Analysing Wirecard Case from Fraud Risks, Independent Audit and Corporate Governance Perspective - July 2020

The full text of the interview that Mr. Fikret Sebilcioğlu gave to the website of Mr. Ali Ilıcak, News from the Markets, on 27 July 2020 is as follows.

We are still following up on the Wirecard Scandal. I have written about the case before, regarding the context of magazine and political economy. Later, we discussed the issue with Dr. Muzaffer Eroğlu from a legal perspective, especially corporate management. This time, we will talk with Fikret Sebilcioğlu (CPA, CFE, TRACE Anti-Bribery Specialist), the managing partner of Cerebra CPAs & Advisors, about the aspects of the case related to fraud investigations and independent auditing. I have many questions to ask since I have found the expert, and I highly recommend you read the interview to the end.

Fikret Sebilcioğlu has more than 25 years of experience in accounting, financial reporting, internal control systems, internal audit, forensic accounting, fraud investigations and compliance programs. At Cerebra, they provide services in the fields of white-collar crime, misappropriation of assets, bribery, kickbacks, financial statement fraud, compliance with the Foreign Corrupt Practices Act and UK Bribery Act and complicated forensic accounting cases. Fikret previously worked at the PwC Istanbul and Rotterdam offices in independent audit projects for 15 years. Currently, he is a board member of the Ethics and Reputation Society (TEID) and Transparency International Turkey (Transparency International Association), and an advisory board member of ACFE (Association of Certified Fraud Examiners) Turkey.

"It is difficult for independent auditors to detect fraud in companies with their current approach."

Ali: Hello, Fikret. The Wirecard Scandal has brought up issues again that you have been continuously drawing attention to on many platforms for years, as a professional who specializes in fraud investigations in companies and works actively in non-governmental organizations related to transparency and ethics. In this case, I think CEO Markus Braun and COO Jan Marsalek, who are at the top of the company management, acted out with bad intentions since the very beginning. Braun was detained and released on bail and detained again two days ago. Marsalek, who is on the run, is suspected to be in Belarus or Russia. When the top executives of the company have such an intent, is it possible to keep them from doing so? Or is it a case of “what is to be will be”?

Fikret: Hello Ali. First of all, thank you for this interview. If the top manager has an intention to defraud, he will conduct this fraud. There are two main reasons for this: (1) the environment of ethics and compliance is shaped by those in charge of corporate governance, (2) even though there are well-designed and working internal controls in the company, top managers know where and for what purpose these controls work and can easily override them. In short, if the fish rots from the head down, there is no escape.

"It is company shareholders or top managers who conduct the biggest frauds."

The Wirecard scandal looks like a pretty complicated fraud case. When I read the information the Financial Times (FT) received from the whistleblower, I understand that it is a multidimensional case that is not focusing only on a financial statement but also involving other types of fraud. According to the research published by ACFE (International Association of Fraud Investigators), of which I am a member, in April 2020, the type of misconduct with the highest potential loss among the types of fraud is "financial statement fraud". According to another finding, the misconducts causing the highest financial loss are committed by the company's shareholders or top managers. In short, the Wirecard case is very parallel to what we know.

Ali: How would you classify the Wirecard case? Is it a case of corruption? Or is it fraud? Or would you describe this case as an example of the evil corporation in the future?

Fikret: We deal with occupational fraud in three main categories: (a) corruption (bribery, conflict of interest, bid-rigging, economic extortion), (b) misappropriation of assets (such as theft), and (c) financial statement fraud (creating a beautiful world by playing games on expenses and income). The Wirecard scandal mainly looks like a financial statement fraud. Because, as the main finding, we are talking about a cash amount of 1.9 billion Euros recorded in the bank accounts on the balance sheet that does not exist.

"No third party will be part of the fraud without getting their commission."

However, when I read the information disclosed by FT, I understand that Wirecard management uses third parties in financial statement fraud a lot. Third party risks are the new phenomenon of the fraud universe. It was always important but now, in every case we work on, we see fraudsters at the victim company and the rotten third parties that collaborate with them. The top ten cases that FCPA's (US Foreign Corrupt Practices Act) dealt with involve fraud committed through third parties. As the Wirecard case is further analysed, we can see both the misappropriation of assets and corruption and bribery committed through third parties. Remember, no third party will be part of the fraud without getting their commission.

