€1.9 billion that wasn’t there. EY signed clean opinions on Wirecard for ten straight years while the “cash” sitting in Philippine and Singaporean bank accounts existed only on screenshots the client handed over. A partner at a rival firm told Fortune in 2020 that confirming bank balances is “equivalent to day-one training at audit school.” This is about as close to ticking and bashing as a decade-long PIE engagement gets. The file, when reviewers went back through it, told a story nobody wanted to read.

Wirecard’s collapse in June 2020 exposed how EY’s failure to verify €1.9 billion in reported cash balances across the 2016–2019 audits (relying on client-provided screenshots instead of independent bank confirmation responses per ISA 505.7) triggered Germany’s FISG Act, which removed the audit rotation extension, raised auditor liability caps to €16 million, and mandated audit committees for all public-interest entities while expanding BaFin’s enforcement powers.

Key takeaways

  • How EY’s reliance on third-party documentation instead of direct confirmation (ISA 505.7) became the central audit failure
  • Why Germany’s FISG Act (effective 1 July 2021) rewrote auditor liability caps, rotation rules, oversight enforcement, and audit committee composition for every PIE auditor
  • What the Wirecard case means for your own ISA 505 confirmation procedures and fraud risk assessments under ISA 240.24
  • How European audit oversight shifted from self-regulation toward direct regulatory enforcement

What happened at Wirecard

Wirecard AG was a German payment processor that entered the DAX 30 in September 2018 with a peak market cap of €24 billion. By June 2020, the company disclosed that €1.9 billion in cash reported on its balance sheet probably didn’t exist. Wirecard filed for insolvency three days later.

The Financial Times had been publishing investigative reports (the “House of Wirecard” series) since April 2015, raising questions about balance sheet inconsistencies. A whistleblower from Wirecard’s own Singapore legal team contacted the FT in October 2018 with thousands of internal emails documenting suspect transactions. BaFin, Germany’s financial regulator, investigated the FT for market manipulation instead of investigating Wirecard. Singapore’s regulator raided Wirecard’s offices in February 2019.

KPMG was brought in for a special forensic audit in late 2019. KPMG’s 2020 report stated it could not verify the majority of Wirecard’s profits from 2016 to 2018 due to lack of cooperation from the company and its partners. The €1.9 billion was reportedly held in trustee accounts at banks in Singapore and the Philippines. OCBC Bank in Singapore later confirmed that neither Wirecard nor its trustee had ever held an escrow account there. The Philippine banks told EY the account statements they had previously viewed were fabricated.

EY had been Wirecard’s auditor since taking over from RP Richter after a 2008 special audit engagement. EY audited the company for the 2009 through 2018 financial years, issuing unqualified opinions every PY. For the 2019 FS, EY withheld its opinion.

Where the audit failed

The German accounting oversight body APAS (Abschlussprüferaufsichtsstelle) investigated EY’s audit work on the 2016–2018 engagements. APAS concluded that EY’s audit opinions were, in its words, objectively inaccurate, and identified repeated failures in internal quality controls.

The most damaging finding centred on external confirmations. Between 2016 and 2018, EY relied on screenshots and documents provided by Wirecard itself (and by a third-party trustee) to verify the existence of funds at OCBC Bank in Singapore. ISA 505.7 requires the auditor to maintain control over external confirmation requests, including determining the information to be confirmed and selecting the appropriate confirming party. Accepting client-provided screenshots of bank balances isn’t a confirmation. It’s accepting management’s assertion as evidence of management’s assertion. This is the kind of finding that ends careers.

A German parliamentary review in 2021 found that EY had failed to spot signs of fraud risk, did not follow professional guidelines, relied on verbal assurances from executives on key questions, and did not request crucial account information from a Singapore bank where Wirecard claimed it held large amounts of corporate cash. The KPMG forensic report also revealed that an internal EY whistleblower raised fraud allegations against Wirecard in May 2016 and reported an attempted bribe of an auditor in India. EY investigated internally, but Wirecard’s own management oversaw (and shut down) that investigation rather than the supervisory board.

ISA 240.24 requires the auditor to maintain professional scepticism throughout the engagement, recognising the possibility that a material misstatement due to fraud could exist regardless of the auditor’s past experience. EY’s decade-long tenure without rotation created familiarity risk. After a few PYs of clean opinions, teams slide into SALY with better narratives and the WPs stop challenging anything. The 2021 APAS ruling classified EY’s conduct as grossly negligent, though it stopped short of finding criminal intent. APAS fined EY €500,000 and imposed a two-year ban on accepting new public-interest entity audit clients in Germany.

The presiding judge in the criminal trial of former Wirecard CEO Markus Braun publicly criticised EY’s approach, stating that the firm could have handled things differently and the fraud would have been uncovered earlier. EY’s insolvency administrator sued EY for €1.5 billion in damages.

