Key Takeaways

  • Since January 2022, BaFin conducts all financial reporting examinations as a single-stage process after the FISG abolished the private-sector FREP. BaFin examines whether listed companies' financial statements comply with accounting rules but does not inspect audit firms directly.
  • APAS (the Auditor Oversight Body within BAFA) directly oversees auditors and audit firms that perform statutory audits of public interest entities (PIEs), including routine inspections, enforcement investigations, and sanctions with fines up to €500,000.
  • The WPK (Wirtschaftsprüferkammer) handles quality assurance reviews for non-PIE auditors on a typical six-year cycle, but APAS retains ultimate supervisory authority over the WPK's activities.
  • The FISG restricted auditor tenure for PIE engagements to a strict ten-year maximum, removing any national extension option that previously existed.
  • The Wirecard sanctions illustrate APAS's enforcement posture: EY received a two-year ban on newly contracted PIE audits and a €500,000 fine, with individual auditor fines between €23,000 and €300,000.

Who oversees what: BaFin, APAS, and the WPK

German audit oversight runs through three distinct bodies, each with a different remit. Confusing them is easy. Getting the wrong one is a problem when you're trying to understand who will actually show up to review your files.

BaFin (Bundesanstalt für Finanzdienstleistungsaufsicht) is the federal financial supervisory authority. Its role in audit is narrow but significant: BaFin enforces financial reporting standards for companies whose securities trade on an organised market in Germany. This means BaFin examines whether the company's financial statements comply with accounting rules. BaFin does not inspect audit firms or review audit working papers directly. That distinction matters.

APAS (Abschlussprüferaufsichtsstelle, the Auditor Oversight Body) sits within BAFA (the Federal Office for Economic Affairs and Export Control). APAS directly oversees auditors and audit firms that perform statutory audits of public interest entities (PIEs). Under the amended WPO, APAS's responsibilities include:

  • Routine inspections of PIE audit firms
  • Enforcement investigations and sanctions for PIE audit failures
  • Mandatory review of professional rules issued by the WPK
  • Market monitoring under Article 27 of EU Regulation 537/2014

APAS is a member of both IFIAR and CEAOB.

WPK (Wirtschaftsprüferkammer, the Chamber of Public Accountants) handles everything else. The WPK licenses Wirtschaftsprüfer, sets ethical requirements through its Professional Charter, conducts quality assurance reviews for non-PIE auditors, and runs the investigation and discipline system for non-PIE audit failures. All of this happens under APAS oversight: APAS has ultimate supervisory authority over the WPK's activities.

Which body inspects your firm?

If your firm audits a listed company, a credit institution, or an insurance undertaking (i.e., a PIE), APAS will inspect you directly. If your firm audits only non-PIE entities (the vast majority of German Wirtschaftsprüfer), the WPK conducts your quality review, but APAS retains supervisory authority over that process.

What changed under the FISG

The Finanzmarktintegritätsstärkungsgesetz (FISG) came into force on 1 July 2021, with full operational effect from 1 January 2022. It was Germany's direct legislative response to the Wirecard fraud.

The old two-stage system

Before the FISG, financial reporting enforcement operated through a two-stage system. The Deutsche Prüfstelle für Rechnungslegung (FREP, the German Financial Reporting Enforcement Panel) was a private-sector body that conducted the initial examination. Only if the FREP identified problems, or if the company refused to cooperate, did BaFin step in at stage two.

This structure failed visibly in the Wirecard case. The FREP lacked investigative powers, could not compel third-party evidence, and had no authority to conduct forensic examinations. BaFin, constrained to the second stage, arrived too late.

The new single-stage model

The FISG abolished the FREP entirely. From 1 January 2022, BaFin conducts all financial reporting examinations (both random sampling and ad hoc) as a single-stage process. BaFin now has the authority to:

  • Demand information from third parties
  • Conduct on-site forensic investigations
  • Publish examination results earlier than was previously possible

A dedicated directorate for financial reporting enforcement was established within BaFin's Securities Supervision division in September 2021, staffed partly by former FREP employees.

Expanded APAS enforcement powers

For audit firms, the FISG also expanded APAS's enforcement toolkit. APAS can now impose:

  • Reprimands with fines up to €500,000
  • Temporary bans on certain activities or on practice itself
  • In extreme cases, disqualification from the profession

The Wirecard sanctions illustrate the scale: APAS's Enforcement Panel concluded in March 2023 that EY had breached professional duties across the 2016 to 2018 Wirecard audits, imposing individual fines between €23,000 and €300,000 on five auditors and a €500,000 fine on the firm, plus a two-year ban on newly contracted PIE audits.

Separately, the FISG restricted auditor tenure for PIE engagements to a strict ten-year maximum, aligning Germany with the EU Audit Regulation but removing any national extension option that had previously existed.

How APAS inspections work for PIE auditors

APAS conducts routine inspections of all audit firms that perform PIE statutory audits. The inspection programme covers both firm-level quality management (now ISQM 1 as transposed via the IDW QM Standards, applicable for periods beginning on or after 15 December 2023) and engagement-level audit quality on selected PIE files.

