Steinhoff: Fraud Detection Failures in Group Audits

What happened at Steinhoff

PwC’s forensic investigation, released in March 2019, found that Steinhoff had recorded fictitious transactions amounting to €6.5 billion between 2009 and 2017. A small group of former executives, led by CEO Markus Jooste, created fake transactions with entities that appeared to be independent third parties but were not. These transactions inflated both profit and asset values across the group.

Most of the fraud was concentrated in Steinhoff Europe, audited by Commerzial Treuhand GmbH. Deloitte Netherlands signed the consolidated opinion. The AFM charged the former Deloitte audit partner, Patrick Seinstra, with failing to obtain sufficient and appropriate audit evidence, and the Accountantskamer found him guilty.

What makes Steinhoff relevant for your practice is not the scale. Few non-Big 4 clients operate at this level. What’s relevant is the mechanism: a fraud that exploited the structural gap between a group auditor and a component auditor. That gap exists in every group audit, regardless of size.

Deloitte Netherlands stated publicly that its auditor had been deliberately misled by both Steinhoff’s management and the component auditor responsible for the European group unit. The Accountantskamer did not accept this as a defence. The expectation was clear: the group engagement partner must evaluate the component auditor’s work with sufficient rigour to identify when that work is inadequate, even when the component auditor has also been deceived.

Where the group audit failed

The AFM’s charges and the Accountantskamer’s ruling identify specific failures that map directly to ISA 600 requirements. These are not abstract governance failures. They are working paper failures.

Insufficient evaluation of the component auditor’s work

ISA 600.42 (under the pre-revision standard applicable at the time) required the group engagement team to evaluate the component auditor’s communication, including the adequacy of audit evidence obtained. The group engagement team accepted the component auditor’s conclusions on Steinhoff Europe’s transactions without adequately verifying the evidence underneath them. When a component reports on entities responsible for the majority of group revenue, accepting summary conclusions without reviewing the component auditor’s workpapers on high-risk areas is insufficient.

Under ISA 600 (Revised), this requirement is even more explicit. ISA 600 (Revised).43 requires the group engagement team to evaluate whether sufficient appropriate audit evidence has been obtained from the work performed by the component auditor, and to review the component auditor’s documentation for significant matters. The ciferi ISA 600 guide covers the full scope of these requirements.

Failure to address related-party transaction risk at the group level

The PwC forensic investigation revealed that Steinhoff’s fictitious transactions involved a small network of individuals with ties to Jooste, many sharing the same addresses. Steinhoff’s own annual reports disclosed several pages of related-party transactions. ISA 550.11 requires the auditor to make inquiries about related-party relationships and transactions. ISA 240.32 requires the auditor to evaluate whether the business rationale of significant transactions outside the normal course suggests fraudulent financial reporting.

A group audit adds a layer of complexity. Related-party transactions that cross component boundaries require the group engagement team to assess the risk at the group level, not delegate the assessment entirely to component auditors who may only see their own piece. Under ISA 600 (Revised).25, the group engagement team must understand the group and its environment, including intercompany transactions and the consolidation process. This understanding must be sufficient to identify risks of material misstatement at the group financial statement level.

At Steinhoff, the fictitious transactions were designed to look like transactions with independent third parties. Identifying them required someone to stand back and ask whether the pattern of transactions across the group made commercial sense.

That was the group engagement team’s job. Component auditors in individual jurisdictions could not see the full picture.

Over-reliance on a single component auditor for the highest-risk area

Steinhoff Europe was where PwC found the bulk of the fraudulent entries. For the group engagement team to delegate primary responsibility for auditing this area to a single component auditor, and to accept that auditor’s conclusions without independent verification of the underlying evidence, represents exactly the kind of over-reliance that ISA 600 (Revised) was designed to prevent.

The FSCA’s investigator, Alex Pascoe, stated publicly that the group’s size meant the company was subject to a fragmented audit, and that minimal control aided the fraud. ISA 600 addresses exactly this structural risk. Under the 2009 version of the standard, a component-classification model led to mechanical scoping decisions in practice. Its replacement (effective for periods beginning on or after 15 December 2023) takes a top-down, risk-based approach. “Significant component” as a concept has been removed entirely. Scoping decisions are now driven by assessed risks of material misstatement at the group financial statement level, not by whether a component crosses a size threshold.

What ISA 600 (Revised) now requires differently

The IAASB revised ISA 600 partly in response to recurring regulatory findings about group audit quality. Steinhoff is not cited by name in the Basis for Conclusions, but the pattern it represents (insufficient oversight of component auditors, failure to consider aggregation risk, mechanical scoping) is exactly what the revision targets.

Risk-based scoping replaces size-based classification

Under the previous standard, a group engagement team might classify Steinhoff Europe as a “significant component” based on size and request an audit of its complete financial information. Under the revised standard, the group engagement team starts with the group-level risks of material misstatement. If intercompany transactions with related parties are assessed as a significant risk at the group level, the group engagement team must determine what work is needed at each component to address that specific risk (ISA 600 (Revised).30). That work might be performed by a component auditor, but the group engagement team retains responsibility for the risk assessment and for evaluating whether the evidence obtained is sufficient.

