Wells Fargo Cease and Desist
The January OCC enforcement actions named two Wells Fargo audit executives for failing to plan and manage audit activity to detect sales practices misconduct. The Chief Audit Executive and the Executive Audit Director were fined $7 million and $1.5 million, respectively. It’s not every day we see third-line professionals receive cease-and-desist orders and large fines.
The OCC identified a variety of audit failure points that were interesting to read. The highlighted deficiency points included scrutiny of the bank’s risk-based audit plan when comparing IIA standards to OCC standards, failure to live up to the audit charter, audit plan risk assessments, continuous business monitoring, and scoping of audits.
One way auditors stay up to date on assigned business lines/auditable entities is through continuous business monitoring, risk committee presentations, and external event monitoring. These touchpoints across the organization are meant to inform and direct the risks and sufficiency of controls associated with auditable entities. In this case, Wells Fargo failed to make updates to the audit plan to account for increased sales practice misconduct that the auditors were made aware of through corporate investigations, risk committee metrics, communication from senior leaders, and MRAs highlighting misconduct. These should all lead to a review of the risk rating and control effectiveness regarding sales practices. The addition of a sales practices audit to the plan would have been a logical action to take. The failure to identify the increased risk and failing controls resulted in an audit not being added to the plan to identify the deficiencies.
The report also highlights potential audits in which the deficiencies could have been found. A variety of reports were listed but none of them covered the key processes that were deficient. When scoping an audit it is critical to identify all business processes that are available for coverage. There should be sound logic listed for why a process is included or excluded from the scope of an audit. An audit coverage strategy should be considered when deciding to include or exclude processes. This ensures that sales practices are being covered across all auditable entities. Control testing is critical to ensure these processes are being performed appropriately.
Sales practice misconduct should have been considered one of the bank’s highest risks. Failure to incorporate risk committee material, continuous monitoring, and external monitoring led to an inappropriate risk rating. Failure to cover the bank’s highest risks resulted in the bank failing to develop an audit plan based on those risks. This in turn led the bank to not live up to the audit charter. Food for thought when looking at your audit plans this year. It is good to stay on top of regulators.
OCC Imposes Civil Money Penalties Against Three Former Executives of Wells Fargo | OCC