures about needs-based
selling, the Community Bank implemented this volume-based sales model in which employees were
directed, pressured, or caused to sell large volumes of products to existing customers, often with little
regard to actual customer need or expected use30. For example:
1. To meet the sales goals, employees engaged in “simulated funding” by transferring funds from
existing accounts to unauthorized accounts. This widespread practice gave the employees
credit for opening the new accounts. Thus, they were able to earn additional compensation.
Consumers, in turn, were sometimes harmed because they were charged for insufficient funds
or overdraft fees since the money was not in their original accounts.
2. During the sales push "Jump into January", former employees said they were expected to sell
20 products a day. Customers were sold unnecessary or unwanted services and products. For
instance, employees misrepresented to customers that certain products were available only
in packages with other products, known as “bundling”.
One of Wells Fargo’s primary values is that employees are committed to the highest standards of
integrity, transparency, and principled performance. There was a clear breakdown between the values
articulated in the corporate headquarters and those practiced out in the field, in the branch offices selling
consumer banking products.
29 The 1999 annual report information is from “The “King of Cross-Sell” and the Race to Eight,” Public Citizen, 2016.
30 The Wells Fargo improper sales practices information is from the SEC Settled Administrative Order No. 3-19704, February 21, 2020.
Examples of Wells Fargo Perpetual Sales Integrity Violations
The following are excerpts from the OCC Notice of Charges N20-001.
In February 2013, the Team Member Misconduct Executive Committee—including Respondent
Julian (Chief Auditor)—received a presentation that showed that “sales integrity violations” was
the second-most common category of employee investigations.
In August 2013, the Team Member Misconduct Executive Committee—including Respondent
Julian—received data that approximately half of the over 7,000 EthicsLine complaints investigated
by Corporate Investigations related to sales integrity violations and that the number of sales
integrity cases was increasing.
The Chief Security Officer and Head of Corporate Investigations reported to the Ethics Committee,
including Respondent Julian, in August 2013 that “Sales Integrity issues are most prevalent – there
needs to be continued focus in this area” and that most EthicsLine reports are “associated with
Sales Integrity Issues.”
Source: The OCC Notice of Charges N20-001
Leadership Failure
Lack of Risk Awareness
“Over time, even as senior regional leaders challenged and criticized the increasingly unrealistic sales
goals — arguing that they generated sales of products that customers neither needed nor used — the
Community Bank’s senior management tolerated low quality accounts as a necessary by-product of a
sales-driven organization.”
Independent Directors of the Board of Wells Fargo & Company - Sales Practices Investigation Report
As previously noted, Wells Fargo had a systemic and well-known problem with sales practices
misconduct that persisted for at least 14 years (2002 − 2016). Early problems with Wells Fargo’s sales-
focused culture date back to at least 1999 when the “Going for Gr-Eight” sales model was
implemented. Deceptive practices were widespread across the bank, and many former employees
stated that their managers knew about them. Senior executives chose profits and other market
rewards over taking action to stop the systemic issuance of unauthorized products and services to
customers. As a result, hundreds of thousands of employees engaged in numerous types of sales
practices misconduct.
According to the SEC, from at least as early as 2002 to approximately 2013, Wells Fargo management
directly and/or indirectly encouraged, caused and approved sales plans that called for aggressive
annual growth in a number of basic banking products, such as checking and savings accounts, debit
cards, credit cards, and bill pay accounts. Widespread misconduct has caused damage, including
downgraded credit ratings, reduced shareholder return, and reputational harm.
The Board Report pointed out that Stumpf was aware of aggressive sales goals, sales practice issues
(gaming) and associated incentive compensation plan over the years. For instance, Stumpf was
notified of the incident involving the branch in Colorado in 2002. Almost an entire branch in Colorado
engaged in a form of gaming to meet sales targets in connection with a promotional campaign. Sales
practice misconduct included issuing debit cards without customer consent and improper teller
referral credits. Moreover, Stumpf received numerous customer and employee complaints about sales
practices and sales pressure, which he or his assistants referred on to appropriate subordinates
without further follow-up. In short, Stumpf did not engage in investigation and critical analysis to fully
understand the sales practice issues. The Board Report concluded that:
“The former Chief Executive Officer, relying on Wells Fargo’s decades of success with cross-sell and
positive customer and employee survey results, was too slow to investigate or critically challenge sales
practices in the Community Bank. He also failed to appreciate the seriousness of the problem and the
substantial reputational risk to Wells Fargo.”
Exhibit D: Independent Directors of the Board of Wells Fargo & Company − Sales Practices
Investigation Report
The following are excerpts from the Board Report.
John Stumpf
After decades of success, Stumpf was Wells Fargo’s principal proponent and champion of the
decentralized business model and of cross-sell and the sales culture. His commitment to them
colored his response when sales practice issues became more prominent in 2013 and subsequent
years and led him to stand back and rely on the Community Bank to fix the problem, even in the
face of growing indications that the situation was worsening and threatened substantial
reputational harm to Wells Fargo. Because it was the responsibility of Community Bank leadership
to run the business “like they owned it,” Stumpf did not engage in investigation and critical analysis
to fully understand the problem.
Stumpf’s commitment to the sales culture also led him to minimize problems with it, even when
plausibly brought to his attention. Stumpf was by nature an optimistic executive who refused to
believe that the sales model was seriously impaired. His reaction invariably was that a few bad
employees were causing issues, but that the overwhelming majority of employees were behaving
properly. He was too late and too slow to call for inspection of or critical challenge to the basic
business model.
Stumpf was ultimately responsible for enterprise risk management at Wells Fargo, but was not
perceived within Wells Fargo as someone who wanted to hear bad news or deal with conflict. In
accordance with the decentralized model, a deferential culture existed whereby there was limited
encouragement for the management of different businesses to challenge each other or comment
on significant issues in the other lines of business. Under Stumpf, weekly Operating Committee
meetings generally did not serve as a forum for discussion, engagement or challenge among its
members.
Source: Independent Directors of the Board of Wells Fargo & Company Sales Practices Investigation Report
In light of the fake-account scandal, Stumpf was subject to a hearing before the Senate Banking
Committee on September 20, 2016, in an effort led by Senator Elizabeth Warren. Senators criticized
the bank for perpetrating a fraud on its customers, putting excessive pressure on low-level employees,
and failing to hold senior management responsible. On September 29, 2016, in testimony before the
House Financial Services Committee, Stumpf stated that he is “fully accountable for all unethical sales
practices in our retail banking business” and acknowledged his failure for “not doing more sooner to
address the causes of this unacceptable activity.”
In October 2016, Stumpf resigned as CEO and Chairman. Stumpf stepped down with a $134 million
retirement package. In April 2017, the Board determined that the bank would claw back approximately
$28 million of Stumpf’s incentive compensation paid in March 2016. In 2020, the OCC also issued a
prohibition order that included a lifetime ban on participation in the banking industry and a $17.5
million civil money penalty for the widespread sales scandal. Tim Sloan became CEO in October 2016
and resigned at the end of March 2019. In September 2019, Charles Scharf was appointed as the CEO
of Wells Fargo. Wells Fargo separated the roles of Chairman and CEO and changed the company by-laws
to reflect the separation.
Lesson Note: According to Group of Thirty, Banking Conduct and Culture, if the Chair and CEO positions
are not split, boards should ensure that the lead independent director spends adequate time in the
effective challenge role to the CEO on values and conduct issues.
Weak Management Oversight
Although Stumpf admitted that he made significant mistakes and helped create the culture that
resulted in sales practice abuses, senior management had a deep-seated adherence to its sales model,
fostering an atmosphere that prompted low-quality sales and unethical behavior. The Board Report
faulted management for:
• Failing to address the unreasonable or unrealistic sales goals that resulted in low-quality accounts
and improper behavior:
As the senior leaders mainly focused on financial performance, they were worried that
tightening up too much on quality would risk reducing sales of products. Thus, they tolerated
low-quality accounts as an acceptable side effect of the bank’s profitable sales model. They
viewed these low-quality accounts as a necessary by-product of a sales-driven organization.
Specifically, they failed to take necessary actions to examine the issues relating to improper
sales practices because they believed such actions could have a negative impact on
financial performance.
• Failing to recognize the significant risk to the bank’s brand and reputation from sales
practices misconduct and identify the potential for financial or other harm to customers:
Employee misconduct had increased over time under the relentless pressure to meet the
higher and higher daily sales targets. For instance, according to a memorandum issued by
Wells Fargo’s Internal Investigations group, annual sales gaming cases increased from 63 in
2000 to a projected 680 in 2004. That is, between 2000 and 2004, gaming cases increased
979%. The memorandum also identified a similar increase in terminations, from 21 in 2000 to
a projected 223 in 2004, increasing by 962%31.
Management failed to make meaningful changes to address the increasing scope of sales
practice violations and their association with sales incentives. For example, the Law
Department, particularly at its senior levels, did not discuss or address the seriousness and
scale of sales practice issues or fully consider whether there might be a pattern of illegal
conduct involved. Moreover, management did not conduct sufficient investigation to identify
and assess the impact of violations on customers. In general, management did not consider
reputational risk associated with and nonfinancial harm to customers resulting from the
misuse of personal information or the opening of accounts without their authorization.
• Failing to escalate issues to the Board regarding the sales practice issues by ignoring
warnings and minimizing the seriousness and scope of problems for years:
Prior to 2014, sales integrity issues were not identified as “noteworthy risks” either to the
Board as a whole or to any committee (e.g. Audit & Examination Committee, Risk Committee).
Following the Los Angeles Times article criticizing Wells Fargo’s sales practices, sales practice
issues were reported as a “noteworthy risk” to the Board and Risk Committee beginning in 2014
and thereafter. Although the Board regularly monitored the issue throughout 2015 and 2016,
management reports that minimized the sales practice violations did not accurately convey
the scope of the problem.
For example, the Board only realized that thousands of employees had been terminated for
sales practices misconduct from the September 2016 settlements with the Los Angeles City
Attorney, the OCC and the CFPB. Although management’s report usually lacked details and
was not accompanied by concrete action plans and metrics to track plan performance, the
Board Report cited that the Board and Risk Committee should have requested more
information (e.g. action plans).
31 The internal investigation information is from “Independent Directors of the Board of Wells Fargo & Company Sales Practices Investigation Report,” Wells Fargo Media, accessed on February 24, 2020.
In January 2020, to reinforce the OCC’s expectations that management and employees of national
banks and federal savings associations provide fair access to financial services, treat customers fairly,
and comply with applicable laws and regulations, the OCC issued the Notice of Charges N20-001
(Notice of Charges) against the following former senior executives for their role in the systemic sales
practices misconduct.
Name | Former Position | Report to | Civil Money Penalty
Carrie Tolstedt | Head of the Community Bank | CEO | $25,000,000
Claudia Russ Anderson | Community Bank Group Risk Officer | Head of the Community Bank | $5,000,000
James Strother | General Counsel | CEO | $5,000,000
David Julian | Chief Auditor | Audit and Examination Committee of the Board and administratively to the CEO | $2,000,000
Paul McLinko | Executive Audit Director | Chief Auditor | $500,000
Source: The OCC Notice of Charges N20-001
The Notice of Charges alleged that these executives failed to address the root cause of systemic
improper conduct across the entire Community Bank for at least 14 years (2002-2016). The pervasive
misconduct affected millions of customers including compromised accounts, misuse of personal
information, and actual financial harm. The Notice of Charges concludes that:
“It took a massive failure on the part of the senior management of the Community Bank, the Law
Department, and Audit for the sales practices misconduct problem to become as severe and pervasive
as it was and last as long as it did.”
Lesson Note: According to the OCC, as of November 2019, Wells Fargo has refunded at least $42.9
million to customers in connection with its review of sales practices.
Aggressive Incentive Compensation Plan
The Obsession with Sales Goals
“As this investigation confirmed, the only way definitively to address the broken sales model and the
root cause of sales practice abuses was to emphasize other metrics for performance and to abandon
exerting pressure through sales goals and sales-driven incentive programs.”
Independent Directors of the Board of Wells Fargo & Company - Sales Practices Investigation Report
An incentive compensation plan drives the employees’ performance. It also supports key business
goals and helps an organization to produce targeted results (e.g. increased revenue) by rewarding
employees who are responsible for those results. When properly implemented and monitored,
reasonable incentives can benefit consumers and the organization as a whole. For instance, companies
may be able to attract and retain high-performing employees to improve their overall competitive
performance. Consumers may also benefit if these programs lead to enhanced customer service or
introduce them to products or services that are beneficial to their financial interests. However, when
a plan develops aggressive, unreasonable, or impossible sales goals tied to reward structures, it can
encourage widespread bad behavior.
According to the Los Angeles City Attorney complaint32, Wells Fargo imposed “an ambitious and strictly
enforced sales quota system” in which “those failing to meet sales quotas are approached by
management, and often reprimanded and/or told to ‘do whatever it takes’ to meet their individual
sales quotas.” The Los Angeles City Attorney also found that “managers constantly hound, berate,
demean and threaten employees to meet these unreachable quotas.” Moreover, the OCC Notice of
Charges found that “the incentive compensation plans in the Community Bank were based upon these
unreasonable sales goals.”
Wells Fargo’s compensation plan emphasized cross-sell as a performance metric for awarding
incentive pay to employees. By creating an incentive compensation program rooted exclusively in sales
(e.g. number of new accounts), combined with unattainable sales goals and sales management, Wells
Fargo adopted an environment that perpetuated improper and illegal conduct. Compensation plans
for branch bankers were structured such that bankers had to meet certain threshold requirements to
be eligible for incentive compensation. Employees were ranked against one another on their
performance relative to goals, and their incentive compensation and promotional opportunities were
determined relative to those goals.
