Exploring the Wirecard scandal: A Financial Fraud Unveiled
The Wirecard scandal exposed systemic weaknesses in audit planning, evidence collection and documentation that legal auditors, accountants and audit firms — especially those applying ISA and SOCPA — must address. This article breaks down what failed, why it matters to your audit files and working papers, and gives practical guidance on improving audit methodologies, sampling in auditing, risk and control assessment, and documenting evidence and findings so you can close files confidently and defensibly.
Why this topic matters for audit and accounting firms
The Wirecard scandal is a watershed moment for firms that prepare or review audit workpapers and manage end-to-end audit programs. When auditors fail to apply appropriate risk and control assessment, insufficient sampling in auditing, or inadequate documentation under ISA 230, the consequences are reputational damage, regulatory sanctions, and client losses. For firms operating under ISA and SOCPA regimes, Wirecard highlights the practical gap between written audit methodologies and what happens in working papers and files.
Practical stakes include: deficient audit planning and closing procedures, weak documentation of evidence and findings, failure to challenge management assertions, and overreliance on third-party representations without corroborating evidence — all items directly reflected in Files and Working Papers.
Core concept: what went wrong — definitions, components and examples
What happened at a high level
Wirecard AG reported phantom cash balances and revenue that did not exist. External auditors relied heavily on confirmations and management-provided documentation from third-party entities in Asia, without sufficiently corroborating those confirmations with primary evidence (bank statements under auditors’ control, independent banking contacts, or on-site inspections). The missing €1.9 billion is a widely cited figure; the core failure was not a single mistake but a set of audit weaknesses.
Key components that define the failure
- Risk and control assessment (ISA 315): Incomplete identification of fraud risk factors and inadequate linking of identified risks to specific audit procedures.
- Sampling in auditing (ISA 530): Inadequate sample sizes and selection methods for high-risk assertions (cash, revenue, receivables).
- Documenting evidence and findings (ISA 230 & 500): Poorly documented procedures, unindexed working papers and missing evidence trail for key balances.
- Audit methodologies & professional skepticism: Overreliance on management and external confirmations without triangulation.
Concrete example
Example: If bank balances for a €2 billion cash line are reported as held in trustee accounts in Asia, an auditor should (a) obtain direct, original bank statements from the bank to auditor, (b) perform independent confirmation (not via management), (c) visit the banks or obtain authenticated printouts, and (d) reconcile confirmations to ledger. In Wirecard, confirmations were routed through intermediaries and there was insufficient primary-source evidence.
Practical use cases and scenarios for audit teams
Below are recurring audit scenarios where lessons from Wirecard are directly applicable, with practical actions for audit teams and file owners.
1. Bank and cash confirmations for high-value clients
Scenario: Client reports significant cash balances held in multiple jurisdictions. Action: Use a confirmation strategy that requires bank-to-auditor direct confirmations (digitally signed where possible), perform independent bank reconciliations and consider physical or electronic inspection of bank statements with authentication metadata.
2. Third-party receivables and related-party transactions
Scenario: Revenue includes large transactions with obscure counterparties. Action: Expand risk assessment: request contracts, bank flows, shipment documentation, and apply sample-based substantive procedures. Increase sampling in auditing for high-risk accounts; where population is small, test 100% rather than sample.
3. Financial statement closing and management override risk
Scenario: Close schedule shows significant manual adjusting entries just before audit sign-off. Action: Investigate the rationale, obtain source documents and obtain explanations from those charged with governance. Document findings and assess fraud risk under ISA 240.
Impact on audit decisions, performance and outcomes
Properly addressing Wirecard-style risks improves audit quality and firm resilience. The measurable impacts include:
- Quality & defensibility: More complete working papers reduce regulatory risk and increase defensibility of auditor opinions.
- Efficiency: Structured audit methodologies and standardized templates reduce rework; fewer open queries at closing.
- Profitability: Early identification of high-risk areas allows reallocation of senior resources to critical tasks rather than late-stage firefighting.
- Client relations: Demonstrable diligence increases trust with governance bodies and can deter client misconduct.
For firms under ISA and SOCPA, strengthening files and working papers translates into lower exposure to sanctions for inadequate documentation and failure to detect material misstatement due to fraud.
Common mistakes and how to avoid them
- Poorly documented confirmations: Avoid routing confirmations through client-controlled channels. Require confirmations sent directly to the auditor and retain proof in the working papers.
- Insufficient professional skepticism: Apply ISA 240 proactively. If third-party behavior or unusual balances exist, escalate and apply forensic procedures.
- Inadequate sampling for high-risk assertions: Use risk-based sampling. For high-value or high-risk items, increase sample size or test the entire population.
- Incomplete linkage between risk assessment and procedures: Document how each identified risk leads to specific audit steps and evidence. Cross-reference working papers to the risk register.
