Key takeaways
- How EY’s reliance on third-party documentation instead of direct confirmation (ISA 505.7) became the central audit failure
- Why Germany’s FISG Act (effective 1 July 2021) changed auditor liability, rotation rules, and oversight enforcement for every PIE auditor
- What the Wirecard case means for your own ISA 505 confirmation procedures and fraud risk assessments under ISA 240.24
- How European audit oversight shifted from self-regulation toward direct regulatory enforcement
What happened at Wirecard
Wirecard AG was a German payment processor that entered the DAX 30 in September 2018 with a peak market capitalisation of €24 billion. By June 2020, the company disclosed that €1.9 billion in cash reported on its balance sheet probably didn’t exist. Wirecard filed for insolvency three days later.
The Financial Times had been publishing investigative reports (the “House of Wirecard” series) since April 2015, raising questions about balance sheet inconsistencies. A whistleblower from Wirecard’s own Singapore legal team contacted the FT in October 2018 with thousands of internal emails documenting suspect transactions. BaFin, Germany’s financial regulator, investigated the FT’s journalists for market manipulation instead of investigating Wirecard. Singapore police (the Commercial Affairs Department) raided Wirecard’s Singapore offices in February 2019.
KPMG was brought in for a special forensic audit in late 2019. KPMG’s 2020 report stated it could not verify the majority of Wirecard’s profits from 2016 to 2018 due to lack of cooperation from the company and its partners. The €1.9 billion was reportedly held in trustee accounts at banks in Singapore and the Philippines. OCBC Bank in Singapore later confirmed that neither Wirecard nor its trustee had ever held an escrow account there. The Philippine banks told EY the account statements they had previously viewed were fabricated.
EY had been Wirecard’s auditor since taking over from RP Richter after a 2008 special audit engagement. EY audited the company for the 2009 through 2018 financial years, issuing unqualified opinions each time. For the 2019 financial year, EY withheld its opinion.
Where the audit failed
The German accounting oversight body APAS (Abschlussprüferaufsichtsstelle) investigated EY’s audit work on the 2016–2018 engagements. APAS concluded that EY’s audit opinions were, in its words, objectively inaccurate, and identified repeated failures in internal quality controls.
The most damaging finding centred on external confirmations. Between 2016 and 2018, EY relied on screenshots and documents provided by Wirecard itself (and by a third-party trustee) to verify the existence of funds at OCBC Bank in Singapore. ISA 505.7 requires the auditor to maintain control over external confirmation requests, including determining the information to be confirmed and selecting the appropriate confirming party. Accepting client-provided screenshots of bank balances is not a confirmation. It’s accepting management’s assertion as evidence of management’s assertion.
A German parliamentary review in 2021 found that EY had failed to spot signs of fraud risk, did not follow professional guidelines, relied on verbal assurances from executives on key questions, and did not request crucial account information from a Singapore bank where Wirecard claimed it held large amounts of corporate cash. The KPMG forensic report also revealed that an internal EY whistleblower raised fraud allegations against Wirecard in May 2016 and reported an attempted bribe of an auditor in India. EY investigated internally, but that investigation was overseen, and then shut down, by Wirecard’s own management rather than by the supervisory board.
ISA 240.12 requires the auditor to maintain professional scepticism throughout the engagement, recognising the possibility that a material misstatement due to fraud could exist notwithstanding the auditor’s past experience of the honesty and integrity of management. EY’s decade-long tenure without rotation created familiarity risk. The APAS ruling, announced in April 2023, classified EY’s conduct as grossly negligent, though it stopped short of finding criminal intent. APAS fined EY €500,000 and imposed a two-year ban on accepting new public-interest entity audit clients in Germany.
The presiding judge in the criminal trial of former Wirecard CEO Markus Braun publicly criticised EY’s approach, stating that the firm could have handled things differently and the fraud would have been uncovered earlier. Wirecard’s insolvency administrator, Michael Jaffé, sued EY for €1.5 billion in damages.
How Germany rewrote audit regulation in response
Germany’s legislative response was the FISG (Finanzmarktintegritätsstärkungsgesetz), the Act on Strengthening Financial Market Integrity, effective 1 July 2021. The FISG made four structural changes to German audit regulation that affect every PIE engagement.
Audit rotation extension eliminated. German law previously used the member state option in EU Regulation 537/2014 to let PIE audit engagements run beyond the Regulation’s ten-year cap. The FISG removed this extension, capping PIE auditor tenure at a hard ten years. Note that EY’s unqualified opinions on Wirecard (2009 to 2018) already spanned exactly ten financial years, so rotation alone would not have prevented this failure. Internal key audit partner rotation was tightened from seven years to five.
