A new report from the Association of Certified Fraud Examiners (ACFE) is sure to throw fuel on the debate about the effectiveness of Sarbanes-Oxley. The law seems to have had a beneficial effect overall on fraudulent activity: Public companies that had Sarbanes-type controls in place incurred median losses 70 percent to 96 percent lower than those that did not, according to the ACFE.

But Sarbanes apparently has had little effect on financial statement fraud schemes -- the most damaging type of fraud, and the one which the legislation specifically aimed to prevent. Sarbanes-related controls were not correlated with a decrease in median loss for this type of event. In fact, "organizations with these controls in place experienced greater fraudulent financial statement manipulations than organizations lacking these controls," the report notes.

Puzzling findings indeed, and the report, based on 959 cases of occupational fraud reported by certified fraud examiners who investigated and resolved them, offers no explanations. But while the study will no doubt provide ammunition for both sides in the Sarb Wars, it also offers a trove of information for companies that want to understand the fraud threat and tighten their defenses.

For example, the ACFE examined the relative effectiveness of a bunch of anti-fraud controls by comparing the losses suffered by companies that had a particular control in place with the losses among companies that lacked that control. The most effective control, by this measure, was surprise audits. Companies that had implemented this defense experienced a median loss of $70,000. Among organizations that didn't use surprise audits, the median loss was a whopping $207,000.

Yet surprise audits ranked low on the list of anti-fraud controls that companies had actually adopted; only about one-quarter had done so. That may be changing, though, according to Tim Hedley, New York City-based partner and global leader for fraud risk management services with KPMG. "If you do your audits the same way every year, your auditee will know exactly what you are going to do," he points out. "More companies are starting to embed forensic-like procedures into their internal audit processes, and one of them would be to build unpredictability into their audit work."

Job rotation/mandatory vacation ranked second in effectiveness; companies with this control in place experienced a median loss 61 percent lower than the median loss incurred by the other organizations in the sample. Mandatory vacation is an expensive proposition, though, Hedley notes. "You're going to insist that the employee leave for a full two weeks, not take the Blackberry, not take the laptop, not have contact with the office -- that's tough." He's seen job rotation and mandatory vacation used primarily in the financial services sector, where fraud risks are particularly high.

The third most effective control -- and the only Sarbanes-related mechanism that actually reduced median losses in financial statement fraud cases -- was the hotline. About half of fraud tips came through a hotline when one was available, and 63 percent of those reports involved fraud by a manager or executive. "This data indicates that hotlines are a very effective fraud detection tool," the study notes. (The International Chamber of Commerce recently issued a useful set of guidelines on whistleblowing programs, as we reported here.)

Other effective, and quite possibly cost-effective, measures include fraud training for employees, managers, and executives. And Hedley adds one of his own: careful background checks on employees. "When you're doing investigative work, you often end up looking into the background of these people, and often they've had instances of inappropriate behavior in the past that haven't been picked up," he says. "That's one control that a lot of organizations could use more."

Read the ACFE's 2008 Report to the Nation on Occupational Fraud and Abuse here.

Reduction in Median Loss Based on Presence of Anti-Fraud Controls

Surprise audits
Job rotation/mandatory vacation
Employee support programs
Fraud training for managers/executives
Internal audit/FE department
Fraud training for employees
Anti-fraud policy
External audit of ICOFR
Code of Conduct
Management review of internal controls
External audit of financial statement
Independent audit committee
Management certification of financial statements
Rewards for whistleblowers

Source: Association of Certified Fraud Examiners