EY and Wirecard: anatomy of a flawed audit
In December 2018, just weeks before doubts about one of its most high-profile clients began to circulate widely, the auditor EY Germany decided to investigate Wirecard’s operations more closely. It wanted to scrutinise the German fintech group’s internal processes for payments settled by outsourcing partners in Asia — an integral part of the business once valued at €24bn.
EY staff began shopping with online merchants identified as clients of Wirecard’s Asian partners. The auditors splashed out on a €9.95 seven-day subscription to an Asian porn site, bought “coins” for the football video game Fifa 19 worth $23.08, ordered a breathalyser for €33.45 and spent ¥1,000 on bitcoin.
The shopping trip gave a clean bill of health to the Munich-based group — one of many that EY provided to Wirecard during a decade of working for it. Unfortunately the merchants did not exist. All had been set up by Wirecard executives to dupe the auditors and help disguise what Munich prosecutors now call “a fraud in the billions”.
A Dubai-based Wirecard executive at the centre of the fraud had helped identify the merchants to be used by EY to test the system — something that should have set off alarm bells at the auditor, says Martin Wambach, the special investigator for a German parliamentary inquiry into the scandal. The EY staff used prepaid cards supplied by Wirecard for the shopping exercise. That enabled executives at the payments group to manipulate the transactions, a separate inquiry found.
It would be another 18 months before EY finally realised that half of Wirecard’s revenue and €1.9bn of company cash linked to the so-called third party acquiring business (TPA) did not exist. The revelations forced the once high-flying German payments provider into insolvency and plunged the Big Four accountancy firm into one of the worst auditing scandals in recent history.
Wambach, a senior auditor at Rödl & Partner, found that EY’s work, over several years, violated a number of accounting standards. In a damning report, he said that it could have done more: “Numerous fraud risk indicators with regard to the TPA business . . . could have triggered further audit acts”.
Yet, just months before the collapse, EY had vigorously defended the outsourced Asian business in internal meetings, according to documents seen by the Financial Times. That was despite a draft forensic audit commissioned by Wirecard’s supervisory board that was unable to conclusively confirm that those operations existed. The audit, carried out by KPMG, had been triggered by a 2019 FT investigation into whether Wirecard’s Asian business was real.
In late April 2020, EY Germany audit partners Andreas Budde and Martin Dahmen told Wirecard that KPMG’s draft description of the TPA business lacked “context”, according to documents seen by the FT.
Daniel Steinhoff, Wirecard’s former head of compliance who is now working with the company’s court-appointed administrator, told MPs during the parliamentary inquiry that EY Germany had been “highly convinced” about the existence of the outsourcing business and repeatedly told KPMG “with inner conviction” that it existed.
Not everyone was convinced. One week after the devastating KPMG report was published, EY Global stepped in and put the Wirecard audit, conducted by its German “member firm”, under closer scrutiny.
Yet, the confidence displayed by EY Germany appears to be at the heart of the still unanswered question: why did its audit of Wirecard go so badly wrong?
The FT has scrutinised hundreds of pages of internal documents and emails and interviewed more than a dozen people at the heart of the failed audit to try and find the answer. Combined, the documents and first-hand testimony paint a picture of missed opportunities to uncover the fraud earlier, a failure by EY to properly scrutinise the business it was auditing and a reluctance to challenge its client in public even when Wirecard’s chief executive made highly misleading statements to investors.
Several EY Germany partners are now under investigation by both the Munich criminal prosecutors and the country’s audit watchdog Apas. EY is also facing an avalanche of lawsuits from Wirecard shareholders who in total lost billions on their investments.
“It is the nature of auditing that frauds can occur as we’ve seen across the profession in the last 10 years,” says Andy Baldwin, EY Global’s managing partner. He insists that the auditor has learned the lessons of the Wirecard scandal.
EY denies any wrongdoing. It argues that its staff fell victim to an elaborate fraud which involved corrupt bank employees, fake online shops and potentially even mock-up bank branches in the Philippines. But, says Baldwin, the firm “deeply regrets that we didn’t find the fraud sooner”, adding that against EY’s own quality standards, “this audit is not one we could be proud of”.
When the numbers don’t add up
EY’s work for the disgraced payments company was painstakingly dissected by the parliamentary inquiry, which laid bare a series of shortcomings in the audits.
For years EY had failed to request crucial account information from Singapore’s OCBC Bank — where Wirecard claimed it had up to €1bn in cash. Instead, the auditors relied on documents provided by a Singapore-based trustee which have been labelled “forgeries” by prosecutors in the city-state, according to materials seen by the FT.