Auditor civil liability caps increased substantially. Audits of listed companies now carry a €16 million cap, up from €4 million. Gross negligence on any PIE audit triggers unlimited liability (previously only intent did). Non-capital-market PIEs (credit institutions, insurance companies) moved from €1 million to €4 million, while all other companies moved from €1 million to €1.5 million.
| Category | Previous cap | FISG cap |
|---|---|---|
| Listed companies | €4 million | €16 million |
| PIE audits (gross negligence) | €4 million | Unlimited |
| Non-capital-market PIEs | €1 million | €4 million |
| All other companies | €1 million | €1.5 million |
Audit committees mandated for all listed companies and PIEs. Previously, forming an audit committee was discretionary for supervisory boards. The audit committee must now include at least two financial experts (one with accounting expertise, one with auditing expertise), where previously only one expert was required.
Two-tier enforcement system abolished. Germany dissolved the private-law Financial Reporting Enforcement Panel (DPR) effective 1 January 2022. BaFin now handles financial reporting enforcement directly and gained expanded powers, including the authority to search business premises and confiscate documents.
The European Parliament also commissioned studies examining whether EU-level audit oversight reform was needed. ESMA’s Securities and Markets Stakeholder Group called for a reflection on the mission of auditors and proposed ideas including joint audits, rotation systems modelled on credit rating agencies, appropriate liability caps, and possible direct ESMA supervision of large audit firms. None of these proposals have become law at the EU level, but they signal a direction of travel toward tighter oversight.
What this means for your engagement files
The Wirecard failures map directly to procedures you perform on every engagement. Two areas deserve particular attention.
On external confirmations under ISA 505, the Wirecard case is now the reference point for why the auditor (not the client) must control the confirmation process end to end. ISA 505.7 requires you to determine the information to be confirmed, select the confirming party, and design the confirmation request to ensure responses come directly to you. If a client offers to “help” by providing contact details for a bank or trustee, you need to independently verify those details. The Wirecard auditors relied on contact information supplied by Wirecard itself for years.
On fraud risk assessment under ISA 240, long auditor tenure creates familiarity risk that ISA 240.A11 explicitly identifies. The IAASB’s own post-Wirecard commentary noted that professional scepticism sits at the heart of the audit. When you’ve signed clean opinions for multiple years, the psychological barrier to questioning a client’s representations increases. ISA 240.12 requires you to recognise the possibility that material misstatement due to fraud could exist regardless of your past experience of the entity’s honesty, and ISA 240.24 requires you to evaluate whether the information gathered during risk assessment indicates that fraud risk factors are present.
For group audits, Wirecard’s third-party acquirer structure (where over half of reported volumes flowed through opaque external processors in Asia) raises direct ISA 600 questions about reliance on component auditors and access to component information. If your group audit client routes significant transactions through entities you cannot independently verify, that’s a scope limitation, not a logistics problem.
Worked example: applying Wirecard lessons to a mid-market group audit
Client scenario: Dijkstra Logistics B.V. is a Dutch freight forwarding group with €78M consolidated revenue. It processes 30% of its transaction volume through a third-party logistics partner, Levant Freight FZ-LLC, based in Dubai. The partner holds approximately €4.2M in receivables on Dijkstra’s behalf at any given time. You are the group engagement partner.
1. Assess fraud risk factors on the third-party relationship (ISA 240.A25)
The Dubai entity handles 30% of transaction volume but your firm has no direct access to its records. Dijkstra’s management tells you the partner sends monthly reconciliation statements.
Documentation note
Record in the fraud risk assessment working paper that the third-party partner concentration (30% of volume, €4.2M receivable balance) represents a fraud risk factor under ISA 240.A25. Note that management representations alone do not constitute sufficient appropriate audit evidence for the existence of the receivable.
2. Design independent confirmation procedures (ISA 505.7)
Contact Levant Freight FZ-LLC directly, using contact details independently verified through the Dubai Chamber of Commerce registry. Request confirmation of receivable balances as at year-end, transaction volumes for the period, terms of the commercial agreement, and the identity of the bank accounts used for settlement.
Documentation note
Record how you independently obtained the confirming party’s contact details. Note that you did not use details provided by client management. File the confirmation response (or non-response, with alternative procedures performed) as primary evidence.
3. Evaluate non-responses and exceptions (ISA 505.12)
Levant Freight FZ-LLC does not respond to two confirmation requests sent over four weeks.
Documentation note
Record the non-response. Perform alternative procedures: obtain shipping documents, match individual transactions to customs clearance records (independently sourced), and verify cash receipts for settled receivables in Dijkstra’s bank statements. If alternative procedures do not provide sufficient evidence, consider the implications under ISA 705 for the audit opinion.
