Investors, analysts and corporate directors rely on external audits to keep companies honest. But a new study says audits are woefully ineffective at uncovering fraud. In fact, the study says more than twice as many frauds are uncovered by accident.
That is among the findings in the "Report to the Nations on Occupational Fraud and Abuse" study released Tuesday by the Association of Certified Fraud Examiners, which bills itself as the world's largest anti-fraud organization.
"You can't put the onus on somebody else to keep your place clean," said ACFE faculty member Evy Poumpouras, a former U.S. Secret Service agent. She said internal controls can be much more effective in uncovering fraud—and preventing it in the first place.
The study examined 1,483 cases of fraud as reported by the Certified Fraud Examiners who investigated them.
"The analysis of these cases provides valuable lessons about how fraud is committed, how it is detected and how organizations can reduce their vulnerability to this risk," wrote ACFE President James Ratley in the report's introduction.
The report estimates the typical organization loses five percent of its revenues each year to fraud. That would work out to a global impact of $3.7 trillion, the report says. But as staggering as the figure might seem, Poumpouras says she is not surprised.
"There are so many more cases that we don't know of," she said.
Nearly half of the fraud cases studied were in the United States, where anti-fraud controls tend to be the strictest. But the biggest losses were in Eastern Europe and Western and Central Asia. The median loss in those regions was $383,000, compared to $100,000 in the U.S.
Employees and middle managers committed the lion's share of fraud, with owners and senior executives accounting for just 19 percent of the cases. But perhaps unsurprisingly, the study noted that the higher-ranking the fraudster was, the greater the losses.
Regardless, financial fraud is particularly difficult to uncover, Poumpouras said, because the perpetrators have less of an emotional connection to what they are doing than they do for other types of crime.
"Usually you are not touching money. You're fudging documents. It feels less real," said Poumpouras, who has been involved in many financial fraud investigations.
"Getting people to confess to financial crime is more difficult than getting them to confess to murder," she said, which may help explain why audits can be so ineffective.
The study says auditors detected just 3 percent of the fraud cases reported last year, compared to 7 percent uncovered by accident.
"While independent audits serve a vital role in organizational governance," the report says, "our data indicates that they should not be relied upon as organizations' primary anti-fraud mechanism."
Instead, the study recommends what it calls "proactive detection measures" including internal hotlines that allow employees to report fraud anonymously and keep their co-workers honest.
"Most employees don't want to rat on someone," Poumpouras said. "They want to do it anonymously."
The study appears to bear that out.
"Organizations with hotlines were much more likely to catch fraud by a tip, which our data shows is the most effective way to detect fraud," the study says. More than 42 percent of the cases in the report came to light as the result of a tip.
Yet only about half the organizations surveyed had a system for collecting tips, and fewer than 11 percent offered rewards to whistleblowers.
The study found small businesses were particularly vulnerable to fraud, yet they are least likely to protect themselves, often because don't perceive themselves to be at risk—or because they think fraud protection is too costly.
But the report says some of the most effective measures are not costly at all.
They include an anti-fraud policy that employees are required to acknowledge from time to time—"It lets them know what management is expecting," Poumpouras said.
Surprise audits and spot checks by management—rather than by an external auditor who might not know all the potential ways inside a company to hide fraud—can also be effective.
And training all employees to spot fraud not only creates more cops on the beat, it also puts everyone on notice.
"The more police officers you see on the street, the less likely people are to commit a crime," Poumpouras said.
—By CNBC's Scott Cohn. Follow him on Twitter @ScottCohnCNBC