A probe on behalf of Wirecard’s administrator found that OCBC’s total reported euro deposits were smaller than the amount of cash that it was said to have been holding in Asian escrow accounts on behalf of Wirecard — something that did not add up.
Yet nobody noticed. EY argued that confidentiality laws blocked it from going directly to the bank. But independent auditing experts disagree. “EY grossly violated its professional duties with regard to the balance confirmation,” says Hansrudi Lenz, professor of accounting at Würzburg university, calling its explanations for not doing so “unconvincing excuses”.
The auditor’s decision to treat the money listed on the Asian escrow accounts as Wirecard’s cash also drew criticism from KPMG and Wambach. That decision was key to preserving the veneer of a highly profitable and cash-rich company, which was in turn critical to perpetuating the fraud, says Lenz.
After the damning KPMG report was published EY hired external lawyers to advise on whether it could resign mid-audit, according to people familiar with the matter. The auditors in Germany had been horrified by a public statement that the Wirecard chief executive Markus Braun made hours after the KPMG report was published on April 28, 2020. Braun claimed on an investor call that “EY informed us this morning they have no problems at all to sign off the audit 2019”.
Braun’s comments were fictitious. In a terse memo to Wirecard chair Thomas Eichelmann and Braun, EY came close to calling the chief executive a liar, pointing out that “at no point” had EY given such an assurance. The auditor called on Wirecard to issue a “corrective statement” — a demand the company ignored.
The financial cost of walking away from the Wirecard audit would have been relatively small in comparison with some of EY’s other clients including Siemens and Volkswagen. In 2018, the firm earned €2.3m in audit and advisory fees from Wirecard. But, people close to the decision say, EY was warned by the lawyers that resigning the mandate mid-audit would have been very difficult, if not impossible, under German law.
Instead, after the KPMG report was published, EY demanded that Wirecard transfer €110m from each of the four separate Asian escrow accounts to Germany and gave the fintech group just a few days to deliver the €440m. Some inside EY note that 110 is the emergency police number in Germany, and say it was a disguised call for help by the auditor.
“Jan Marsalek [Wirecard’s chief operating officer] was highly apologetic when the money did not arrive instantly,” one person familiar with the details inside EY says.
When the money failed to arrive in the German accounts, an exasperated EY turned to the management of the Asian banks. In separate statements two of those banks told EY that the confirmations provided by Wirecard as evidence that the €1.9bn of corporate cash existed were “spurious”.
Hours before it was due to reveal its annual results on June 18, 2020, Wirecard disclosed this fact to the financial markets. Its share price collapsed. Within days Braun was ousted and arrested, Marsalek boarded a private jet to Minsk in Belarus, after which he disappeared, and Wirecard filed for insolvency.
“The overall assessment of EY’s audit actions supports only one conclusion,” wrote the parliamentary inquiry committee, “EY refrained from key audit procedures or was satisfied with poor audit evidence.”
Four years earlier EY had missed an opportunity to act. In 2016, its anti-fraud unit had been commissioned by Wirecard to investigate allegations against some of the fintech’s senior staff in Munich which were raised by a whistleblower. The probe, codenamed Project Ring, quickly found “red-flag indicators” which pointed to potential balance sheet manipulations.
However, Wirecard’s management board stonewalled a thorough investigation and in mid-2017 told EY that it wanted to abandon the probe. In an email, Marsalek briefed his fellow board members that “[EY was] a bit surprised about our decision but did accept it as expected”. Some of those Wirecard staff are now at the centre of the criminal investigation.
EY has subsequently said the anti-fraud unit’s work was independent of the audit. But documents seen by the FT show that in March 2017, EY warned Wirecard that it was close to refusing to give an unqualified audit for the 2016 fiscal year, stressing that all forensic work on Project Ring needed to be finished.
Yet, one year later, EY in its 2017 audit report neither addressed the “red-flag indicators” found by its anti-fraud team nor the board’s decision to abandon the probe. It declared that Project Ring had been “completed” without delivering “any evidence indicative of flawed accounting or other violations of law”.
Christian Muth, the forensic expert who led Project Ring and who left EY this year to join rival PwC, told MPs that his “professional honour” had been hurt after its findings were discounted by his audit colleagues, adding that he found this decision “incomprehensible”.
After Wirecard’s insolvency, EY began an extensive “integrity review” into its work for the payment processor. The investigation was conducted by the law firm Allen & Overy working with EY auditors who had previously not been involved in the Wirecard account. They sifted through more than 40,000 internal documents and grilled the responsible EY staff. “We clearly asked ourselves: ‘Was this a systemic problem?’ We do not believe it was,” says Baldwin.