4. Assess the impact on the group audit opinion (ISA 600.49)
The inability to independently verify €4.2M of receivables (5.4% of consolidated revenue, and more than ten times the performance materiality of €390K set at 0.5% of revenue) means the scope limitation cannot be absorbed.
Documentation note
Record the assessment of whether a qualified or disclaimer of opinion is required under ISA 705.13. Document the discussion with the engagement quality reviewer and the decision rationale.
A reviewer examining this file would see that you identified the risk, designed procedures to address it independently of management, documented non-responses with alternative procedures, assessed the opinion impact, and recorded the engagement quality review discussion. That is the opposite of what EY’s Wirecard file showed.
Practical checklist
- Verify all bank confirmation contact details independently of the client (company registry, bank website, regulatory database). ISA 505.7 requires auditor control over the process.
- Document your fraud risk assessment for any material transaction flow routed through third parties the firm cannot independently access (ISA 240.A25).
- If you are in year six or later of a PIE audit tenure, record your assessment of familiarity risk and the mitigating measures applied, referencing the IESBA Code Section 540.
- Confirm that your audit committee communication (ISA 260.16) explicitly addresses any significant difficulties encountered in obtaining external confirmations.
- For group engagements, assess whether inability to access component information constitutes a scope limitation under ISA 705.13 before accepting the engagement.
Common mistakes that echo Wirecard findings
- The AFM’s 2023 inspection cycle found that external confirmation procedures remain one of the most frequently cited deficiency areas, specifically the failure to maintain auditor control over the process from request to response (ISA 505.7 and ISA 505.16).
- The FRC’s thematic review of professional scepticism (published 2022) identified that auditors on long-tenure engagements were less likely to challenge management representations, particularly where prior-year audit evidence had been consistent. This is the familiarity effect that ISA 240.A11 warns about.
- APAS’s own finding that EY relied on client-provided documentation in lieu of independent verification has been cited in multiple subsequent European inspection reports as a case study of what ISA 500.A31 (reliability of audit evidence) is designed to prevent.
Frequently asked questions
What happened at Wirecard?
Wirecard AG was a German payment processor that entered the DAX 30 in September 2018 with a peak market capitalisation of €24 billion. In June 2020, the company disclosed that €1.9 billion in cash reported on its balance sheet probably didn’t exist. Wirecard filed for insolvency three days later. EY had been Wirecard’s auditor since 2009, issuing unqualified opinions each year through 2018.
How did EY’s audit of Wirecard fail?
Between 2016 and 2018, EY relied on screenshots and documents provided by Wirecard itself (and by a third-party trustee) to verify the existence of €1.9 billion in funds at OCBC Bank in Singapore. ISA 505.7 requires the auditor to maintain control over external confirmation requests. Accepting client-provided screenshots of bank balances is not a confirmation — it is accepting management’s assertion as evidence of management’s assertion.
What is Germany’s FISG Act and how did it change audit regulation?
The FISG (Finanzmarktintegritätsstärkungsgesetz), effective 1 July 2021, made four structural changes: eliminated the audit rotation extension (hard ten-year cap), increased auditor civil liability caps to €16 million for listed companies (unlimited for gross negligence on PIE audits), mandated audit committees for all listed companies and PIEs, and abolished the two-tier enforcement system by dissolving the DPR and giving BaFin direct enforcement powers.
What sanctions did APAS impose on EY for the Wirecard audits?
In April 2023 APAS classified EY’s conduct as grossly negligent and fined EY €500,000, with a two-year ban on accepting new public-interest entity audit clients in Germany. Wirecard’s insolvency administrator sued EY for €1.5 billion in damages. The presiding judge in the criminal trial of former CEO Markus Braun publicly criticised EY’s approach.
What should auditors learn from Wirecard about external confirmations?
The Wirecard case is the reference point for why the auditor must control the confirmation process end to end under ISA 505.7. You must determine the information to be confirmed, select the confirming party, design the confirmation request, and ensure responses come directly to you. Contact details for banks or trustees must be independently verified, not sourced from the client.
Source references
- APAS investigation – EY’s 2016–2018 Wirecard audits, April 2023 ruling of gross negligence
- KPMG forensic audit report – Published 2020, inability to verify majority of 2016–2018 profits
- German parliamentary review – 2021 findings on EY’s audit failures
- FISG (Finanzmarktintegritätsstärkungsgesetz) – Effective 1 July 2021
- ISA 505 – External Confirmations, IAASB
- ISA 240 – The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements, IAASB
- EU Regulation 537/2014 – Specific requirements regarding statutory audit of public-interest entities