For any meaningfully sized company, two billion dollars missing from the balance sheet should be pretty noticeable. But WireCard, despite plenty of reports of accounting irregularities going back years, made headlines in June 2020 when EY (WireCard’s auditor) said it had been provided false information, could not sign off on the the company’s 2019 accounts, and could not confirm whether two billions dollars (¼ of the balance sheet) even existed.
Unfortunately, WireCard will not be the last financial scandal we’ll see in 2020 as COVID-19 has created a perfect storm of pressure and opportunity for fraud. However, the audit community can take a few lessons from WireCard’s failure, including why companies shouldn’t conflate compliance and controls, how to evaluate fraud risk profiles post-COVID, and how technology can prioritize and automate controls to ensure they’re met.
It will be some time before all the details about WireCard’s fraud come to light. Though it currently appears as though the revenue never existed, we don’t know concretely if it existed but was stolen. One thing we do know for certain—there was a serious failure of internal controls.
This exposes a common misstep by audit teams: assuming the system of internal controls equals compliance itself. Instead of critically evaluating the controls and having reasonable assurance that the financials were accurate, the auditors checked the controls, everything worked, they got signoff and went on their way.
Many will point the finger at the external auditors when it comes to this sort of oversight, but it’s very easy to skip over fundamentals internally if internal audit, SOX (Sarbanes–Oxley) compliance managers, or finance assume compliance mitigates fraud risk and don’t credibly evaluate the risk of fraud. For example, if a company is SOX compliant, they may be lulled into a false sense of security when they haven’t really reassessed or addressed fraud risk.
This is an important warning for all internal control owners or auditors, because the risk of fraud has drastically increased since the COVID outbreak. Many still think that rolling over the controls they tested last year will be enough to protect the organization. However, the risk profile for fraud has drastically changed in 2020.
Since the outbreak, the three elements required for fraud to occur—pressure, opportunity and rationalization—are heightened. Organizations need to update their controls to meet all of the challenges thrown at us by 2020, and test them accordingly.
Like we said earlier, the WireCard scandal won’t be the last major fraud we see this year. The reason for this is twofold. First, the economic downturn has created pressure for floundering companies to fake performance in order to stay afloat. In this situation, companies usually start out with the best of intentions. They rationalize the fraud as a stopgap to make it through to the next reporting period. But this is difficult to sustain, especially if the economic situation does not improve.
The second reason is because economic downturns often bring pre-existing fraud to the surface. If a company has committed a smaller scale version of a fraud like WireCard’s, an economic downturn makes it much harder to recover the non-existent revenue or other value. This creates a situation that is too difficult for companies to dig out of, and exposes the fraud.
To address the new risk profile of fraud and ensure that internal controls weaknesses are not overlooked, many companies use GRC (governance, risk management, and compliance) software to automate controls. As we saw with WireCard, human error or misbehavior causes missteps. Using purpose-built software and automation tools can dispassionately enforce strong internal control.
For instance, such tools can be used to directly aggregate data from banking systems or electronic bank statements, and automate cash account reconciliations accordingly. Not only does this enforce proper reconciliation every time, it also adds segregation of duties as resolving unreconciled amounts (like fictitious the $2B on WireCard’s books) will require review by the internal control professionals maintaining the automation. Key control automation is a simple step companies can take to ensure fraud schemes like WireCard’s are not committed, even on a smaller scale.
Beyond basic control automation, machine learning is able to evaluate transactions and use statistical models to determine if financial activity appears unusual. This is especially important in the COVID landscape, as many organizations have changed their spending habits in order to reopen offices or accommodate remote work. Auditors may know what to look for under normal circumstances, but machine learning is able to discern new patterns when conditions change, as is the case since the outbreak.
The WireCard scandal was a stark reminder that the fundamentals of auditing can easily be overlooked. In order to prevent clients from facing fraud-driven scandals, it’s important that auditors critically assess new risk profiles, and consider how technology can ensure controls are met and organizations are kept safe.
Dan Zitting is Chief Product and Strategy Officer for Galvanize, a platform for audit, risk and compliance management.