We have all witnessed in the last two months the shocking failures of First Republic, Silicon Valley and Signature banks, the second, third, and fourth largest bank failures in our country’s history.
One of the primary causes of these failures was poor management, risk and internal controls, with the media focusing on mismanagement and breakdowns in Federal Reserve and FCIC regulatory oversight.
However, the Sarbanes Oxley Act (SOX), passed in 2002 after the failures of Enron and Worldcom, specifically addressed internal controls and oversight responsibilities for all publicly-traded companies, including banks. SOX mandates that management must establish and maintain “effective” internal controls and must publish a separate “Internal Controls Report” certifying the effectiveness of its internal controls and certifying that there is no fraud.
And SOX specifically requires the company’s external auditors to issue a separate audit opinion on the company’s internal controls and its annual Internal Controls Report.
Knowing this, it is especially concerning that The Financial Times recently noted the fact that First Republic, Silicon Valley, and Signature banks all had the same external auditor who gave the banks clean audit opinions weeks before their failures – KPMG.
As an accounting professor, I regularly taught the importance of SOX and maintaining effective internal controls, as well as the legal requirement that external auditors must issue a separate audit opinion on the company’s internal controls.
I also have personal experience with banking. I was a business chief underwriter with Citigroup in 2006 and 2007 which, at the time, was the largest bank in the world. I had underwriting responsibility for over $90 billion annually of residential mortgage loans purchased from other banks and mortgage companies which were sold to Fannie Mae, Freddie Mac, or mortgage securitizations. When the mortgages were sold, Citigroup would give its representations to the purchasers that the mortgages sold met Citigroup’s underwriting requirements. However, I issued management warnings, beginning in 2006 through 2007, that up to 80% of the mortgages sold did not meet the underwriting requirements … and Citigroup continued to provide fraudulent representations to the purchasers of those mortgages that the mortgages met the underwriting guidelines.
Knowing that Citigroup executive management must provide SOX certifications on their internal controls, on November 3, 2007, I specifically warned the Citigroup Chief Auditor, Chief Risk Officer, Chief Financial Officer, and Robert Rubin (who was named Chairman of the Board of Directors the next day) that there were “breakdowns in internal controls.”
All my warnings were ignored and the 2007 SOX certifications on internal controls were signed by management, with the external auditor then providing a clean audit opinion on the internal controls, and I was subsequently placed on administrative leave.
It has been speculated that the only reason Citigroup did not fail was that it had been given clean audit opinions and was bailed out by the U.S. government in late 2008 and 2009 in the most expensive bailout in our country’s history … $400 billion in capital and toxic asset and liability guarantees and another $2.5 trillion in secret cumulative loans by the Federal Reserve, with the U.S government ultimately taking ownership in 2009 of 36% of the world’s largest bank.
And the external auditor who gave Citigroup’s clean audit opinions … was KPMG.
I testified for two days before the Enforcement Division of the Securities and Exchange Commission in July of 2008, giving them over 1,000 pages of documents showing the widespread fraud and internal controls breakdowns existing at Citigroup. The SEC enforcement officials were very enthusiastic about my testimony, but the SEC then buried my testimony before the Citigroup bailouts began in October of 2008, and still refuses to release any of the documents I gave to them despite many requests under the Freedom of Information Act.
I also gave nationally televised testimony before the Financial Crisis Inquiry Commission in 2010, where I was forced to remove parts of my written testimony relating to the fraudulent representations given to purchasers of the mortgages sold and the fraudulent management SOX certifications of internal controls.
The CBS show 60 Minutes highlighted the importance of SOX and the certification of internal controls, questioning Citigroup’s management SOX certifications in their November 4, 2011 broadcast of my story, with the story being subsequently re-broadcasted eight times.
While I had no direct interface with KPMG, and their auditors must independently test and get comfortable with the accounting and reporting given to them by management, that’s three bank failures and one near failure in the financial crisis that internal and external auditors held out as viable, even healthy businesses. If we aren’t going to abide by SOX, why keep it on the books at all? A law on paper that we don’t observe in practice provides nothing more than decorative penmanship.