BaFin Oversight: What German Audit Firms Must Know

Q: What changed under the FISG for German audit firms?

The FISG (Finanzmarktintegritaetsstaerkungsgesetz), effective 1 January 2022, abolished the private-sector FREP and gave BaFin sole responsibility for financial reporting enforcement as a single-stage process. It also expanded APAS's enforcement powers, allowing fines up to 500,000 euros on individual audit firms, temporary activity bans, and professional disqualification. Auditor tenure for PIE engagements was restricted to a strict ten-year maximum.

The Wirecard collapse didn’t just take down a DAX company. It dismantled Germany’s entire audit oversight architecture. Since January 2022, BaFin has held sole responsibility for financial reporting enforcement of listed companies, the private-sector FREP has been abolished, the Auditor Oversight Body (APAS) can now impose fines of up to €500,000 on individual audit firms, and auditor rotation rules for PIE engagements have been tightened to a strict ten-year limit. If your firm audits any entity with securities on an organised market, the regulatory framework governing your work changed at its foundations less than four years ago.

BaFin oversees financial reporting enforcement for publicly traded companies in Germany, while APAS (housed within BAFA) directly inspects audit firms and individual auditors of public interest entities under the Wirtschaftsprüferordnung (WPO) as amended by the FISG, effective 1 January 2022.

APAS sanction on EY (March 2023)

€500,000

Firm-level fine plus a two-year ban on newly contracted PIE audits for the 2016–2018 Wirecard engagements.

Key takeaways

How BaFin’s single-stage enforcement model (post-FISG) differs from the abolished two-stage FREP system and what it means for your audit files
Which oversight body actually inspects your firm (APAS for PIE auditors, WPK for non-PIE auditors) and what triggers an inspection
How to prepare your quality management system for an APAS or WPK review, with a worked example of a mid-sized German firm
What the Wirecard-era sanctions (including EY’s two-year PIE audit ban and €500,000 fine) signal about APAS’s current enforcement posture

Who oversees what: BaFin, APAS, and the WPK

German audit oversight runs through three distinct bodies, each with a different remit. Confusing them is easy. Getting the wrong one is a problem when you’re trying to understand who will actually show up to review your files.

BaFin (Bundesanstalt für Finanzdienstleistungsaufsicht) is the federal financial supervisory authority. Its role in audit is narrow but significant: BaFin enforces financial reporting standards for companies whose securities trade on an organised market in Germany. This means BaFin examines whether the company’s financial statements comply with accounting rules. BaFin does not inspect audit firms or review audit working papers directly. That distinction matters.

APAS (Abschlussprüferaufsichtsstelle, the Auditor Oversight Body) sits within BAFA (the Federal Office for Economic Affairs and Export Control). APAS directly oversees auditors and audit firms that perform statutory audits of public interest entities (PIEs). Under the amended WPO, APAS’s responsibilities include routine inspections of PIE audit firms, enforcement investigations and sanctions for PIE audit failures, mandatory review of professional rules issued by the WPK, and market monitoring under Article 27 of EU Regulation 537/2014. APAS is a member of both IFIAR and CEAOB.

WPK (Wirtschaftsprüferkammer, the Chamber of Public Accountants) handles everything else. The WPK licenses Wirtschaftsprüfer, sets ethical requirements through its Professional Charter, conducts quality assurance reviews for non-PIE auditors, and runs the investigation and discipline system for non-PIE audit failures. All of this happens under APAS oversight: APAS has ultimate supervisory authority over the WPK’s activities.

The practical consequence is straightforward. If your firm audits a listed company, a credit institution, or an insurance undertaking (i.e., a PIE), APAS will inspect you directly. If your firm audits only non-PIE entities (the vast majority of German Wirtschaftsprüfer), the WPK conducts your quality review, but APAS retains supervisory authority over that process.

What changed under the FISG

The Finanzmarktintegritätsstärkungsgesetz (FISG) came into force on 1 July 2021, with full operational effect from 1 January 2022. It was Germany’s direct legislative response to the Wirecard fraud.

Before the FISG, financial reporting enforcement operated through a two-stage system. The Deutsche Prüfstelle für Rechnungslegung (FREP, the German Financial Reporting Enforcement Panel) was a private-sector body that conducted the initial examination. Only if the FREP identified problems, or if the company refused to cooperate, did BaFin step in at stage two.

This structure failed visibly in the Wirecard case. The FREP lacked investigative powers and could not compel third-party evidence. It had no authority to conduct forensic examinations. BaFin, constrained to the second stage, arrived too late.

The FISG abolished the FREP entirely. From 1 January 2022, BaFin conducts all financial reporting examinations (both random sampling and ad hoc) as a single-stage process. BaFin now has the authority to demand information from third parties, conduct on-site forensic investigations, refer matters directly to its enforcement division, and publish examination results earlier than was previously possible. BaFin established a dedicated directorate for financial reporting enforcement within its Securities Supervision division in September 2021, staffing it partly with former FREP employees.

