Partners managing multiple concurrent engagements need systematic ways to identify fraud risks across diverse clients without starting from scratch each time. The fraud triangle framework provides exactly that: a structured approach for evaluating where fraud conditions exist, regardless of industry or organizational complexity.
Criminologist Donald Cressey identified three conditions present in every fraud case he studied: perceived pressure, perceived opportunity, and rationalization. According to Cressey's model, fraud occurs when all three elements exist simultaneously, which gives practitioners a practical advantage during fieldwork. Rather than searching for fraud after the fact, auditors can assess whether the conditions for fraud exist and design procedures that target specific vulnerabilities.
This guide covers how each fraud triangle element translates to specific audit procedures, how modern variations like the Fraud Diamond and Pentagon expand the assessment toolkit, and what practitioners should change in response to intensifying fraud risk.
Each fraud triangle element produces distinct, observable indicators during audit fieldwork.
Opportunity is less about the individual and more about how controls are designed. When you're evaluating a client's processes, the core question is whether any single person can initiate, authorize, and reconcile transactions without someone else reviewing the work.
Consider a controller who approves vendor invoices, processes payments, and reconciles bank statements. That combination of access means the person could create a fictitious vendor, approve invoices to it, issue payments, and then conceal the activity during reconciliation. No one else touches the process, so there's no natural point where the fraud surfaces.
The same pattern shows up in inventory when one employee handles receiving, record-keeping, and physical counts, or in payroll when a single person adds employees, approves hours, and processes checks.
Beyond segregation gaps, pay attention to how employees interact with their access. Staff who resist sharing duties, refuse to cross-train, or avoid taking vacation may be protecting a scheme from discovery, though these behaviors can also reflect other workplace dynamics. Poor asset reconciliation deserves scrutiny too, particularly when the same person controls physical assets and maintains the records. These are the structural conditions that create opportunity, and they tend to persist until someone specifically tests for them.
Financial pressure takes multiple forms that practitioners can identify during engagement planning. Personal circumstances, including unexpected medical expenses, family obligations, and lifestyle maintenance, can create motivation. Organizational pressures such as quarterly targets, commission structures, and job security concerns prove equally powerful when present.
PCAOB AS 2401 identifies specific pressure indicators that practitioners should assess during planning:
These indicators rarely appear in isolation. Unrealistic performance targets disconnected from historical results or market conditions intensify these pressures further, particularly when bonuses depend entirely on achieving specific financial metrics.
Personal financial pressure manifests through behavioral red flags that practitioners can observe or learn about during fieldwork: living beyond means, financial difficulties, and unusually close association with vendors or customers. Organizational pressure intensifies during restructuring when job security concerns create widespread vulnerability across multiple levels of the organization.
Rationalization allows perpetrators to reconcile fraudulent behavior with their self-image as honest professionals. The IIA's Engagement Planning guide identifies key indicators including management override of controls, "ends justify the means" mentality, and lack of consequences for policy violations.
Rationalization proves hardest to assess because it occurs internally. Practitioners identify it through observable proxies during interviews and walkthroughs: defensive responses when questioned about unusual transactions, hostile reactions to control recommendations, or explicit statements suggesting ethical flexibility.
When executives routinely bypass approval workflows with justifications like "we needed to move fast" or "controls don't apply to management," they can establish patterns that normalize rule-breaking.
Management that demonstrates "wheeler-dealer" attitudes or dismisses control recommendations as bureaucratic obstacles warrants heightened scrutiny. When sales personnel routinely override credit limits without documented justification and face no repercussions, staff may internalize that rules are flexible rather than firm. This lack of consequences can create conditions where rationalization becomes easier to sustain.
Cressey's original framework remains foundational, but it doesn't fully explain every fraud scenario. Some individuals facing pressure, opportunity, and rationalization never commit fraud, while others in similar circumstances do. This gap prompted researchers to expand the model with elements that help practitioners refine their risk assessments.
The Fraud Diamond (Wolfe and Hermanson, 2004) adds capability as a fourth element. A staff accountant with five years of experience in the general ledger system likely understands which entries receive automated review and which bypass controls entirely.
A newer employee facing the same pressure and opportunity may lack the technical knowledge to execute the scheme undetected. When evaluating position-based vulnerabilities, particularly for individuals with deep system knowledge and organizational authority, capability helps practitioners distinguish between theoretical and practical fraud risk.
The Fraud Pentagon (Crowe, 2011) adds arrogance. This element proves particularly relevant when assessing executive-level financial statement fraud, where leaders believe they are above organizational controls, dismiss auditor inquiries as unnecessary, or demonstrate contempt for oversight functions. These distinct risk profiles aren't fully captured by the original three elements.
One way to think about practical application: the fraud triangle works well for initial risk assessments across the client portfolio, the fraud diamond adds depth when evaluating position-based vulnerabilities for specific individuals with system access and institutional knowledge, and the fraud pentagon is worth considering for executive-level fraud risk where leadership attitude toward controls is itself a risk factor.
Professional standards embed the fraud triangle directly into required audit procedures. Effective application means focusing existing procedures on fraud-specific considerations rather than adding entirely new steps to an already full work program.
Planning begins with gathering information to identify fraud risks. AU-C Section 240 describes three steps: gather information needed to identify risks of material misstatement due to fraud, assess these risks after considering the entity's programs and controls, and respond to the assessment results.
Client budgets, forecasts, and debt covenants often reveal the first signs of financial performance pressure: tight covenant cushions or aggressive growth targets signal environments where fraud motivation runs high. Internal control design deserves equal attention. Look for processes where segregation gaps create opportunity for undetected misappropriation. Management interviews round out the picture by revealing tone at the top, particularly how executives respond when you raise control recommendations or reference findings from prior periods.
Fraud brainstorming sessions with the engagement team prove particularly valuable. Partners should facilitate discussions where team members with different client exposure identify potential fraud schemes specific to the client's processes and industry. An associate who processed cash receipts during interim fieldwork might identify reconciliation weaknesses a manager focused on financial statement presentation would miss.
The IIA's five-step methodology provides structure for moving from broad risk categories to specific, testable schemes. Start by defining the risk assessment universe and fraud categories, then identify potential schemes in each area. Rate each scheme for likelihood and significance, link high-rated risks to existing controls, and develop remediation plans where gaps exist.
The key to effective risk assessment lies in specificity. Generic statements like "management could manipulate revenue" don't give you enough to design responsive procedures. Instead, effective risk assessment captures both the scheme mechanics and the control gaps that allow it. For example: "Sales personnel could recognize revenue before shipment by creating fictitious shipping documents, which would remain undetected without independent verification of carrier pickup." That level of detail tells you exactly what to test.
PCAOB AS 2401 requires examining journal entries for evidence of possible material misstatement due to fraud. Test entries made to unrelated accounts, entries made by individuals who typically don't make journal entries, entries recorded at period-end or as post-closing entries, and entries with descriptions suggesting unusual circumstances. Centralized control testing workflows streamline this examination process.
Testing segregation of duties goes beyond documentation review. Verify that user access rights match documented responsibilities. An employee whose job description indicates receivables processing shouldn't have payment processing rights in the ERP system.
Test whether supervisory review actually occurs by examining approval timestamps relative to transaction processing. Approvals dated before subordinate processing may indicate control failure and warrant further investigation.
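The journal-entry screens, access-rights check, and approval-timing test described in the three paragraphs above can be run mechanically over exported ERP data. The following is an added example, not code from the article or from any audit platform; the role names, the list of unusual description terms, the regular-poster set, and all users and entries are constructed assumptions for illustration.

```python
from datetime import datetime, timedelta

# Added example: screens that operationalize the journal-entry, access-rights
# and approval-timing tests. Role names, keyword list and data are constructed.

# Role pairs that no single user should hold (assumed ERP role names).
SOD_CONFLICTS = [
    {"create_vendor", "approve_invoice"},
    {"approve_invoice", "process_payment"},
    {"process_payment", "bank_reconcile"},
]

# Description fragments that suggest an entry deserves follow-up (assumed list).
UNUSUAL_TERMS = ("per management", "to balance", "plug", "true-up", "reclass")


def sod_violations(user_roles):
    """Return sorted (user, role_a, role_b) for every conflicting pair a user holds."""
    hits = []
    for user, roles in user_roles.items():
        for pair in SOD_CONFLICTS:
            if pair <= set(roles):
                hits.append((user, *sorted(pair)))
    return sorted(hits)


def flag_entries(entries, regular_posters, period_end, window_days=3):
    """Map entry id -> list of red flags. An empty list means nothing was raised."""
    flags = {}
    for e in entries:
        reasons = []
        if e["user"] not in regular_posters:
            reasons.append("unusual_poster")
        # Posted within the last days of the period, or after it closed.
        if e["posted"] >= period_end - timedelta(days=window_days):
            reasons.append("period_end_or_post_closing")
        if any(t in e["description"].lower() for t in UNUSUAL_TERMS):
            reasons.append("unusual_description")
        # Approval stamped before the entry existed: the review did not really occur.
        if e.get("approved") is not None and e["approved"] < e["posted"]:
            reasons.append("approval_precedes_processing")
        flags[e["id"]] = reasons
    return flags


# Constructed sample data: one controller holding incompatible roles,
# one routine entry and one entry that trips every screen.
USER_ROLES = {
    "controller": ["approve_invoice", "process_payment", "bank_reconcile"],
    "ap_clerk": ["create_vendor"],
}
ENTRIES = [
    {"id": "JE-1", "user": "staff_acct", "posted": datetime(2024, 12, 15, 10, 0),
     "description": "Monthly depreciation", "approved": datetime(2024, 12, 15, 11, 0)},
    {"id": "JE-2", "user": "cfo", "posted": datetime(2024, 12, 31, 23, 50),
     "description": "Reclass per management to balance", "approved": datetime(2024, 12, 31, 9, 0)},
]
```

A flagged entry is a candidate for follow-up, not a finding; the screens only direct where to look.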
Recent trends suggest all three fraud triangle elements have intensified simultaneously, which means practitioners need to adapt how they apply the framework during engagements rather than relying on prior year procedures rolled forward unchanged. Three shifts in particular deserve attention.
Remote work environments weakened physical supervision and traditional oversight mechanisms. Practitioners should specifically evaluate whether clients updated their control designs after shifting to remote or hybrid arrangements.
Many organizations adopted temporary workarounds during 2020 that became permanent without formal risk assessment, and those workarounds often introduced segregation gaps that didn't exist when teams worked in the same office.
Internal Auditor Magazine's analysis identifies emerging remote worker fraud schemes including multiple job holding, where employees simultaneously work for competing organizations, and time theft, where individuals claim full-time hours while delivering minimal output.
When assessing opportunity during fieldwork, test whether remote access controls, approval workflows, and reconciliation procedures reflect current working arrangements rather than pre-2020 assumptions.
Risk in Focus 2024, a survey of 4,207 Chief Audit Executives across 111 countries, identified organizational culture as a distinct risk category.
Weakened culture, often resulting from rapid growth, leadership turnover, or sustained remote work, can erode the ethical foundation that helps discourage rationalization.
Practitioners can gauge this during planning by asking how the client communicates ethical expectations, whether policy violations carry consistent consequences, and how leadership responds when control recommendations conflict with revenue targets.
Cyber-enabled fraud schemes exploit technology to create opportunity at scale. Kroll's Q4 2024 report noted professional services organizations, including accounting firms, as the most targeted sector.
Phishing attacks that compromise legitimate user credentials allow fraud that bypasses technical controls because the system correctly authenticates the credentials presented; it simply can't determine that they were stolen, so the resulting activity looks like the legitimate user's own work. Supply chain complexity compounds this risk: Kroll's 2025 report found 56% of organizations lack confidence detecting supply chain threats.
Partners should ask whether their current fraud risk assessment procedures account for these shifts. Where controls assume in-person oversight, test whether equivalent controls exist for remote processes. Where economic conditions changed client risk profiles, revisit pressure assessments from prior year workpapers rather than rolling them forward unchanged.
Applying the fraud triangle consistently across a diverse client portfolio depends on capturing fraud indicators as they surface during fieldwork and making those observations visible to the full engagement team. When an associate identifies a segregation gap during walkthrough testing or notes defensive language during a client interview, that information needs to reach the engagement manager and partner before risk assessments are finalized.
Disconnected documentation across spreadsheets and email threads creates gaps where critical indicators get lost between planning and reporting. While technology can help teams document, surface, and organize fraud indicators consistently, fraud risk assessment remains a professional judgment exercise, one that depends on human skepticism, contextual understanding, and informed decision-making at every stage of the engagement.
Fieldguide's engagement automation platform helps audit and advisory firms maintain more consistent fraud risk documentation throughout engagements, with centralized workpapers and real-time visibility across the team. Request a demo to see how leading firms apply consistent fraud risk assessment across their portfolio.