Why the Fraud Triangle is useless in Fraud Prevention and Detection

Accounting and audit practitioners, along with fraud investigators and compliance professionals, have been using the Fraud Triangle as a tool for the identification and mitigation of fraud risks. Attributed to Donald Cressey, a sociologist and criminologist, the origins of the Fraud Triangle trace back to his study on the motivations of embezzlers conducted in the 1950s. It is noteworthy that Cressey himself did not create the term ‘Fraud Triangle’. Cressey merely described common factors why an individual would become an embezzler. The conceptual framework of the Fraud Triangle, as we know today, is based on these common factors and was developed by the founder of the Association of Certified Fraud Examiners during the 1980s.

The Fraud Triangle suggests that there are three factors – opportunity, pressure, and rationalisation – that can drive an individual to commit fraud. While the Fraud Triangle can be a valuable instrument for understanding the motivations driving fraudulent behaviour, we question its efficacy in fraud prevention and detection. Despite efforts to refine the Fraud Triangle, such as the introduction of the ‘Fraud Diamond’, our view maintains that the practical application of the Fraud Triangle is inherently limited.

Cressey’s study that was the basis for the Fraud Triangle already had its limitations. For example, the study focussed on convicted male middle-class embezzlers in the 1950s. The study only researched embezzlement, leaving other forms of fraud unexplored. Moreover, the work environment and workforce dynamics of that era vastly differs from the complex landscape we have today. I.e., in addition to other forms of fraud such as financial statement fraud and bribery and corruption, we now also have cybercrime, digital fraud, and ESG fraud to name a few. The opportunities for fraudulent activities have expanded significantly, and the pressures and rationalisations driving such behaviour have evolved over time. But the constraints of Cressey’s study are not the topic of this blog, this blog focus is on the limitations of the Fraud Triangle itself.

First, the Fraud Triangle assumes that individuals faced with pressure, opportunity, and rationalisation will choose to commit fraud. In reality, people have diverse moral compasses, and not everyone exposed to these elements will engage in fraudulent behaviour. The Fraud Triangle oversimplifies the complex psychological, ethical, and situational factors that influence human behaviour. With respect to opportunity, I have seen fraudsters create opportunity in situations where there was extremely limited opportunity to perpetrate fraud. Even well-designed internal controls can be circumvented by collusion or management override of controls. We can have a semantic discussion on whether collusion or management override of controls are also ‘opportunities’, but where does that bring us in terms of managing the risk of fraud? Moreover, in my experience with investigating major fraud cases and interviewing fraudsters, I regularly observed an absence of rationalisation. Post-fraud when these fraudster were facing criminal prosecution or penalisation, perhaps. But in the heat of the moment not. There are fraudsters that genuinely believed they are not doing anything wrong (and thus no rationalisation is needed). But pressure is the element which always puzzles us most. How do we explain that certain individuals – in apparently identical – pressure and opportunity situations commit fraud and others do not?

Second, the Fraud Triangle focus heavily on the situation of an individual fraudster. It always gives us the idea that if the three elements align, fraud is almost inevitable. However, fraud is not solely a product of an individual’s situation, it occurs within a broader organisational context. Fraud often thrives when an organisation lacks a culture of ethical behaviour. Although the Fraud Triangle considers ‘opportunity’, this in my view does not sufficiently address the more complex organisational factors that can either deter or enable fraud. Preventing and detecting fraud requires a broader approach that encompasses culture, risk management, strong governance, and (value-based) compliance frameworks.

Third, while the Fraud Triangle provides insight into the root causes why fraud occurred, its predictive capabilities are limited. It does not offer any reliable information on the identification of potential fraudsters or foreseeing when and where fraud will occur. In contrast, modern fraud prevention and detection efforts that rely on data analytics, machine learning, and artificial intelligence to identify patterns and anomalies are way better in identifying vulnerable areas.

I immediately agree that the Fraud Triangle remains a valuable theoretical model for understanding why fraud happened in a particular situation. Nonetheless, its practical efficacy in fraud prevention and detection of fraud is extremely limited. To effectively combat fraud a different approach is necessary. Such an approach must go much further then only exploring in which situations fraud may occur, discussing general fraud risks and implementing standard controls. It should include a detailed exploration of how an individual can perpetrate fraud?

Fraud Risk Assessment are crucial element fraud risk management and often the place where the Fraud Triangle is used. The Fraud Triangle may serve as inspirational material for stimulating creative thought during fraud brainstorming sessions but it is insufficient in practice.

Based on my experience with facilitating and conducting numerous fraud brainstorming sessions, it has become clear that participants in such sessions often struggle to effectively use the Fraud Triangle as a tool to identify potential fraud risks. In my view, a more effective approach involves showing participants real-life fraud examples, revealing how fraud was perpetrated and discuss the impact it had on the people within the organisation that fell victim to fraud. So not reasoning from the fraud triangle, but reasoning from possible modi operandi and all that comes with it such as culture, deceit, manipulation and governance. In short, move from the “why” to the “how.” The next step is then to instruct participants to assume the role of a fraudster and discuss how potential fraud would take place in their organisation. Explore how you would commit fraud? Fantasise of being a fraudster and in detail think of how such a thing should work. Are there internal controls? Then brainstorm how you could circumvent them? Is circumvention difficult or not possible? Then explore the possibility of collusion. Also consider which documentation has to be fabricated of falsified. And ask yourself whether there are people that need to deceived or manipulated, e.g., colleagues, auditors or banks?

Based on the above our conclusion is that there is limited practical value in Cressey’s Fraud Triangle for those charged with the responsibility for preventing or detecting fraud. Effectively managing the risk of fraud goes beyond the theoretical considerations why fraud occurred in certain situation. Organisation must obtain a granular understanding of how fraud can occur, i.e., explore the practicalities of circumventing internal controls, possibilities for collusion, and creation or falsification of documentation. This includes assessing misconduct, malpractice and manipulation that is needed to commit fraud. Only when assessing at this level, organisations will be able to create proper vigilance toward fraud risks and reduce fraud threats to the greatest extent possible.

In closing, it is essential to recognise that while one should always strive to prevent fraud, achieving 100% prevention is an elusive goal (as also elaborated in our articles on internal control). Nonetheless, through an approach that combines theoretical understanding, practical immersion, vigilance capabilities, and creating resilience, organisations can bolster their defences against fraudulent behaviour. In following blogs I will elaborate on how to do this practically.