How Germany rewrote audit regulation in response

Germany’s legislative response was the FISG (Finanzmarktintegritätsstärkungsgesetz), the Act on Strengthening Financial Market Integrity, effective 1 July 2021. The FISG made four structural changes to German audit regulation that affect every PIE engagement.

First, the audit rotation extension was eliminated. German law previously allowed audit engagements to extend beyond the EU Regulation 537/2014 cap of ten years via a member state option. The FISG removed this extension, capping PIE auditor tenure at a hard ten years. EY had audited Wirecard for exactly ten years under the extended rules, so rotation alone would not have prevented this failure. Internal key audit partner rotation was tightened from seven years to five.

Second, auditor civil liability caps increased substantially. Listed company audits now carry a €16 million cap, up from €4 million. Gross negligence on PIE audits triggers unlimited liability. Non-capital-market PIEs (credit institutions, insurance companies) are capped at €4 million, while all other companies moved from €1 million to €1.5 million.

Third, the FISG mandated audit committees for all listed companies and PIEs. Previously, forming an audit committee was discretionary for supervisory boards. The audit committee must now include at least two financial experts (one with accounting expertise, one with auditing expertise), where previously only one expert was required.

Fourth, Germany abolished its two-tier financial reporting enforcement system. The private-law Financial Reporting Enforcement Panel (DPR) was dissolved effective 1 January 2022. BaFin now handles financial reporting enforcement directly and gained expanded powers, including the authority to search business premises and confiscate documents.

The European Parliament also commissioned studies examining whether EU-level audit oversight reform was needed. ESMA’s Securities and Markets Stakeholder Group proposed joint audits and rotation systems modelled on credit rating agencies, alongside revised liability caps and possible direct ESMA supervision of large audit firms. None of these proposals have become law at the EU level, but they signal a direction of travel toward tighter oversight.

What this means for your engagement files

The Wirecard failures map directly to procedures you perform on every engagement. Two areas deserve particular attention.

On external confirmations under ISA 505, the Wirecard case is now the reference point for why the auditor (not the client) must control the confirmation process end to end. ISA 505.7 requires you to determine the information to be confirmed and to select the confirming party yourself, then design the confirmation request so responses come directly to the audit team. If a client offers to “help” by providing contact details for a bank or trustee, you need to independently verify those details. In our experience, clients that push back hardest on this step tend to be the ones where the WPs later need to tell a story.

On fraud risk assessment under ISA 240, long auditor tenure creates familiarity risk that ISA 240.A11 explicitly identifies. The IAASB’s own post-Wirecard commentary noted that professional scepticism is central to the audit. When you’ve signed clean opinions for multiple PYs, the psychological barrier to questioning management representations climbs. ISA 240.24 requires you to recognise that a material misstatement due to fraud could exist regardless of your past experience with the entity’s honesty.

For group audits, Wirecard’s third-party acquirer structure (where over half of reported volumes flowed through opaque external processors in Asia) raises direct ISA 600 questions about reliance on component auditors and access to component information. If your group audit client routes significant transactions through entities you cannot independently verify, that’s a scope limitation, not a logistics problem.

Worked example: applying Wirecard lessons to a mid-market group audit

Client scenario: Dijkstra Logistics B.V. is a Dutch freight forwarding group with €78M consolidated revenue. It processes 30% of its transaction volume through a third-party logistics partner, Levant Freight FZ-LLC, based in Dubai. The partner holds approximately €4.2M in receivables on Dijkstra’s behalf at any given time. You are the group engagement partner.

Assess fraud risk factors on the third-party relationship (ISA 240.A25)

The Dubai entity handles 30% of transaction volume but your firm has no direct access to its records. Dijkstra’s management tells you the partner sends monthly reconciliation statements.

Documentation note: Record in the fraud risk assessment working paper that the third-party partner concentration (30% of volume, €4.2M receivable balance) represents a fraud risk factor under ISA 240.A25. Note that management representations alone do not constitute sufficient appropriate audit evidence for the existence of the receivable.

Design independent confirmation procedures (ISA 505.7)

Contact Levant Freight FZ-LLC directly, using contact details independently verified through the Dubai Chamber of Commerce registry. Request confirmation of receivable balances as at year-end, transaction volumes for the period, terms of the commercial agreement, and the identity of the bank accounts used for settlement.

Documentation note: Record how you independently obtained the confirming party’s contact details. Note that you did not use details provided by client management. File the confirmation response (or non-response, with alternative procedures performed) as primary evidence.

Evaluate non-responses and exceptions (ISA 505.12)

Levant Freight FZ-LLC does not respond to two confirmation requests sent over four weeks.

