"Getting people to confess to financial crime is more difficult than getting them to confess to murder," she said, which may help explain why audits can be so ineffective.
The study says auditors detected just 3 percent of the fraud cases reported last year, compared to 7 percent uncovered by accident.
"While independent audits serve a vital role in organizational governance," the report says, "our data indicates that they should not be relied upon as organizations' primary anti-fraud mechanism."
Instead, the study recommends what it calls "proactive detection measures" including internal hotlines that allow employees to report fraud anonymously and keep their co-workers honest.
"Most employees don't want to rat on someone," Poumpouras said. "They want to do it anonymously."
The study appears to bear that out.
"Organizations with hotlines were much more likely to catch fraud by a tip, which our data shows is the most effective way to detect fraud," the study says. More than 42 percent of the cases in the report came to light as the result of a tip.
Yet only about half the organizations surveyed had a system for collecting tips, and fewer than 11 percent offered rewards to whistleblowers.
The study found small businesses were particularly vulnerable to fraud, yet they are least likely to protect themselves, often because don't perceive themselves to be at risk—or because they think fraud protection is too costly.
But the report says some of the most effective measures are not costly at all.
They include an anti-fraud policy that employees are required to acknowledge from time to time—"It lets them know what management is expecting," Poumpouras said.
Surprise audits and spot checks by management—rather than by an external auditor who might not know all the potential ways inside a company to hide fraud—can also be effective.
And training all employees to spot fraud not only creates more cops on the beat, it also puts everyone on notice.
"The more police officers you see on the street, the less likely people are to commit a crime," Poumpouras said.
—By CNBC's Scott Cohn. Follow him on Twitter