I don’t see anything about this anywhere on the SDMB, but this is looking to be a really big deal as far as I am concerned.
The basic idea is that Wirecard, an online payment processor based in Germany, has been inflating its revenue by faking that it has contracts with third parties to let them operate in countries indirectly where they don’t have direct license to work, and all the revenue from that business line from the last 5 years or so has been supposedly sitting in escrow accounts in the Philippines. This year, their auditor (EY, formerly Ernst & Young) refused to sign off on their financial statements when they couldn’t get independent confirmation of the balances of those bank accounts. Without audited financial statements published by last week, they were in violation of their loan covenants, and their line of credit became due immediately. Whenever something like that happens, it’s major bad news, and the stock tanked and they filed for insolvency since they couldn’t repay the line of credit immediately.
Now, it’s “only” a mere $2bn - more like $2.2bn, or 1.9bn euros. That’s nothing compared to the size of other frauds, but it’s still a whole hell of a lot of money, and was a major component of the assets of the corporation the past few years, and I heard it was 1/4 of their assets on their not-actually-released 2019 financial statements. The reason it’s such a big deal to me is exactly how it happened, and what it says about the state of the auditing industry with large firms.
I work at a very small CPA firm (3 CPAs including me), so auditing on the scale of a $2bn company is outside of my direct experience, and the reason I didn’t really want to work at a large firm was exactly things like this. My experiences in learning the auditing process and learning what sorts of things people had pulled past auditors in the past (Enron, WorldCom) did not exactly inspire confidence that they had the investors in mind when they did these audits. Pretty much everything pointed to the fact they wanted to keep client business, since corporations get to choose who audits them, and thus were likely to not shake things up and try to keep billing down by not doing as much work as they really should, and only be able to say that they supposedly followed professional standards. From what I learned of those standards, they might as well not even exist. The most I ever found in any of these standards was the repeated mantra that the auditor must consider factors X, Y, and Z in determining what the risk of material misstatement is, and design audit procedures appropriately. There’s basically nothing that says you have to do something specific in certain cases.
So basically, EY made the professional decision in years past that the risk of material misstatement was low enough such that they didn’t need independent confirmation of the bank account balances. They were satisfied with the fraudulent statements that Wirecard had conjured up, apparently because they seemed to be reasonable. This year they decided to dig deeper only because Financial Times had done a series of articles detailing how there was something sketchy going on at Wirecard that should be looked at further by the auditors. EY (and most of the accounting industry most likely) claims that the audit process is not infallible, and is generally not designed to detect this level of fraudulent activity that required the collusion of multiple people in management. While i certainly understand their point that it’s hard to uncover when people are bald-faced lying to you and you have no reason to suspect anything is wrong, I would have to think that for a public company, one of the main things the audit is supposed to detect is management cooking the books in some way to appear much better off than they actually are, and while I suspect small nudges towards the good would be hard to detect, the amounts involved here were the entirety of their profits the last 5 years basically.
I saw an article in relation to this that said at the big four firms (EY, KPMG, PWC, and Deloitte) that around 25% of peer-reviewed audits show significant problems. At KPMG that number was closer to 50%. And the next tier of accounting firms (Grant Thorton specifically) aren’t any better. And it’s impossible to state enough the problem wherein corporations choose audits them and thus firms have incentive to cut corners and get the “right” answer. There simply is too large of a conflict of interest between accounting firms and their audit clients that can be easily remedied in the current way of doing things. If a company knows it’s lying, it’s not going to choose an auditor that uncovers the truth. Stockholders are supposed to vote out board members who are putting management ahead of the shareholders, but in practically every situation, the shareholders have effectively no power to change anything with respect to the board. It is falling more on journalists to uncover frauds in large corporations. The auditors are just pro-forma rubber stamp machines.
I just finished No One Would Listen about the Bernie Madoff fraud. It ends in 2009 on an optimistic note, with the SEC making major changes, Congress interested in pursing cases of fraud, and proposed changes to the auditing process. It’s pretty depressing to see how much of that faded away, and from the outside it feels like we’re back where we were pre-financial crisis.
I’m sure it’s not as bad now as it was in 2007. Do you see lasting changes that came from that (that haven’t been rolled back in the last few years)?
While I agree about your general diagnosis, I have also heard people in the know say that nowadays it is impossible to completely check an entire company’s books. Most of the data is stored in massive administration databases which cannot be examined minutely by hand. What level of assessment is currently required, and what level of assessment would ensure that major forms of fraud are exposed?
The few times when I had to check the books of a small association I could not do much more than point check the administration and rifle through the bank account. The treasurer could, if he wanted, hide dubious transactions quite easily as long as they involve relatively small amounts.
So even though the accountants seemed to be overly reliant on their customer in the Wirecard case, there is a certain amount of trust that is unavoidable. But it does seem odd that existing guidelines were unfit for detecting fairly obvious kinds of fraud.
