Sarbanes-Oxley can help curb company fraud

When leaders of midsized public companies view compliance with the Sarbanes-Oxley Act of 2002 (SOX) as burdensome and expensive, they may be ignoring one of the underlying benefits of the law: fraud prevention.

"A significant focus of SOX was to reduce fraud," says John Morrow, vice president of the American Institute of Certified Public Accountants (AICPA) in Washington, D.C. "When you look at the law’s provisions about reducing improper influence on the conduct of audits, or the added corporate responsibility for financial reporting — where the CEO and CFO must explicitly sign off on the accuracy of the numbers — those are big steps."

A recent nationwide survey of certified fraud examiners supports Morrow’s view. Of those polled, 65 percent said SOX was either very or somewhat effective in curbing financial-statement fraud. On the other hand, a 2005 Global Economic Crime survey reported that internal controls caught only 30 percent of all North American fraud cases. In fact, the largest percentage of reported company frauds were discovered accidentally via anonymous tips or other means.

Leaving fraud detection to chance is often an expensive gamble. In its most recent Report to the Nation, the Association of Certified Fraud Examiners (ACFE) noted that the average U.S. company loses about 6 percent of annual revenue to fraudulent practices such as asset misappropriation or falsified financial statements. While SOX regulations have made it tougher for individuals to "cook the books" in public companies, ACFE’s poll of more than 500 companies noted that losses stemming from financial-statement fraud cost companies about $1 million per incident.

Not surprisingly, small and midsized companies tend to be more vulnerable to fraud. More than 46 percent of all cases in the ACFE study occurred in companies with 100 or fewer employees, and those firms had average losses of $98,000. Within industry sectors, manufacturing, banking and general services reported the highest number of fraud incidents.

Looking beyond basic compliance
After SOX passed in 2002, leaders of public companies immediately scrambled to ensure their businesses complied with the new regulations. While that was the right approach at the time, experts say savvy executives should step back and view compliance as part of a bigger picture to protect and grow their companies.

"Some midsized firms have hundreds of financial controls, which means that people often get bogged down in compliance details without considering how those controls could be designed to maximize effectiveness against fraud," says Carl Lackstrom, a manager with RSM McGladrey’s Risk Management practice. "The goal should be to leverage the work already done with SOX to lower the cost and compliance burden, while being smarter about its application."

For example, a major provision of SOX compliance centers around required assessment, testing and disclosure of internal controls. However, most public companies overlook the opportunity to buttress those defenses with consistent messages from company leaders that they will punish those who commit fraud. That strong "tone at the top" is a company’s most effective tool to deter fraud, according to certified fraud examiners polled in 2005.

While SOX does regulate many financial disclosures and controls for public firms, it does not prescribe how those companies should handle occasions where senior management overrides those controls — regardless of intent. Experts say a healthy dose of sunshine can help overcome that loophole.

"If management overrides internal financial controls — for any reason — it needs to be done out in the open," Morrow says. "That means notifying the other members of the executive committee, as well as the board and audit committee, in regard to the ‘what’ and ‘why’ for those actions as soon as possible."

Fraud often harder to detect in private and not-for-profit organizations
Because SOX technically applies only to publicly traded U.S. companies, its benefits don’t accrue to privately held firms or not-for-profits. Whether or not those organizations follow SOX requirements as "best practices," undetected acts of fraud can lead to expensive consequences.

To improve your organization’s odds in successfully curbing fraud, experts suggest the following tips:

Use SOX principles to reinforce an ethical culture. While corporate leaders have seen several high-profile fraud trials command center stage in recent years, some believe that any trend toward higher institutional integrity won’t be long-lasting. In fact, 83 percent of fraud examiners polled in the 2005 survey believe corporate vigilance over fraud already has peaked and will decline substantially over the next five years. If that happens, Morrow believes companies that take the high road ultimately will benefit: "Even if you’re not required to adopt SOX, the approach to controls, testing and reporting will effectively certify to your bank, your employees and your outside stakeholders that you hold your company to a strict code of ethics."

Encourage and support employee whistle blower systems. Sarbanes-Oxley contains a whistle blower protection provision designed to encourage employees to report unethical or illegal financial behavior. But, when companies view SOX from a compliance rather than a prevention viewpoint, they lose the opportunity to use this provision as a significant fraud-protection tool. When the City of Toronto established a fraud hotline in 2001, anonymous tips started to come in, leading to a 74 percent rise in internal investigations by 2003. Among the results was a tip that led to criminal charges against a property manager for misappropriating $65,000 and another report of a $120,000 scam by a local resident who was selling knockoffs of the city’s yellow garbage bags for businesses.

Take aggressive action when fraud is discovered. In many midsized companies, especially family-owned businesses, it’s easy to assume that fraud is not a threat. However, experts agree the assumed level of trust in closely held businesses makes them perfect breeding grounds for a wide range of workplace thefts. If that occurs, visible prosecution sends a strong message that no one is above the rules.

"Stiff penalties and thorough prosecution send a strong message to employees," says Dana Hermanson, a professor of private enterprise at Kennesaw State University and co-author of a research report on fraudulent financial reporting. "It establishes the corporate attitude that fraud will not be tolerated."

2007 RSM McGladrey Inc. All Rights Reserved.