AML for Accountants: When the Numbers Tell a Story That Isn't True

Previously: Part 4 - AML for Trust and Company Service Providers: The Architecture of Anonymity

The €1.9 Billion That Was Never There

EY audited Wirecard for a decade. The €1.9 billion was never there.

For ten years, one of the world's largest accounting firms signed off on financial statements for a company that didn't exist in the way it claimed. The cash balances were fabricated. The revenue was inflated. The Asian operations that generated "half of all profit" were largely fictional.

When Wirecard collapsed in June 2020, it wasn't because auditors finally caught the fraud. It was because two Philippine banks told EY that the confirmation documents they'd relied on for years were "spurious."

The message is clear.

Accountants are not neutral observers of financial reality. They are gatekeepers who validate it. When an accountant signs off on financial statements, they're telling the world: these numbers can be trusted.

Criminals understand this better than anyone.

Why Criminals Need Accountants

Criminals don't need accountants to move money. They need accountants to make money look legitimate.

A shell company can exist without an accountant. But a shell company with audited financial statements showing profitable operations? That can raise capital, obtain financing, and attract investors.

The accountant's signature transforms fiction into apparent fact.

The Wirecard Lesson: Anatomy of an Audit Failure

The scale: €24 billion market capitalisation. €1.9 billion in "missing" cash. Ten years of clean audit opinions. Half of reported profits from operations that didn't exist.

What Went Wrong

Failure to verify cash: For three years, EY relied on documents from a Singapore trustee to confirm Wirecard held up to €1 billion at OCBC Bank. They never requested confirmation directly from the bank. When investigators later checked, OCBC's total euro deposits were smaller than what Wirecard claimed to hold there.

Ignored red flags: In 2016, EY's own anti-fraud unit found "red-flag indicators" pointing to balance sheet manipulation. Wirecard's management terminated the investigation. EY complied, and the following year's audit report declared the probe had been "completed" without finding evidence of wrongdoing.

Failed testing: In 2018, EY tested Wirecard's Asian operations by shopping at online merchants identified as clients. The merchants didn't exist. They'd been set up by Wirecard executives to deceive auditors. A Wirecard executive helped identify which merchants to test. The auditors used prepaid cards Wirecard provided.

Reluctance to challenge: When KPMG's forensic audit couldn't verify the Asian operations, EY Germany told Wirecard that KPMG's description lacked "context." Even as evidence mounted, EY defended its client.

The verdict: A German parliamentary inquiry concluded: "EY refrained from key audit procedures or was satisfied with poor audit evidence."

As one senior EY partner later admitted: "We should never have been there in the first place. We never really understood what kind of milieu we were working in."

How Accountants Differ from Other Gatekeepers

You might wonder how accountants differ from Trust and Company Service Providers. The distinctions matter:

The critical distinction: A shell company created by a TCSP is suspicious on its face. But a shell company with audited financial statements showing profitable operations? The accountant's signature transforms a suspicious structure into an apparently legitimate business.

Typologies: How Accountants Get Exploited

The Fabricated Revenue

A fast-growing company provides invoices, contracts, and bank statements supporting reported sales. The auditor reviews the documentation. Everything appears in order. Years later, a short-seller reveals many customers don't exist. The invoices were fabricated.

What should happen: Independently verify significant customers, not through documents the client provides, but through direct confirmation to verified addresses.

The Confirmation Fraud

An auditor sends bank confirmation requests. The client provides the bank's address. Confirmations come back confirming the balances. But the address belongs to a lawyer working with the client. The confirmations are forged. The cash doesn't exist.

What went wrong at Parmalat: Grant Thornton sent confirmations to an address Parmalat provided. €3.9 billion in non-existent assets were confirmed as real.

The Round-Trip Transaction

A company reports strong revenue. Cash flows in. But the company pays a "marketing fee" to an offshore entity equalling 95% of revenue. The offshore entity is controlled by the company's principals. Money circulates, no real economic activity occurs.

What should happen: Understand the economic substance of transactions, not just their legal form. When money flows to offshore entities for vague services, that's a red flag.

The Management Override

A dominant CEO controls all financial decisions. Controls exist on paper but are routinely bypassed. The auditor accepts management's explanations. When fraud is discovered, it's clear the CEO manipulated results for years.

What should happen: Management override is a known fraud risk. When one individual dominates financial reporting, apply enhanced scepticism, not reduced scrutiny.