- Closing without resolving open items: Ensure all significant audit differences and unresolved confirmations are documented and cleared before sign-off. Use a tick-and-tie checklist at closing.
Practical, actionable tips and checklists
Use these concrete steps in audit planning, fieldwork and closing — designed for teams following ISA & SOCPA standards.
Audit Planning & Closing checklist (concise)
- Set materiality and performance materiality (document rationale, e.g., 5% of profit before tax or 1% of revenue for public interest entities).
- Create a risk register mapping each risk to specific procedures (link to working papers).
- Require direct bank confirmations for all cash > threshold (e.g., €100,000 or as judged for the client).
- Document sampling methodology (statistical or non-statistical), sample size calculation and selection method following ISA 530.
- Record evidence sources with file references and authentication metadata (digital signature, email headers, retrieval timestamps).
- Escalate unusual items to engagement partner and governance; document discussions and decisions.
- Perform a final tick-and-tie that reconciles the financial statements to the lead schedule and working papers before signing the file.
Documenting Evidence and Findings — practical approach
- Create a master evidence log in the workpapers index: date received, source, method (e.g., bank confirmation, scanned statement), authenticity level.
- Where confirmations are received indirectly, attach a documented rationale and alternative procedures performed (ISA 505 & 500).
- Use templates for significant findings that include risk, evidence, implication, recommendation, and file reference.
- Archive audit trails: save original emails, multimedia and digitally-signed documents in a tamper-evident repository tied to the audit file.
Sampling in Auditing — example calculation
For a population of 10,000 transactions with tolerable misstatement per transaction of €2,000 and expected error rate 1%, a risk-based sample size may be calculated using statistical tables or software. As a rule-of-thumb for high-risk populations, increase sample by 50–100% over routine sizes, or perform 100% testing for material or related-party transactions.
Risk and Control Assessment — quick procedure
- Identify inherent risk factors (complex structures, cross-border operations, secrecy).
- Evaluate control design and operating effectiveness (walkthroughs, re-performance).
- Document residual risk and tailor substantive procedures accordingly.
KPIs / success metrics
- Files and Working Papers completeness rate (%) — target ≥ 98% before partner review.
- Average time from fieldwork completion to file closure (days) — target ≤ 10 days.
- Open significant findings at sign-off — target 0 (documented and accepted difference/resolution only).
- Percentage of bank confirmations sent direct to auditor — target 100% for high-value banks.
- Proportion of high-risk items tested 100% vs sampled — target depends on risk; aim to eliminate sampling for top 5% by dollar value.
- Rework hours per file (hours spent correcting documentation) — target decrease year-on-year; track monthly.
FAQ
Q1: How should auditors respond if a confirmation comes via a third-party intermediary?
A: Treat the confirmation as a red flag. Perform alternative procedures per ISA 505 and ISA 500: obtain direct bank statements from the bank to auditor, test intercompany flows, inspect authenticated contracts, and consider on-site bank visits or use of SWIFT-like confirmations where available. Document why the original confirmation is unreliable and list all alternative procedures performed.
Q2: What sample size adjustments are prudent when fraud risk is suspected?
A: Increase sample size substantially or move to 100% testing for affected populations. Use stratified sampling to focus on high-value items, and rely more on substantive analytical procedures and forensic testing rather than routine statistical sampling.
Q3: Which ISAs are most relevant to preventing a Wirecard-like failure?
A: Key ISAs include ISA 230 (Audit Documentation), ISA 240 (Fraud), ISA 315 (Risk Assessment), ISA 500 (Audit Evidence), ISA 505 (External Confirmations), ISA 530 (Sampling) and ISA 540 (Accounting Estimates). Ensure your firm’s methodology maps procedures to these standards explicitly.
Q4: How can audit firms improve working papers quality at scale?
A: Implement standardized templates, mandatory metadata fields, digital evidence repositories with version control, training on professional skepticism, and targeted quality reviews focusing on high-risk engagements. Automate tick-and-tie reconciliations where possible.
Next steps — practical action plan & CTA
To translate these lessons into better audit files and working papers: (1) review your firm’s audit planning templates against ISA 315 and ISA 230, (2) implement direct confirmation requirements and enhanced evidence logs, (3) pilot risk-based increased sampling and forensic procedures on one high-risk client this quarter, and (4) require partner sign-off only after all high-risk findings are cleared and documented.
Try auditsheets to streamline Files and Working Papers, enforce mandatory confirmation workflows, and maintain tamper-evident evidence logs across engagements. Start with a 30-day pilot to measure improvements in documentation completeness and reduction in rework hours.
Reference pillar article
This article is part of a content cluster examining audit failures and how to prevent them. For broader context and historical lessons, see the pillar article The Ultimate Guide: The Enron collapse story – how audit failed to reveal the truth.