The Board Report indicated that the reward system created intense pressure to perform and, in certain
areas, local or regional managers imposed excessive pressure on their subordinates. For example, the
bank published scorecards that ranked individual branches on sales metrics (e.g. cross-sell). Scorecards
were updated daily, and employees and managers could check their progress against the sales plan at
any time and were encouraged to do so. In some cases, senior managers called their subordinates
several times a day to check in on sales performance and chastised those who failed to meet sales
goals. Certain managers made meeting scorecard goals their sole objective, a tactic referred to as
“managing to the scorecard”33.
32 The statements of Los Angeles City Attorney are from, “Complaint for Equitable Relief and Civil Penalties”, The People of the State of California, September 6, 2016.
33 The reward system information is from “Independent Directors of the Board of Wells Fargo & Company Sales Practices Investigation Report,” Wells Fargo Media, accessed on February 24, 2020.
The Board Report further identified that after 2010, Wells Fargo integrated performance management
and recognition with sales goals. As a result, incentive compensation and performance rating were
both linked with sales. That is, bankers, branch managers and district managers who did not meet sales
goals could miss out on opportunities to earn incentive compensation and were also at risk of poor
performance reviews.
The Amended Incentive Compensation Plan
“Our company is committed to developing and executing incentive compensation arrangements that
align with and reinforce our Vision, Values & Goals and comply with all applicable statutes and
regulations.”
Wells Fargo, Business Standards Report, December 2018
In general, recognition and reward systems should not send the message that standards are less
important than results. For example:
• A company should ensure that its performance management does not reward individuals who
do not meet acceptable behavior in alignment with company values and conduct expectations.
Employees should be reviewed by both what they do and how they do it.
• Promotions, compensation, recognition, and rewards should not mainly and directly tie to
short-term financial targets. Instead, they should be consistent with productivity measures,
desired values and behaviors, personal or group performance goals, or other key performance
indicators.
Wells Fargo no longer reports the cross-sell metric. In 2017, the bank modified its compensation plan
so that it is aligned with performance and promotes accountability. Compensation programs are designed
in accordance with the following principles34:
1. Pay for performance by linking compensation to company, business line, and individual
performance.
2. Promote a culture of risk management consistent with our Vision, Values & Goals, and avoid
unnecessary or excessive risk-taking.
3. Attract, motivate, and retain people with the skills, talent, and experience to drive superior
long-term company performance.
4. Align team members’ interests with shareholders’ interests and encourage behavior
consistent with long-term shareholder value creation.
34 The Wells Fargo compensation principles are from “Learning from the past, transforming for the future − Business Standards Report,” Wells Fargo, December 31, 2018.
Key aspects of the reformed incentive compensation plan include35:
• No product sales goals: Retail bankers who serve customers in bank branches and call centers
are instead focused on the customer experience.
• Primary customer growth and feedback: A larger allocation of incentives is associated with
direct customer feedback and growing the number of primary customer relationships.
• Longer-term view: Metrics in the plan take a longer-term view of customer relationships and
incorporate the quality of customer experiences and customer retention.
• Balance of performance: Incentive plans include a balance of team and individual
performance.
• Greater participation: A significantly higher percentage of team members will have the
opportunity to earn incentive pay under the plan, which is expected to drive greater alignment
across the Community Bank.
• Stronger oversight, governance, and risk controls: Stronger controls have been put in place
at the local, regional, and corporate levels to monitor behavior. Additional reporting is built
into the plan to provide enhanced oversight of the sales process.
The CFPB issued a compliance bulletin entitled “Detecting and Preventing Consumer Harm from
Production Incentives” that describes the risk of significant harm to consumers posed by incentive
programs to employees or service providers. Details are included in Exhibit E.
Exhibit E: Detecting and Preventing Consumer Harm from Production Incentives
Following are excerpts from the CFPB Compliance Bulletin 2016-03: Detecting and Preventing
Consumer Harm from Production Incentives.
Depending on the facts and circumstances, such incentives may lead to outright violations of Federal
consumer financial law and other risks to the institution, such as public enforcement, supervisory
actions, private litigation, reputational harm, and potential alienation of existing and future
customers. Specific examples of problems include:
• Sales goals may encourage employees, either directly or indirectly, to open accounts or enroll
consumers in services without their knowledge or consent. Depending on the type of account,
this may further result in, for example:
− Improperly incurred fees,
− Improper collections activities, and/or
− Negative effects on consumer credit scores.
• Sales benchmarks may encourage employees or service providers to market a product
deceptively to consumers who may not benefit from or even qualify for it.
• Paying compensation based on the terms or conditions of transactions (such as interest rate)
may encourage employees or service providers to overcharge consumers, to place them in less
favorable products than they qualify for, or to sell them more credit or services than they had
requested or needed.
• Paying more compensation for some types of transactions than for others that were or could
have been offered to meet consumer needs, which could lead employees or service providers
to steer consumers to transactions not in their interests, and
• Unrealistic quotas to sign consumers up for financial services may incentivize employees to
achieve this result without actual consent or by means of deception.
Source: CFPB Compliance Bulletin 2016-03: Detecting and Preventing Consumer Harm from Production Incentives,
November 28, 2016
35 Wells Fargo’s reformed incentive compensation plan information is from “Learning from the past,
transforming for the future − Business Standards Report,” Wells Fargo, December 31, 2018.
Theory of Fraudulent Behavior
Fraud does not just “happen.” Typically, various circumstances combine to create a situation favorable
to fraudulent activity. As previously noted, the fraud triangle usually starts with pressure (what
motivates the crime in the first place) followed by an opportunity, and finally a process of internal
rationalization. The prevailing corporate culture can directly produce one or more of these conditions.
The fake-account scandal was not an isolated incident, nor was it perpetrated by an individual
employee. The illegal conduct was pervasive throughout the Community Bank. All three elements
were present, laying the groundwork for the occurrence of systemic fraud that persisted for many
years. The following sections examine how pressure, opportunity, and rationalization facilitated
fraudulent activity in Wells Fargo.
Pressure
“A 2012 employee complaint sent to Respondents Tolstedt and Strother explained: When employees
are required to meet unreasonable numbers, they are forced into inappropriate activity to keep their
jobs. … Wells Fargo is playing a shell game – they are rewarding employees for fake accounts and will
terminate them if they find out this is the case. Yet management will chastise and come very close to
verbal abuse and put employees on written notice if they are honest and do not open fake accounts
to meet these unreasonable goals.”
The OCC Notice of Charges N20-001
As previously noted, pressure (also known as incentive or motivation) is what causes a person to
commit fraud. In simpler terms, motivation is typically based on greed or need. Pressure can come
from almost anywhere, from inside the workplace (e.g. unrealistic performance goals) to sources
completely unrelated to the person’s employment (e.g., financial distress, substance abuse, overspending,
addiction problems). Personality and temperament, including how frightened people are about the
consequences of taking risks, also influence their decisions. Finally, if employees have an incentive or
are under pressure, it provides a reason to commit fraudulent activities.
In Wells Fargo, employees’ incentive compensation and promotional opportunities in connection with
their ability to meet the unrealistic expectations and untenable sales quotas fostered an atmosphere
that perpetuated improper and illegal conduct. The poorly designed incentive compensation plan led
to pressure and caused a boiler room effect. According to the OCC Notice of Charges36, pressure on
Wells Fargo’s employees was exacerbated by stack ranking (which ranked from best to worst
performing in sales), aggressive sales campaigns, and demoralizing and hazing management
techniques. Examples of how Wells Fargo’s intense sales culture created excessive pressure on
employees include:
• Unrealistic and unattainable sales goals
• A relentless monitoring of sales performance
• Subjecting employees to hazing-like abuse
• Threatening to terminate and actually terminating employees for failure to meet the sales goals
• Performance management in connection with sales goals
In other words, misconduct does not always start with dishonesty. Instead, it may begin with pressure
to meet expectations and a fear that failure to meet these expectations will be viewed as unforgivable.
This pressure forced employees to engage in various unsound sales practices that caused customer
harm and inflicted serious damage on the Wells Fargo brand. The Board Report found that as sales
targets became harder to meet, the number of allegations and terminations increased, and the quality
of accounts declined. Moreover, a majority of terminated employees, whether branch bankers or
managers, admitted to engaging in misconduct. They often claimed that sales pressure was the reason.
Exhibit F: How Wells Fargo Put Excessive Pressure on Employees
The following are excerpts from the OCC Notice of Charges N20-001.
A store manager received a formal warning in July 2011 because her store achieved only 98% and
90% of her store’s sales goals in the first two quarters of that year, respectively. The formal warning
stated: “If your sales performance does not improve to an acceptable level, further action up to and
including termination of employment may result.”
36 Wells Fargo’s aggressive sales model information is from the OCC Notice of Charges N20-001, January 23, 2020.
An employee complaint to senior leadership: “[T]he noose around our necks ha[s] tightened: we
have been told we must achieve the required solutions goals or [we] will be terminated. This type of
practice guarantees high turnover, a managerial staff of bullying taskmasters, [and] bankers who
are really financial molesters [and] cheaters . . . .”
Another employee wrote to the CEO’s office and a senior leader in the Community Bank in 2013
that “I was in the 1991 Gulf War …. This is sad and hard for me to say, but I had less stress in the
1991 Gulf War than working for Wells Fargo.”
A 2013 employee complaint sent to senior leadership explained employee sentiments: “Make your
goals at any cost to the team member or customer – this is our environment. . . . I can't [sic] sleep at
night or look in the mirror. Too much pressure, feels like we have to treat team members poorly or
walk a very grey line to meet expectations.”
An investigation manager wrote in a 2009 email: “[W]e are hearing the [local regional president]
has told or insinuated that everyone must make 120% of their goals, no exceptions. We have been
made aware that some team members have actually be[en] form[ally] counseled for making [104%]
and 110% of their goals. In addition we discovered that one manager was getting ready to terminate
a banker for being at 105%.”
Source: The OCC Notice of Charges N20-001
Opportunity
“The Bank’s Head of Corporate Investigations testified before the OCC that there was nearly a 100%
chance an employee’s boss would know if she failed to meet her sales goals, but the chances were
very small that an employee would be caught for issuing an unauthorized product or service.”
The OCC Notice of Charges N20-001
As previously noted, opportunity often results from circumstances that provide chances to commit
fraud. Thus, opportunities to commit fraud are more commonly present in organizations with weak
internal controls that provide a low-risk environment for getting caught. For example, an employee
may see an opportunity to open a fake checking account. However, the fake account may be identified
during the verification and review process by the system or the manager, and the employee would be
caught. Although an opportunity for unsound sales practice is present, there is no opportunity to
engage in such an act without being caught. If the control environment is weak, the employee has a
perceived opportunity to commit fraud. However, if the risk of getting caught is too high, the employee
will likely not exploit the perceived opportunity.
Lack of a positive workplace also creates more opportunities for poor employee morale, which can
affect an employee's attitude about committing fraud against an organization. This is because a
positive workplace environment improves teamwork, promotes business ethics, increases
productivity, enhances quality, reduces employee stress, and improves retention of the workforce.
Examples that provide opportunities for employees’ misconduct and violation of culture include:
• Poor tone at the top
• Ethics and cultural issues
• Deficient internal controls and audit system (e.g. absence or inadequacy of controls)
• Little fear of exposure
• Low probability of detection
• Lack of supervision
• Failure to discipline fraudsters
• No consequence/punishment of fraudsters
• Insufficient anti-fraud programs
• Ineffective board of directors or audit committee oversight
Wells Fargo’s control environment was ineffective at preventing and detecting the majority of customer
abuses, which provided opportunities for committing fraud. For example:
1. Poor tone at the top: According to the OCC, senior management failed to address the actual
root cause of the widespread unethical behavior and downplayed the problem’s seriousness
and scope. Specifically, the OCC found that “to avoid upsetting a financially profitable business
model, senior executives, including Respondents (senior management), turned a blind eye to
illegal and improper conduct across the entire Community Bank.”
2. Weak internal controls: When processing off-site applications, employees were not required
to obtain complete paperwork or provide authorization at the branch. Thus, these applications
often lacked customer consent or relevant customer information, such as drivers’ license
details. In addition, the bank’s system did not require evidence of customer consent when
employees issued products. For example, employees were not required to obtain applicants’
consent before pulling a credit report.
3. Ethics and cultural issues: Employees were allowed to open accounts for family or friends,
who were often complicit in fraudulent activities. The Board Report cited that employees often
described opening accounts for family and friends in order to meet sales goals. A branch
manager had a teenage daughter with 24 accounts, an adult daughter with 18 accounts, a
husband with 21 accounts, a brother with 14 accounts and a father with 4 accounts.
4. Little fear of exposure: The process was not designed to proactively identify fraudulent
activities. For most types of misconduct, an employee could only get caught for improper sales
practices if another employee knew about the misconduct and blew the whistle, or if a
customer became aware of the unauthorized accounts and complained. According to the
Board Report, the bank began monitoring a few types of sales practices misconduct only after
2012.
5. No consequence of fraudsters: According to the OCC, between 2012 and 2016, the Chief
Auditor was well-informed of sales practices misconduct issues, volumes, and trends. The
Chief Auditor routinely received information on sales practices through the Team Member
Misconduct Executive Committee, the Ethics Committee, and the Enterprise Risk Management
Committee. However, the Chief Auditor failed to take actions within their respective
responsibilities to identify, correct, and/or escalate the sales practices misconduct problem.
Lesson Note: Off-site applications were associated with initiatives in which Wells Fargo bankers would
collect product applications at events or workplaces outside a Wells Fargo branch.
In summary, failure to establish adequate controls to prevent and detect fraudulent activity increases
the opportunities for fraud to occur. According to various surveys, a weak internal control system is a
significant issue for organizations victimized by fraud, and the problem is growing. Organizations must
establish processes, procedures, and controls that do not put employees in a position to commit fraud,
as demonstrated in the following example.
Example: Wells Fargo’s Internal Meeting
The following are excerpts from the OCC Notice of Charges N20-001.