Documentation note: Record the non-response. Perform alternative procedures: obtain shipping documents, match individual transactions to customs clearance records (independently sourced), and verify cash receipts for settled receivables in Dijkstra’s bank statements. If alternative procedures do not provide sufficient evidence, consider the implications under ISA 705 for the audit opinion.

Assess the impact on the group audit opinion (ISA 600.49)

The inability to independently verify €4.2M of receivables (5.4% of consolidated revenue, materially above PM of €390K set at 0.5% of revenue) means the scope limitation cannot be absorbed.

Documentation note: Record the assessment of whether a qualified or disclaimer of opinion is required under ISA 705.13. Document the discussion with the engagement quality reviewer and the decision rationale.

Practical checklist

  1. Verify all bank confirmation contact details independently of the client (company registry or bank website, cross-checked against a regulatory database). ISA 505.7 requires auditor control over the process.
  2. Document your fraud risk assessment for any material transaction flow routed through third parties the firm cannot independently access (ISA 240.A25).
  3. If you are in year six or later of a PIE audit tenure, record your assessment of familiarity risk and the mitigating measures applied, referencing the IESBA Code Section 540.
  4. Confirm that your audit committee communication (ISA 260.16) explicitly addresses any significant difficulties encountered in obtaining external confirmations.
  5. For group engagements, assess whether inability to access component information constitutes a scope limitation under ISA 705.13 before accepting the engagement.

Common mistakes that echo Wirecard findings

  • The AFM’s 2023 inspection cycle found that external confirmation procedures remain one of the most frequently cited deficiency areas, specifically the failure to maintain auditor control over the process from request to response (ISA 505.7 and ISA 505.16).
  • The FRC’s thematic review of professional scepticism (published 2022) identified that auditors on long-tenure engagements were less likely to challenge management representations, particularly where prior-year audit evidence had been consistent. This is the familiarity effect that ISA 240.A11 warns about.
  • APAS’s own finding that EY relied on client-provided documentation in lieu of independent verification has been cited in multiple subsequent European inspection reports as a case study of what ISA 500.A31 (reliability of audit evidence) is designed to prevent.
  • Failing to reassess fraud risk when external media reports or short-seller allegations raise questions about a client’s reported figures. The Wirecard case showed that ignoring publicly available contradictory evidence (Financial Times investigations published from 2015 onwards) does not protect the auditor from regulatory action.

Frequently asked questions

What happened at Wirecard?

Wirecard AG was a German payment processor that entered the DAX 30 in September 2018 with a peak market capitalisation of €24 billion. In June 2020, the company disclosed that €1.9 billion in cash reported on its balance sheet probably didn’t exist. Wirecard filed for insolvency three days later. EY had been Wirecard’s auditor since 2009, issuing unqualified opinions each year through 2018.

How did EY’s audit of Wirecard fail?

Between 2016 and 2018, EY relied on screenshots and documents provided by Wirecard itself (and by a third-party trustee) to verify the existence of €1.9 billion in funds at OCBC Bank in Singapore. ISA 505.7 requires the auditor to maintain control over external confirmation requests. Accepting client-provided screenshots of bank balances is not a confirmation. It is accepting management’s assertion as evidence of management’s assertion.

What is Germany’s FISG Act and how did it change audit regulation?

The FISG (Finanzmarktintegritätsstärkungsgesetz), effective 1 July 2021, made four structural changes: eliminated the audit rotation extension (hard ten-year cap), increased auditor civil liability caps to €16 million for listed companies (unlimited for gross negligence on PIE audits), mandated audit committees for all listed companies and PIEs, and abolished the two-tier enforcement system by dissolving the DPR and giving BaFin direct enforcement powers.

What sanctions did APAS impose on EY for the Wirecard audits?

APAS classified EY’s conduct as grossly negligent and fined EY €500,000 with a two-year ban on accepting new public-interest entity audit clients in Germany. EY’s insolvency administrator sued EY for €1.5 billion in damages. The presiding judge in the criminal trial of former CEO Markus Braun publicly criticised EY’s approach.

What should auditors learn from Wirecard about external confirmations?

The Wirecard case is the reference point for why the auditor must control the confirmation process end to end under ISA 505.7. You must determine the information to be confirmed, select the confirming party, design the confirmation request, and ensure responses come directly to you. Contact details for banks or trustees must be independently verified, not sourced from the client.

Source references

  • APAS investigation – EY’s 2016–2018 Wirecard audits, ruling of gross negligence
  • KPMG forensic audit report – Published 2020, inability to verify majority of 2016–2018 profits
  • German parliamentary review – 2021 findings on EY’s audit failures
  • FISG (Finanzmarktintegritätsstärkungsgesetz) – Effective 1 July 2021
  • ISA 505 – External Confirmations, IAASB
  • ISA 240 – The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements, IAASB
  • EU Regulation 537/2014 – Specific requirements regarding statutory audit of public-interest entities