An APAS inspection evaluates:

  • Your firm's quality management system
  • The content of your latest published annual transparency report
  • Individual PIE audit files selected for detailed review

Inspectors assess whether the audit was conducted in compliance with ISAs as adopted in Germany (ISA-DE), the WPO, the WPK's Professional Charter, and applicable EU regulations.

Evidence that triggers non-routine enforcement proceedings can come from inspectors' own findings, communications from BaFin's financial reporting enforcement directorate, complaints, or publicly available information such as media reporting. The APAS directorate responsible for enforcement determines what action to take on an ad hoc basis.

Transparency gap

Inspection results for individual firms remain confidential under German law. APAS does not publish firm-specific findings in the way that the FRC (UK) or PCAOB (US) do. The PCAOB publishes results of joint inspections of German firms conducted under its cooperative agreement with APAS, but these are the exception. This lack of public transparency has drawn criticism. As a 2021 WHU research paper noted, German audit oversight has historically given the impression of shielding auditors rather than holding them to public account. The FISG was intended to begin changing that posture.

How WPK quality reviews work for non-PIE auditors

Most German Wirtschaftsprüfer audit only non-PIE entities: Mittelstand GmbHs, smaller Aktiengesellschaften, GmbH & Co. KGs, and partnerships that trigger statutory audit requirements under §316 HGB. For these firms, the WPK conducts quality assurance reviews under APAS oversight.

The WPK's QA programme applies to all firms performing statutory audits. The review cycle is typically six years for non-PIE audit firms, though the WPK can shorten this based on risk assessment. Reviews cover the firm's compliance with professional standards, independence requirements, and the quality of selected engagement files.

Since the EU Audit Reform's transposition in June 2016, the WPK has linked unsatisfactory QA review outcomes directly to its investigation and discipline procedures. A failed quality review can now trigger disciplinary proceedings, including reprimand, fine, or referral to professional court proceedings at the Landgericht Berlin.

Sanctions that become final are published on the WPK or APAS website for five years, generally including the name of the sanctioned auditor or firm unless publication would be disproportionate. This publication regime was strengthened by the FISG.

For non-Big 4 firms, the WPK review is the primary regulatory touchpoint. Your firm's ISQM 1 documentation, engagement quality reviews (where applicable under ISA 220-DE as revised), and independence monitoring are the areas most likely to receive attention. The WPK's own annual disciplinary oversight reports (published in German since 2001) provide useful context on the types of findings that most commonly lead to formal proceedings.

Worked example: preparing for a WPK quality review

Client scenario: Richter & Wenzel WP GmbH is a two-partner Wirtschaftsprüfungsgesellschaft in Stuttgart with 14 staff. The firm audits 28 non-PIE statutory engagements annually, primarily medium-sized GmbHs in manufacturing and logistics with revenues between €20M and €80M. The firm's last WPK quality review was in 2020. The next review is scheduled for Q3 2026.

1. Map the current quality management system against ISQM 1 (IDW QM-1)

The firm's existing QS-1 manual was designed under the previous IDW quality standards. ISQM 1 (as transposed into IDW QM Standards) applies to all firms for periods beginning on or after 15 December 2023. Richter & Wenzel must document their quality objectives, identify quality risks, design responses to those risks, and establish a monitoring and remediation process.

Documentation note

The ISQM 1 implementation file should contain the firm's quality objectives mapped to each component (governance, ethics, acceptance, engagement performance, resources, information, monitoring), the identified quality risks per component, and the designed responses. This document will be the first thing the WPK reviewer requests.

2. Review independence monitoring across all 28 engagements

The WPO and WPK Professional Charter require documented independence assessments for every statutory audit engagement. Richter & Wenzel maintains a spreadsheet tracking partner rotation (not required for non-PIE engagements but good practice), fee dependency ratios, and service conflicts. For a two-partner firm where one partner generates 62% of total audit fees, fee dependency on individual clients needs particular attention.

Documentation note

§319 HGB sets the 15% fee dependency threshold (30% for the prior two years combined). Document the calculation for each client as a percentage of total firm revenue. One engagement (Huber Maschinenbau GmbH, €48,000 fee, 11.2% of total firm revenue of €428,000) is within 4 percentage points of the threshold. Flag this in the monitoring file with a specific action plan (e.g., planned fee diversification, documented assessment of whether the engagement can continue).

3. Select two completed engagement files for internal pre-review

Before the WPK reviewer arrives, the partners should select the two most complex completed files (by audit risk, not revenue) and walk through them as though conducting a cold file review. Common WPK findings include:

  • Insufficient documentation of the going concern assessment (ISA 570-DE)
  • Inadequate audit evidence for related party transactions (ISA 550-DE)
  • Missing or generic risk assessments at the assertion level

Documentation note

Record the internal pre-review findings in a memo. If deficiencies are identified, correct them in the working papers on current-year engagements and document the corrective actions taken. This demonstrates a functioning monitoring process under ISQM 1.