At the same Team Member Misconduct Executive Committee meeting, Respondent Julian (Chief
Auditor) received a presentation that highlighted important misconduct considerations, including
whether the controls were “allowing to[o] much opportunity” for employees to commit misconduct
and whether the line of business “creat[ed] an environment whereby the [employee] must commit
misconduct.” At that meeting, the former Chief Security Officer and Head of Corporate Investigations
warned: “[t]oo much opportunity or too much personal or business pressure can sway most anyone.”
Source: The OCC Notice of Charges N20-001
Rationalization
“Employees were much more likely to be disciplined or fired for failing to meet their sales goals—
against which they were tracked daily and measured in real time—than for engaging in sales
practices misconduct.”
The OCC Notice of Charges N20-001
As previously noted, a justification of fraudsters’ crime to make the act acceptable is known as
rationalization. It also refers to behavior, character or ethical values allowing individuals to justify their
reasons for committing fraud. Even honest individuals can commit fraud in an environment that
imposes sufficient pressure on them. The greater the incentive or pressure, the more likely an
individual will be able to rationalize the acceptability of committing fraud. The Chartered Institute of
Management Accountants (CIMA) concluded that people rationalize fraudulent actions as:
1. Necessary − especially when it is done for the business (e.g., meeting work expectations,
achieving sales targets)
2. Harmless − because there is no “real” victim (e.g. secretly opening an account that will be
closed later)
3. Justified − because it has to be done to keep everyone happy (e.g. inflating number of
products sold to meet targeted sales goal)
Examples of common excuses given by fraudsters to explain their misconduct include:
• It is the only way or I will lose my job
• Everyone is doing it
• I deserve this
• I am just trying to help
• My manager does not care
• The company owes it to me
• We have always done it this way
• No one will know
• It is not really a serious matter
• The company can afford it
• Nobody will get hurt
As previously noted, Wells Fargo had a very intense sales culture that could lead to the following
justifications by employees:
• It is the only way, or I will lose my job or be punished.
Employees often witnessed that the individuals most likely to be praised, rewarded, and held
out as models for success were high sales performers. They believed that their future at Wells
Fargo depended on how many products they sold37.
Many employees felt that failing to meet sales goals could lead to shaming, career-hindering
criticism by their supervisors, or termination as the incentive compensation model overly
emphasized sales performance.
• Everyone is doing it
Thousands of employees engaged in secretly opening bank and credit card accounts for
customers without their consent.
• I am just trying to help
Branch-level managers often cited the need to help branch employees meet individual goals
or reach branch goals.
• My manager does not care
Certain managers explicitly encouraged their subordinates to sell unnecessary products to
their customers in an effort to meet the sales goals.
• Nobody will get hurt
Transferring customer funds between accounts without customer authorization (simulated
funding) does not cause any financial harm.
37 The interviews of Wells Fargo employees are from “Independent Directors of the Board of Wells Fargo & Company Sales Practices Investigation Report,” Wells Fargo Media, accessed on February 24, 2020.
In general, fraud occurs because of a combination of opportunity, pressure, and rationalization. An
opportunity arises, the person feels that the act is not entirely wrong, and has pressure pushing them
to commit the fraud. Thus, all organizations face a wide range of threats. However, the likelihood that
a fraud will be committed is greatly decreased if the potential fraudsters believe that the rewards will
be modest, that they will be detected, or that the potential punishment will be unacceptably high. The
main way of achieving such a goal is to establish an effective control environment that aims to
prevent fraud and, where fraud is not prevented, increases the likelihood of detection and the
cost to the fraudster.
Review Questions - Section 3
1. To meet the unattainable sales targets, Wells Fargo employees engaged in all of the following
schemes EXCEPT:
A. Transferring customer funds between accounts without customer consent
B. Stealing of the check after it has been recorded on the bank’s system
C. Delaying the opening of requested accounts to the next sales reporting period
D. Enrolling customers in online banking and online bill-pay without consent
2. To address the sales integrity issues, Wells Fargo reformed its incentive compensation plan by
implementing all of the following procedures EXCEPT:
A. Incentive paid based on types of transactions
B. Elimination of product sales goals in the retail bank
C. Greater participation in the compensation plan
D. Longer-term view of customer relationships
3. Lack of supervision, no consequences for fraudsters, and insufficient monitoring all describe what
element of the fraud triangle?
A. Pressure
B. Concealment
C. Rationalization
D. Opportunity
4. Identify the element of the fraud triangle in the following example: A&E Inc. did not employ a
proactive monitoring system to detect fraudulent activities.
A. Concealment
B. Opportunity
C. Rationalization
D. Pressure
2. How Internal Auditors Can Help Prevent Misconduct from Snowballing
“It’s not enough to have policies. It’s not enough to have procedures. It’s not enough to have good
intentions. All of these can help. But to be successful, compliance must be an embedded part of your
firm’s culture.”
Lori A. Richards, Office of Compliance Inspection and Examinations, the SEC
Why Corporate Culture Should Be Audited?
“In the absence of active management, a culture will develop which may not align to the aims of the
overall business.”
Grant Thornton, Auditing culture, 2017
The number of corporate scandals due to poor corporate culture continues to rise. Boeing,
Volkswagen, Toshiba, and Wells Fargo faced public scrutiny for breakdowns in internal culture. Despite
the growing need to draw attention to a company’s culture, culture is often not part of internal or
external audit. Forbes magazine called culture the most overlooked element of audits. This section
explains why an Internal Audit should consider including a cultural review of the organization within
its plan of activities.
A Role for Internal Auditors: Protector and Helper
"Internal audit, acting as the eyes and ears of the board but independent of management is in a
unique position to judge and advise whether the tone from the top is being adhered to across an
organization.”
Dr. Ian Peters, Chief Executive, the Chartered Institute of Internal Auditors, July 2015
Effective organizational governance requires a robust internal audit function, a very necessary part of
healthy and successful business practices. As employees of the organization, despite the independent
role, internal auditors are fully vested in the organization’s successes by improving the organization's
operations on a continuous basis. Internal Audit partners with management and the board, and
evaluates the complete health of the organization, focusing on present and future events of the
organization, and ensures the accomplishment of goals and objectives.
The Institute of Internal Auditors (IIA) definition of internal audit is:
“An independent objective assurance and consulting activity designed to add value and improve an
organization’s operations. It helps an organization accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the effectiveness of risk management,
control, and governance processes.”
Internal Audit represents a key element of organizations’ corporate governance, risk management and
the structure of internal control. For example, internal auditors identify the risks that could keep an
organization from achieving its goals, alert leaders to these risks, and proactively recommend
improvements to help reduce the risks. Toxic culture and unethical behavior ultimately put an
organization at risk and can be placed at the heart of many corporate failures, collapses, and damaged
reputations. The following Three Lines of Defense model clarifies the roles and responsibilities for
achieving desired values and culture38.
The First Line of Defense: All employees and all levels of management should adhere to values,
conduct, and behavioral expectations. However, business line management is primarily responsible
for setting, delivering, and modeling desired values and conduct.
The Second Line of Defense: The second line, an oversight function, monitors and provides advice to
the first line. In the second line of defense, there are legal, ethics, compliance and risk management
functions, and a human resources department. They help ensure that the first line of defense is well
designed and functions well by monitoring culture-related risks and compliance with culture-related
policies and procedures.
The Third Line of Defense: This responsibility is usually discharged by Internal Audit. Internal auditors
perform an objective, independent review of the business culture to provide assurance that both the
first and second lines’ efforts are consistent with the expectations of the board and senior
management. Internal auditors may carry out the following activities:
1. Evaluating adherence to the organization’s stated and expected standards and evaluating
whether the corporate culture supports the organization’s purpose, strategy, and business
model, and
2. Assessing the overall culture and identifying areas where the culture is weak.
Addressing cultural issues must, of necessity, be the responsibility of the board and management. The
board and management need to rely on their internal audit functions to provide assurance and
advisory services that help them monitor and strengthen the organization’s culture, and to sound an alarm when
things may go wrong.
38 The Three Lines of Defense model information is based on “Global Perspectives and Insights; Auditing Culture – A Hard Look at the Soft Stuff,” IIA, February 2016, and “Banking Conduct and Culture,” Group of Thirty, July 2015.
The Power of Tone at the Top
“Establishing the right tone is essential to fortifying the organization’s reputation and its relationship
with all stakeholders.”
Deloitte, Tone at the top: The first ingredient in a world-class ethics and compliance program, 2014
Research in moral development strongly suggested that honesty can best be reinforced when a proper
example is set, sometimes referred to as the tone at the top. Tone at the top is the attitude of the
management toward maintaining integrity and ethical values demonstrated through their directives
and behavior. A proper tone at the top refers to the ethical and cultural atmosphere created by the
organization's leadership. It demonstrates management’s commitment towards openness, honesty,
integrity, and ethical behavior. It also sets an organization’s guiding values and ethical climate and
influences the control consciousness of the officers and employees.
The Board and C-suite executives are ultimately responsible for creating and maintaining an ethical
environment that integrates an organization’s core values and motivates employees to do what is right.
They reinforce the importance of building a culture of honesty and integrity. When leaders pressure
their employees to meet unreasonable sales goals to make profits for the company, they basically
force employees to do whatever it takes to achieve those goals, whether it is unethical or not.
The cross-sell strategy is not an unethical practice. On the contrary, cross-sell is an effective way to
increase revenue and average lifetime customer value. However, when leaders in Wells Fargo sent
inconsistent messages about company priorities, the sales culture opened the door to unethical
behavior. Senior executives’ strong desire for growth and obsession about cross-sell can be spotted in
Wells Fargo 2011 Annual Report:
“Even if we get to eight products per retail bank household, we still have room to grow. We believe the
average American household has between 14 and 16 financial services products.”
In summary, there is a constant interplay between corporate culture and leadership as the
characteristics of a company are influenced by the characters of the people in it. The tension between
the tone at the top and employee conduct is demonstrated by the Wells Fargo fake-account
scandal.
The Connection to the Occurrence of Fraud
“The organization’s culture either discourages doing the right things, is blind to bullying behavior,
and/or rewards those who employ a “win at all costs” attitude. These types of “open secrets”
become fertile ground for fraudulent and unethical activity.”
Protiviti, Creating a Strong Corporate Culture Begins With Managing Fraud Risk, 2018
Fraud, especially fraud on behalf of an organization, tends to come with a certain corporate culture.
Corporate culture is a driving force in how a company conducts its business and manages its conflicts
of interest. Researchers suggest that businesses with poor company cultures are more likely to be
investigated for deceptive accounting practices. The connection between the corporate culture and
fraud of an organization is increasingly under public scrutiny.
Many case studies indicate that when companies foster a safe and ethical environment, they are more
resistant to misconduct of all kinds. In other words, unethical or illegal misconduct occurs less
frequently when employees work in a positive work environment than when they feel ignored, bullied,
or threatened. A strong ethical culture establishes standards and sets an expectation to do what is
right, thereby overcoming all three sides of the fraud triangle. For example:
• Pressure: Incentives and performance management based on a financial metric create
pressure for employees to meet targets which, in turn, may cause them to commit fraud to
achieve the goal. In other words, to lessen pressure and incentives to commit fraud,
companies should create an ethical culture (e.g. positive tone at the top, appropriate reward
system) that does not encourage a high-pressure environment.
• Opportunities: A strong ethical culture supports effective controls and oversight that limit
opportunities for fraud, which in turn will increase the likelihood that fraud will be detected
promptly.
• Rationalization: A culture of integrity prevents dishonest behavior because it limits the
fraudster’s ability to rationalize misconduct. It can become more difficult for fraudsters to
rationalize or justify their behavior if a company has an effective ethical culture that
discourages fraudulent actions.
Companies can be characterized as ethical or unethical companies based on their corporate culture.
After almost every major fraud scandal, news stories and congressional hearings discussed how
corporate culture encouraged and enabled fraud and its impact on financial outcomes. For example,
the Enron executives created a culture of greed and dishonesty that led to fraud and ultimate
breakdown. Wells Fargo’s cutthroat culture led to a series of unsound sales practices. The stories
exposed a world of corporate misconduct from unethical culture, deceptive business practices, to
misaligned priorities.
The Foundation of the Control Environment
“The corporate culture is the most powerful control in any organization.”
Jim Roth, author of Best Practices: Evaluating the Corporate Culture
Although there are no particular guidelines for auditors to conduct an audit of corporate culture, the
2013 COSO Internal Control – Integrated Framework (COSO Framework) provides guidance to auditors
on how to identify, measure, and report on corporate culture. The COSO Framework is a leading
framework for designing, implementing, and conducting internal control and assessing the
effectiveness of internal control. The COSO Framework consists of five integrated components:
1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information and Communication
5. Monitoring
Corporate culture manifests itself in the control environment − how the leaders articulate, govern,
and maintain integrity and ethical values within the organization through their directives, attitude, and
behavior. The control environment provides an atmosphere in which people perform their activities
and carry out their control responsibilities. According to the COSO:
“The control environment is an organization’s culture, beliefs, and values. It includes the integrity,
ethical beliefs, and competencies of its people, which are visible in management’s operating style, how
management assigns authority and responsibility, and how management organizes and develops its
employees. Another indication of the control environment is the degree of involvement from its board
of directors.”
The control environment, the most important of the five elements, sets the tone of an organization,
influencing the control consciousness of its people. The effectiveness of the other four elements
ultimately will depend upon it because it:
✓ Reflects the board of directors’ and management’s commitment to internal control.
✓ Sets the tone of an organization and influences control consciousness.
✓ Provides discipline and structure for achieving the objectives of the system of internal control.
Under the COSO Framework, culture is addressed in Principle 1 of the control environment: the
organization demonstrates a commitment to integrity and ethical values. Examples of responsibility
for Principle 1 assigned to Internal Audit include39:
1. Assesses the state of the organization’s ethical climate and the effectiveness of its strategies,
tactics, communications, and other processes in achieving the desired level of legal and ethical
compliance.
