What lessons can be learned from the Wirecard debacle?

The debacle surrounding Wirecard has been going on for some time now. The end is not yet in sight, with the CEO (Markus Braun) already imprisoned awaiting trial and one of the other prime suspects (COO Jan Marsalek) still on the run at the time of writing.

Many articles, columns and blogs have already been published about Wirecard. Through this blog I try to draw a number of lessons and indicate things that have struck me. Hopefully this will help Directors, Risk Managers, (Internal) Auditors, Accountants and other stakeholders to prevent scandals like this in the future.

Background

What was the Wirecard debacle about again? Founded in 1999, Wirecard provided online payment services, in the beginning mainly for porn and gambling websites. Through acquisitions and a very strong growth curve, Wirecard became a well-respected, listed company that even offered banking services at one point. The unusually strong growth attracted attention, however, and in 2008 the first rumors of accounting fraud came through a shareholders association. An investigation by Ernst & Young (who was appointed as accountant shortly afterwards) did not reveal anything. In 2011-2014, Wirecard took over a number of dubious payment service firms in Asia, contributing to the strong growth that attracted a lot of investors. In 2015, the Financial Times (FT) began a series of articles on Wirecard, again disputing its accounting practices. From that point on, such rumors continued to grow, with Wirecard defending itself on the grounds that this was done to benefit short sellers. Audits by EY produced unqualified auditors' reports time and again, increasing the number of investors and enabling the company to make more acquisitions. At the beginning of 2019, however, whistleblowers pointed to irregularities in the Singapore office. The Financial Times also found out that about half of Wirecard's business had been outsourced and that the relevant third parties did not appear to exist. FT continued to report in 2019 that Wirecard's sales and profits had been inflated (particularly in local entities) and that customers appeared not to exist. Under pressure from the outside world, Wirecard had an investigation carried out by KPMG in early 2020. The outcome was that KPMG could not verify that the figures were indeed correct. It also appeared that 1.9 billion euros had been “lost”. A police investigation then began and the CEO was arrested in June. Shortly afterwards, Wirecard went bankrupt.

Below I explain what strikes me about this case and matters concerning the internal control of Wirecard and what can be learned from this.

Unusual matters (related to internal control)

Management override / tone at the top: A good “tone at the top” is of course crucial for the proper functioning of (the internal control of) an organization. The Wirecard case clearly shows that the top of this organization was “all-in” themselves: they deliberately committed this fraud and deliberately misled stakeholders. There is little that can be done about this, in contrast to, for example, individuals who commit fraud (see, for example, Nick Leeson at Barings and Jerome Kerviel at SocGen).

Accountant who does not perform the audit properly: It has become apparent that EY failed by not asking about the third-party account where the relevant 1.9 billion euros was supposed to be located. Earlier signals and warnings from whistleblowers were also ignored. EY has since apologized for this, but it has once again become apparent that an audit of such a large company that does a lot of business with third parties is not easy.

Doubtful role of entities in other countries: This is an aspect often seen in frauds: local entities in remote locations that are difficult to monitor. I think it is crucial that this aspect is included in the Internal Audit planning of organizations and that at least 1 visit per year to entities in other countries is planned.

Failing Regulator: This is a tricky and painful aspect. It seems that employees of the German regulator BaFin even held shares in Wirecard. This teaches us that internal compliance rules regarding restrictions on the holding and trading of shares and options are crucial to ensure the independence of supervisory functions. This is also confirmed in the ESMA (European Securities and Markets Authority) “Peer Review Report”, which indicates that trading in Wirecard shares by employees of the supervisory department jeopardized BaFin’s independence.

Culture in the organization: This point is of course related to “Management override / tone at the top”. The fact that the top management of Wirecard itself was involved says a lot about the culture and integrity of this organization. But perhaps the German, generally somewhat hierarchical culture also played a role, and subordinates did not dare to raise or report any wrongdoing.

Signals that were not used for a long time: Despite the fact that rumors and articles about the course of affairs at Wirecard had been published for a long time, various people involved in this case (EY, BaFin, various banks) did nothing with these signals. It turns out that if there are persistent rumors somewhere, it is advisable to investigate.

Revenues and Profits That Were Too Good to Be True: This is of course a classic with frauds like this one. In order to live up to the expectations of top management and investors, revenues and profits were inflated through forged invoices and non-existing customers to create a fictitious flow of money in a remote entity (Singapore). Naturally, this will result in higher share prices and bonuses. It is nice when an organization shows a very large turnover growth, but if this seems too good to be true, the challenge is not to let yourself be blinded by higher share price and bonuses, but to be critical and verify whether the revenue increase is valid and explainable.

Use of Questionable Third Parties: At one point, Wirecard used a number of third parties who transacted in the name of Wirecard for customers, for which Wirecard then paid a commission. It turned out that at some point even half of Wirecard's revenue and almost all of the profit was generated through these parties. These parties were not transparent in their business operations and were not properly audited by accountants. It is therefore always very important to thoroughly investigate the parties you do business with before entering into a relationship, and also to ensure during the collaboration that there is good supervision and control and that attention is paid to the integrity of the Directors and the organization.

Recapitulation

The above points may seem obvious. Unfortunately, this is more often the case with fraud, and yet new fraud cases always arise. Still, some common threads can be seen in the Wirecard case, starting with attention to integrity in the Board. Tone at the top is of vital importance to organizations. In addition, improving internal supervision is important, especially in local entities. However successful a company may be, this case has again shown that with inadequate internal supervision it can be destroyed in a very short time. Finally, it is good if even more attention is paid to the quality and depth of external audits. Major steps have of course been taken in recent years, but it has now become apparent that this remains a point of attention.

This blog is written by Remco Spruyt, co-founder of INTERMEDIATE Interim Professionals. If, after reading this blog, you are interested in discussing how to improve internal supervision or internal control at your own organization, feel free to contact me. INTERMEDIATE can provide qualified Risk Managers and Auditors who can help take this to the next level in your organization.