For audit firms, the FISG also expanded APAS’s enforcement toolkit. APAS can now impose reprimands with fines up to €500,000, temporary bans on certain activities or on practice itself, and in extreme cases, disqualification from the profession. The Wirecard sanctions illustrate the scale: APAS’s Enforcement Panel concluded in March 2023 that EY had breached professional duties across the 2016 to 2018 Wirecard audits, imposing individual fines between €23,000 and €300,000 on five auditors and a €500,000 fine on the firm, plus a two-year ban on newly contracted PIE audits.

Separately, the FISG restricted auditor tenure for PIE engagements to a strict ten-year maximum, aligning Germany with the EU Audit Regulation but removing any national extension option that had previously existed.

How APAS inspections work for PIE auditors

APAS conducts routine inspections of all audit firms that perform PIE statutory audits. The inspection programme covers both firm-level quality management (now ISQM 1 as transposed via the IDW QM Standards, applicable for periods beginning on or after 15 December 2023) and engagement-level audit quality on selected PIE files.

An APAS inspection evaluates your firm’s quality management system and reviews the content of your latest published annual transparency report. Inspectors then select individual PIE audit files for detailed review. Inspectors assess whether the audit was conducted in compliance with ISAs as adopted in Germany (ISA-DE), the WPO, the WPK’s Professional Charter, and applicable EU regulations.

Evidence that triggers non-routine enforcement proceedings can come from inspectors’ own findings, communications from BaFin’s financial reporting enforcement directorate, complaints, or publicly available information such as media reporting. The APAS directorate responsible for enforcement determines what action to take on an ad hoc basis.

Inspection results for individual firms remain confidential under German law. APAS does not publish firm-specific findings in the way that the FRC (UK) or PCAOB (US) do. The PCAOB publishes results of joint inspections of German firms conducted under its cooperative agreement with APAS, but these are the exception. This lack of public transparency has drawn criticism. As a 2021 WHU research paper noted, German audit oversight has historically given the impression of shielding auditors rather than holding them to public account. The FISG was intended to begin changing that posture.

How WPK quality reviews work for non-PIE auditors

Most German Wirtschaftsprüfer audit only non-PIE entities: Mittelstand GmbHs, smaller Aktiengesellschaften, GmbH & Co. KGs, and partnerships that trigger statutory audit requirements under §316 HGB. For these firms, the WPK conducts quality assurance reviews under APAS oversight.

The WPK’s QA programme applies to all firms performing statutory audits. The review cycle is typically six years for non-PIE audit firms, though the WPK can shorten this based on risk assessment. Reviews cover the firm’s compliance with professional standards, independence requirements, and the quality of selected engagement files.

Since the EU Audit Reform’s transposition in June 2016, the WPK has linked unsatisfactory QA review outcomes directly to its investigation and discipline procedures. A failed quality review can now trigger disciplinary proceedings, including reprimand, fine, or referral to professional court proceedings at the Landgericht Berlin.

Sanctions that become final are published on the WPK or APAS website for five years, generally including the name of the sanctioned auditor or firm unless publication would be disproportionate. The FISG strengthened this publication regime.

For mid-tier firms, the WPK review is the primary regulatory touchpoint. Your firm’s ISQM 1 documentation, engagement quality reviews (where applicable under ISA 220 -DE as revised), and independence monitoring are the areas most likely to receive attention. The WPK’s own annual disciplinary oversight reports (published in German since 2001) provide useful context on the types of findings that most commonly lead to formal proceedings.

Worked example: preparing for a WPK quality review

Client scenario: Richter & Wenzel WP GmbH is a two-partner Wirtschaftsprüfungsgesellschaft in Stuttgart with 14 staff. The firm audits 28 non-PIE statutory engagements annually, primarily medium-sized GmbHs in manufacturing and logistics with revenues between €20M and €80M. The firm’s last WPK quality review was in 2020. The next review is scheduled for Q3 2026.

Map the current quality management system against ISQM 1 (IDW QM-1).

The firm designed its existing QS-1 manual under the previous IDW quality standards. ISQM 1 (as transposed into IDW QM Standards) applies to all firms for periods beginning on or after 15 December 2023. Richter & Wenzel must document their quality objectives, identify quality risks, design responses to those risks, and establish a monitoring and remediation process.

Documentation note: the ISQM 1 implementation file should contain the firm’s quality objectives mapped to each component (governance, ethics, acceptance, engagement performance, resources, information, monitoring), the identified quality risks per component, and the designed responses. This document will be the first thing the WPK reviewer requests.

Review independence monitoring across all 28 engagements.

The WPO and WPK Professional Charter require documented independence assessments for every statutory audit engagement. Richter & Wenzel maintains a spreadsheet tracking partner rotation (not required for non-PIE engagements but good practice), fee dependency ratios, and service conflicts. For a two-partner firm where one partner generates 62% of total audit fees, fee dependency on individual clients needs particular attention.

Documentation note: §319 HGB sets the 15% fee dependency threshold (30% for the prior two years combined). Document the calculation for each client as a percentage of total firm revenue. One engagement (Huber Maschinenbau GmbH, €48,000 fee, 11.2% of total firm revenue of €428,000) is within 4 percentage points of the threshold. Flag this in the monitoring file with a specific action plan (e.g., planned fee diversification, documented assessment of whether the engagement can continue).