4. Verify that the transparency report (if applicable) and WPK filings are current

Richter & Wenzel does not audit PIEs, so the annual transparency report under Article 13 of EU Regulation 537/2014 does not apply. However, the firm must verify that WPK registration details, professional indemnity insurance, and CPD records for both partners and all staff are current.

Documentation note

Maintain a compliance checklist with filing dates. The WPK reviewer will verify these administrative requirements as part of the standard review procedure.

What the WPK reviewer would see in this scenario: a firm that has implemented ISQM 1 in its current form, documented independence with a specific flag on the highest-risk engagement, performed a self-assessment on two complex files, and maintained administrative compliance. The file demonstrates a quality management system that functions, not just one that exists on paper.

Practical checklist for German audit firms

  1. Confirm whether your firm falls under APAS (PIE auditor) or WPK (non-PIE auditor) oversight and verify your next scheduled review date by checking your WPK correspondence or contacting the WPK directly.
  2. Complete ISQM 1 (IDW QM-1) implementation documentation covering all components (governance, ethics, acceptance, engagement performance, resources, information and communication, monitoring and remediation). If your firm still operates under the previous QS-1 regime, the transition is overdue.
  3. Calculate the §319 HGB fee dependency ratio for every statutory audit client as a percentage of total firm revenue. Flag any client above 10% for documented monitoring. Act on any client at or above 15%.
  4. Run an internal cold file review on your two highest-risk completed engagements before the next external review cycle. Document findings and corrective actions in a monitoring memo, not just in the working papers.
  5. Check that all Wirtschaftsprüfer at the firm have current CPD records, that professional indemnity insurance is adequate and filed with the WPK, and that the firm's WPK registration details reflect the current partnership structure.
  6. If your firm audits any PIE engagement, verify compliance with the strict ten-year auditor rotation limit under the FISG. No national extension option exists post-FISG.

Common mistakes

Firms that previously relied on the two-stage FREP/BaFin enforcement model sometimes assume BaFin will not examine a listed client's financial statements proactively. Since January 2022, BaFin conducts random sampling examinations on its own initiative. Audit teams working on PIE engagements should assume BaFin may review the financial statements independently of any complaint or trigger.

Non-PIE firms often treat the WPK quality review as an administrative exercise rather than a substantive file review. The WPK's expanded I&D procedures (strengthened since the EU Audit Reform's transposition in June 2016) now directly link unsatisfactory QA results to disciplinary proceedings. A quality review finding is no longer a suggestion to improve; it is a potential first step in a formal sanctions process.

Frequently asked questions

What is the difference between BaFin and APAS in German audit oversight?

BaFin enforces financial reporting standards for companies whose securities trade on an organised market in Germany. It examines whether the company's financial statements comply with accounting rules but does not inspect audit firms. APAS (the Auditor Oversight Body within BAFA) directly oversees auditors and audit firms that perform statutory audits of public interest entities (PIEs), including routine inspections, enforcement investigations, and sanctions.

What changed under the FISG for German audit firms?

The FISG (Finanzmarktintegritätsstärkungsgesetz), effective 1 January 2022, abolished the private-sector FREP and gave BaFin sole responsibility for financial reporting enforcement as a single-stage process. It also expanded APAS's enforcement powers, allowing fines up to €500,000 on individual audit firms, temporary activity bans, and professional disqualification. Auditor tenure for PIE engagements was restricted to a strict ten-year maximum.

How often does APAS inspect PIE audit firms in Germany?

APAS conducts routine inspections of all audit firms that perform PIE statutory audits. The inspection programme covers both firm-level quality management (under ISQM 1 as transposed via IDW QM Standards) and engagement-level audit quality on selected PIE files. Non-routine enforcement proceedings can be triggered by inspectors' findings, BaFin communications, complaints, or publicly available information.

What is the WPK quality review cycle for non-PIE audit firms?

The WPK conducts quality assurance reviews for non-PIE audit firms on a typical six-year cycle, though the WPK can shorten this based on risk assessment. Reviews cover compliance with professional standards, independence requirements, and the quality of selected engagement files. Since the EU Audit Reform transposition in June 2016, unsatisfactory review outcomes are directly linked to disciplinary proceedings.

Further reading and source references

  • Finanzmarktintegritätsstärkungsgesetz (FISG): the primary legislation restructuring German audit oversight, effective 1 July 2021 with full operational effect from 1 January 2022.
  • Wirtschaftsprüferordnung (WPO): the German Public Accountant Act governing auditor licensing, oversight, and the respective roles of APAS and the WPK.
  • EU Regulation 537/2014: the EU Audit Regulation governing PIE audits, including transparency reporting, auditor rotation, and prohibited non-audit services.
  • IDW QM Standards: the German transposition of ISQM 1 and ISQM 2, applicable for periods beginning on or after 15 December 2023.
  • WPK Annual Disciplinary Oversight Reports: published in German since 2001, providing context on common findings that lead to formal proceedings.