Same Fraud Playbook – Corporate Governance

Article by Rois Ni Thuama PhD, Head of Cyber Governance, Red Sift

In a world brimming with shiny new tech and big promises, making important decisions about where to invest can be challenging.

This year we’ve seen three high-profile corporate scandals with larger-than-life CEOs in the dock facing serious allegations, and it is tech companies that are at the centre of all the action: Theranos, Wirecard, and Autonomy. All three CEOs have been charged with fraud.

The former CEO of Theranos, Elizabeth Holmes, has had her day in court and has been found guilty of fraud. In November, a judge sentenced Holmes to 11 years in prison. Holmes touted Theranos as a health technology company, raised US$700 million, featured on Forbes and defrauded a catalogue of wealthy families, as well as a number of prominent statesmen.

The payment processing firm Wirecard’s former CEO Markus Braun languishes in jail after his bail was revoked. Braun is awaiting trial on charges of fraud, breach of trust and accounting manipulation.

And last but not least, former Autonomy founder & CEO Mike Lynch is on track to be extradited to the US where he faces criminal charges of wire fraud and conspiracy to commit wire fraud. Lynch created Autonomy’s core product: Intelligent Data Operating Layer (IDOL). IDOL is focussed on the analysis of unstructured data. It is a clever bit of kit, that’s not in doubt.

Three previously highly regarded CEOs are in a whole lot of hot water: awaiting sentencing, awaiting trial and awaiting extradition.

These scandals provide useful fodder for investors generally, but tech investors especially, to reflect on and to recast what we think we know about corporate governance and due diligence. Because however deep their pockets, no investor can afford to fund a firm that’s bound to fail in the future or, worse, is already failing now.

In this article we will explore what investors did right, what made absolutely no difference, what went wrong and what, if anything, might have alerted them to wrongdoing. What could investors do differently in the future and is there one thing that might have alerted investors to wrongdoing within the companies? Let’s start with the theory.

Jurisdiction & Investor Type

There is a good deal of academic literature on corporate governance models in the UK, the US, and Europe. Typically, the authors will make a case for one of these jurisdictions as a preeminent destination for investors because of oversight, monitoring and/or control of management. As if to demonstrate this is simply not the case, each of these tech businesses was incorporated in a different jurisdiction: Theranos in the United States, Autonomy in England and Wirecard in Germany.

Could Theranos have occurred in Germany? Perhaps. What is abundantly clear is that each jurisdiction is capable of delivering its own class of fraud. While jurisdiction provides no sanctuary, there’s no immunity for professional investors either.

Oh oh auditors + the value of verification

It is a normal function of any professional team looking to invest that they would seek to verify statements made by these companies with respect to cash reserves, revenue streams, profitability etc.

Typically, auditors can be relied upon. Unfortunately, in the matter of Autonomy and Wirecard, this wasn’t the case. Deloitte’s audit of Autonomy enabled Lynch and his Chief Financial Officer to “present a misleading picture of its financial position”.

Similarly, Ernst & Young’s audit of Wirecard’s revenue stream failed to reveal that the apparently highly profitable and cash-rich company was neither profitable nor rich. This is deeply discouraging for any investor who would consider auditors a sound and reliable resource. Truth buys trust, and if auditors are not capable of getting to the truth, then their reports are of little or no value.

Verifying with independent, trusted experts would have added enormous value. Had Theranos investors checked with professionals, then it is entirely likely that they would have learned that the tech wasn’t possible and avoided substantial losses.

Check the Tech

In the case of Autonomy, checking the tech did not assist in revealing the fraud. The product IDOL worked. In fact, IDOL worked so well that in the summary judgement the judge referenced words attributed to Meg Whitman, who became CEO of HP. She said that it was ‘almost magical’. Tech does not go to the heart of the Autonomy fraud, which is a plain vanilla key metric and earnings manipulation fraud.

Investors in Wirecard may have had more luck had they checked the tech before pumping nearly a billion euros into the failing firm. Wirecard was on the face of it a profitable payment processing firm. Their revenues

The most egregious tech fraud is undoubtedly Theranos. Their blood testing system amounted to wires in a box. The tech didn’t exist. To test the efficacy of the Edison, the investors would only have needed to know the answer to a question in advance and sense-check that against the Edison’s response. The lack of imagination and determination by investors to verify the efficacy of this tech makes this a dreary fraud.

The great thing about techies is that they want to show you how their kit works. They want to show you all the clever features, and when it works, they want you to play with it. Whether you’re investing in the firm or the technology, always kick its tyres. It is the fastest way to determine whether something works.

Hokey Cokey Principles

Both Wirecard and Theranos engaged in tactics which fell well beyond normal business practices including surveillance, doorstepping, intimidation, threats implicit and express against analysts, journalists, and former employees. That is shameful behaviour. It indicates a willingness to cross the line that should have put current and future investors on notice of a failing firm. Integrity and principles aren’t subject to the hokey cokey routine. You’re either in or you’re out. The firm either behaves in a principled manner or it does not.

Another red flag that was missed in both cases: individuals within the firms were promoted well beyond their capabilities into critical business roles while experts and qualified individuals were demoted, demeaned, and defamed — this shows such poor leadership that this alone should concern investors.

The Free Press isn’t Free

Why investors didn’t raise an eyebrow when lawyers for Wirecard and Theranos pursued credible, leading global publications in an effort to silence them is anyone’s guess.

It is to their endless credit that the investigative journalists and editors at both the FT and the Wall Street Journal (WSJ) would not be intimidated into submission. Uncovering these frauds and bringing them to light was only possible because both of these well-capitalized publications had the might and the resources to withstand the bullying tactics of criminals.

Don’t let others define the world around you.

Holmes touted Theranos as a health technology company. That’s misleading — the proposal was actually to create medical diagnostic equipment capable of surpassing existing equipment and miniaturising it.

Reframing the proposition might have caused investors to pause. In addition, readers will recall that Holmes had no background in any of the disciplines necessary to take part in, never mind run, a medical diagnostics equipment project. If only those investors had checked.

Consider Your Source

The free press isn’t actually free. Anyone looking to invest in tech should be doing their homework. Had investors like SoftBank put more weight in the reports from the FT about Wirecard, they could have saved themselves 900 million euros. That’s a solid return on investment for a subscription.

Auditors, as we learned, sadly cannot be relied upon: they’re paid by the company and in no way meet the definition of ‘independent’. While large auditing firms hold themselves out as the unrivalled experts, that tune changes when they’re caught up in a fraud — the very thing they’re expected to uncover. At that point they’re only human. More of that humility at the front end and more confidence at the back end of these scandals would help to restore the reputation of some of these players.


Academic theory suggests that optimising for corporate governance makes a difference. The reality is that criminals will work around every system to perpetrate their fraud. Investors cannot afford to be complacent.

Ultimately, what investors did right was to seek to verify the statements made by these firms. Unfortunately, what they did wrong was to rely on sources that weren’t credible and simultaneously dismissed those that were. In order to avoid a similar fate, investors would do well to rely on trusted, independent experts.

However you carve these scandals up, these leaders operated from the same fraud playbook. They overstated performance, recorded bogus revenue, and they trusted that the brazen mocked documents painted a picture of firm value and that no one would bother to check.

For all their differences these scandals relied on the same tactics: dishonesty, deflection, and misdirection — they just had different products.
