Webster Financial finds weaknesses in control over 2022 financial reporting

Stamford, Conn.-based Webster Financial Corp. identified material weaknesses in its internal control over financial reporting as of year-end 2022, related to its acquisition of Sterling Bancorp.

An assessment conducted by the company's management found that Webster did not have effective general IT controls related to Sterling, which Webster acquired in January 2022. Based on the evaluation, Webster President and CEO John Ciulla and CFO Glenn MacInnes concluded that the company's disclosure controls and procedures were not effective as of Dec. 31, 2022.

Webster's independent registered public accounting firm, KPMG LLP, also issued an adverse opinion on the effectiveness of the company's internal control over financial reporting as of Dec. 31, 2022.

After finding the weaknesses, Webster completed procedures leading Ciulla and MacInnes to certify that the financial statements in the company's 2022 annual report "fairly present in all material respects the financial condition, results of operations, and cash flows," the company said in its Form 10-K filing for 2022. The material weaknesses did not lead to any identified misstatements in the financial statements in the company's annual report or in previously released financial results.

Webster said in the filing that it intends to implement measures that will make sure the control deficiencies are remediated.

The remediation is expected to be complete before the end of 2023, but the weaknesses will not be considered remediated until the applicable controls operate for a sufficient period of time. Also, management needs to conclude, by testing, that the controls are operating effectively.

Specifically, the assessment found that Webster did not design and implement appropriate logical access controls, including deprovisioning, privileged access and user access reviews, related to Sterling.

The deficiencies were caused by "ineffective risk assessment associated with the IT environment and individuals with insufficient knowledge and training associated with designing and implementing the controls," the company said in the filing. As a result, process-level automated controls and manual controls that depend on the information from the affected IT systems are considered ineffective.

The remediation efforts "will place a burden on management and result in additional technology and other expenses," the company said in the filing.