Wells Fargo investors have learned a lot about the bank’s worsening issues recently, but they should be watching carefully over the next couple of weeks for possibly more bad news — from the bank’s auditors, KPMG.
KPMG must opine on Wells Fargo’s WFC, +1.32% internal controls by around March 1, and investors might not like the answer: the very real possibility of an adverse opinion from the auditors identifying material weaknesses in the bank’s controls.
On Feb. 2, the Federal Reserve Board released a consent cease-and-desist order that requires the bank to improve its governance and risk-management processes, including strengthening the effectiveness of oversight by its board of directors. The Federal Reserve Board stated that the “firm did not have an effective firm-wide risk management framework in place that covered all key risks.”
That Wells Fargo is in a dark place right now should be a surprise to no one. Recent reporting by The Wall Street Journal, a review of filings with the SEC and other public disclosures have raised significant concerns about material weaknesses in its internal control over financial reporting at the end of 2017.
Read: Fed says Wells Fargo isn’t allowed to grow after wave of scandals
The question now is what will the bank auditors do?
Wells Fargo’s well-documented recent troubles include inappropriate sales practices resulting in the creation of 3.5 million accounts using fictitious or unauthorized customer information; requiring 600,000 customers to purchase auto insurance coverage they didn’t need; and improperly charging fees to mortgage applicants.
Wells Fargo’s cumulative regulatory and internal-control-related issues create a major challenge for its external auditor. KPMG is required to audit and issue an opinion on the effectiveness of the bank’s internal control over financial reporting as of the end of each fiscal year. That opinion is required to be either a thumbs-up (the bank’s controls are operating effectively) or thumbs-down (they’renot adequate). As part of this process, the auditor is required to identify and test what are referred to as “entity-level controls,” which include controls relating to the bank’s control environment, risk-assessment process, monitoring controls as well as policies that address significant business control and risk-management policies.
Wells Fargo has stated that it is in the process of making numerous changes in corporate governance “across our risk management functions and line of business operations” to address its problems, including changes in top executives and its board of directors — all in the context of “still work to be done”. For example, four board members must be replaced in 2018, and the bank’s chief risk officer is in the process of retiring.
For KMPG, Wells Fargo’s continuing problems raise concerns that the bank’s entity-level controls and control environment weren’t operating effectively at Dec. 31, 2017. The bank has begun to remediate control issues, but it appears the remediation isn’t complete. Auditing standards require that control issues must be fixed, with adequate time for the auditor to test the new controls, by year end in order to conclude that internal controls were operating effectively on the date of evaluation.
The bank disclosed in its Sept. 30 Form 10-Q that “Wells Fargo is unable to determine whether the ultimate resolution of either the mortgage related regulatory investigations or the sales practices matters will have a material adverse effect on its consolidated financial condition”.
The red flags are right in front of the auditor. There is at least a reasonable possibility that a material error in the financial statements could occur due to weaknesses in entity-level controls, including risk management functions, which likely remain not fully remediated or tested by year end.
In addition to investors, the Public Company Accounting Oversight Board and other regulators including the SEC (and certain interested U.S. senators) should be watching carefully and, if warranted, require the auditors to defend their ultimate decision.
It would be big news if KPMG were to issue an adverse opinion on Wells Fargo’s internal control over financial reporting at Dec. 31. These bad opinions are rare if a restatement of previous numbers has not already occurred. It is a difficult and complex analysis for an auditor when evaluating a company’s control environment and the reasonable possibility that material errors in the financial statements “could” occur.
Looking in from the outside, it is not possible to know or consider all available information necessary in making this determination. However, there is enough publicly available evidence to conclude that a determination that there do exist material weaknesses in Wells Fargo’s internal controls is a valid potential outcome, requiring the issuance of an adverse opinion by the external auditor. The most recent consent cease-and-desist order likely makes the evidence overwhelming.
Jeff Johanns is a lecturer in the accounting department at the McCombs School of Business at The University of Texas at Austin and previously was a partner and U.S. Assurance Risk Management Leader at PricewaterhouseCoopers LLP. Follow him on Twitter @JohannsAudit.