Wells Fargo & Company is a diversified financial services company providing banking, insurance, investments, mortgage and consumer finance to customers through 6,000 stores, the Internet and other distribution channels across North America and internationally. Headquartered in San Francisco, Wells Fargo has $482 billion in assets and 158,000 team members across more than 80 businesses. The bank is one of the top 40 largest private employers in the United States.
Kevin McCabe has been executive vice president and chief auditor at Wells Fargo since January 2003. McCabe worked for a Big Eight accounting firm for six years and obtained his CPA, then moved to Bankers Trust Company where he became proficient in money center banking, especially auditing trading floors. He spent 15 years in Asia and Europe, and credits that time overseas with teaching him how to operate a team away from headquarters – an important ability for the leader of an audit team. “When you are 12 time zones away, you have to make decisions and defend them on your own,” he says.
Wells Fargo’s main business lines are regional banking, which includes stores, ATMs and cards; home mortgages; a finance company; and wholesale banking. While the bank has offices in Canada and the Caribbean, and small offices in Asia and Europe, approximately 98 percent of Wells Fargo’s business is in the United States.
The Wells Fargo Audit and Security (WFAS) group comprises an audit services team of 300 full-time employees and a corporate security team of 300 professionals. The reporting line in audit services is a formal, documented, four-page process that has been approved by the audit committee: McCabe’s functional line is to the audit committee – including approval of the audit plan and budget, as well as his performance appraisal and compensation – while his administrative line is to the CEO and chairman. “Both are important,” he says. “Without the CEO line, it would be easy to be excluded from key meetings or distribution lists, and without the audit committee it would be harder to be independent.”
The Rotational & Training program
To build and maintain an effective internal audit function, WFAS embarks on an active college recruiting effort, hiring graduates from top schools. These candidates enter the team’s Rotational & Training (R&T) program, an initiative that WFAS has expanded over the past four years from five hires a year to an intended 20 in 2007. “We want our R&T program to be first-rate and we want to reach a point where all our new hires can take and pass the CIA within one year of hire,” says McCabe. “We will be designing our Year Two objectives this year, and have hired a full-time learning and development manager to head the R&T program to help ensure its success.”
At the more senior levels, Wells Fargo hires candidates either through an employee referral program that rewards existing staff for referrals, or through a Web post that announces jobs both internally and externally. “As a result, we have hired more than 50 team members the last two years at a recruitment cost of less than $3,000 per employee,” McCabe says. “We have promoted almost all of the team’s managers and above from within the group the last four years.”
Vision and values
During the past two years, McCabe has devoted a significant amount of time and energy to his team’s vision and values, which are modeled after Wells Fargo’s. “After making many significant improvements to our policies and processes, we are able to rate ourselves ‘good’ against The IIA, SAS 65, and OCC standards,” McCabe says. “We now need to find a way toward ‘great’ and we have decided the way to jump up performance is to have everyone on the same page as to what really are the most important objectives. Then, we need to make sure that all our initiatives and our communications tie into these objectives.”
To accomplish this, the five strategic objectives WFAS has identified are:
- Risk management as great as our company
- Business partners value and trust us
- One Wells Fargo audit team
- A great place to build a career
- Prudent management of resources
Each strategic objective is assigned a series of performance measurements, as well as a person or team accountable for monitoring and managing its progress. “All of our department communications, projects and compensation are tied into our five strategic objectives,” McCabe says.
He adds, “These objectives define where we want to be and what we need to do over the next several years to make us a great audit department.”
RCSA
Several key audit services initiatives are underway at Wells Fargo and many of them are tied to companywide change. For example, the bank is implementing an Enterprisewide Risk and Control Self-Assessment (RCSA) tool, which every group will populate with risk and control data using the same risk-loss standard language. “This powerful tool will allow Wells Fargo to aggregate the top risks and control weaknesses,” McCabe says. “Once completed and audited, the RCSA will replace our own risk assessment process that we use for planning our audit cycles. It will be easier and better than anything audit could have done. It will also drive our business monitoring program by allowing us to analyze changes each quarter. We will evolve from 300 auditors looking for change to 2,000 to 3,000 business team members updating changes.”
The RCSA will help auditors to examine operational risk, which WFAS defines as financial, operational, technology and compliance risks. RCSA captures the inherent risk using an enterprisewide risk scale and the control rating to derive a residual risk. The information can be rolled up and aggregated for review at each level in the bank, including the board of directors. WFAS will be able to focus its work on the highest residual risks and monitor negative changes quarterly, determining if additional coverage is warranted.