Ali: Then, as the investigation proceeds, we will hear the names of these third parties who have a critical role in the fraud. I find the situation of public companies against fraud very interesting. Among the shareholders of public companies, many shareholders have no say in management by definition, and the laws introduce a series of measures to protect the interests of these shareholders. It is still not enough as we witness new cases after each scandal. You also have an independent audit background. Could you explain a little bit what independent auditing is supposed to do about the subject? Can the independent audit fulfill these expectations?

"There are (were) seemingly perfect corporate management practices in companies that are experiencing these scandals."

Fikret: The concept and tools of corporate governance already have emerged from this need you mentioned. As in the Enron Scandal, managers who did not own the company (C-level) were able to pretend to own it and deceive shareholders with asymmetrical information. Strangely, these companies that experienced these scandals seem to have perfect corporate governance practices. Yet, this mechanism doesn’t work somewhere.

It would be better to give a piece of brief technical information to comment on the subject: Companies defend themselves with three bodies: (1) Senior management and operation managers, (2) support units (such as risk, compliance, financial control), (3) internal audit. The board and its committees are not a line of defence due to their high-level monitoring role. There are also two external bodies monitoring: (1) independent external auditors, (2) regulators.

Ali: Now, let us talk more specifically. The auditor of Wirecard, EY (formerly Ernst & Young), had approved the financial statements of the company from 2009 to 2019. The process that brought the end of Wirecard began after the Financial Times reported in January 2019 about an incident of fraud covered at the company. To appease investors, CEO Markus Braun asked KPMG, for whom he once worked as a consultant, to conduct a special audit. Perhaps as a result of this, EY failed to approve its 2019 financial reports. The fact that two rival firms are conducting audits prompted the auditors to be more careful, no doubt. Why do you think EY counted non-existent bank accounts - at least we know it’s in that way for 2018 - as if they existed? EY defended itself by saying, "We faced a complicated case of fraud, we were deceived", when it came to an end. To what extent are audit companies responsible for such cases? Can they elude it by saying, “We were deceived, God forgive”?

"The audit procedure for the bank confirmation letter is one of the ABC’s of the independent audit."

Fikret: I have to answer the question you asked, based on the Wirecard's independent auditor EY’s negligence in this case, in two ways. First: The issue with EY in the Wirecard scandal is not the inadequate audit procedures of the independent auditor for specific fraud risks. EY did not send the bank confirmation letter directly to the bank, which is said to have this fake account, for three consecutive years, and naturally, it does not independently verify these balances. Instead, it confirms the balance with screenshots and other documents taken directly from Wirecard management and third parties. Seriously! The audit procedure for the bank confirmation letter is one of the ABC’s of the independent audit. It was one of the first things that they taught us when we were assistant auditors. Therefore, this lack of control seems to be an extraordinary error and carelessness.

EY said that “they had faced a very complicated case of fraud,” which I think is true, but the first detection of even the most complicated ones can be possible by a very simple professional scepticism. For example, if EY tried to confirm the bank balances and the bank responded as “I do not have these balances”, then it would detect this complicated fraud long before. Also, I do not think that there is a convention of "to be deceived” in Germany like ours. If EY has negligence in this case, which seems to exist, the regulatory authorities impose a penalty on it.

Furthermore, the relationship between the relevant EY partners and management should also be evaluated. EY has been auditing Wirecard for ten years, and I am sure the audit fee is pretty high. On the other hand, since there were real or unreal allegations about Wirecard for a long time, the audit risk was very high, and so EY should have had to audit in a way that would provide more assurance than usual audit engagement.

Ali: Do you think there will be a result like the dissolution of Enron’s auditor Arthur Andersen by surrendering its license after the Enron Scandal?

Fikret: The financial loss is at least 1.9 billion Euros now. We will see where this will evolve for EY, but it seems unlikely to me that the Big 4 [the four largest auditing companies operating globally] will fall into Big 3. Something else will happen.

