Fraud Files: How Well Does Sarbanes-Oxley Reduce Fraud Risk?

The 2002 Sarbanes-Oxley law was supposed to protect investors from fraud.
The 2002 Sarbanes-Oxley law was supposed to protect investors from fraud.

For most Americans with an interest in the business world happenings, the story of the $31 million fraud allegedly perpetrated by Koss Corp.'s vice president of finance, Sujata Sachdeva, was of interest for only a brief period. The story was sexy because the company's annual sales average between $40 million and $45 million. Clearly, a $31 million fraud is huge in comparison to annual revenue, even if the fraud was perpetrated over a period of more than five years.

Beyond the initial shock value, however, little interest remained in the story unless you live in the metro Milwaukee area, where Koss is located. I urged executives to learn some lessons from the situation and tighten up controls at their companies. Do I really think many of them did so? Of course not.

Can't Happen Here

Executives often have the mentality that the "bad stuff" doesn't happen at their company. Averages apply to other companies, and the typical corporate theft or embezzlement happens elsewhere. My work is living proof that this is not the case, and companies find out all too late that a little more diligence on the front end could have prevented a large theft.

In steps Sarbanes-Oxley, the 2002 legislation that was supposed to protect investors from fraud by requiring companies to be more diligent in creating and maintaining internal controls and by forcing public company auditors to work harder. Tangible benefits from the legislation are elusive. People would like to think that the legislation has forced companies to have better internal controls, and therefore fraud risks are reduced. Yet there is no real evidence that fraud risk or actual fraud has been reduced because of Sarbanes-Oxley.

The news this week surrounds Section 404 of the Sarbanes-Oxley Act of 2002. This section dictates what companies must do relative to assessing their internal controls. Until now, public companies with a market capitalization under $75 million (referred to as non-accelerated filers) don't have to comply with this section of the legislation. This exemption was created because of the costs of complying with Section 404. Documenting the internal controls process and having the company's outside auditors examine those controls is extremely expensive, and was thought to be disproportionately expensive for smaller companies.

Small-Company Exemption

It looks as if smaller public companies will continue to be exempt from this portion of Sarbanes-Oxley, and of course, there is a debate about whether this is wise. I can't argue against the idea that more focus on controls probably leads to more reliable financials and a decreased risk of fraud, but I can argue that more legislation isn't the answer to this problem.

Companies with dishonest or incompetent executives will have fraud problems no matter what the legislation says. Would Koss have been spared a $31 million fraud if they were subject to more regulations? Maybe. But I'd suggest that a company with executives asleep at the wheel (and to an extreme degree at Koss) will always have fraud problems no matter what the legislation says.

A civil suit filed against Sachdeva and the company's auditors, Grant Thornton, details how the former VP of finance perpetrated and concealed her fraud. Better internal controls could have decreased the fraud risk, but a properly motivated executive still would have found a way to steal and conceal. No matter how good the internal controls are, there are still ways around them, and the top finance official in a company is in the best position to know how to circumvent them.

Check the Checks

For goodness' sakes, the management at Koss didn't even bother to look at the checks being signed by Sachdeva for purchases at department stores and local boutiques. Do you think a silly piece of legislation would have made such a basic control a priority for anyone at Koss? Of course not.

So if regulation isn't the answer to decreasing the fraud risk at companies, what is the answer? It is proactive fraud prevention initiated by company management. It is a company culture that doesn't tolerate dishonesty and works diligently to prevent and detect it. It is an across-the-board better approach to fraud prevention, with the involvement of multiple executives who provide checks and balances against one another, thereby reducing the chances that one or two dishonest executives can bleed a company dry.

Bad management will be bad management no matter what the regulations say. Good management will be good in spite of regulations as well. Invest in companies in which honesty is at the forefront of their business model and is demonstrated each day as they conduct business.