EY says it will spend $500m on new audit technology over the next three years. And 20,000 staff in its audit business have had additional anti-fraud training. But, says a senior partner at EY Germany, the biggest lesson for the organisation should be to select its clients more carefully.
“We should never have been there in the first place,” he says, raising questions about the firm’s due diligence of clients, arguing that EY should have shunned an electronic payments processor operating in high-risk sectors like pornography and gambling and which had outsourced half of its business to opaque Asian firms. “We never really understood what kind of milieu we were working in.”
€42m loss of business
EY Germany is a relatively small cog in the firm’s global empire that brought in €34.4bn in revenues in 2020-21. However, it is the second-largest Big Four firm in the country and in recent years grabbed market share from both PwC, the market leader, and KPMG, which have historically dominated the audits of German blue-chip companies.
Although he remains a partner, Hubert Barth was ousted as head of EY Germany after the Wirecard scandal and replaced by Jean-Yves Jégourel, EY Global’s vice-chair of assurance, and Henrik Ahlers, the firm’s most senior tax partner in Germany. They are tasked with overhauling the firm’s operations in the country.
EY lost €42m of annual auditing business when a number of prestigious clients, among them Commerzbank, DWS and KfW, moved their accounts in the wake of the scandal. Many of those who jumped ship had lost millions over Wirecard and some may sue EY; others are companies like Deutsche Telekom where the German government is the single largest shareholder.
But the vast majority of EY’s clients in Germany have, so far, remained loyal to the €2.2bn business, with Baldwin saying that “a number of new clients” have mandated the firm as auditors.
Wirecard and EY — a longstanding relationship
An EY special audit, commissioned by Wirecard, dismisses allegations of accounting manipulations raised by activist shareholders.
EY audits Wirecard’s annual results for the first time, initially with the payments firm’s previous auditor RP Richter, a small firm.
EY becomes sole auditor of Wirecard.
Start of Project Ring — a forensic audit by EY into fraud allegations following Wirecard’s takeover of payments firms in India.
EY threatens to refuse to give an unqualified audit, citing delays in Project Ring. EY eventually gives Wirecard an ‘all clear’, and the auditor a few months later abandons Project Ring despite red flags that may support allegations.
FT raises doubt over existence of clients in Asia. Wirecard mandates KPMG.
In April, KPMG’s forensic audit is published; Wirecard’s outsourced business in Asia cannot be verified. Two months later, EY learns that bank documents showing €1.9bn of cash purportedly held in Asia are forgeries. On June 18, EY refuses to sign off Wirecard’s accounts. One week later, the company collapses.
However, the saga is far from over for EY. The Wirecard administrator is also expected to take EY to court, even though, under German law, the hurdles for a client or administrator to claim damages from an auditor are high, and any compensation is capped at €4m.
Wirecard shareholders can only expect compensation for their damages if they can prove that EY intentionally broke auditing rules. They also need to show a direct causality between the auditor’s acts and their own losses — in that case, the €4m cap on an auditor’s liability falls away under German law. The first lawsuits by retail investors against EY have already been thrown out by German courts as judges concluded that those conditions were not met.
Munich’s public prosecutors and Apas are focusing their separate investigations on EY’s four main audit partners on the Wirecard business — two of whom still work for the auditor. Documents seen by the FT show that Apas suspects that the four EY partners knowingly issued factually incorrect audits — something the auditor denies — and last year the watchdog filed a criminal complaint to public prosecutors in Berlin claiming that. The four audit partners deny any wrongdoing.
EY expects a ruling by Apas — which can issue heavy fines and disbar individuals — by next spring. The Munich prosecutors are prioritising the investigation against Wirecard’s former executives. Neither investigation has yet led to anyone being charged. Braun, the former chief executive who is in police custody, denies any wrongdoing and any knowledge of misconduct at the payments company.
Quinn Emanuel, a business litigation and arbitration law firm, is expecting to file claims against EY for close to €1bn in damages on behalf of large institutional investors in Wirecard, including Germany’s third largest asset manager Union Investment, which says it lost €243m on its Wirecard investments. The cases are expected to claim that EY was aware that its Wirecard audit violated its professional duties.
“We believe that we have a strong case,” says Rudolf Hübner, a securities lawyer at Quinn Emanuel.
They might find some unexpected support within EY. In June 2020 when the company received evidence that Wirecard was a fraud, some staff were euphoric. “Finally! We nailed them,” a senior EY partner rejoiced, according to people familiar with the situation.
Yet, the question of why EY did not “nail” the Wirecard fraud earlier remains unanswered.