2. Evaluates the design, implementation, and effectiveness of the organization’s ethics-related
objectives, programs, and activities.
39 Examples of internal audit’s responsibilities relating to Principle 1 are from “Leveraging COSO Across the Three Lines of Defense,” the Institute of Internal Auditors, 2015.
3. Provides assurance that ethics programs achieve stated objectives, key risks are effectively
managed, and controls continue to operate effectively.
4. Provides consulting services to help the organization establish a robust ethics program and
improve its effectiveness to the desired performance level.
In the absence of a demonstrably healthy corporate culture, no level of controls, procedures, and
processes can provide meaningful assurance to stakeholders of the integrity in an organization.
Because corporate culture is critical to a company’s long-term success and viability, it should be
examined thoroughly and regularly.
What and How to Measure Culture?
“A culture audit sheds light on a company’s core DNA, that which guides decision-making, problem-
solving, and cross-functional communication processes.”
Forbes Magazine, Culture: The Most Overlooked Element of Audit, September 29, 2014.
Culture as a Soft Control
“Internal control is a process, effected by an entity’s board of directors, management, and other
personnel, designed to provide reasonable assurance regarding the achievement of objectives
relating to operations, reporting, and compliance.”
The COSO Framework
Management is primarily responsible for the design, implementation, monitoring, and reporting of the
controls. Management’s performance is subject to oversight by the organization’s governing board.
Thus, even though management is primarily responsible for internal controls, the governing board is
ultimately responsible for ensuring that management fulfills this duty. Internal Audit is responsible for
examining, evaluating and reporting on the adequacy and application of internal controls. Therefore,
internal auditors need to understand the different nature of hard and soft controls and select the most
appropriate techniques.
Hard controls are tangible, such as the organization structure, systems, assignment of authority and
responsibility, policies, procedures, laws, and regulations. Soft (intangible) controls are factors
that influence attitudes, values, and behaviors of management and employees and their impact on
achieving organizational goals. An effective internal control system involves the application of both
hard and soft controls. For example, hard controls elicit the proper employee behavior through
defined policies and procedures. Soft controls can influence the behavior of the employees and have
a significant impact on the success of a company. Thus, soft controls, essential for the well-being of
organizations, are considered as the foundation of efficient hard controls.
Culture aligns goals, values, behaviors, and systems throughout the organization. It reflects an
organization’s objectives, management strategies, employee communication and relations, approach
to customers and investors, work environment, and attitude. Therefore, an audit of corporate culture
usually includes a review of soft controls such as:
✓ Morale
✓ Tone at the top
✓ Leadership
✓ Attitude
✓ Management philosophy
✓ Management operating style
✓ Ethical climate
✓ Shared values
✓ Enforcement
✓ Integrity
✓ Competence
✓ Trust and openness
✓ Employee motivation
✓ Transparency and accountability
✓ Sense of responsibilities
✓ Involvement and commitment
✓ Expectations
✓ Communication
The following table summarizes the differences between hard controls and soft controls.
Nature of Controls
Hard Controls:
• Tangible
• Explicit activities
• Objective
Soft Controls:
• Intangible
• Implicit attitudes
• Subjective

Impact to Audit
Hard Controls:
• Not difficult to obtain reliable information
• Internal Auditor should have good experience in analysis skills
• Usually evaluation based on documents
• Clear recommended action in internal audit report
Soft Controls:
• Difficult to obtain reliable information
• Internal Auditor should have good experience in interpersonal skills
• Usually evaluation based on results of distributed survey
• Unclear recommended action in internal audit report

Examples
Hard Controls:
• Approvals
• Authorizations
• Verifications
• Reconciliations
Soft Controls:
• Morale
• Ethical climates
• Shared values
• Integrity
Source: KAD Consulting Services Inc., Soft Controls, Cultural and Governance Audits, 2016
The IIA provides the following example to demonstrate the different factors used when reviewing hard
controls and soft controls.
Example: Hard Control Audit vs. Soft Control Audit
Audit Objective: Gaining insight into the hard and soft controls that contribute to client trust
The key soft success factors that came to the fore in interviews with management were:
• Demonstrating expertise and professionalism
• Empathy
• Showing integrity
• Communication (open, honest, personal)
• Visibly acting in the interest of the client
• Giving clients trust and loyalty
• Living up to expectations
• Taking responsibility for the client
• Client satisfaction
• Learning from experience
The key hard success factors were:
• Clear, supported case for change
• Sticking to agreements
• Clear priorities/objectives
• Well-trained personnel
• High rate of ‘first time right’
• Focusing on responsible approach to client
• High client satisfaction
• Products meet client requirements
Source: The IIA Netherlands, Discussion paper: Soft controls − What are the starting points for the internal
auditor?, June 2015.
The next section explains how to audit the corporate culture through the review of soft controls
including those around ethics, integrity, behaviors, and perceptions.
The Right Approach to Auditing the Culture
“Culture is complex and different within every organization and remains largely abstract. However,
even though a company’s culture may be abstract, one thing is clear: developing the right approach
for auditing an organization’s risk culture takes time and careful planning. And for any business, the
value of undertaking this process is developing a better understanding of the cultural causes that
create risk − in short, human behaviors.”
Brian Christensen, Protiviti Executive Vice President, Global Internal Audit
Because corporate culture affects every aspect of a business, it is a critical element in any business’s
ultimate success or failure. Therefore, auditing culture is a logical progression as regulators and
stakeholders hold senior management and boards and audit committees accountable for promoting a
culture of integrity. However, measuring corporate culture and obtaining reliable or concrete evidence
about soft controls often presents a challenge. For example, the Board Report found that “Audit’s
methodology for testing culture was less systematic than its approach to testing processes and
controls: witnesses explained that culture is a “squishy” concept, difficult to quantify and test using the
tools available to Audit.”
This section provides guidance to the internal auditor on the culture audit.
Planning the Audit
“Internal auditors must develop and document a plan for each engagement, including the
engagement’s objectives, scope, timing, and resource allocations. The plan must consider the
organization’s strategies, objectives, and risks relevant to the engagement.”
International Standards for the Professional Practice of Internal Auditing 2200: Engagement Planning
Define the Objectives and Scope
“Objectives must be established for each engagement.”
International Standards for the Professional Practice of Internal Auditing 2210: Engagement Planning
“The established scope must be sufficient to achieve the objectives of the engagement.”
International Standards for the Professional Practice of Internal Auditing 2220: Engagement Scope
Culture, the identity of an organization, encompasses the collective values and behaviors of all of its
employees, managers, and leaders. The key element for determining culture is whether leaders,
managers, and employees will do the right thing, especially when they face integrity and ethics
challenges. Thus, culture is a critical factor in corporate performance.
To provide assurance relating to the overall acceptance, adherence, and understanding of corporate
culture, internal auditors need to periodically evaluate culture or include consideration of culture in
each audit engagement by determining whether:
1. Culture aligns goals, values, behaviors, and systems throughout the organization.
2. Leadership promotes, monitors, and assesses the risk culture of the organization.
3. Senior management is held accountable for creating and maintaining an environment of
integrity, honesty and ethical values.
4. Business activities, behaviors, and tone at the top properly reflect the values and ethics of the
organization.
5. Sound integrity and ethical values, particularly of senior management, are developed and set
the standard of conduct for doing business.
Internal auditors cannot successfully assess culture without a deep understanding of the organization’s
culture. As previously noted, corporate culture consists of shared beliefs, values, and standards that
shape and guide the behavior of employees. Thus, obtaining an understanding of culture can be
difficult and complex since culture itself is abstract, subjective, and not easily observable and
measurable. However, corporate culture can be approached in a systematic manner and perceived in
various ways such as:
✓ Organization values and tone at the top
✓ Performance management and incentives systems
✓ Staff development and promotion processes
✓ The effectiveness of the Three Lines of Defense model
Establish an Understanding of Corporate Culture
Internal auditors should obtain an understanding of an organization’s culture to plan the audit and to
determine the nature, timing, and extent of audit procedures to be performed. Internal auditors may
consider performing the following procedures to form an understanding of corporate culture:
1. Observing how values and conduct are demonstrated by senior management in setting the tone at
the top and in the daily practices of employees, such as:
− Are sound integrity and ethical values, particularly of top management, developed,
maintained, and understood?
− What is management’s view as to the nature of the culture?
− Does management's philosophy and operating style promote a culture of honesty and
ethical behavior?
− Does management communicate its views on business practices and ethical behavior to
employees? If so, how?
− What is management’s attitude toward governance?
− How do leaders react to negative events?
− How do employees work and how are they evaluated?
− Do employees feel responsible and accept responsibility for their work?
− Who is hired, promoted, and rewarded?
− How do employees act when managers are not present and when matters of personal
judgment arise?
− How do the compensation plans, programs, and practices reinforce the culture?
− How are the company’s relationships with its customers?
− How does the company behave toward its competitors and within its community?
2. Obtaining an understanding of frameworks used to develop, communicate, and evaluate
conformance with the corporate culture, such as:
− Are control functions valued within the organization?
− Are policy or control breaches tolerated?
− Does the organization proactively seek to identify risk and compliance events?
− Are supervisors effective role models of corporate culture?
− Are sub-cultures (e.g., at a branch office, a trading desk or an investment banking
department) that may not conform to overall corporate culture identified and addressed?
3. Obtaining an understanding of the approaches to identifying and managing conflicts of
interest and ensuring the ethical treatment of customers such as40:
− How does the company handle material breaches of company policies and procedures?
− Does the company promote the ethical and fair treatment of customers?
− Is compliance equipped with the necessary resources to help the company navigate a
complex and changing regulatory and market environment?
− How frequently has the company been faced with legal problems?
− How frequently has the company received negative media coverage?
The understanding gained from procedures 1 through 3 will enable internal auditors to identify the
organization’s values and expected behaviors.
Identify the Risks of Cultural Failures
“Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under
review. Engagement objectives must reflect the results of this assessment.”
International Standards for the Professional Practice of Internal Auditing 2210.A1: Engagement
Objectives
As part of obtaining an understanding of the culture, internal auditors need to consider the risks of
cultural failures, which can impose substantial harm on companies themselves such as financial losses,
low productivity, high turnover, penalties, fines, regulatory action, reputation damage, litigation, and
loss of public trust. Examples of risk factors that may lead to cultural failures and unethical behavior
include:
• Pressures for short-run performance in decentralized return on investment (ROI) centers may
inhibit ethical behavior.
40 Indicators of a company’s culture listed in 2. and 3. are based on “2016 Regulatory and Examination Priorities Letter”, Financial Industry Regulatory Authority, accessed on March 24, 2020.
• Emphasis on strict adherence to chain-of-command authority may provide excuses for
ignoring ethics when following orders.
• Aggressive or unreasonable sales goals tied to reward structures may encourage widespread
unsound sales practices.
• Informal work-group loyalties may subvert ethical behavior.
• The board may not provide effective oversight over the conduct of the organization’s
operations.
• Committee decision processes may make it possible to abstain from or dodge ethical
obligations.
• Pressure of competition may compromise ethics in the interest of survival.
• Unethical behavior of others may force a compromise of ethics.
• Definitions of ethical behavior may vary from one culture to another. Bribes to overseas
officials or buyers may be consistent with some countries’ customary business practices, but
such a practice is not considered ethical among U.S. purchasing agents. Bribes are now
considered illegal under the Foreign Corrupt Practices Act.
• The propriety of superimposing our cultural ethical standards (by refusing to bribe) on another
culture may be controversial.
Poor ethical foundations and cultural failures were major causes of the recent financial crisis and
continue to be factors in the scandals since then. There are three broad categories of cultural failings41:
1. A culture of individualism and short-termism: This type of culture was a key driver of many
of the unsafe and inappropriate values, behaviors, and practices. A series of corporate
misadventures, such as Enron, Toshiba, Volkswagen, and Wells Fargo, have revealed cultural
failures due to a corporate environment that focused excessively on short-term results.
2. A weak risk culture: There are two factors that led to a weak risk culture:
− Management did not allocate enough resources to the checks and balances required to
manage the inherent uncertainty of risk models, and
− Checks and balances are not effective. For instance, compensation models did not reflect
the underlying risks taken. Thus, risk-takers were able to increase leverage and trading
activities to unsustainable levels.
3. A weak culture of oversight among board members: The Group of Thirty reports identified
several board weaknesses, including:
− Underestimation of the time commitment required in serving on a board.
41 The categories of cultural failings are from “Banking Conduct and Culture,” Group of Thirty, July 2015.
− Insufficient risk and/or financial institution experience.
− A lack of understanding of the firm’s strategic position and of the competitive and
regulatory landscape.
− The inefficiency and unsuitability of joint chair/CEO roles.
− Boards that did not engage frequently enough with their relevant supervisors.
The Financial Stability Board developed Guidance on Supervisory Interaction with Financial Institutions
on Risk Culture: A Framework for Assessing Risk Culture to provide guidelines for financial institutions
in assessing risk culture. However, the guidance could be adapted to assessing overall organizational
culture in any industry or sector. The guidance identifies four areas that can be indicative of a sound
risk culture including tone at the top, accountability, effective communication and challenge, and
incentives.
Finally, the level of risks may vary across geography, business unit, or process. Business units may
create their own subculture that can be contradictory to the company values or the tone at the top.
Thus, the level of risk relating to improper conduct may be higher in some locations or departments
than others. For example, in Wells Fargo, some regional managers encouraged and implemented sales
pressure tactics, leading to a significantly higher number of integrity violations than other regions.
Gather Sufficient Information
“Internal auditors must identify sufficient, reliable, relevant, and useful information to achieve the
engagement’s objectives.”
