Editor’s note: As the result of an editor’s error, the original headline of this story incorrectly stated that Sarbanes-Oxley controls caused higher fraud losses. The story itself correctly stated that Sarbanes-Oxley controls are associated with a substantial reduction in fraud losses, although, for a variety of possible reasons, losses stemming from financial statement fraud were higher among companies that had Sarbox controls than those that did not. CFO.com regrets the incorrect impression conveyed by the original headline. The headline, deck, and first paragraph of this story have been modified to correct this. The rest of the story remains unchanged from its original form.
The Sarbanes-Oxley Act appears to have done a good job at reducing fraud at companies. But for a variety of reasons, losses stemming from financial statement fraud were higher among companies that had Sarbox controls than those that did not.
A new report from the Association of Certified Fraud Examiners found that companies that had the controls mandated by Sarbanes-Oxley actually suffered greater losses from financial statement fraud than those that did not have the controls. What’s more, the study found, companies whose management certified financial statements and had independent audit committees actually took longer to detect financial misstatements than companies without those controls.
“We found that the presence of [Sarbanes-Oxley-related] controls was not correlated to a decrease in the median loss for financial statement fraud schemes; in fact, for all controls except hotlines, the converse was true,” the report said.
The ACFE report surveyed 959 cases of reported occupational fraud that were examined by certified fraud examiners from 2006 to 2008. The report breaks down fraud into three broad categories: fraudulent statements (most notably financial statement fraud, but also false employment credentials or falsification of internal and external documents), asset misappropriation (for example, larceny, skimming, fraudulent disbursements), and corruption (including bribery, illegal gratuities, economic extortion, invoice kickbacks, and bid rigging).
Of all of these types of fraud, the report said, financial statement fraud proved the most costly. The median loss for the 99 companies experiencing financial statement fraud during the study period was $2 million.
The study found that, in general, publicly traded companies suffered fewer losses from frauds of all types if they had implemented Sarbanes-Oxley controls. Indeed, their median losses from all types of fraud were 70 to 96 percent lower than corporations that had not yet implemented those controls. That suggests that the law has had an impact on theft and other fraudulent behavior at companies.
But the results were far from a ringing endorsement of Sarbanes-Oxley controls. For example, at companies where management was responsible for certifying the financial statements — the control that was associated with the largest reduction in median loss — it took companies longer to actually uncover a fraud. Those companies took a median of 18 months to detect the fraud, compared to 15 months for companies that did not require management to certify financial statements.
Stranger still, when it came to specifically to financial statement fraud — the very type of fraud that prompted Sarbanes-Oxley — companies victimized by fraud actually appeared to suffer fewer losses if they did not have Sarbanes-Oxley controls in place. “Organizations with these controls in place experienced greater fraudulent financial statement manipulations than organizations lacking these controls,” the report noted.
Specifically, the report looked at controls including management certification of financial statements, external auditors, independent audit committees, management reviews of internal controls and hotlines for reporting fraud. Only hotlines were correlated with a reduction in median loss. Indeed, companies with independent audit committees actually experienced losses that were as much as 367 percent greater than companies without them.
“Internal controls are like locks on a door,” says Lance Randolph, a fraud expert at CBIZ Accounting, Tax & Advisory Services, and an ACFE member. “The more sophisticated a lock you have, the better a deterrent it is, but someone who is truly knowledgeable can defeat any internal control.”
Randolph acknowledged being surprised by the findings. He said that one explanation could be that since most frauds occur over an average period of two years, some of the companies surveyed might not have fully implemented Sarbox. He also noted that although Sarbox has been most successful at stamping out fraud at lower levels in companies, it has been less successful at reducing financial statement manipulation among top executives — particularly because internal auditors often report to the CFO.
As companies continue to adjust to Sarbox, problems with manipulation of financial statements should improve, says Randolph, who expects the ACFE’s study two years from now to produce different results. The current study also seems to contradict a report produced last year by Deloitte, which found that financial statement frauds had tapered off since 2003.
The Deloitte study analyzed 344 Securities and Exchange Commission “accounting and auditing enforcement releases,” or AAERs, dealing with financial-statement fraud between 2000 and 2006. The SEC uses AAERs to report any antifraud actions it takes. The Deloitte report found that the number of AAERs doubled between 2001 and 2002, and then rose by an additional 43 percent in 2003, peaking at 77. Since then, the SEC has issued an annual average of 50 fraud-enforcement actions.
It also found that on average it took the SEC 4.7 years from the start of a fraud scheme to the issuance of a release. The longest case took 18 years, according to the report, and the average delay increased by 33 percent between 2004 and 2006. This could buttress Randolph’s argument that ACFE’s findings are skewed because some of the frauds reported occurred before Sarbox was in place.
Click here to see the ACFE’s list of Sarbanes-Oxley-related internal controls in financial statement fraud cases.