Two-way communication requirements are stronger

ISA 600 (Revised).41 requires the group engagement team to communicate matters relevant to the component auditor’s work, including identified fraud risks. It also requires the component auditor to communicate matters relevant to the group engagement team’s conclusions, including significant unusual transactions. At Steinhoff, the fictitious transactions involved entities purported to be independent. If the component auditor identified those counterparties as unusual but did not communicate this to the group team (or if the group team did not ask), the two-way communication failed at both ends. Your component auditor instructions need to specify what you want reported back. “Report anything unusual” is not specific enough.

Access to component auditor documentation is explicit

ISA 600 (Revised).43 states that the group engagement team must have access to audit documentation of component auditors, including for the engagement quality review. If a component auditor in another jurisdiction restricts workpaper access, the group engagement team must evaluate whether this restriction prevents them from obtaining sufficient appropriate evidence. Where it does, ISA 600 (Revised).A137 indicates the group auditor should consider the effect on the group audit opinion.

Aggregation risk is now an explicit requirement

ISA 600 (Revised).14 introduces aggregation risk as a required consideration. Consider a group with 20 components. If each component has a misstatement of 4% of group materiality, the aggregate is 80% of group materiality. The previous standard did not explicitly require the group engagement team to consider this. The revised standard does. For a group like Steinhoff, where fictitious transactions were spread across multiple entities and years, aggregation risk was the mechanism by which individually sub-material misstatements at component level combined into a €6.5 billion group-level fraud.

Worked example: applying ISA 600 (Revised) scoping to a multi-jurisdiction group

Client: Van Houten Retail Holding N.V., a Dutch holding company with retail subsidiaries in the Netherlands, Germany, Belgium, and Poland. Consolidated revenue: €185M. One component auditor in Germany audits both the German and Polish entities.

Step 1. Identify group-level risks of material misstatement

At planning, the group engagement team reviews intercompany transaction volumes. Van Houten’s German subsidiary (€68M revenue) reports €14M in management fee income from the Polish entity. On the Polish side (€22M revenue), this appears as an operating expense. Both entries balance, as the German component auditor confirmed.

Step 2. Evaluate whether the component auditor’s work addresses the assessed risk

After requesting the German component auditor’s workpapers on the management fee, the group engagement team reviews the procedures performed. The component auditor tested the fee against the intercompany agreement and confirmed the amount matched. A separate check verified the elimination on consolidation.

A gap emerges: nobody tested whether the management fee had commercial substance. €14M is 7.6% of group revenue. The service agreement describes “strategic advisory services.” No deliverables are specified.

Step 3. Perform additional group-level procedures

During group-level inquiries, the team interviews Van Houten’s group CFO about what strategic advisory services the German entity provides to the Polish entity. The CFO references quarterly board presentations. When the group team requests copies, two of the four quarters have no presentations on file.

Step 4. Conclude

Based on these findings, the group engagement team concludes that the intercompany management fee requires an adjustment or additional disclosure. Without adequate documentation of services rendered, the €14M fee creates a risk of fraudulent financial reporting at the group level. While the component auditor’s work was sufficient for confirming mechanical accuracy, it did not address the fraud risk the group engagement team identified.

Your file checklist for group audit fraud risk

1. Perform a standalone fraud risk assessment at the group level under ISA 240.27 before issuing component auditor instructions. Do not delegate fraud risk identification entirely to component auditors.
2. For every intercompany transaction exceeding 5% of either entity’s revenue, test commercial substance at the group level. Confirm the component auditor tested more than mechanical accuracy.
3. Request and review the component auditor’s workpapers on any related-party transactions identified as significant risks. ISA 600 (Revised).43 makes access to component documentation a requirement, not a courtesy.
4. Include a specific fraud risk communication in your component auditor instructions under ISA 600 (Revised).41. Generic instructions (“perform the audit in accordance with ISAs”) are insufficient.
5. Document aggregation risk explicitly. Model the effect of sub-material misstatements across all components against group materiality under ISA 600 (Revised).14.
6. At the group level, compare the pattern of related-party disclosures across all components. Counterparties that appear in multiple component filings with common addresses or directors require group-level inquiry under ISA 550.11.

Common mistakes in group audit fraud assessments

• The AFM’s disciplinary action against the former Deloitte partner on the Steinhoff engagement centred on accepting summary conclusions from a component auditor without verifying the underlying evidence. If your file contains a component auditor’s clearance letter but no evidence that the group engagement team reviewed the workpapers on high-risk areas, the file has the same gap.
• The FRC’s 2022–23 inspection cycle and the PCAOB’s 2023 inspection findings both identified insufficient group engagement partner involvement in component auditor oversight as a recurring deficiency. The most common form: the group engagement partner sets component materiality and issues instructions but does not participate in evaluating the results.
• IFIAR’s 2017 report noted that deficiency rates for group audits were as high as those for accounting estimates and fair values. The rate has not materially improved in subsequent reports.

Related tools and reading

Put audit concepts into practice with these free tools:

Related reading

Frequently asked questions

Source references

• PwC forensic investigation report – Released March 2019, documenting €6.5 billion in fictitious transactions (2009–2017)
• AFM disciplinary charges and Accountantskamer ruling – Finding against former Deloitte audit partner Patrick Seinstra
• ISA 600 (Revised) – IAASB, effective for periods beginning on or after 15 December 2023
• ISA 550 – Related Parties, IAASB
• ISA 240 – The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements, IAASB
• IFIAR 2017 Survey of Inspection Findings – Group audit deficiency rates