International Standards for the Professional Practice of Internal Auditing 2310: Identifying
Information
There are sources of information that could provide direct evidence of soft controls. For example,
employee engagement surveys that allow anonymity are considered as one of the most effective and
efficient ways to understand and evaluate an organization’s culture. Data associated with ethical
culture provides an opportunity for better insights. For instance, common survey topics used by the
world’s most ethical companies when measuring ethical culture include42:
• Perception of the compliance and ethics function
• If misconduct has been observed
• Perception of the effectiveness of compliance training
• Perception of the effectiveness of the Code
• Awareness of compliance resources
• If pressure is felt to commit misconduct
• Perception of the effectiveness of policies
• Comfort in reporting misconduct
• Perception of organizational justice
• Opinion of executive ethical leadership or tone from the top
• Opinion of manager’s ethical leadership or mood from the middle
• Perception of coworkers
• Recommend someone take a job at the company
42 The common topics addressed in ethical culture surveys are from “Leading Practices and Trends from the 2018 World’s Most Ethical Companies®”, Ethisphere Research Report, accessed on March 24, 2020.
Thus, internal auditors may consider reviewing employee surveys or other similar tools and techniques
used by organizations. These surveys provide measurements of the effectiveness of one or more
control environment elements that help internal auditors gain an insight into an organization’s culture.
Other sources of data for internal auditors to consider when obtaining an understanding of culture
include:
✓ Media coverage
✓ Customer surveys
✓ Customer complaint data
✓ Customer activity track
✓ Regulatory (supervisory) reviews
✓ Rewards and incentives structures
✓ Hotline and whistleblower reporting
✓ Compliance and risk management breaches
✓ Continuous controls monitoring
✓ Employee turnover rate
✓ Enterprise risk management
✓ Past audit results over the control environment and the response and remediation
✓ Results of annual Sarbanes-Oxley Act and other compliance testing
Evaluating the Cultural Drivers
“Internal auditors must base conclusions and engagement results on appropriate analyses and
evaluations.”
International Standards for the Professional Practice of Internal Auditing 2320: Analysis and
Evaluation
The National Business Ethics Survey listed four outcomes that help determine the success of an ethics
and compliance program fostering a culture of integrity:
1. Reduced misconduct observed by employees.
2. Reduced pressure to engage in unethical conduct.
3. Increased willingness of employees to report misconduct.
4. Greater satisfaction with organizational response to reports of misconduct.
Culture is created by formal drivers which in turn impact the core beliefs and assumptions of the
organization. Thus, internal auditors may consider evaluating the following key drivers that have an
impact on these outcomes and influence an organization’s culture:
✓ Corporate Environment
✓ Leadership
✓ People Management
✓ Ethics and Conduct
Many considerations can be taken into account when determining whether behavior and conduct are
aligned with the values and ethics of the organization. Examples of values and ethics are listed in the
following table. However, the culture aspect of the audit should be tailored for the organization and
focus on its specific environment, opportunities, and challenges.
Columns: Drivers; Types of Soft Control; Evidence of Soft Controls

Driver: Corporate Environment
Types of Soft Control:
• Vision, values, and goals
• Communication
• Alignment through the organization
Evidence of Soft Controls:
− The organization mission statement, objectives and goals are communicated to employees at all
levels.
− The atmosphere promotes a sense of loyalty and belonging among employees, and a sense of caring
and connection between the organization and its customers.
− The organization supports values that create a collective sense of belonging where employees feel
that they have a stake in the success of the company.
− The organizational structure facilitates the flow of information upstream, downstream, and across
all business activities.
− The tone exhibited by management of operating units is consistent with that set by the board of
directors and senior management.
− There is adequate supervision and monitoring of decentralized operations.
− Employees feel comfortable to voice their opinion, raise issues, and discuss dilemmas.

Driver: Leadership
Types of Soft Control:
• Tone at the top
• Attitude
• Management philosophy
• Management operating style
• Role modeling
• Communications
Evidence of Soft Controls:
− Leadership demonstrates high ethical and behavioral standards through its attitude, actions, and
values, and communicates this tone to all employees.
− Management fosters open communications and responds appropriately when employees raise a
concern.
− Management proactively seeks, gives, and applies feedback.
− Management shows and maintains a positive and supportive attitude toward integrity and ethical
values at all times through both its words and actions.
− Management makes sure that people feel included, valued, and heard.
− Management removes or reduces incentives and temptations that might prompt personnel to engage in
dishonest, illegal, or unethical acts.
− The extent and depth of conversations regarding risk, controls, and compliance matters at executive
and/or board meetings is appropriate given the matters facing the organization.

Driver: People Management
Types of Soft Control:
• Competence
• Commitment
• Transparency
• Achievability
• Accountability
• Enforcement
• Reward and Incentives
Evidence of Soft Controls:
− Managers and employees should have personal and professional integrity and should be qualified to
perform their assigned duties.
− Employees feel motivated and engaged to follow the rules.
− Employees’ and management’s behavior are visible to others.
− Goals/targets are realistic. There is no undue pressure to meet budget, profit, or other financial
and operating goals.
− Managers and employees take responsibility for their own actions.
− Desired behavior is rewarded and undesirable behavior is sanctioned.
− There is relatively low turnover of key personnel (e.g., operating, accounting, data processing,
internal audit).

Driver: Ethics and Conduct
Types of Soft Control:
• Accountability
• Clarity
• Communication
• Enforcement
Evidence of Soft Controls:
− Managers and employees are being held accountable by others in the organization for misconduct.
− Management consistently reinforces the ethical and behavioral standards.
− Management properly and timely addresses red flags that problems exist such as integrity
violations even when the cost of identifying and solving the problem could be high.
− Management takes appropriate disciplinary action when necessary to enforce the code of conduct.
− Management views Internal Audit as a vehicle for exercising control over the organization’s
activities.
− Employees are willing to come forward and report misconduct or unusual activities without fear of
retaliation.
− Whistleblower status and rights are protected.
− Board takes appropriate follow-up action when instances of noncompliance are reported.

Investigative interview techniques combined with a strict interview protocol help the auditors achieve
the audit objectives. The Board Report indicated that Wells Fargo’s internal auditors audited its
incentive compensation plans and concluded that the plans were adequately balanced by customer
service and sales quality-related components. However, internal auditors did not conduct fieldwork
such as banker interviews to determine how the plans were in fact impacting employees. The IIA
suggests that the more internal auditors can utilize surveys and structured interview techniques, the
more concrete the evidence will be.
Internal auditors should also consider the implications of the identified weaknesses or gaps.
Undesirable culture (subculture) or weak soft controls often affect multiple areas and are basically
pervasive in nature. For example:
• A company that does not build and sustain demonstrable accountability is likely to be
vulnerable to political challenges, and also to a disadvantaged competitive position and a
weakened ability to attract talent.
• A cutthroat sales culture focused on growth and profit increase often pushes employees to sell
customers as many products as possible, leading to various unsafe sales practices.
• A negative attitude and an aggressive management style enable violations and obstruct
compliance within an organization.
Internal auditors should communicate the risk of ineffectively operating soft controls to senior
management so that the issue is open to discussion in the organization. As with hard controls,
ineffective soft controls can hinder the achievement of organizational objectives. When the chief audit
executive (CAE) concludes that management has accepted a level of risk that may be unacceptable to
the organization, the CAE must discuss the matter with senior management. If the CAE determines
that the matter has not been resolved, the CAE must communicate the matter to the board.
Moreover, internal auditors should provide persuasive evidence indicating weaknesses or gaps since
soft controls can be highly subjective. Assessing the degree to which soft controls achieve the
established objectives and correspond to the desired behavior is challenging and requires some
guidance by using a growth path or maturity model for the soft controls. The maturity level of each
identified soft control can be described in a growth model. This helps to qualify a soft control as
inadequate, barely adequate, adequate, good, or excellent as demonstrated below.
Example: Growth Path for the Development of Soft Controls
The following example demonstrates how the growth path can help with rating in a soft controls audit.
The Soft Control: Sense of Responsibility
1. Employees do not feel responsible, they do their thing, but others are responsible.
2. Employees feel responsible for reporting on their work, but they consider management or others
to be responsible.
3. Employees feel responsible and assume their responsibility. They have not made this visible,
though. Others cannot be certain that the aforementioned employees are assuming their
responsibility.
4. Employees feel responsible and set down that responsibility clearly and visibly.
5. Employees feel responsible, document this adequately, and explicitly let the organization know
that they are responsible.
1 = weak and 5 = excellent
Source: The IIA Netherlands, Discussion paper: Soft controls − What are the starting points for the internal
auditor?, June 2015.
Finally, communication of audit results should include applicable conclusions, as well as applicable
recommendations and/or action plans. Internal auditors should identify preventive and detective
measures focused on minimizing future occurrences. The Board Report cited that:
“Audit reviewed relevant controls and processes and largely found them to be effective; however, while
it had access to information regarding sales practice concerns, it did not view its role to include
analyzing more broadly the root cause of improper conduct.”
Recommendations in the audit report should address the root cause of the identified
weaknesses/gaps. To properly address the root cause for the deficiencies in soft controls, internal
auditors should ask key questions such as:
✓ How did the breakdowns occur?
✓ Where were management, the board, the audit committee?
✓ Are deficiencies unique to a business unit, department, or geography?
✓ Why did management fail to model appropriate behaviors throughout the organization?
✓ Does the behavior exhibited impose substantial harm on the company?
✓ Do policies and procedures require revision?
Where appropriate, an internal auditor’s opinion should be provided. An opinion must take into
account the expectations of senior management, the board, and other stakeholders and must be
supported by sufficient, reliable, relevant, and useful information.
Lesson Note: The CAE needs to establish a follow-up process to monitor and ensure that management
actions have been effectively implemented or that senior management has accepted the risk of not
taking action.
Exhibit G provides a roadmap for supervisors of the banking system to assess conduct and culture. This
roadmap can be a useful tool for internal auditors, who should have clear ideas about what they
consider good or acceptable with respect to conduct and values.
Exhibit G: Roadmap for Assessing Conduct and Culture
The following are excerpts from the Group of Thirty, Banking Conduct and Culture.
• Are the bank board and senior management adequately focused on understanding the culture
that exists and seeing adherence to firm values and conduct as a strategic imperative for the
bank?
• Is this evidenced in practices such as transparency for material transgressions, and owning the
responsibility for identifying and dealing with problems?
• Are the bank’s values and conduct statements taken seriously, and is there consistency among
strategy, business model, target returns, risk appetite, incentives, performance assessment,
desired conduct, and values to support the behaviors and outcomes the bank wants?
• Does the board focus adequately on the embedding of values and conduct by devoting
adequate time to these issues, receiving regular comprehensive reporting on these issues from
a variety of sources, acting on those as necessary, and itself participating in the internal
communication of the desired behaviors?
• Do the board and committee charters include oversight of values and conduct?
• And how are these matters reflected in the work of the board and its committees?
• Do the relevant management bodies and committees have charters that explicitly refer to
responsibility for oversight of values, conduct, and culture issues?
− Do the CEO and Executive team demonstrate persistent championing throughout the bank of
the desired conduct and values?
− Are the Executive team and midlevel managers engaged, and are they assessed and
compensated on how well they promote and assess conduct and values issues in their teams?
• Do the CEO and Executive team objectives include conduct, values, and cultural matters?
− Is an important part of the board’s annual evaluation of the CEO and his or her direct reports
championing the desired culture and effectively overseeing embedding of the desired conduct
and values and any remediation program?
− Does the Executive team demonstrate sound understanding of how a chosen remediation
program will achieve results, and does it have ways of measuring progress?
− Does the CEO and Executive team incentive regime have material financial consequences for
managers whose oversight (and living) of desired values and conduct is weak?
• Does the firm celebrate those who live the firm values and desired conduct in difficult
circumstances?
• Is there evidence that the firm is using a balanced scorecard with input from Compliance, Risk
Management, and Human Resources, and with significant weight on how results are achieved?
− Are there robust and comprehensive data to identify alignment with conduct and values by the
business and functional units and individuals?
− Is the Executive team reviewing in detail the top leadership group, and is there use of tools such
as 360-degree assessments?
− Are annual appraisals and penalties applied to breaches of cultural norms, values, and
principles, and not just to breaking specific rules of legal requirements?
− When deficiencies are identified, does the bank look at whether similar issues exist in related
areas of the bank?
− Is there evidence of robust internal sanctioning, with material consequences for staff in the
event of poor alignment with conduct and values?
• Do the bank’s promotion and hiring processes (including for senior management and the CEO)
place material weight on compatibility with the desired values and conduct and consistent
demonstration of the desired behaviors?
• Is frontline accountability clear?
− Do the frontline management and staff demonstrate understanding of, and the ability to
identify, values and conduct issues and act accordingly?
− Do frontline management demonstrate the ability to deal with breaches and to assess staff
performance?
− Are training and development programs anchored in cases relevant to the bank, delivered by
management, and regularly refreshed?
• Is there a clear second line of defense for values and conduct issues with demonstrated input
from Human Resources, Compliance, and Risk Management?
− Are second line and third line (that is, internal Audit) providing senior management reporting
to assist in understanding where the bank is at on conduct and values issues and how any
remediation program is working, and to support governance and oversight responsibilities?
− Do Compliance and Human Resources functions have stature and a proactive preventive
mindset in dealing with these issues?
• Is there a culture of welcoming escalation or self-identification of issues, including the
expectation of such conduct, and are there sanctions for willful blindness?
− Have managers been trained in how to constructively deal with escalation?
− Is the board satisfied that whistleblowing is treated seriously, and that staff who raise internal
flags are suitably protected and celebrated?
Source: Group of Thirty, Banking Conduct and Culture, July 2015
Sample Audit Program: Integrity and Ethical Values
The IIA provides guidance on how to audit the control environment. An audit of some elements of the
control environment includes a review of soft controls, such as those around integrity and ethical
values. The principle, elements and attributes are adapted from the COSO Framework control
environment component. The following table lists potential audit procedures created by the IIA that
might be considered in developing an audit of culture.