Select two completed engagement files for internal pre-review.

Before the WPK reviewer arrives, the partners should select the two most complex completed files (by audit risk, not revenue) and walk through them as though conducting a cold file review. Common WPK findings include insufficient documentation of the going concern assessment ( ISA 570 -DE) and inadequate audit evidence for related party transactions ( ISA 550 -DE). Missing or generic risk assessments at the assertion level also appear frequently.

Documentation note: record the internal pre-review findings in a memo. If deficiencies are identified, correct the working paper deficiencies on current-year engagements and document the corrective actions taken. This demonstrates a functioning monitoring process under ISQM 1.

Verify that the transparency report (if applicable) and WPK filings are current.

Richter & Wenzel does not audit PIEs, so the annual transparency report under Article 13 of EU Regulation 537/2014 does not apply. However, the firm must verify that WPK registration details, professional indemnity insurance, and CPD records for both partners and all staff are current.

Documentation note: maintain a compliance checklist with filing dates. The WPK reviewer will verify these administrative requirements as part of the standard review procedure.

Practical checklist for German audit firms

Action items

What to do Monday morning

Confirm whether your firm falls under APAS (PIE auditor) or WPK (non-PIE auditor) oversight and verify your next scheduled review date by checking your WPK correspondence or contacting the WPK directly.
Complete ISQM 1 (IDW QM-1) implementation documentation covering all components (governance, ethics, acceptance, engagement performance, resources, information and communication, monitoring and remediation). If your firm still operates under the previous QS-1 regime, the transition is overdue.
Calculate the §319 HGB fee dependency ratio for every statutory audit client as a percentage of total firm revenue. Flag any client above 10% for documented monitoring. Act on any client at or above 15%.
Run an internal cold file review on your two highest-risk completed engagements before the next external review cycle. Document findings and corrective actions in a monitoring memo, not just in the working papers.
Check that all Wirtschaftsprüfer at the firm have current CPD records, that professional indemnity insurance is adequate and filed with the WPK, and that the firm’s WPK registration details reflect the current partnership structure.
If your firm audits any PIE engagement, verify compliance with the strict ten-year auditor rotation limit under the FISG. No national extension option exists post-FISG.

Common mistakes

Firms that previously relied on the two-stage FREP/BaFin enforcement model sometimes assume BaFin will not examine a listed client’s financial statements proactively. Since January 2022, BaFin conducts random sampling examinations on its own initiative. Audit teams working on PIE engagements should assume BaFin may review the financial statements independently of any complaint or trigger.
Non-PIE firms often treat the WPK quality review as an administrative exercise rather than a substantive file review. The WPK’s expanded I&D procedures (strengthened since the EU Audit Reform’s transposition in June 2016) now directly link unsatisfactory QA results to disciplinary proceedings. A quality review finding is no longer a suggestion to improve; it is a potential first step in a formal sanctions process.

Glossary: Wirtschaftsprüfer (WP). Explains the German public accountant qualification, licensing via the WPK, and the distinction between Wirtschaftsprüfer and vereidigte Buchprüfer.
ISA 320 Materiality Calculator. Document your materiality determination with industry benchmarks and ISA 320 paragraph references for APAS and WPK inspection readiness.
FISG impact on auditor rotation and PIE audit requirements in Germany. A detailed guide to the ten-year rotation limit, cooling-off periods, and transitional rules for engagements that predate the FISG.

Related guides:

Put audit concepts into practice with these free tools:

Frequently asked questions

What is the difference between BaFin and APAS in German audit oversight?

BaFin enforces financial reporting standards for companies whose securities trade on an organised market in Germany. It examines whether the company's financial statements comply with accounting rules but does not inspect audit firms. APAS (the Auditor Oversight Body within BAFA) directly oversees auditors and audit firms that perform statutory audits of public interest entities (PIEs), including routine inspections, enforcement investigations, and sanctions.

What changed under the FISG for German audit firms?

The FISG (Finanzmarktintegritätsstärkungsgesetz), effective 1 January 2022, abolished the private-sector FREP and gave BaFin sole responsibility for financial reporting enforcement as a single-stage process. It also expanded APAS's enforcement powers, allowing fines up to €500,000 on individual audit firms, temporary activity bans, and professional disqualification. Auditor tenure for PIE engagements was restricted to a strict ten-year maximum.

How often does APAS inspect PIE audit firms in Germany?

APAS conducts routine inspections of all audit firms that perform PIE statutory audits. The inspection programme covers both firm-level quality management (under ISQM 1 as transposed via IDW QM Standards) and engagement-level audit quality on selected PIE files. Non-routine enforcement proceedings can be triggered by inspectors' findings, BaFin communications, complaints, or publicly available information.

What is the WPK quality review cycle for non-PIE audit firms?

The WPK conducts quality assurance reviews for non-PIE audit firms on a typical six-year cycle, though the WPK can shorten this based on risk assessment. Reviews cover compliance with professional standards, independence requirements, and the quality of selected engagement files. Since the EU Audit Reform transposition in June 2016, unsatisfactory review outcomes are directly linked to disciplinary proceedings.