Among the most startling revelations of the alleged accounting fraud that has led to the collapse of German fintech company Wirecard is that the company’s auditors, Ernst & Young, may have failed, for three years running, to confirm money Wirecard said was in a Singapore bank account actually existed.
That shocking nugget, first reported by the Financial Times citing anonymous sources with firsthand knowledge of the interaction, led one senior auditor at a rival accounting firm to note that confirming bank balances was “equivalent to day-one training at audit school.”
But Brian Fox, a former CPA who is the founder and president of Confirmation, a network that enables auditors and banks to electronically certify account balances, says he’s not surprised that EY may have failed to correctly verify the bank balances.
While verifying bank balances is indeed Auditing 101, Fox says, the problem is that too often auditors simply rely on the contact information for the bank that the client supplies. “When I was an auditor, I never checked a mailing address or fax or an email, and no one ever told me to do that,” he says.
Confirmation fraud
Confirmation fraud has been at the heart of most of the largest corporate fraud cases of the past several decades, Fox says. It was at the center of the fictional $9 billion that led to the collapse of Italian beverage company Parmalat in 2003, which, even with Wirecard, remains Europe’s biggest financial fraud to date. In that case, Parmalat directed its auditors, accounting firm Grant Thornton, to send requests for confirmation for an account to an address that in reality belonged to one of its lawyers, Gian Paolo Zini. (Zini was eventually convicted, and sentenced to two years in jail for his role in the fraud.)
In the case of Wirecard, the FT reported that, between 2016 and 2018, Ernst & Young auditors relied on screenshots and documents provided by Wirecard itself, and by a third party trustee, to verify the existence of funds at Singapore’s OCBC Bank. That bank was, according to Wirecard, used to settle balances between the German payments company and several partners in Asia that conducted business for it in countries where Wirecard did not have payment processing licenses. In 2019, Wirecard said those balances had then been shifted to a bank in the Philippines. And EY said it was shown statements from these Philippine accounts.
OCBC Bank later said neither Wirecard nor its Singapore-based trustee ever had an escrow account at the bank. Meanwhile, accounting firm KPMG, which was brought in last year to conduct a special forensic audit of Wirecard, said it could not confirm that the $2.1 billion Wirecard claimed to have deposited in the Philippines ever existed. The Philippine banks told EY the account statements they had previously viewed were spurious.
EY has said that Wirecard employees engaged in “an elaborate and sophisticated fraud, involving multiple parties around the world in different institutions, with a deliberate aim of deception.” It said that “even the most robust audit procedures may not uncover this kind of fraud.”
‘Inside man’
Fox says that in many confirmation fraud cases, paper confirmation documents are either completely forged, or an “inside man” at a bank or financial institution is bribed or coerced into providing a false confirmation statement on real bank letterhead, or from a bank e-mail address. But, he says, this conspirator is rarely the person at the bank who is authorized to provide legitimate confirmation, so the fraud typically involves misdirecting the auditors to send the confirmation request to the person at the bank who is involved in the conspiracy.
“The standards require the auditor to both validate the bank account balance and validate the authority of the person who is responding to the confirmation request,” Fox says. “But very rarely does the auditor actually do that.”
One problem, he says, is that, in the 21st century, auditors still sometimes rely on 19th-century means of verifying that the cash the company says it has in the bank is really there: the postal system. This is particularly true when trying to confirm money held in foreign bank accounts, he says. Other times, they send faxes or emails.
It was the quest to find a better, less easily manipulated, system that led Fox to found Confirmation in 2000. The company has an electronic network that acts as the trusted intermediary between 5,000 banks around the world and most of the world’s auditing firms. Confirmation, which was purchased by Thomson Reuters last year for an undisclosed amount, uses this network to create a secure communication channel between the auditors and the authorized confirmation officer at each bank. It guarantees that a confirmation request is securely delivered to that individual and that the response is securely delivered back to the audit firm. The network also allows the auditor to ask the verified confirmation officer at the bank additional questions about transactions on the account or whether there are any liabilities registered against the funds.
The use of Confirmation led to the uncovering of the $215 million fraud at Peregrine Financial Group, the commodities broker in Cedar Falls, Iowa. The group’s CEO, Russell Wasendorf, was eventually convicted and sentenced to 50 years in federal prison for his role in the scam.
Fox says he’s aware of several cases where corrupt executives, in an effort to hide a fraud from auditors, have purposefully selected obscure foreign banks that are not part of Confirmation’s network. The banks Wirecard said held its funds are not part of Confirmation’s network.
More must-read finance coverage from Fortune:
- Why black-owned businesses were hit the hardest by the pandemic
- George Floyd protests force Britain to reckon with its role in slavery, leading some companies to pay reparations
- This influential crypto CEO warns that hyperinflation will be “the next big problem”
- Looking to invest in companies that care about equality? This NAACP-backed ETF may be the answer
- 6 reasons Boeing’s financial picture may be brighter than most assume