Integrity and Ethical Values: Basic Principle — Sound integrity and ethical values, particularly of senior management, are
developed and set the standard of conduct for doing business.

Columns: Elements and Attributes; Control Design Methods to Achieve Control Environment (Principles,
Elements, and Attributes); Control Testing Considerations

Element and Attribute: Developed — senior management develops a clearly articulated statement of
values or ethical behaviors that are understood by key executives and the board.
Control Design Methods:
• Senior management conveys the message that integrity and ethical values cannot be compromised,
both in words and in actions.
• Senior management has developed a code of ethics that emphasizes the organization’s expectation
that employees will act with integrity in all actions related to their scope of employment.
• Senior management has developed a code of business conduct that emphasizes the organization’s
commitment to fair and honest dealings with customers, suppliers, and other external parties.
• Performance expectations and incentives are designed so as to not create undue temptations to
violate laws, rules, regulations, and organization policies and procedures.
Control Testing Considerations:
• Conduct periodic, anonymous “pulse” surveys of employees as to the ethical attitude communicated
by senior management.
• Review the existence and content of the organization’s code of conduct and ensure a process exists
for periodic updating of the code.
• Review the existence and content of the organization’s code of business conduct and ensure a
process exists for periodic updating of the code.
• Review the mix between fixed and variable elements in employee compensation plans, and the
relative weighting on short-term financial performance in compensation plans.
• Review senior management’s compensation system to understand if it unduly incents excessive
risk-taking and the override of the entity’s system of internal control.

Element and Attribute: Communicated — senior management communicates its commitment to ethical
values through words and actions.
Control Design Methods:
• New employees receive a copy of the organization’s code of ethics and code of business conduct and
are trained as to how these guidelines apply to specific factual situations common to the
organization’s business environment.
• Existing employees are provided with updated copies of the organization’s code of ethics and code
of business conduct at least yearly, and receive periodic retraining on the application of these
guidelines to the organization’s business environment.
• Customers, vendors, and other external parties receive a copy of the organization’s code of
business conduct at least yearly, by inclusion in other mailings to these parties. Contractual
arrangements with these parties should include requirements for adherence to the organization’s code
of ethics and code of business conduct.
Control Testing Considerations:
• Review the signed employee representation that they have read and understood the codes of ethics
and business conduct and, for existing employees, their certification that they have not violated the
codes during the past year and are aware of no other such violations (or, if they are aware of such
violations, they have 1) communicated these violations as directed by their compliance or ethics
office training and 2) if based on their perspective the violations have not been resolved,
communicated the potential violations via their company’s ethics hotline).
• Review organization training courses, including the process for ensuring that all employees attend
these courses on the codes of ethics and business conduct.
• Review the organization’s policy for including the code of business conduct in a yearly mailing to
customers, vendors, and other external parties. Verify that the code of business conduct is included
in mailings.

Element and Attribute: Reinforced — the importance of integrity and ethical values is communicated
and reinforced to all employees in a manner suitable for the organization.
Control Design Methods:
The organization’s newsletter (and other internal communication devices) highlights:
a. Ethical dilemmas often arising in the organization’s industry and how management expects
employees to act in these situations.
b. Ethical failures (with names disguised) and the consequences of these failures for both the
organization and the employees involved.
c. Ethical successes (with names retained and highlighted) with the situation described, the
employee behavior, and why the behavior was consistent with organization guidelines.
Control Testing Considerations:
Review editions of the organization’s newsletter during the year to examine whether coverage of
ethical dilemmas, ethical failures, and ethical successes are included.

Element and Attribute: Monitored — processes are in place to monitor the organization’s compliance
with principles of sound integrity and ethical values.
Control Design Methods:
• All new employees are required to sign the code of ethics and business conduct indicating that
they have read and understand these codes.
• All existing employees are required to sign an annual contract acknowledging that they have read
the most recent versions of the code of ethics and business conduct and that they understand and are
in compliance with these codes.
• HR or hiring department management monitor whether new and existing employees have completed the
required training on the codes of ethics and business conduct.
• The organization has established a hotline — a reporting mechanism that permits anonymity, and
preferably staffed by an internal group with a direct reporting relationship to the board or by an
outside vendor — for receiving reports of suspected violations of the organization’s codes of ethics
and business conduct and publicizes the existence of the hotline.
Control Testing Considerations:
• Review the signed employee representation that they have read and understood the codes of ethics
and business conduct and, for existing employees, their certification that they have not violated the
codes during the past year and are aware of no other such violations (or, if they are aware of such
violations, they have communicated these violations via the hotline).
• Review organization training courses, including the process for ensuring that all employees attend
these courses, on the codes of ethics and business conduct.
• Review the existence of the hotline — including the organizational unit responsible for managing
and overseeing the hotline. Examine the organization’s efforts to publicize the hotline. Review a
sample of calls received on the hotline and examine the appropriateness of investigation and
resolution of allegations.

Element and Attribute: Deviations Addressed — deviations from sound integrity and ethical values
are identified timely and are addressed and remediated at appropriate levels within the organization.
Control Design Methods:
• A senior executive, preferably with a direct reporting relationship to the board, is responsible
for oversight of the organization’s ethics and compliance function.
• Allegations of violations of the organization’s codes of ethics and business conduct are
appropriately investigated, and the necessary corrective, disciplinary, and remedial actions happen
timely. This includes hotline reported matters.
Control Testing Considerations:
• Review the organizational unit, and related reporting relationships, responsible for oversight of
ethics and compliance.
• Examine the appropriateness of investigations of allegations of violations of the organization’s
code of ethics and business conduct, including corrective, disciplinary, and remedial actions taken.
• Review the organization’s investigation policies and practices to ensure that appropriately
qualified personnel are performing the investigations. Evaluate the qualifications of the
investigators and ascertain that there is good segregation of duties between investigations,
operating management, and the discipline decision-makers.

Source: The IIA, IPPF − Practice Guide: Auditing the Control Environment, April 2011.
Other Considerations
The effectiveness of Internal Audit depends on several factors, including:
Support from the Board, the Audit Committee, and Senior Management
Without support from the board, the audit committee, and executives, it can be very difficult to carry
out an effective audit of culture. Leadership should provide clear support for Internal Audit and its
activities to convey their importance to the organization. To secure the support, the CAE needs to
communicate the significance of culture audits in light of increased regulatory scrutiny, media
coverage, and stakeholder expectations. Specifically, culture audits can provide valuable
reinforcement in the maintenance of corporate culture by:
1. Providing assurance that consistent behavior and conduct are aligned with organization value.
2. Establishing the root cause of poor behavior that helps organizations address cultural issues.
3. Adding value in the middle of cultural change by giving management a high degree of comfort
that investment is being made wisely.
MIS Training Institute suggests that Internal Audit needs to find common ground when obtaining the
support and sponsorship of the board and/or the chief executive for the audit. That is, there should
be a shared desire to identify culture breakdowns and prevent significant damages to the company
(e.g., financial losses, diminished reputation, regulatory action). The CAE may initiate the discussion
and define expectations through the following actions43:
✓ Have formal and informal discussions around the topic of culture to identify internal sponsors
and potential audit areas (e.g. regions with high violation of culture).
✓ Co-develop the scope and frequency of the culture audit. For example, will culture be audited
at the entity level or embedded into individual audits? Should the culture audit be one annual
audit or one audit occurring periodically every few years?
✓ Identify an executive sponsor and key influencers to support the effort.
✓ Clearly explain the methodology used (e.g., surveys, self-assessments, interviews, facilitated
workshops) to perform the assessment.
✓ Articulate, communicate and agree on evaluation criteria and benchmark rating as the basis
of measuring an organization’s culture.
✓ Develop an organizational communications plan to explain the added audit focus and its
importance.
✓ Once approved by management, share with the audit committee for final consensus.
✓ Formalize the mandate by incorporating it into the audit committee charter.
43 The keys to finding common ground are based on “The Why and How of Auditing Corporate Culture,” MIS Training Institute, accessed on April 8, 2020.
Organizational Independence
“The chief audit executive must report to a level within the organization that allows the internal audit
activity to fulfill its responsibilities. The chief audit executive must confirm to the board, at least
annually, the organizational independence of the internal audit activity.”
International Standards for the Professional Practice of Internal Auditing 1110: Organizational
Independence
Since Internal Audit is uniquely positioned to help management to enhance and protect organization
values and accomplish objectives, it must be structured with organizational independence to provide
unbiased and objective assessments. The more independent the internal auditor is from management,
the more likely his or her work will serve the organization’s needs.
Lesson Note: Impairment to organizational independence and individual objectivity may include, but
is not limited to, personal conflict of interest, scope limitations, restrictions on access to records,
personnel, and properties, and resource limitations, such as funding.
Organizational independence is effectively achieved when the CAE reports functionally to the board
and/or the most senior levels of management. For administrative purposes, in most circumstances,
the CAE should report directly to the chief executive officer of the organization. In addition, internal
auditors should be free from interference from operational management in determining the scope of
auditing, performing work, and communicating results. Finally, to maintain its independence and
objectivity, Internal Audit should not participate directly in the management decision-making
process.
Unrestricted Access
Internal auditors have unlimited access to information, people, and assets as appropriate for the
performance of audit activities. This is clearly stated in the audit charter. The internal audit manual
should clarify in which circumstances this right is valid (e.g. only in the case of the execution of an audit
mission). The manual should also clarify what to do in case this right is being denied by an auditee.
• Concerning unlimited access to information, internal auditors must respect the confidentiality
principle of the code of ethics. Note that access does not necessarily mean that Internal Audit
has the right in all situations (e.g. military) to download or copy (sensitive or classified)
information.
• Concerning unlimited access to people, although internal auditors have the right to interview
employees without formally respecting the hierarchical lines, they should always demonstrate
respect for the organization’s culture.
• Concerning assets, internal auditors need to respect the organization’s procedures to access
assets. For instance, in the case of liquid assets (cash), the organization may require access
only if accompanied by another member of staff.
Skills Development and Training
“Internal auditors must possess the knowledge, skills, and other competencies needed to perform
their individual responsibilities. The internal audit activity collectively must possess or obtain the
knowledge, skills, and other competencies needed to perform its responsibilities.”
International Standards for the Professional Practice of Internal Auditing 1210: Proficiency
[Figure: organization chart with boxes for Audit Committee; Chief Audit Executive; Chief Financial
Officer or Chief Executive Officer; Information Technology Audits; Finance & Operations Audits;
Compliance Audits]
Auditors are expected to maintain a level of competence to meet the profession’s technical and ethical
standards. Auditing corporate culture requires internal auditors to exercise the same good practices
they exercise throughout any audit engagement such as:
• Proficiency: Possessing the necessary knowledge, skills, and other competencies to conduct
the engagement appropriately.
• Due Professional Care: Applying the care and skill expected of a reasonably prudent and
competent auditor.
• Professional Skepticism: Having an attitude that includes a mindset in which auditors assume
neither that management/employee is dishonest nor of unquestioned honesty.
• Objectivity: Maintaining an attitude of impartiality, having intellectual honesty, and being free
of conflicts of interest.
• Integrity: Performing the work with honesty, diligence, and responsibility.
• Confidentiality: Being prudent in the use and protection of information acquired in the course of
their duties.
• Competency: Internal auditors apply the knowledge, skills, and experience needed in the
performance of internal audit services.
Although most internal auditors possess the core skills required to conduct audits of culture, they will
need to develop creative solutions by thinking outside the box as behaviors and attitudes sometimes
can be difficult to interpret. Besides the required knowledge of hard controls, internal auditors need
to step outside their traditional comfort zones and focus on the development of the following skills to
build confidence in order to lead culture audits:
✓ A basic knowledge of behavioral sciences (e.g., organizational psychology, organizational
behavior).
✓ Root cause analysis.
✓ Understanding of cultural differences (employees from different countries).
✓ Advanced interview techniques (e.g. asking open questions).
✓ The performance of surveys (compilation, analysis, statistics).
✓ The ability to interpret non-verbal behavior and know how to deal with it.
Example: Audit Team Knowledge and Skills
Interviewees feel that auditors need specific knowledge and skills for auditing soft controls properly:
• Training time can often be reduced if auditors involved in a soft controls audit have a social
sciences background. During their studies, they have often gained sufficient tools for analyzing
soft controls. Auditors with a different background can also be coached in this aspect, though.
• It is important for auditors to be prepared not to restrict themselves to the paradigm that a
thorough foundation can only be gained on the basis of hard controls. The auditor must be
prepared to explore the reliability of the information gained from other research methods (such
as a survey). If the information this produces is not accepted by the auditee or the management
to serve as a solid foundation, there is no point in the auditor following up the soft controls audit
without first giving further explanation and discussing the information.
• If audit findings are based on soft controls, it is important for the auditor to have a certain maturity.
The ability to continue questioning and persevere is important, as discussions are often held with
senior or higher management.
• It can happen that management disagrees with the findings. There are sometimes even negative
feelings towards the findings. In such cases, it is important for auditors to stand their ground.
Source: The IIA Netherlands, Discussion paper: Soft controls − What are the starting points for the internal
auditor?, June 2015.
Review Questions - Section 4
1. According to the Three Lines of Defense model, Internal Audit is responsible for which of the
following activities?
A. Designing, implementing, monitoring, and reporting the internal controls
B. Setting, communicating, and modeling desired values and conduct
C. Developing procedures to prevent or detect violations of internal policies
D. Assessing the overall culture and identifying areas where the culture is weak
2. Which of the following components of internal control includes an organization’s culture, beliefs,
and values?
A. Monitoring
B. Control environment
C. Risk assessment
D. Control activities
3. Which of the following is an example of soft controls?
A. Change management procedures
B. Ethical climate
C. Segregation of duties
D. Input controls
4. Which of the following procedures help auditors determine whether processes are in place to
monitor an organization’s compliance with principles of sound integrity and ethical values?