Red Flags: What Should Trigger Scrutiny

Client Red Flags

🚩 Resistance to independent verification

🚩 Complexity without business rationale

🚩 Revenue growth inconsistent with market conditions

🚩 History of changing auditors after disputes

🚩 Single individual controlling all key functions

🚩 Pressure on timing that precludes normal procedures

Transaction Red Flags

🚩 Round-trip transactions through related entities

🚩 Large adjustments near period-end without clear rationale

🚩 Reported profits not supported by operating cash flow

🚩 Bank confirmations from unfamiliar addresses

🚩 Transactions routed through jurisdictions with no business purpose

Structural Red Flags

🚩 Shell entities with no apparent operations

🚩 Nominee directors or shareholders

🚩 Acquisitions at values far exceeding apparent worth

🚩 Rapid restructuring without clear purpose

The PULSE Framework for Accountants

P - Purpose

Move beyond box-ticking. Understand that your signature doesn't just validate numbers — it validates trust. Every audit opinion either enables or prevents financial crime. There is no neutral ground.

U - Unified Standards

Apply the same rigour to every engagement, regardless of client prestige or fee level. The blue-chip client deserves the same scepticism as the unknown startup. Wirecard was a DAX-30 company.

L - Leadership

Partners must create a culture where challenging clients is rewarded, not punished. When staff raise concerns, listen. When red flags emerge, investigate — don't accommodate.

S - Screening

Verify independently. Don't accept client-provided documentation as sufficient. Confirm bank balances directly, to addresses you've independently verified. Screen related parties and beneficial owners.

E - Evidence

If you can't explain why you accepted an explanation, you shouldn't have. Document not just what you did, but why. "Prepared by Client" is not verification — it's transcription.

What Firms Can Do Today

1. Verify Independently Don't accept client-provided documentation as sufficient. Confirm bank balances directly, to addresses you've independently verified.

2. Follow the Cash Reported profits should become cash. When receivables grow faster than revenue, when cash flow lags earnings, ask why.

3. Question Related PartiesTransactions with related parties deserve enhanced scrutiny. When money flows between entities with common ownership, verify economic substance.

4. Resist PressureWhen a client pressures you to accept explanations that don't make sense, that pressure is itself a red flag.

5. Document Your Reasoning If you can't explain why you accepted an explanation, you shouldn't have. Document not just what you did, but why.

6. Know When to Walk Away Not every client deserves your signature. The fee you forgo is smaller than the liability you avoid.

The Bottom Line

EY audited Wirecard for a decade. The €1.9 billion was never there.

When an accountant accepts client-provided documentation without independent verification, they're not auditing — they're transcribing. When an accountant ignores red flags because the client seems respectable, they're not exercising professional judgment — they're providing cover.

The fines are coming. The lawsuits are coming. The criminal investigations are coming.

But more importantly: the victims are already here. The investors who trusted audited financial statements. The employees who lost jobs when fraudulent companies collapsed. The markets that function less efficiently because trust has been eroded.

The criminals have networks. They have advisors who help them find accountants who ask fewer questions.

It takes a network to defeat a network.

The accountant who verifies independently. The auditor who follows up on red flags. The partner who empowers staff to challenge rather than accommodate. The profession that takes its gatekeeper role seriously.

That's how we close the gatekeeper gap.

Are you part of the defence?

---

This is Part 5 of our DNFBP series.

Coming Next: Part 6: AML for High-Value Dealers - Precious Metals, Stones, Luxury Goods & Pawn Shops, where Value meets Invisibility

𝗥𝗲𝗹𝗮𝘁𝗲𝗱 𝗥𝗲𝗮𝗱𝗶𝗻𝗴:

• The 2026 Compliance Landscape (Part 1)

• The 2026 Compliance Landscape (Part 2)

• The 2026 Compliance Landscape (Part 3)

• The Gatekeeper Gap: Why Criminals Bypass Banks

• AML for Real Estate Agents: The Frontline of Property Crime

• AML for Lawyers: When Legal Privilege Meets Financial Crime Prevention

• AML for Trust and Company Service Providers: The Architecture of Anonymity

• Wirecard collapses into insolvency (FT, June 26, 2020)

• How Parmalat Differs From U.S. Scandals (Knowledge at Wharton, January 28, 2004)

𝗙𝗔𝗧𝗙 𝗥𝗲𝘀𝗼𝘂𝗿𝗰𝗲𝘀:

• FATF Mutual Evaluations

• 5th Round Procedures

• FATF Horizontal Review of Gatekeepers (2024)

• FATF Guidance: Risk-Based Approach for Accountants (2019)

---

Work With Us

JFourth works at the intersection of compliance, governance, and financial inclusion. We help DNFBPs build the capability to navigate AML/CFT requirements without losing sight of their missions.

If your organisation is grappling with these challenges, get in touch. We'd love to help.