“This enterprisewide initiative is pushing management to conduct more self-assessment,” McCabe says. “It is also moving us to a five-tier rating, rather than our current three-tier rating, which gives us more subtlety in our risk descriptions.”
Performance measurement
Annual performance measurement for WFAS takes into account three key metrics:
- 95 percent of the adjusted audit plan must be completed by December 31
- Less than 10 percent of audits are started out of cycle versus audit cycling guidelines (i.e., the audit cycle for high-risk audits is every 12 months; for low-risk audits it is every 36 months)
- Internal quality assurance scores must average 80 percent or higher
“In addition, we target maintaining or improving our satisfactory rating from regulators and we measure the time we spend on our audit work; for example, our fieldwork should take less than 75 days, and reports should be issued in less than 30 days,” McCabe says. “These metrics are reported to the audit committee, but they are not on the same level of importance as the three key metrics in the first group.”
To gather further feedback on performance and expectations, WFAS annually surveys the audit committee members, management committee members, and a sample of line managers, using the Corporate Executive Board – Calibrating Stakeholder Expectations (CASE) survey tool, the results of which are typically positive, but do identify areas that need work.
This type of direct feedback from and involvement with management is important to McCabe. “WFAS is included on every important committee in Wells Fargo,” he says. “We attend non-executive sessions of the board of directors, as well as the audit, finance and credit committees. We are on the management committee, the Sarbanes-Oxley disclosure committee, the Basel II steering committee and the various compliance committees. Communication at these meetings is honest and frequent.”
Corporate governance
Wells Fargo has reviewed, modified or confirmed almost every facet of corporate governance in the bank for the past four years, including the audit committee charter and the reports received by that committee. “In addition, Wells Fargo has helped create a new enterprise risk management (ERM) committee and has significantly increased and improved the corporate compliance policy wording and monitoring techniques. The list is very long,” McCabe says.
Yet, historically, the role WFAS has played in Sarbanes-Oxley work has been light. The bank’s controller runs the process by establishing the scope and setting control documents, standards for testing, and quality assurance results, then drives the process through the business-line controllers. WFAS tests the quality of documentation and results during the normal audit cycle as it audits the business. “Our testing is not geared toward completing any specific sample each year or completing our work in Q4 so that our external auditors can rely upon our findings,” McCabe says. “This might change if the SEC and PCAOB change the rules about the ability of the external auditors to rely upon the work of others.”
According to McCabe, the biggest change his team has faced is in assuming the responsibility to provide all independent testing for compliance efforts in general, and specifically, with regard to the Anti-Money Laundering/Bank Secrecy Act (AML/BSA). “We used to devote five percent of our resources to compliance testing,” he says. “We increased our head count in this area and it now takes up to 15 percent of our FTE.”
Vision for the future
McCabe’s vision for audit services is to become a team that fully leverages all risk management functions to support a strong monitoring process of key risks that emerge between audits, as well as implement effective planning of audit scopes. “Each business line employs some sort of risk management group to perform a variety of functions,” he says. “We have an unprecedented opportunity to work with these groups to improve their scope and processes. We want to increase our team’s use of these groups as they become more consistent.”
McCabe points to four pivotal events that have helped WFAS form this vision:
- Dramatic increase in business line self-testing and reporting (driven in part by the Sarbanes-Oxley Act, especially Section 404)
- Increased regulatory focus (including Basel II), and attention on enterprisewide risk management practices and tools (namely RCSA)
- Improved corporate governance processes for all major business lines and at the board level, and the consolidation of risk managers within the four large business groups: Community Banking, Home Mortgage and Consumer Finance, Wholesale Banking, and the Technology Information Group
- Increased pressure for more consistency in scope, process and reporting from each risk management group
“In banking, I think the big changes will stem from moving out of the top of the credit cycle,” he says. “Regulators have been focused on rules such as the AML/BSA and reputation risk management. With the changing interest rate environment, we will get back to the basic worries about financial strength. We have been increasing our coordination with credit audit for some time, and we will continue to increase our testing of underwriting, exceptions and collections to stay ahead of problems. I have no doubt there will be many new rules coming out as a result of the bad underwriting practices by some companies at the top of the credit cycle.”