Ali: Do audit companies have professional liability insurance?

Fikret: EY certainly has professional liability insurance, but the compensation payment for this type of insurance can be quite troublesome. Compensation may not be paid if the damage is due to negligence. It's a technical issue, but I'm sure the insurance company will do a detailed investigation.

Now, let us get to the most critical point by summing up these questions about independent auditing. The responsibility issue of the independent auditor for detecting fraud is a highly sensitive matter. We have an independent audit standard titled, “International Standard on Auditing 240 – The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements”. Independent audits should be carried on according to this standard. The independent auditor also states in the Auditor’s Opinions page, “We give reasonable assurance whether the financial statements are free from material misstatement, whether due to fraud or error.” This statement tells me that any material error caused by fraud can be detected by applying this standard. In other words, if the auditor could not detect a material fraud, it means that the audit procedure was not adequate to detect it.

"The rate of fraud detected during the independent audit process: 4%. This is even a lower rate than those identified by accident."

Here are some interesting statistics. According to the latest report of the ACFE, 43% of the 2,504 cases which are involved in the study were detected by tips, whereas 15% of the cases were detected by internal audit, 12% by management review, and 5% by accident. What is the percentage detected during the independent audit process, can you guess? Only 4%. I think it is hard for independent auditors to detect material misstatements caused by fraud with their current approach, and the research shows this. So, there must be a more effective audit. I am referring to an audit where challenging questions are asked, and that does not say "I only look at what you give to me". The more effective audit means both competence and time, and this means higher audit fees.

Ali: What is the scope of the company's self-auditing and control? Would it be possible for internal control processes to reveal management misconduct as in our example? It may be difficult for the CEO to cover internal controls nowadays, but wouldn't he be able to manipulate it?

Fikret: Companies sell products and services to gain profit and earn money with integrity. In a sense, organizations establish a defence system to manage their risks and protect their assets to ensure their sustainability. This mechanism is called the "internal control system". The internal control system consists of a wide framework and five elements expected to work in harmony with each other: Control environment, risk assessment, control activities, information and communication, and monitoring. As an answer to your question, I can easily say that a system consisting of well-designed and effective controls can detect all kinds of errors and misconduct in a short time.

"In 18% of the cases, fraud occurred as a result of the override of existing internal controls by the company managers."

The CEO and other C-level managers have a critical role in the implementation of internal controls. We frequently deal with the fraud cases resulting from the misconduct of this direct influence of senior executives on internal controls. While reading the Wirecard news, I caught many clues that CEO Markus Braun and COO Jan Marsalek were using their power on the control environment negatively. The answer to this problem can be found in the ACFE report. In 18% of the 2,504 fraud cases subject to research, fraud occurred as a result of the override of existing internal controls by the company managers. It is a profound and difficult problem to overcome. Because the executives we mentioned are the senior management entrusted to the management by the company's shareholders, and even some of them have shares as in the Wirecard case. The case we are talking about is a principal-agent problem, and there must be no conflict of interest within the company, and there must be independent mechanisms to solve this problem.

Ali: Well, what would you do if Wirecard management assigned Cerebra to investigate fraud? Could you give us an overview of how an investigation is carried out in a smoking crime scene as in this example?

Fikret: I can list the main steps as follows:

  • First of all, since we will be a part of an investigation team, we get to know the investigation team well, create a communication plan, and coordinate mainly with lawyers.
  • We analyse all tips in detail, and if possible, we stay in communication with the whistleblower in the format he/she wants (which would probably be “anonymous”) and receive the utmost information / documents. We examine the credibility of these claims and prepare an investigation plan accordingly.
  • We ensure that the relevant data sources are secured with forensic experts so that the data related to claims would not be altered or deleted. It may be of critical importance in possible criminal and civil lawsuits in the future.
  • To conduct data collection and admission-seeking interviews, we learn who have heard about the allegations or are suspicious (including the CEO and COO at Wirecard), and we talk with these people in due course.
  • We obtain accounting records, data, and documents regarding the allegations and initiate a forensic accounting review on these data. We examine the critical information given by the whistleblower on the accounting data, and if these transactions actually occur, we examine the supporting documents behind them and the business rationale of the transactions.
  • We conduct e-discovery on hard drives and phone messages, including the emails of all critical persons. In places where the keyword does not work, like photos, we try to capture patterns/relationships that show. In this study, we understand the suspicious correspondences and follow the suspicious transactions in the accounting records. Significant findings are usually identified in these procedures.
  • Third parties have a significant role in the Wirecard scandal. Therefore, we conduct a detailed intelligence gathering study on all critical third parties. (Who is the partner? When was it established? What are their references and reputation? What and how is the service provided? etc.) We evaluate the due diligence conducted when the first onboarding decision is made, regarding the third parties mentioned in the case. We make site visits and conduct audits in third parties, using the possible "right to audit" clause in Wirecard's contracts with third parties.

