Nowadays, legitimate money flows can be so complex that individual transactions are barely auditable.
Bad players can therefore hide illegitimate capital flows (Wirecard, cum ex tax evasion scheme, panama papers) or risks (world economic crisis 2007). Retroactively, those bad apples are identifiable, traceable and explainable. Recent history seems to show that the way they rise to the surface in the first place though isn’t through regular auditing but through a scandal raised by the media (after data leaks or whistle blowing), the burst of a bubble, or both.
Fundamentally it’s likely too expensive for public entities to audit thoroughly enough to catch those cases before they do damage. Just another concomitant outcome of the effectiveness of capital flow in capitalism in the international economy: money streams through all paths and small holes in the system like water flows through riverbeds above ground as well as it sickers through infinite counts of cavernities deep below. The phrasing “money flow” is not an accidental one.
Though it’s not just money flows which are too hard to practically audit. It’s the same story in IT system security and personal data protection. It’s implausible for any government to verify that a Google or Facebook are really doing what they claim to be doing with user data. No wonder that newsstories are about sucessful hacks and data leaks, and not about government agencies pro-actively preventing issues. Having gone through GDPR and SOC2 audits I can attest that these audits are barely worth the proverbial paper that they are printed on. All they represent is a lot of busywork of a vendor to claim that they are following certain practices. Reality tends to diverge in varying degrees.