# Fraud prevention: how cfos build financial integrity
On June 18, 2020, Wirecard AG, then a DAX 30 darling worth €24 billion, announced that €1.9 billion in cash sitting in Philippine trustee accounts simply did not exist. CEO Markus Braun resigned within 48 hours. COO Jan Marsalek boarded a private jet to Belarus and remains a fugitive. Within a week, the company filed for insolvency, becoming the first DAX-listed firm ever to do so. EY, which had signed clean audits for over a decade, faced criminal investigations. BaFin, Germany's financial regulator, had spent years investigating *short sellers*, the very people who had been screaming "fraud" since 2015.
Wirecard was not a sophisticated fraud. It was a crude one. And it persisted for years because every layer of defense, internal controls, external audit, regulator, board, failed simultaneously. For the modern CFO, Wirecard is the cautionary tale of this decade: not because fraud is exotic, but because the systems designed to catch it are more brittle than most executives realize.
The Association of Certified Fraud Examiners' 2024 *Report to the Nations* estimates that organizations lose 5% of annual revenues to fraud, a $5 trillion global drag. The median fraud loss runs $145,000 per case, but the median *duration* before detection is 12 months. For frauds involving the CFO or C-suite, median losses jump to $459,000 and detection stretches beyond 18 months. The lesson is uncomfortable: the higher in the organization the fraud originates, the longer it survives and the more it costs.
This lesson is about building the controls, culture, and detection mechanisms that prevent your name from appearing in a Wirecard-style postmortem.
Every fraud rests on Donald Cressey's Fraud Triangle: pressure (financial or performance), opportunity (weak controls), and rationalization (the cognitive permission slip). Modern fraud researchers add a fourth element,
The ACFE classifies occupational fraud into three buckets, and your control architecture should explicitly address all three:
Asset misappropriation (86% of cases, but only $120K median loss), skimming, payroll ghost employees, expense reimbursement fraud. Common, manageable, rarely existential.
Corruption (48% of cases, $200K median), bribery, kickbacks, conflicts of interest. Particularly acute in cross-border operations and procurement.
Financial statement fraud (5% of cases, but $766K median loss and frequently company-killing). This is the Wirecard category. It is rare in frequency but accounts for the catastrophic outcomes that end careers and companies.
The error most CFOs make is allocating control resources proportionally to *frequency* rather than *severity*. Your SOX testing budget is probably overweighted on T&E controls and underweighted on revenue recognition cutoff and intercompany reconciliations, the very areas where catastrophic frauds hide.
The Wirecard fraud worked because of a structural blind spot familiar to any CFO with offshore operations. Roughly half of Wirecard's reported revenue came from "Third-Party Acquiring" (TPA) partners in Dubai, the Philippines, and Singapore, small companies that ostensibly processed payments in jurisdictions where Wirecard lacked licenses. The cash from these partners was held in escrow by trustees. EY confirmed the cash existed by relying on *balance confirmations from the trustees themselves*, rather than independently confirming with the underlying banks (BPI and BDO in the Philippines). When EY finally insisted on direct bank confirmations in 2020, both banks confirmed the accounts had never existed.
The control failure was not exotic. It was a violation of ISA 505, the requirement that external confirmations be controlled by the auditor and sent directly to the responding party. Every CFO with offshore receivables or escrow arrangements should be asking right now: who actually sends and receives our bank confirmations, and does our auditor independently control that channel?
The Institute of Internal Auditors' Three Lines Model (updated 2020) remains the operational blueprint, but most CFOs implement it as an org chart rather than a functioning system. Here is how to build it so it actually catches fraud.
The first line is operational management, the people running revenue, procurement, payroll, treasury. Their controls must be designed with the assumption that a determined, intelligent insider is trying to defeat them. Key non-negotiables for 2026:
The second line, risk management, compliance, controllership, owns the framework but must own the *data* to be effective. The shift since 2022 has been from sample-based testing to continuous controls monitoring (CCM). Mid-market CFOs now have access to tools (MindBridge, AppZen, Trullion) that apply machine learning to 100% of journal entries, flagging Benford's Law violations, round-dollar entries, weekend postings, and entries by users outside normal roles.