A. Review the backgrounds, including education and experience, of board members
B. Inspect job descriptions for key employees including the process for updating job descriptions
C. Review the existence of the hotline and examine the efforts to publicize the hotline
D. Inquire of employees as to their perception of the importance of internal control objectives
5. Which of the following principles ensures that internal auditors perform their work with honesty,
diligence, and responsibility?
A. Competence
B. Integrity
C. Objectivity
D. Confidentiality
6. Instead of blindly accepting what the management provides, the internal auditor has a questioning
mind throughout the audit. This attitude is referred to as:
A. Proficiency
B. Objectivity
C. Professional skepticism
D. Supervision
Review Question Answers
Case 1: Review Questions
Section 1
1. Crazy Eddie salespeople used which of the following sales tactics to lure customers into its stores?
A. Incorrect. Premium pricing is a type of pricing strategy which involves establishing a price
higher than the competitors to achieve a premium positioning (e.g., Mercedes, Land Rover).
However, Crazy Eddie successfully built up customer loyalty by circumventing fair trade laws
and offering deep discounts on popular electronic products.
B. Incorrect. Scarcity marketing is a marketing strategy based on the principle that people want
what is difficult to obtain.
C. Correct. Crazy Eddie salespeople used high-pressure sales tactics, namely bait and switch, a common
deceptive sales practice used in retail sales (e.g., electronic and computer stores, and car
sales).
D. Incorrect. Side agreements indicate that management enters into side agreements with
customers that modify the terms and conditions of the store’s standard sales contracts.
2. To artificially inflate the company’s profit, Sam Antar committed all of the following fraud schemes
EXCEPT:
A. Incorrect. Sam Antar gradually skimmed less money each year, from approximately $3 million
per year in 1980 to nearly zero in 1984. In other words, the company gave the appearance of
rapid growth by reporting sales which had previously been kept off the books.
B. Incorrect. Sam and Eddie planned the three-pronged scheme by inflating the inventories in
the stores, warehouse, and the returns department. For example, the store inventory inflation
scheme was carried out by the store managers who altered the count sheets to falsify the
merchandise quantities.
C. Correct. Companies may falsely boost their financial condition through improper
capitalization of expenses as fixed assets to avoid recognizing the full amount of the expense
in the current period. However, Sam Antar did not particularly use this technique to cook
the books.
D. Incorrect. The change in accounting principle (from received to earned) allowed the Antar
family to create $20 million in phony debit memos to claim fictitious purchase discounts and
trade allowances that reduced the amount of accounts payable.
3. Which of the following techniques is often used for tax evasion?
A. Incorrect. Check tampering is committed by a person who steals his or her employer’s funds
by forging or altering a check on the entity’s bank accounts.
B. Correct. Skimming is a popular scheme for tax evasion. It means that a business intentionally
fails to record a transaction and pockets the cash without reporting the profit.
C. Incorrect. Procurement fraud is when a company uses bribes to win a contract even when it
did not submit the lowest or best bid.
D. Incorrect. A billing scheme is committed by a person who causes his or her employer to issue a
payment by creating and submitting invoices for fictitious goods or services, inflated invoices,
or invoices for personal purchases.
4. What is the process of disguising illegally obtained money through elaborate financial
transactions often involving foreign banks and legitimate businesses?
A. Incorrect. False claims usually pertain to Social Security, defense contractors, healthcare
company fraud, or other instances in which a company or individual attempts to be paid by
the government for an invalid reason.
B. Incorrect. Business email compromise (BEC) is a sophisticated scam targeting businesses
working with foreign suppliers and/or businesses that regularly perform wire transfer
payments. BEC involves taking over an email account or spoofing an email address in order to
initiate theft via unauthorized ACH or wire transfers.
C. Correct. Money laundering is the process of disguising illegally obtained money through
elaborate financial transactions often involving foreign banks and legitimate businesses.
D. Incorrect. Examples of contractor fraud include billing the government for incomplete work,
inflating the cost of labor or supplies, and issuing kickbacks.
5. What are the stages of money laundering?
A. Correct. Money laundering is the process of disguising illegally obtained money through
elaborate financial transactions. There are three stages involved in money laundering:
placement, layering, and integration. The placement stage is the initial entry of the "dirty"
cash into the financial system. The second stage involves layering that conceals the source
of the money through a series of transactions and accounting tricks (creating confusion). The
third stage (final step) of money laundering is integration. It refers to re-introducing the
funds into the legitimate economy such as the banking system so that the funds appear to
be normal business earnings.
B. Incorrect. Before the illegitimate funds are integrated into the financial system, the fraudster
must place (placement) them into the legitimate financial system.
C. Incorrect. Before the money is moved around to create confusion (layering), the fraudster
must place (placement) it into the legitimate financial system.
D. Incorrect. The final step of the money laundering process is termed the integration stage
where the money is returned to the fraudster from what seem to be legitimate sources.
Section 2
1. Which of the following trends appears unusual and requires the auditor’s attention?
A. Incorrect. When a company sells its merchandise, it generates sales. The merchandise must
be manufactured, purchased, or both. Thus, there is always a cost associated with each sale.
If sales decrease, the cost of goods sold usually decreases proportionally.
B. Correct. To meet demand, a company usually ties its inventory to anticipated future sales
by keeping an adequate supply of inventory. Thus, inventory generally reflects a growth in
sales. If sales increase, inventory should increase proportionally. Inventory that grows at a
faster pace than sales might indicate fraud (e.g. overstated inventory).
C. Incorrect. A company usually ships the merchandise to the customer before the customer pays
resulting in accounts receivable. Thus, if sales increase, accounts receivable should increase at
approximately the same rate.
D. Incorrect. Inventory turnover is a measure of the number of times a company sells its
average level of inventory during the year. A higher inventory turnover ratio is generally
considered more favorable. As a company’s sales increase, one expects that inventories would
be turning over faster.
2. Which of the following ratios helps an auditor establish the relationship between the volume of
goods sold and inventory?
A. Incorrect. The quick ratio measures a company’s ability to meet its short-term obligations with
its most liquid assets. The ratio places greater emphasis on receivables than on inventory,
since the inventory may not be readily convertible into cash. The ratio is computed as (Current
Assets − Inventory) ÷ Current Liabilities.
B. Incorrect. The total asset turnover ratio is helpful in evaluating a company’s ability to use its
asset base efficiently to generate revenue. The ratio is computed as Net Sales ÷ Average Total
Assets.
C. Incorrect. The current ratio is a valuable indicator of a company’s ability to meet its current
obligations as they become due. The ratio is computed as Current Assets ÷ Current Liabilities.
D. Correct. Inventory turnover is a measure of the number of times a company sells its average
level of inventory during the year. The ratio establishes the relationship between the
volume of goods sold and inventory. The ratio is computed as Cost of Goods Sold ÷ Average
Inventory.
3. Which of the following terms measures the quantity of audit evidence?
A. Incorrect. Appropriation is the measure of the quality of evidence that encompasses the
relevance, validity, and reliability of evidence used for addressing the audit objectives and
supporting findings and conclusions.
B. Correct. Sufficiency is the measure of the quantity of evidence used to support the findings
and conclusions related to the audit objectives.
C. Incorrect. Significance is the relative importance of a matter within the context in which it is
being considered.
D. Incorrect. The auditors obtain reasonable assurance that the evidence they have gathered
supports the findings and conclusions in relation to the audit objectives.
4. According to Sam, it was easy to inflate store inventories because the auditor did not supervise
enough inventory counts at stores. Which fraud elements best explain his behavior?
A. Incorrect. Concealment is not part of the fraud triangle. Concealment means hiding the fraud.
Examples of concealment include creating false journal entries, falsifying invoices, or
destroying files.
B. Correct. Opportunity is the ability to commit fraud or to conceal it. Opportunities often
result from circumstances that provide chances to commit financial fraud, such as weak
internal controls over financial reporting, insufficient auditing, and an unstable
organizational structure. The inadequate audit procedure provided an opportunity to carry
out the inventory fraud over the years.
C. Incorrect. Rationalization is the ability for a person to justify a fraud which involves a person
reconciling his/her behavior, such as stealing, with some common excuses.
D. Incorrect. Pressure indicates a need that an individual attempts to satisfy by committing fraud,
such as a high degree of competition, operating losses, and significant declines in demand.
None of these factors are identified in this case.
5. Which of the following management assertions indicates that inventories are included in the
financial statements at appropriate amounts?
A. Incorrect. The auditors use the Rights & Obligations assertion to determine if the entity holds or controls
the rights to inventories.
B. Incorrect. The auditors apply the Completeness assertion to determine if all transactions and events that
should have been recorded were correctly recorded.
C. Incorrect. The auditors use the Existence assertion to determine if recorded inventories exist.
D. Correct. The auditors apply the Valuation & Allocation assertion to determine if inventories are
included in the financial statements at appropriate amounts.
6. An auditor reviews the supporting documentation to validate the recorded payable amounts in
support of which of the following assertions?
A. Incorrect. To determine if accounts payable represent liabilities for which the entity has legal
obligations (Rights & Obligations), the auditors usually review documents that create financial
responsibilities for the company such as contracts and vendor invoices.
B. Incorrect. To determine if accounts payable that should be included in the financial statements
are reported (Completeness), the auditors perform certain procedures such as scanning cash
disbursements subsequent to the balance sheet date to search for unrecorded accounts
payable.
C. Correct. To determine if accounts payable reported on the balance sheet exist at that date
(Existence), the auditors usually examine supporting documentation for recorded payables.
D. Incorrect. To determine if accounts payable are included in the financial statements at
appropriate amounts (Valuation & Allocation), the auditors often assess the reasonableness
of amounts payable and budget totals at year-end in relation to expenditure totals.
7. The objective of performing analytical procedures in planning an audit is to identify the existence
of which of the following scenarios?
A. Correct. The objective of analytical procedures is to identify such things as the existence of
unusual transactions and events, and amounts, ratios, and trends that might indicate
matters that have financial statements and audit planning ramifications.
B. Incorrect. The objective of performing analytical procedures to plan the audit is to identify
areas of specific risk, not specific illegal acts.
C. Incorrect. Although the auditor should evaluate disclosures about related party transactions,
analytical procedures performed to plan the audit do not necessarily detect such transactions.
D. Incorrect. Tests of controls are necessary to determine whether transactions were properly
authorized.
Case 2: Review Questions
Section 1
1. Which of the following is NOT a primary function of the Federal Reserve?
A. Incorrect. To promote the health of the U.S. economy and the stability of the U.S. financial
system, the Federal Reserve performs five key functions in the public interest. One of the key
functions is to conduct the nation’s monetary policy to promote maximum employment,
stable prices, and moderate long-term interest rates in the U.S. economy.
B. Incorrect. Another key function performed by the Federal Reserve is to promote the stability
of the financial system and seek to minimize and contain systemic risks through active
monitoring and engagement in the U.S. and abroad.
C. Incorrect. The Federal Reserve also fosters payment and settlement system safety and
efficiency through services to the banking industry and the U.S. government that facilitate
U.S.-dollar transactions and payments.
D. Correct. The SEC is responsible for protecting investors, maintaining fair, orderly, and
efficient markets, and facilitating capital formation. For example, to provide a common pool
of knowledge for all investors to use to judge for themselves whether to buy, sell, or hold a
particular security, the SEC requires public companies to disclose meaningful financial information to the
public.
2. Which of the following situations is under the jurisdiction of the Consumer Financial Protection
Bureau (CFPB)?
A. Correct. The CFPB promotes fairness and transparency for mortgages, credit cards, and other
consumer financial products and services. For instance, the CFPB administers rules that
protect consumers by setting disclosure standards, suitability standards, and banning
abusive and discriminatory practices. The CFPB also ensures that the federal consumer
financial laws are enforced consistently.
B. Incorrect. The Food and Drug Administration (FDA) is responsible for protecting the public
health by ensuring the safety, efficacy, and security of human and veterinary drugs, biological
products, and medical devices, and by ensuring the safety of our nation's food supply,
cosmetics, and products that emit radiation.
C. Incorrect. The SEC was created by the Securities Exchange Act of 1934 to protect investors and
restore investor confidence through enforcing securities laws and regulating the securities
industry. The SEC is concerned primarily with promoting the disclosure of important market-
related information, maintaining fair dealing, and protecting against fraud.
D. Incorrect. The Environmental Protection Agency (EPA) is responsible for protecting human health
and the environment by enforcing a variety of environmental requirements related to
pollution by waste and chemicals. For example, the EPA enforces requirements under the
Resource Conservation and Recovery Act regarding the safe handling, treatment, storage, and
disposal of hazardous wastes.
3. The Securities and Exchange Commission (SEC) performs all of the following tasks EXCEPT:
A. Incorrect. The SEC Division of Trading and Markets establishes and maintains standards for
fair, orderly, and efficient markets. For example, it regulates the major securities market
participants, including broker-dealers, self-regulatory organizations (such as stock exchanges,
FINRA, and clearing agencies), and transfer agents.
B. Incorrect. The SEC Division of Enforcement conducts investigations into possible violations of
the federal securities laws and litigates the SEC's civil enforcement proceedings in the federal
courts and in administrative proceedings.
C. Correct. The phrase generally accepted accounting principles (GAAP) is a set of standards
and rules that are recognized as a general guide to financial reporting. GAAP reflects a
consensus of what the accounting profession considers good accounting practices and
procedures. GAAP was developed jointly by the Financial Accounting Standards Board
(FASB) and the Governmental Accounting Standards Board (GASB).
D. Incorrect. The SEC Division of Corporation Finance ensures that investors are provided with
material information in order to make informed investment decisions, both when a company
initially offers its securities to the public and on an ongoing basis as it continues to give
information to the marketplace.
4. Pacific West, a life insurance company, suggests its customers sign up for car, home, and health
insurance. Pacific West uses which of the following sales techniques?
