When I wrote about the opening of the Wirecard trial in December 2022, I focused on the criminal case. Here I want to examine a different question — not who committed the fraud, but why nobody caught it.

The Wirecard fraud, at its core, was not technically sophisticated. The company claimed to have €1.9 billion in cash held in escrow accounts at two Philippine banks. The money did not exist. The bank confirmations were forged. When auditors finally attempted direct verification, the banks said they had never heard of Wirecard.

This is a type of fraud that audit procedures are specifically designed to detect. External confirmation of cash balances at third-party custodians is one of the most fundamental audit steps. It appears in every auditing textbook. It is taught in every audit training programme. And in the case of Wirecard, it failed for over a decade.

Where EY’s audit process broke down

Ernst & Young audited Wirecard from 2009 until the company’s collapse in 2020. For most of that period, EY relied on confirmation letters purportedly from the Philippine banks to verify the existence of the escrowed cash. These letters were forgeries.

The question is how forged bank confirmations defeated the audit process. In standard practice, the auditor sends confirmation requests directly to the bank, using contact information independently verified by the auditor — not provided by the client. The bank responds directly to the auditor. This direct communication channel is supposed to prevent exactly the kind of interception and forgery that occurred at Wirecard.

If the confirmation process was conducted properly — if EY sent requests directly to independently verified contacts at the Philippine banks and received forged responses — then the forgery was extremely sophisticated and the audit failure, while real, is more understandable. If the confirmation process was not conducted properly — if confirmations were routed through Wirecard or its intermediaries, or if contact information was provided by the client — then the audit failure reflects a fundamental breakdown in procedure.

The civil litigation currently underway will, presumably, establish which scenario occurred. But either answer is troubling for the audit profession.

The regulatory failure

The audit failure did not occur in isolation. Germany’s financial regulator, BaFin, also failed to detect the fraud — and, more remarkably, actively impeded those who tried to expose it.

When the Financial Times published a series of investigative articles in 2019 raising detailed questions about Wirecard’s accounting, BaFin’s response was to file a criminal complaint against the FT journalists for market manipulation and impose a ban on short-selling Wirecard shares. The regulator investigated the people who found the fraud rather than the company that committed it.

This was not an intelligence failure. BaFin had the information — the FT had published it, in detail, with supporting documents. It was, at best, a failure of institutional judgment. At worst, it suggests a regulatory culture in which the default response to negative information about a national champion was to defend the company rather than investigate it.

What this teaches about fraud detection

From my work in both cybersecurity and financial crime, I see the Wirecard case as a failure of verification at every level.

The audit relied on paper confirmations that could be — and were — forged. In cybersecurity terms this is a trust anchor problem: every verification chain bottoms out in something the verifier accepts without further checking, and here that something was a letter arriving over a channel the client could intercept or supply. A verification is only as strong as the channel that delivers it. Digital bank confirmations with cryptographic authentication would have been significantly harder to forge, but only if the bank’s key or identity is itself obtained by the auditor directly from the bank; a platform whose onboarding details come from the client merely moves the same weakness into software. The audit profession is slowly moving toward electronic confirmation platforms, but the transition is far from complete.
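The trust-anchor argument above, modelled in code. This is an added example written for this article, not code from EY, any bank, or any confirmation platform; the bank name, account, balances, field names and key handling are all assumptions. It uses an HMAC over a key shared between bank and auditor so that it runs on the Python standard library alone; a production platform would have the bank sign with a private key, so that the auditor can verify but not produce confirmations. The property that matters is the same either way: the key the auditor verifies against was pinned directly from the bank, never routed through the client, so a letter the client writes, a genuine confirmation the client edits, and a stale confirmation replayed into a later audit all fail.

```python
"""Toy model of authenticated bank confirmations (added example, hypothetical data)."""
import hashlib
import hmac
import json
import secrets


def canonical(fields: dict) -> bytes:
    """Deterministic encoding so bank and auditor MAC exactly the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


class Bank:
    """Custodian bank: holds the real ledger and the confirmation key."""

    def __init__(self, name: str, ledger: dict):
        self.name = name
        self.ledger = ledger                # account -> balance (constructed sample data)
        self.key = secrets.token_bytes(32)  # handed to the auditor out-of-band, never via the client

    def confirm(self, account: str, nonce: str) -> dict:
        body = {
            "bank": self.name,
            "account": account,
            "balance": self.ledger.get(account, 0),
            "nonce": nonce,                 # echoes the auditor's fresh challenge
        }
        mac = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        return {"body": body, "mac": mac}


class Auditor:
    """Auditor whose trust anchor is a key pinned directly from the bank."""

    def __init__(self, trust_anchors: dict):
        self.trust_anchors = trust_anchors  # bank name -> key obtained independently of the client
        self.pending = set()                # outstanding (bank, account, nonce) challenges

    def request(self, bank_name: str, account: str) -> str:
        nonce = secrets.token_hex(16)
        self.pending.add((bank_name, account, nonce))
        return nonce

    def verify(self, confirmation: dict, claimed_balance: int) -> tuple:
        body = confirmation.get("body", {})
        key = self.trust_anchors.get(body.get("bank"))
        if key is None:
            return False, "issuer has no trust anchor"
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, confirmation.get("mac", "")):
            return False, "MAC mismatch: forged or altered in transit"
        challenge = (body["bank"], body["account"], body["nonce"])
        if challenge not in self.pending:
            return False, "unknown or reused nonce: replay"
        self.pending.discard(challenge)     # each challenge answers exactly once
        if body["balance"] != claimed_balance:
            return False, f"bank reports {body['balance']}, client claims {claimed_balance}"
        return True, "confirmed"


def run_scenarios() -> dict:
    """Five confirmations against one claimed balance; only the honest, fresh one passes."""
    bank = Bank("Hypothetical Bank", {"ESCROW-1": 1_000})   # constructed ledger
    auditor = Auditor({bank.name: bank.key})
    claimed = 1_900_000                                     # the client's figure
    results = {}

    # 1. A paper-style letter the client wrote itself: no key, so no valid MAC.
    fake_body = {"bank": bank.name, "account": "ESCROW-1", "balance": claimed, "nonce": "any"}
    results["client_written_letter"] = auditor.verify({"body": fake_body, "mac": "0" * 64}, claimed)

    # 2. A genuine confirmation intercepted by the client and edited to match the claim.
    nonce = auditor.request(bank.name, "ESCROW-1")
    genuine = bank.confirm("ESCROW-1", nonce)
    tampered = {"body": dict(genuine["body"], balance=claimed), "mac": genuine["mac"]}
    results["tampered_in_transit"] = auditor.verify(tampered, claimed)

    # 3. The untouched genuine confirmation: authentic, but it contradicts the claim.
    results["genuine_contradicts_claim"] = auditor.verify(genuine, claimed)

    # 4. The same confirmation presented again next year: its nonce is already consumed.
    results["replayed_next_year"] = auditor.verify(genuine, 1_000)

    # 5. A fresh challenge and an honest balance: what a clean confirmation looks like.
    nonce2 = auditor.request(bank.name, "ESCROW-1")
    results["genuine_matches_ledger"] = auditor.verify(bank.confirm("ESCROW-1", nonce2), 1_000)
    return results


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:28} {'PASS' if ok else 'FAIL'}  {why}")
```

Scenario 1 is the paper letter: with nothing binding the confirmation to the bank, anyone can write one. The freshness check in scenarios 3 and 4 matters as much as the MAC, because a fraudster who cannot forge may still reuse a real confirmation from a period when the account was genuinely funded.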

The regulator relied on the auditor’s sign-off. BaFin’s position was, in essence, that if EY had signed an unqualified opinion, the financial statements were reliable. This chain of deferred trust — the regulator trusts the auditor, the auditor trusts the confirmations, the confirmations are forged — is a systemic vulnerability, not just a German one.

The market relied on the company’s DAX 30 membership and its prestigious board. Wirecard’s inclusion in Germany’s benchmark stock index was treated as validation of its legitimacy. The reputational halo of index membership substituted for independent scrutiny.

Each of these layers of trust was individually plausible. Together, they created a system in which a straightforward cash fabrication — arguably the simplest form of financial statement fraud — survived for over a decade in broad daylight.

If it can happen at a DAX 30 company audited by a Big Four firm and supervised by a G7 regulator, it can happen anywhere. The question is not whether the defences are perfect — they never are — but whether the institutions responsible for verification are performing their functions with genuine rigour or merely going through the motions. At Wirecard, they went through the motions. It cost investors €24 billion.
