The engagement of a licensed audit/CPA firm to perform an annual audit, complete with compliance testing, for the purpose of publishing financial statements is not an adequate effort by an organization to deter fraud. Even in the environment under SOX, the audit firm does not approach its engagement with the purpose of fraud detection or subsequent investigation. Under SOX it is the responsibility of the CEO/CFO to certify that the organization's internal controls are adequate and have been reviewed by the CFO within the last ninety days. The SAS 70 audit, which examines the internal controls of service companies that provide inputs to a user organization (typically one subject to SOX), does specifically examine the internal controls and will then attest to that organization's controls being active and in place. It is often limited to a single time frame, however, and as such will not capture evidence that only becomes visible through time-series analytics. Neither SOX nor SAS 70, nor the prototypical annual audit performed so that financial statements can be published after review by a licensed CPA, is an adequate tool for the detection, deterrence, or prevention of fraud. The possible exception may be the large-scale manipulation of the financial statements by executive management for the purposes of earnings manipulation.

For an organization to be proactive in its approach to fraud prevention, it must develop employee awareness, a monitoring system that provides continuous oversight of high-risk areas and related operating metrics, and a well-communicated policy on what constitutes a fraudulent action and how that action, if found, will be addressed by the organization. Forensic Accounting Specialists can assist you in creating such a proactive approach.