A. Incorrect. Inside sales refers to a process of selling products or services remotely through
phone, email, or internet. Inside sales is also known as virtual sales and remote sales.
B. Correct. Cross-sell is a critical strategy that involves offering multiple services/products to
existing customers. Pacific West offers its existing life insurance customers different
products (e.g., car insurance, home insurance) to earn more revenue from existing
customers.
C. Incorrect. Bait and switch, a high-pressure sales tactic, is a common deceptive sales practice
used in retail sales. Prospective customers are “baited” by the low bargain price of advertised
products or services into the store. The idea is that since customers are already in the store,
the seller can “switch” the product with a higher-priced item and pressure the customers into
buying it.
D. Incorrect. Up-sell is the practice of encouraging customers to buy a comparable higher-end
product than the current one. Up-selling increases the value of purchases of the same product
or service to a customer. Pacific West might up-sell a customer from a small life insurance
value to a higher life insurance value.
5. Tom works for a local bank. To meet his sales goals and incentives, he intentionally held off on
opening accounts in December until January. Which unsound sales practices was he committing?
A. Correct. Delaying the opening of requested accounts and other products to the next sales
reporting period is known as sandbagging.
B. Incorrect. Enrolling customers in online banking and online bill-pay without their consent is
known as pinning.
C. Incorrect. Misrepresenting to customers that certain products are available only in packages
with other products is known as bundling.
D. Incorrect. Transferring customer funds between accounts without customer consent is known
as simulated funding.
Section 2
1. By engaging in unsound banking practices (e.g., sandbagging, pinning), Wells Fargo violated which of
the following regulations?
A. Incorrect. Congress passed the Expedited Funds Availability Act of 1987, which granted the
Federal Reserve Board the authority to make improvements in the check collection and return
system in the U.S. The Federal Reserve issued Regulation CC, which includes several provisions
designed to improve and accelerate the collection and return of checks among deposit-taking
institutions.
B. Incorrect. The Sarbanes-Oxley Act of 2002 sets enhanced standards for all U.S. public company
boards, management, and public accounting firms. For example, the Act defines stringent
procedures regarding the accuracy and reliability of corporate disclosures, places restrictions
on auditors providing non-audit services and obliges top executives to verify their accounts
personally.
C. Correct. The Consumer Financial Protection Act of 2010 authorizes the OCC to take any
action to prevent a covered person or service provider from committing or engaging in an
unfair, deceptive, or abusive act or practice under Federal law in connection with any
transaction with a consumer for a consumer financial product or service, or the offering of
a consumer financial product or service.
D. Incorrect. Federal law-enforcement officials discovered that a number of large American
corporations were illegally paying bribes to foreign officials to facilitate their conduct of
business overseas. To prevent a recurrence of such illegal activities, they assigned corporate
management with the direct legal responsibility for the maintenance of adequate internal
controls. Congress codified the requirement that public companies have internal controls in
the Foreign Corrupt Practices Act of 1977.
2. To protect investors from dangerous or illegal financial practices or fraud, which of the following
laws requires companies to disclose full and accurate financial and other information to the
public?
A. Correct. The Securities Exchange Act of 1934 contains ongoing disclosure requirements
designed to keep investors informed, on a current basis, of information concerning material
changes in the financial condition or operations of the company. The requirements include
an obligation to file periodic reports on Form 10-K and Form 10-Q.
B. Incorrect. The Investment Advisers Act of 1940 defines the role and responsibilities of an
investment advisor/adviser.
C. Incorrect. The Freedom of Information Act states that anyone, U.S. citizen or not, can request
a copy of any federal agency record. Under the Act, all federal agencies must disclose records
requested in writing.
D. Incorrect. The Private Securities Litigation Reform Act of 1995 stems the filing of frivolous or
unwarranted securities lawsuits by increasing the amount of evidence that plaintiffs are
required to present before filing a securities fraud case with the federal courts.
3. Which of the following regulations encourages depository institutions to meet the credit needs of
low- and moderate-income neighborhoods?
A. Incorrect. The Fair Credit Reporting Act of 1970 promotes the accuracy, fairness, and privacy
of information in the files of consumer reporting agencies.
B. Incorrect. The SAFE Banking Act of 2019 creates protections for depository institutions that
provide financial services to cannabis-related legitimate businesses and service providers for
such businesses.
C. Correct. The Community Reinvestment Act of 1977 requires the federal financial supervisory
agencies (e.g., FDIC, OCC) to assess the institutions' record of helping meet the credit needs
of its entire community, including low- and moderate-income neighborhoods, consistent
with the safe and sound operation of the institution.
D. Incorrect. The Truth-In-Lending Act of 1968 protects consumers by requiring lenders to
disclose the terms of the loan and total costs to the borrowers.
Section 3
1. To meet the unattainable sales targets, Wells Fargo employees engaged in all of the following
schemes EXCEPT:
A. Incorrect. To meet the sales goals, employees engaged in simulated funding by transferring
funds from existing accounts to unauthorized accounts. This widespread practice gave the
employees credit for opening new accounts.
B. Correct. Larceny schemes often occur at the cash register, cash collection point, or from
deposits in transit through altering cash counts, destroying cash register tapes, reversing
transactions, or manipulating sales records.
C. Incorrect. To meet the sales goals and incentives, employees intentionally held off on opening
accounts in December until January, known as sandbagging.
D. Incorrect. Enrolling customers in online banking and online bill-pay without consent is known
as pinning.
2. To address the sales integrity issues, Wells Fargo reformed its incentive compensation plan by
implementing all of the following procedures EXCEPT:
A. Correct. When employees are paid more compensation for some types of transactions than
for others that were or could have been offered to meet consumer needs, they could steer
consumers to transactions not in their best interests. This program may lead to unsound
sales practices.
B. Incorrect. Under the reformed incentive compensation plan, product sales goals were
eliminated for retail bankers who serve customers in bank branches, and call centers are
instead focused on the customer experience.
C. Incorrect. With the elimination of product sales goals, a significantly higher percentage of
team members have the opportunity to consistently earn incentive pay under the reformed
compensation plan.
D. Incorrect. Metrics in the reformed compensation plan take a longer-term view of customer
relationships and incorporate the quality of customer experiences and customer retention.
3. Lack of supervision, no consequences for fraudsters, and insufficient monitoring all describe what
element of the fraud triangle?
A. Incorrect. Pressure (also known as incentive or motivation) is what causes a person to commit
fraud. Pressure can come from almost anywhere, from inside the workplace (e.g. unrealistic
performance goals) to completely unrelated to the person’s employment (e.g. financial
distress, substance abuse, overspending).
B. Incorrect. According to the fraud triangle, the three key elements common to all fraud include
pressure, opportunity, and rationalization.
C. Incorrect. A justification of fraudsters’ crime to make the act acceptable is known as
rationalization. It also refers to behavior, character or ethical values allowing individuals to
justify their reasons for committing fraud.
D. Correct. Failure to establish adequate controls to detect fraudulent activity increases the
opportunities for fraud to occur. In other words, opportunities to commit fraud are more
commonly present in organizations with weak internal controls that provide a low-risk
environment for getting caught. Lack of supervision, no consequences for fraudsters, and
insufficient monitoring are examples of weak internal controls.
4. Identify the element of the fraud triangle in the following example: A&E Inc. did not employ a
proactive monitoring system to detect fraudulent activities.
A. Incorrect. Concealment is not part of the fraud triangle. Concealment means hiding the fraud
act. Examples of concealment include creating false journal entries, falsifying invoices, or
destroying files.
B. Correct. Opportunity often results from circumstances that provide chances to commit
fraud. Thus, opportunities to commit fraud are more commonly present in organizations
with weak internal controls that provide a low-risk environment for getting caught. If the
control environment is weak, the employee has little fear of exposure and the likelihood of
detection. There may be a perceived opportunity to commit fraud. However, if the risk of
getting caught is too high, the employee will likely not exploit the perceived opportunity.
C. Incorrect. Rationalization is the ability for a person to justify a fraud which involves a person
reconciling his/her behavior, such as stealing, with some common excuses.
D. Incorrect. Pressure indicates a need that an individual attempts to satisfy by committing fraud,
such as a high degree of competition, operating losses, and significant declines in demand.
None of these factors are identified in this case.
Section 4
1. According to the Three Lines of Defense model, Internal Audit is responsible for which of the
following activities?
A. Incorrect. Management is accountable to the audit committee for designing, implementing,
monitoring, and reporting the system of internal controls and for providing assurance to the
audit committee that it has done so.
B. Incorrect. Business line management is primarily responsible for setting, delivering, and
modeling desired values and conduct.
C. Incorrect. Management is responsible for ensuring the organization adheres to internal
policies by developing procedures to prevent or detect violations of internal policies.
D. Correct. Internal auditors perform an objective, independent review of culture to provide
assurance that both the first and second lines’ efforts are consistent with the expectations
of the board and senior management.
2. Which of the following components of internal control includes an organization’s culture, beliefs,
and values?
A. Incorrect. Monitoring assesses the quality of internal control over time.
B. Correct. Corporate culture manifests itself in the control environment − how the leaders
articulate, govern, and maintain integrity and ethical values within the organization through
their directives, attitude, and behavior.
C. Incorrect. Risk assessment is the identification and analysis of relevant risks.
D. Incorrect. Control activities are the policies and procedures that help ensure that management
directives are carried out. They include performance reviews, information processing, physical
controls, and segregation of duties.
3. Which of the following is an example of soft controls?
A. Incorrect. Change management procedures, an example of IT general controls, are designed
to ensure that changes meet business requirements and are authorized.
B. Correct. Soft (intangible) controls are factors that influence attitudes, values, and behaviors
of management and employees and their impact on achieving organizational goals.
Examples of soft control include tone at the top, ethical climate, transparency, and
competence.
C. Incorrect. Segregation of duties, an example of hard (tangible) controls, is designed to reduce
the opportunities that allow any person to be in a position both to perpetrate and to conceal
errors or irregularities (fraud).
D. Incorrect. Input controls, an example of IT application controls, check data for accuracy and
completeness when they enter the system.
4. Which of the following procedures help auditors determine whether processes are in place to
monitor an organization’s compliance with principles of sound integrity and ethical values?
A. Incorrect. Reviewing the backgrounds of board members helps auditors determine whether
the board has one or more members who have financial expertise.
B. Incorrect. To determine whether management maintains an organizational structure that
facilitates effective reporting among various functions, auditors usually inspect job
descriptions for key employees including the process for updating job descriptions.
C. Correct. By reviewing the existence of the hotline and examining the efforts to publicize the
hotline, auditors are able to determine whether processes are in place to monitor an
organization’s compliance with principles of sound integrity and ethical values.
D. Incorrect. Asking employees about their perception of the importance of internal control
objectives helps auditors determine whether management’s philosophy and operating style
support achieving effective control.
5. Which of the following principles ensures that internal auditors perform their work with honesty,
diligence, and responsibility?
A. Incorrect. The principle of competence means that internal auditors apply the knowledge,
skills, and experience needed in the performance of internal audit services. For example,
internal auditors should engage only in those services for which they have the necessary
knowledge, skills, and experience.
B. Correct. The integrity of internal auditors establishes trust and thus provides the basis for
reliance on their judgment. Thus, it allows the auditors to perform their work with honesty,
diligence, and responsibility.
C. Incorrect. Internal auditors exhibit the highest level of professional objectivity in gathering,
evaluating, and communicating information about the activity or process being examined.
D. Incorrect. The principle of confidentiality expects that internal auditors respect the value and
ownership of information they receive and do not disclose information without appropriate
authority unless there is a legal or professional obligation to do so.
6. Instead of blindly accepting what the management provides, the internal auditor has a questioning
mind throughout the audit. This attitude is referred to as:
A. Incorrect. Proficiency means that internal auditors possess the necessary knowledge, skills,
and other competencies to conduct the engagement appropriately.
B. Incorrect. Objectivity requires internal auditors to maintain an attitude of impartiality, having
intellectual honesty, and being free of conflicts of interest.
C. Correct. Professional skepticism, a foundation of the auditing profession, is an attitude that
includes a questioning mind and a critical assessment of audit evidence. For example,
instead of blindly accepting what the client provides, internal auditors should have a
questioning mind throughout the planning and performance of the audit.
D. Incorrect. Audit supervision involves providing sufficient guidance and direction to staff
assigned to the audit to address the audit objectives and follow applicable requirements.
Glossary
Annual report: An audited document issued annually by all publicly listed corporations to their
shareholders in accordance with SEC regulation. Contains information on financial results and overall
performance of the previous fiscal year and comments on future outlook.
Cross-sell: Refers to the act of selling a different product that provides an additional benefit to the
customer.
Civil money penalty: A type of enforcement action that requires monetary payments to penalize a
bank, its directors, or other persons participating in the affairs of the bank for violations, unsafe or
unsound practices, or breaches of fiduciary duty.
Error: Refers to unintentional misstatements or omissions of financial statement amounts or
disclosures—for example, misinterpretation, mistakes, and use of incorrect accounting estimates.
Fraud, on the other hand, refers to intentional acts.
Fraud: In contrast to error, an illegal act (a crime) committed intentionally.
Internal Audit: An audit performed by an employee who examines operational evidence to determine
whether prescribed operating procedures have been followed.
Internal Control: A process effected by an organization’s oversight body, management, and other
personnel that provides reasonable assurance that the objectives of an organization will be achieved.
Inventory turnover: The number of times inventory is sold during the year. It equals the cost of goods
sold divided by the average dollar balance. Average inventory equals the beginning and ending
balances divided by two.
Money laundering: The process of disguising illegally obtained money through elaborate financial
transactions.
Skimming: A scheme in which an incoming payment is stolen from an organization before it is recorded
on the organization’s books and records.
Up-sell: Refers to the practice of encouraging customers to buy a comparable higher-end product than
the current one.