Ali: Due to the role of Arthur Andersen in the Enron Scandal, the USA Congress accepted the Sarbanes-Oxley Act (SOX), which enacted the regulation that auditing firms could not provide any consultancy services to their clients from whom they took the independent audit engagement. Do you think the Wirecard Scandal will lead to a new SOX-like rule set?

Fikret: One is the USA and one is continental Europe. The reaction levels of law and regulatory authorities are very different. I think Germany will not react like the USA, and at least the measures it will take will not be as severe as the consequences of the SOX, especially in such a conjuncture. Although the sum of the financial loss caused by the Wirecard scandal is unclear, it is certainly a huge amount. I understand from my readings that trust in European markets is severely damaged. I think that the current laws will be revised when the factors causing this misconduct are better understood.

It has nothing to do with the question you're asking, but there is something else that I would like to add. It is necessary to punish those who commit this fraud most severely to deter such fraudulent behaviour. I wonder what will happen to the CEO and COO, and those who are involved in this scandal and live in other countries. I hope they would not get away with their crime as in our country.

Ali: What would you like to say about what can happen next? What do you think, is there anything that the parties of the game, such as legislators, regulators, companies, shareholders, and audit companies should do?

"I've read so many Wirecard news and I haven't seen the name of the board of directors or the audit committee anywhere."

Fikret: Companies come first. I've read lots of Wirecard news, and I haven't seen the name of the board of directors or the audit committee anywhere. The monitoring role of the board of directors is essential for companies. The competent members who have a seat on that board to protect the assets of the shareholders, must prove their independence from management and monitor the performance of internal controls.

For example, if the board had realized in 2016 that half of Wirecard's consolidated profits came from a third-party service provider called Al Alam Solutions, a brokerage firm based in Dubai; if they had seen that FT had some allegations about that and if they had audited about these third parties, the Wirecard case could have been completely different. FT observes in the Wirecard financial statements that Al Alam Solutions has 34 customers for Wirecard-related payments. Suspecting about this finding, FT contacts these customers without neglecting and asks about Al Alam Solutions. The result is that 15 of the customers have never heard of Al Alam Solutions, 8 of them did not even do business in the relevant period, 6 of them did not comment, and 5 of them were not available. In short, it turns out that Al Alam Solutions is a shell company created or used to perpetrate fraud. The issue is to see the risks and to make sure, by being independent from management, that controls are robustly operating.

It is possible to say many things about the measures to be taken by other institutions. For example, the higher level of professional scepticism should be integrated into the independent audit procedures by senior auditors who are engaged more in the audit activities. They should assess fraud risks in more details, ask difficult questions to management, and take the risk of not being an auditor in the next year while doing these. This part is the hard one!

Speaking of the regulators, I thought of BaFin in this case. BaFin allegedly ignored allegations regarding Wirecard in the past and did not investigate these allegations timely and properly. It even started an investigation against FT in January 2019, for market manipulation due to its news. Isn't it like a joke? When the dust settled, the European Community was annoyed by the fact that FT was proven to be right and by the announcement of Wirecard's bankruptcy and started an investigation for BaFin. Regulatory agencies such as BaFin can also be restructured as a result of this investigation.

Ali: Fikret, thank you very much. It was an interview like a lecture on fraud investigation, independent auditing, and corporate governance.