Are we just reading the wrong newspapers and reports or does it seem that auditors—although they spend hours and hours performing audits—rarely identify instances of fraud? Most companies rely on their auditors to uncover irregularities and breathe a sigh of relief when the audit comes up “clean.” Is that reliance misplaced? Probably so, according to this article from CFO.com. “Audits almost never find fraud,” the author writes; the data shows that “external audits find it 4% of the time, and internal 15%.” Instead, the author suggests, to detect fraud, management should look in a different direction.

The author, Tiffany Couch, CEO of Acuity Forensics, suggests that the notion of a “clean audit” is widely misunderstood:

“It is not uncommon to hear from non-accountants who incorrectly assume that a clean audit means there is no fraud on the books. This misunderstanding of the purpose of an audit is one of the main reasons why companies rely on them to detect fraud, when that is, in fact, not their true intent. An audit is a very specific type of financial engagement that is executed to determine whether a company’s financial statements are ‘reasonably stated.’ And while assessing fraud risk is part of those engagements, the procedures associated with most audits are not sufficient to actually root out and prove fraud.”

In support, the author identifies a number of reasons why she believes audits don’t typically find fraud. First among them is that auditors are way too nice. Apparently, auditors need to exercise more professional skepticism! Because auditors are themselves such “rule-followers,” they have difficulty conceiving of “nice people” engaging in dishonest behavior. Importantly, the author points out, fraudsters tend to be a company’s “most liked and trusted employee. ” Accordingly, if auditors “spot something amiss during a routine audit, and in return were given documents or explanations that resolved the anomaly, it is more likely than not that they will proceed with the explanation without obtaining outside substantive documents or evidence to resolve the aberration. Because they presume honesty, auditors often take the explanations and documents at face value.”

Other reasons are an audit’s primary focus on materiality, which is designed to detect material errors, not to find fraud; the prevalence of sampling, which is unlikely to find fraud; the craftiness of fraudsters, who can typically fool trusting auditors; the difficulty of identifying red flags, which often appear instead as simple errors; time and budget constraints; and the “unapproachable” character often ascribed to auditors, which can deter whistleblowers.

So what’s the answer for the stressed-out CFO? Apparently, instead of looking to the auditor, the CFO needs to look in the mirror: the best way to detect or deter fraud is by conducting management due diligence, applying internal controls, engaging in oversight, setting up a confidential hotline and conveying a tone at the top that promotes honesty