Wirecard Scandal and
Quality Control in Audit
International Standard on
Quality Control - ISQC 1
ISQC 1 sets out a few principles that Audit firms need to follow to maintain a base level of quality control. The following principles set out in ISQC 1, therefore allow audit and accountancy firms to not only maintain their standard but also to avoid any penalty or criminal charges in case their clients are found involved in any illegal activity.
• Acceptance and Continuance
• Human Resources
• Engagement Performance
Leadership is a key principle when it comes to quality control. The senior partners in an audit and accountancy firm need to lead from the front when it comes to quality control. An audit firm is like any other company, where the whole hierarchy looks up to the decision makers, the tone from the top matters a lot when it comes to maintaining a strict protocol of quality in an audit firm.
Consider it like this, if the directors of a company are not transparent, if they are involved in dubious practices then the lower levels of the hierarchy will not follow the rules set out strictly. Similarly if the audit partners, do not follow the required regulatory standards, codes of ethics and best professional practices then the audit managers, supervisors and the junior staff will not follow them either and this is how a firm starts to weaken its quality control mechanism.
If we look at the case of Wirecard, then EY stated that when asked for proof of $1.9 billion, they were provided with a photocopy of the bank statement, which was accepted by the audit engagement team. Audit students know that for an amount which is material, photocopied statements do not pass as substantive evidence. At this point the audit engagement team of EY should have asked for more substantive evidence and if Wirecard refused then the matter should have been taken up with the senior management and so on. But we can see that for years, this issue was not audit properly and this indicates that EY audit engagement team, at some point did not follow the required practices for the audit of an individually material amount.
To maintain proper leadership standards, the audit partners should
• Create policies that ensure timely and proper performance appraisal of employees.
• Implement those policies and procedures to perform appraisal and reward employees who meet the required criteria. This should create a culture of competence based on performance.
• Discourage prioritization of increasing revenue over maintaining audit quality.
• Always maintain enough resources to meet any ongoing engagements and do not enter audit engagements for which the required number of resources are not present.
• Assign responsibilities only to professionally qualified and competent individuals.
All professional accountants and auditors are required to follow ethical standards that have been prepared by IESBA. This code of ethics ensures that the professionals maintain a base level of ethics and in addition to this the code of ethics has guidelines on how ethical threats can arise for a professional, how to identify these threats and how to manage these threats to ensure compliance with the code of ethics and relevant regulatory standards.
Audit partners need to ensure that they stress upon the importance of following the code of ethics and this is where their own leadership skills will be required If the staff of an audit firm sees the audit partners following the code of ethics, the staff will also be motivated and compelled to do the same but if the audit partners get involved in activities that defy the code of ethics, then the other staff will too think that the code of ethics is not important enough to be followed.
The fiver fundamental principles outlined in the IESBA code of ethics that professional accountants must follow are
• Professional competence and due care
• Professional behavior
Professionals must consider the ethical implications of accepting an engagement before accepting it and similarly at each step of the audit the ethical implications must be kept at the forefront. For instance, if a client asks the audit team to prepare the financial statements, then this would create a self-review threat because primarily the responsibility of preparing the financial statements is of the finance department of the client. If the client is outsourcing this function to an audit and accountancy firm, then it cannot be done to the same audit engagement team that is conducting the external audit. Because then the team will be reviewing its own work, it may fail to find out any errors or may not want to report on its own mistakes.
Therefore, ethical implications must be kept in mind on all three key stages of an audit namely.
• Planning stage
• Performance stage
• Review stage
If we look at the Wirecard scandal then we can see that EY was conducting the audit of Wirecard since the last many years, this must have created a familiarity threat where the audit engagement team of EY must have thought that it understood the internal control of EY too well and this may have resulted in an oversight.
The SOP for this type of ethical threat is to simply rotate the audit engagement team after every 3 -5 years. Now it remains to be seen if EY followed the required SOPs or not. Failure to do so may very well be seen as gross negligence by the German regulatory authorities who are investigating this matter.
Acceptance and Continuance
The acceptance and continuance of audit engagements is an important area when it comes to quality control. However most of the times this is the most neglected area because audit partners may feel that they may lose revenue if they implement the proper acceptance and continuance practices.
For instance, if at the end of an audit, there are serious matters that need to be resolved by the senior management but they refuse to do so and the auditor ends up qualifying the report then this would raise serious implications for the next audit engagement. If the matters raised were significant then the auditor should refuse to continue with the same client till the matters that were raised in the meeting are resolved.
However, in practice this is rare as audit firms tend to prioritize clients and revenue over professional practices and therefore the FRC report is such a damning report for the audit and accountancy companies.
Similarly, before taking on new clients the firms should carry out due diligence to make sure that the client doesn`t have problematic past. This is one of the important factors for preconditions to audit.