Siemens, after its €1.3 billion FCPA settlement in 2008, built what is now considered the gold standard compliance program: 600+ full-time compliance officers, mandatory annual certifications for 100,000+ employees, and a centralized case management system. The cultural transformation took a decade. The point for today's CFO: compliance is not a department, it is a data infrastructure.
Internal audit must report functionally to the audit committee, not the CFO. If your Chief Audit Executive's bonus is influenced by the CFO, you have a structural conflict that will surface in the worst possible moment. The audit committee should approve the IA budget, the audit plan, and the CAE's compensation. Anything less is theater.
Post-Wirecard, the EU's Corporate Sustainability Reporting Directive (CSRD), now in full force for FY2025 reporting, has dramatically expanded the scope of what auditors must assess, including non-financial control environments around ESG data. CFOs who treat CSRD compliance as a sustainability problem rather than an internal controls problem are setting up the next generation of restatements.
Vérification des acquis
1. According to the ACFE's 2024 Report to the Nations, what percentage of annual revenues do organizations typically lose to fraud?
2. What was the amount of cash that Wirecard AG admitted did not exist in June 2020?
3. When fraud involves the CFO or C-suite, what is the approximate median loss per case according to the ACFE?
4. Select ALL correct answers about the elements of Donald Cressey's classic Fraud Triangle:
Sélectionnez toutes les réponses correctes.
5. Select ALL correct answers about the failures that enabled the Wirecard fraud to persist:
Sélectionnez toutes les réponses correctes.
Theory is cheap. Here is what a CFO does in the first 90 days to materially reduce fraud risk.
Most fraud risk assessments are generic heat maps. A useful one identifies, for each material business process, the *specific scheme* that could occur and the *specific control* that prevents it. For revenue recognition in a SaaS business, that means listing: channel stuffing, side letters voiding revenue recognition criteria, bill-and-hold arrangements, related-party round-tripping. For each, document the preventive control, the detective control, and the named owner.
The case study here is Under Armour, which paid a $9 million SEC penalty in 2021 for pulling forward $408 million in sales over six quarters (2015-2016) without disclosing the practice. The fraud was not a control failure in the traditional sense, orders were real, but rather a disclosure failure that masked decelerating organic growth. A robust fraud risk assessment would have flagged "pull-forward of future-quarter orders" as a scheme requiring specific disclosure controls. Most assessments don't get this granular. Yours should.
The ACFE finds 43% of frauds are detected by tips, more than internal audit, management review, and external audit *combined*. Yet most corporate hotlines generate negligible volume because employees correctly perceive them as career-ending. Three design principles separate functional hotlines from theatrical ones:
1. Independence of intake, outsource to a third party (NAVEX, Convercent) with direct reporting to the audit committee chair.
2. Anonymity that holds up, under the EU Whistleblower Directive (transposed into national law across member states by 2023), retaliation against whistleblowers is a personal liability event for executives. Make sure your legal team has briefed you.
3. Feedback loops, tipsters who never hear what happened to their report don't tip again. Without breaching confidentiality, communicate disposition statistics quarterly.
Dan McCrum's Wirecard reporting was sourced largely from internal whistleblowers, people who had tried internal channels and been ignored or threatened. By the time information reaches the *Financial Times*, your internal controls have already failed twice.
Every CFO recites the "tone at the top" mantra. The operational question is how you measure it. The most rigorous companies now run culture audits, anonymized employee surveys that probe specific dimensions: "Do you believe leaders would accept bad news?" "Have you seen colleagues pressured to hit numbers in ways that concerned you?" The results are reported to the audit committee alongside financial metrics. Boeing's MAX crisis, while not an accounting fraud, illustrates the cost of ignoring middle-management signals about engineering shortcuts driven by financial pressure.
Post-Wirecard, the global audit profession is under regulatory siege. The UK's FRC has split audit and consulting at the Big Four; the PCAOB has dramatically increased inspection scrutiny under Erica Williams. As CFO, your job is not to be your auditor's friend, it is to ensure your auditor has the resources, access, and spine to challenge management. Practical tests:
1. **Commission an independent fraud risk assessment in