Who are auditors actually working for?

Ernst & Young — one of the four largest accounting firms on the planet — audited Wirecard for ten consecutive years. Clean opinions every time. The company was missing €1.9 billion — money that was supposed to be sitting in bank accounts in the Philippines. It didn’t exist. For three of those years, EY never contacted the banks directly to confirm the balances. They relied on screenshots.

Screenshots.

This is not a story about one bad auditor. This is a pattern.

The Audit of Bad Audits

Wirecard, 2020. Ten years of clean audits from one of the Big Four. €1.9 billion in fictitious assets. EY accepted fabricated bank confirmations without independent verification — a procedure so basic it appears in undergraduate accounting textbooks. When they finally called the banks in 2019, the banks said the accounts didn’t exist.

Theranos, 2013–2016. The company held a federal CLIA certificate to run clinical blood tests on real patients. For three years, Theranos operated labs where the proprietary devices couldn’t reliably perform the tests they advertised. The company was secretly running most tests on conventional Siemens machines. When CMS finally inspected — prompted not by their own oversight but by a Wall Street Journal investigation — they found 29% of quality-control checks were outside acceptable range. They classified the deficiencies as “immediate jeopardy to patient health and safety.” Theranos voided two years of patient test results.

Boeing 737 MAX, 2017. The FAA certified the aircraft as airworthy in March 2017. The certification process missed that Boeing had expanded the MCAS flight-control system’s authority from 0.6 degrees to 2.5 degrees of nose-down deflection — more than four times the original design — while reducing it to a single-sensor input with no cross-check. Boeing removed all mention of MCAS from the pilot manual. The FAA had delegated so much of the certification to Boeing through its Organization Designation Authorization program that Boeing was effectively auditing itself. Nineteen months later, 189 people died when Lion Air Flight 610 crashed. Five months after that, 157 more died on Ethiopian Airlines Flight 302. Same failure.

Boohoo, 2017–2020. Third-party supply chain auditors flagged “critical issues” at Leicester garment factories for four consecutive years. Workers were paid £3.50 an hour — less than half the legal minimum. Fire safety conditions were so poor that the independent review concluded a fire would “likely” cause loss of life. Senior directors knew. The audits existed. Nothing changed — until a Sunday Times undercover investigation made it public.

The Convenient Explanation

The standard response to each of these: bad actors. Corrupt auditors. Negligent regulators. Fraudulent executives.

And yes — in every case, individuals failed. But the pattern is too consistent to be explained by individual failure. These aren’t four unlucky coincidences. This is four instances of the same structural problem.

EY isn’t uniquely incompetent. The FAA isn’t uniquely captured. CLIA inspectors aren’t uniquely blind. Supply chain auditors aren’t uniquely corrupt.

The mechanism is the same in every case.

What Audits Actually Test

An audit tests what you prepared for.

The world tests everything else.

Wirecard prepared bank confirmations. EY tested the confirmations. Nobody tested whether the money was real. Theranos prepared a lab that looked like a lab. Inspectors tested the appearance. Nobody tested whether the devices worked. Boeing prepared certification documentation. The FAA tested the documentation. Nobody tested what happened when a single sensor failed at altitude. Boohoo’s suppliers prepared for audit visits. Auditors tested what they saw on the day. Nobody tested what happened the other 364 days.

In every case, the audit verified the performance, not the reality.

This is the structural problem: when you optimize for passing an audit rather than building operations that are auditable by design, you create a system that certifies its own blind spots.

The audit photographs the room you cleaned. Not the house you live in.

Why This Keeps Getting Worse

You’d expect the pattern to improve. More regulation. More oversight. More auditors. More standards.

Instead, it keeps accelerating.

Arthur Andersen audited Enron for sixteen years — clean opinions the entire time — while the company hid billions in off-balance-sheet debt. Andersen was earning $52 million a year in combined audit and consulting fees from Enron. When the fraud surfaced, an 89-year-old firm with 85,000 employees ceased to exist.

That was 2001. A generation ago. Every audit reform since then has been designed to prevent another Enron.

Wirecard happened anyway. With the same auditor structure. The same incentives. The same reliance on documentation over verification.

The reforms kept targeting the auditors. Nobody questioned the architecture of auditing itself.

The Questions We Should Be Asking

We’ve built a global system that spends billions verifying that companies can produce the right documents on the right day for the right reviewer.

And we keep acting surprised when companies that are excellent at producing documents turn out to be terrible at the thing the documents are supposed to represent.

The question isn’t why auditors keep missing things.

It’s this: why did we design a system where the test and the thing being tested have almost nothing to do with each other?