Human resources are an asset for any company and the same applies to Audit and accountancy firms. The senior audit partners need to ensure that the human resources of their firms fulfill at least the base criteria to meet the relevant industry standards.
The staff of an audit firms needs to be professionally competent and technically proficient. Once again this comes down to effective leadership. Audit partners need to ensure that only competent individuals within a firm are promoted to roles that carry responsibility such as the roles of audit supervisors, audit managers and engagement partners. The partners need to hold themselves up to high standards as well to keep their competence and technical competencies sharp.
The annual appraisal process needs to be robust and should focus on work done and knowledge gained. An audit firm is only as good as its staff, the reason why Big 4 firms are Big 4 is because they not only select the best individuals from the market but they also groom their staff to be the best in the industry. It is however clear that lately these standards have fallen for Big 4 firms. It would be biased to focus only on EY. PWC has also been sued by Watchstone for over $63 million because a PWC employee leaked the details of a merger that was still under process. KPMG similarly was fined over $6 million last year for audit misconduct.
The engagement performance is linked with HR. In simple terms engagement performance means that the audits need to be performed according to the set regulatory and reporting standards. At a deeper level this means that competent staff needs to undertake audit to perform it according to industry standards. This is the point outlined in the FRC report that audit firms failed to achieve.
Engagement performance can be broken up into 3 different portions, namely.
Quality control can be maintained by ensuring consistency in the performance of audits. To ensure consistency, the audit partners need to make sure that there are policies, procedures and protocols in place that should be followed.
For instance, if the procedures regarding the preconditions to an audit are clearly defined in an audit firm and followed diligently, then the audit firm can root out problematic clients thereby reducing the risk.
There should be a well-defined protocol to assess each client before accepting the engagement, protocols for appropriate planning before an audit, protocols for setting up teams with the required number of staff with appropriate and relevant skills and competencies required for the audit. The audit engagement partners should know the policies and procedures to deal with any issue during or after audit.
By creating such policies and protocols, the audit partners can ensure that quality control practices are followed, and the quality of each audit is consistent.
Consistency needs to be followed up with supervision of the stated policies, procedures, responsibilities, and work done. The audit work needs to be supervised by competent individuals to resolve issues as they arise during an audit. HR department similarly needs appropriate supervision over the hiring and appraisal process, to ensure the cultivation of proper and relevant skills.
Consistency in audit work and appropriate supervision should be followed by review of the audit engagement by the relevant persons. Review of audit work done at a timely manner, during the course of audit can not only reduce the amount of work required to be done at the later stages of an audit but it can also keep the whole audit process running smoothly by addressing issues as they arise.
Quality control is not a one-off activity it is a continuous process that must continue at every stage of the audit, with every client always and monitoring of the quality control process is also therefore a continuing activity.
All the discussion that we have done above, is required to establish a rigorous quality control mechanism but all of it is incomplete without proper monitoring. If you look back at the factors of internal control mechanism, it too has got monitoring as the final factor, that overlooks the whole mechanism, similarly for quality control monitoring is the final key factor that overlooks the whole process.
The senior audit partners need to keep an eye over the quality control process because they are the ones who will ultimately be responsible, whose reputations are ultimately on the line. The lower staff can change firms and even industry but the audit partners are in there for the long haul and the image of the audit firm, is the image of the audit partners.
The audit partners should at least carry out the following activities to monitor the quality control process.
• Senior partners should monitor of the audit partners and engagement managers are following the regulatory standards and fulfilling the legal and reporting requirements for all their engagements.
• Senior partners should assess whether the quality control process was followed by audit managers and supervisors on a day to day basis. Failure to follow procedures on a day to day basis means that there is a high risk of noncompliance and issues that may require a high level of attention.
• Senior partners should also assess and ensure that the policies in place
Conclusively it can be said that there is a dire need for the regulatory and legal authorities to focus on improving the quality control procedures for audit and accountancy firms to prevent scandals like Wirecard from occurring again. The scandal involves at least $1.9 billion but its ramifications are far more than this amount. Multiple Wirecard offices have shut down, terminating hundreds of workers and billions of dollars of funds have been frozen in accounts of individuals and businesses who used cards and services handled by Wirecard.
This therefore is truly a watershed moment for the finance and accounting world because such a huge financial irregularity or fraud passed under the radar of a globally recognized top of the line audit firm such as EY. It is particularly important because this scandal took place in EU which already has quite strict financial regulations, this is almost reminiscent to the Sarbanes Oxley act which was passed on 2002 after the Enron scandal.
There is therefore a need to reassess the quality control mechanism and improve it so that such scandals do not arise in future. Financial regulators in the EU may have to impose stricter conditions upon audit firms to improve their quality controls because as we have mentioned in the article, Wirecard scandal is not the only audit related scandal. The FRC report can be considered as an unofficial verdict indicting audit firms for poor quality control mechanisms.