Certainly that is not the goal of a financial statement audit. You would have to be doing a forensic audit to completely catch everything. The goal is to avoid material misstatements, and all your procedures are designed to be the easiest ones to do that will catch the most likely such misstatements. Part of deciding on these is determining what sort of things would lead to the misstatements, and how you could go about figuring out if that sort of thing is happening. When you work on the scale of a small association, there’s very little motive to go through the trouble of faking bank statements; when you’re talking about a company worth billions of dollars though, and that valuation is based on revenue amounts of a certain size, and assets of around that size is sitting in a bank account, you really should be doing the most you can to determine if that bank account actually has the balance they claim. When I was in school, one of the instructors shared a story about a company he was auditing in China, where he (or someone he knew) had a suspicion that things weren’t adding up, but with the size of the bank account balance he was given when the clients met him at one of the bank branches, it seemed to add up. But he decided to check again at a random bank branch instead of the one the client told him to meet him at, and there the bank told him not only was there not all that money in their bank account, the bank had loaned the company a bunch of money as well. It turns out that the company had set up an entirely fake bank branch for the auditors to visit. I can’t attest to the truth of the story, only that the instructor claimed it happened.
So as long as the money at stake is large enough, people will commit fraud on a large scale, and so if there’s anything really big on the asset side of the balance sheet, you should be doing as much as you can to confirm that it really exists. The fact that so few companies are willing to commit fraud on this scale means that in general doing that level of digging is not going to matter. But the fact that the shareholders are relying on you to detect management fraud means you have to constantly be thinking about ways the management could be deceiving you. There are too many accounting firm branches that will just pretend to go through the motions of an audit, doing the minimum amount of work necessary, showing that they considered all the possibilities and found them to be unlikely. That’s all you really need to do according to the standards, and if you want to keep the company as an audit client, that’s what you’ll be more likely to do.
Thanks for the clarification. Nice example about the cunning fraud one may encounter and the means to detect it. Indeed, it seems as if in the Wirecard case the accountants could easily have done some checks about the existence of the assets.
Actually this kind of stuff makes accountancy seem much more fun than the bookkeeping image it has.
Yes, bookkeeping is only the lower tier of accountancy. The higher tier of accountancy is the work that goes into verifying that the books are being kept correctly, and to make the adjustments for things that the bookkeepers aren’t trained to know about.
Meanwhile, in other German financial fraud news, a subsidiary of Berkshire Hathaway may have been scammed when it bought a German company that makes pipe for the oil and gas industry. The company was purchased for €800 million but might really be worth only a fifth of that. Among other things, they faked invoices and customers.
There’s an analogous conflict of interest for the ratings agencies (e.g., Moody’s, Fitch) with respect to evaluating bond risk, credit risk, etc., for any financial institution they work for. I don’t know if there is any way to resolve this.
While I can’t speak as much for credit ratings, the approach for audited financial statements is simply for the stakeholders requesting the financial statements choose the firm who is going to be responsible for signing off on them, not the management of the firm being audited. If you’re a firm that has a contract with a bank to work on the audits or reviews of financial statements for companies that are trying to get and maintain loans with a bank, then you have the right incentive to find out what’s really going on, because if you screw up, you may lose that contract. If the audit procedures are well-documented, any additional entity that wants audited financial statements should be able to follow the first audit and not have all too much work to do, plus that would provide automatic peer reviews of audits.
Of course for public companies, that just turns everything over to the stock exchanges, who I presume are the primary source of the requirement for companies that they list to get audited. I also know that there are some tax issues that require an “applicable financial statement” and so to take it to the logical extreme, anyone who wanted to qualify for the favorable tax treatments of being an entity with an applicable financial statement would have to have the government contract out an audit.
If that was how firms were chosen, it would create the right dynamic, but it’s not particularly easy to do it that way now that we’ve been doing it another way for so long. It would likely increase the costs of the audit without all that much to show for it, as most of the time there’s nothing to uncover. So really it becomes one of those things where you do the best you can economically and hope that the really bad case doesn’t happen since preparing for it would simply cost more overall than it would save in that worst case.
My observations have been that there is an audit committee appointed by the board of directors, which includes a couple of independent directors, who are ostensibly in charge of selecting and approving the accountancy firm doing a company’s audit. However, there is a huge amount of influence from either of both of the company’s CEO and CFO towards which audit company is selected. Price plays a factor, but social connections play a much bigger factor. The selection of an auditing company is very much based the relationship between the audited company’s leaders and the auditor’s leaders, rather than any impartial assessment.
Once an auditor has been selected, moving to a different auditor is an absolute pain in the ass for the company being audited. A lot of what an auditor does is to understand a company’s internal reconciliation procedures, and then determine if those procedures are appropriate and can be externally verified. That requires a lot of work from the audited company’s accountancy staff to explain those procedures, and collaborate on the procedures by which those reconciliations can be audited. It’s a lot easier to repeat an established procedure, than to recreate a new one because someone else has come on board.
There’s probably an argument for banks providing large amounts of credit to companies, and institutional investors with a significant stake in companies, to demand an independent assessor of the audit is a member of the audit committee. However, those bodies should already have the power to review the auditors work, and it’s uncertain if having someone on the inside would actually catch mishaps from the auditor.
