In the last few days, the Wirecard scandal has been the most prominent story in the business media. The German-based company has been accused of an alleged fraud amounting to EUR 1.9 billion, through falsifying financial statements and misrepresenting balance sheet items. This scandal is gaining in importance because Wirecard was one of the largest German companies, with shares listed on the Frankfurt Stock Exchange in the DAX 30 index, as well as a pioneer and representative of the so-called Fintech revolution.
It is difficult not to draw a parallel from this case to the case of the US company Enron in 2001, which also falsified its financial statements in a well-designed scheme, which eventually caused the company’s bankruptcy as well as the dissolution of its audit firm Arthur Andersen. In the U.S., this case led to the introduction of a new federal law, the Sarbanes-Oxley Act, which brought new requirements and expanded existing ones for all public companies, management boards and public accounting firms. Parts of this act also regulate privately owned companies. This law additionally imposes an obligation on companies to implement internal controls that detect and prevent errors within the financial reporting process.
At this point it is unclear who was actually responsible for the fraud and allowed this setup to run for a considerable time. In this article we therefore only highlight factors which contributed to this outcome and how sound risk management practices could have identified this at an earlier stage.
The Wirecard accounting fraud
Over the years there have been news reports pointing at inconsistencies in the business model and the accounts of Wirecard, but as the annual audits never confirmed any of these issues, the company successfully managed to attract capital from investors in order to expand and the share price continued to rise. At the end of 2019, under pressure from investors after a year of negative publicity, a special audit of Wirecard’s accounts was initiated. In April 2020, the special audit revealed that profits for the period 2016-2018 could not be confirmed, leading to a question mark behind EUR 1.9 billion in assets on bank accounts in the Philippines. Wirecard had previously confirmed the existence of these accounts with documents from a trustee in the Philippines, but in June Wirecard confirmed the assets as “missing” at the same time as the company acknowledged a multiyear accounting fraud.
Lack of focus on internal fraud risk management
How can a financial institution increase its chances of detecting an internal fraud similar to the Wirecard fraud at an early stage, before the magnitude of the fraud becomes too large to handle?
Almost all institutions are exposed to fraud risk and try to deal with it in different ways. In the financial industry there is a special emphasis on fraud risk management, not only because of regulatory requirements but also because financial institutions have realized that this is an area where they can be subject to substantial losses. However, within fraud risk management many financial institutions tend to focus more on detecting and preventing external frauds, for example falsification of loan application documentation and identity theft, while the risk of internal fraud by employees or managers is sometimes neglected. This is evidenced by the fact that most frauds within organizations are detected through the help of whistleblowers, those familiar with the case.
Internal fraud risks are commonly mitigated with internal controls, for example segregation of duties in authorization, processing, recording and reviewing of business transactions. Internal controls certainly mitigate the internal fraud risks, but even with strong internal controls in the business there is still a risk of collusion, which can go undetected in a weak risk culture where proper internal governance has not been implemented. Implementation of internal controls must therefore go hand in hand with the implementation of proper internal governance.
Internal governance and risk culture
As fraud is likely to result from the combination of motivation, opportunity and rationalization, an effective way to reduce the risk of internal fraud is to introduce measures that will decrease either the motivation or opportunity of the fraudster, or preferably both. According to the Chartered Institute of Management Accountants (“CIMA”), fraud is considered to be more likely in companies where there is a weak internal control system, poor security over company property, little fear of exposure and likelihood of detection, or unclear policies with regard to acceptable behavior. Adopting measures to strengthen the internal control system will therefore decrease the likelihood of fraud occurring.
Germany, among other countries within the EU, has enacted regulations requiring an internal control system for financial institutions. The European Banking Authority (“EBA”) has published guidelines on internal governance (GL11 – EBA/GL/2017/11) for further harmonizing institutions’ internal governance arrangements, processes and mechanisms across the EU. The EBA guidelines specify requirements aimed at ensuring the sound management of risks across all three lines of defense and, in particular, set out detailed requirements for the second line of defense (the independent risk management and compliance function) and the third line of defense (the internal audit function). All internal control functions need to be independent of the business they control and report directly to the management body, as the overall responsibility for the company’s internal control lies with the management body.
After a scandal of this magnitude we anticipate stricter supervision and regulations to be applied in the area of fraud risk management. We strongly recommend that financial institutions strengthen the area of internal fraud risk in their already implemented operational risk self-assessment process. Internal controls as simple as segregation of duties are extremely powerful, in particular when combined with regular sample testing in which a few business transactions are evaluated completely back to their sources. We also recommend that financial institutions review their internal governance implementation in the light of GL11. The guidelines require an organization of independent defense lines, measures to strengthen the risk culture of an organization, and transparency of complex/non-standard organizational and legal structures.
Following these two recommendations will reduce the internal fraud risks considerably. FCG has long experience in these areas and can advise and assist in the strengthening of fraud risk management as well as internal governance. Please contact any of our offices in Frankfurt, Oslo, Helsinki, Copenhagen or Stockholm if you would like to start a discussion on how you can improve fraud risk management.