What is the fraud triangle?
On about half the engagements we've reviewed, the fraud risk discussion at planning is SALY (same as last year) with better narratives. Teams copy last year's assessment, tweak a few sentences, and move on. The fraud triangle exists to prevent exactly that by forcing a structured evaluation of why fraud might happen on this engagement, this year.
The framework originates from criminology research by Donald Cressey in the 1950s. It entered the audit standards because it organises fraud risk factors into categories that map to different types of evidence.
Incentive or pressure is the why. Financial targets, debt covenants, personal financial difficulties, compensation structures tied to reported results.
Opportunity is the how. Weak internal controls, complex transactions difficult to audit, related party transactions outside normal course, management's ability to override controls.
Rationalisation or attitude is the justification. History of disputes with auditors, aggressive accounting policy choices, tolerance of petty violations, statements minimising the importance of financial statement accuracy.
In our experience, the practical value is that it forces the engagement team to think beyond opportunity. Most audit procedures test controls (opportunity). Teams are less practised at evaluating whether management has a reason to commit fraud (incentive) or whether management's culture permits it (rationalisation). ISA 240.25 requires the team discussion to cover all three.
Key Points
- The fraud triangle has three elements: incentive/pressure, opportunity, rationalisation/attitude. ISA 240 Appendix 1 organises all fraud risk factor examples around these categories.
- The framework applies to both fraudulent financial reporting and misappropriation of assets.
- Documenting all three elements for each assessed fraud risk strengthens the file against inspection review.
Why it matters in practice
Worked example: Clonmel Pharma Holdings Ltd
Irish pharmaceutical holding company, FY2024, revenue €210M, IFRS reporter. Preparing for potential IPO in next 18 months.
Step 1: evaluate incentive/pressure
Planned IPO creates significant pressure. Management equity plan vests on 15% revenue growth metric. CEO communicated €220M FY2025 target to potential underwriters. Q4 slowdown in new contract wins.
Documentation note: "Incentive/pressure factors: IPO preparation creates pressure to demonstrate revenue growth trajectory. Management equity vesting tied to 15% revenue growth. CEO communicated €220M FY2025 target to underwriters. Q4 slowdown increases pressure on FY2024 reported figures."
Step 2: evaluate opportunity
Revenue contracts include volume rebates and milestone payments. Accounting for these requires judgment about variable consideration under IFRS 15.50–54. No formal estimation model. The same individual negotiates contracts and estimates variable consideration, with limited CFO review.
Documentation note: "Opportunity factors: variable consideration estimates on volume rebates and milestones require significant judgment (IFRS 15.50–54). No formal estimation model. Same individual negotiates contracts and estimates variable consideration. Limited CFO review."
Step 3: evaluate rationalisation/attitude
In the prior year, the engagement team proposed a €1.4M adjustment to reduce the variable consideration accrual. Management accepted but characterised it as a "timing difference" rather than an overstatement. CEO stated "the revenue is there; it's just a question of when it gets recognised."
Documentation note: "Rationalisation/attitude factors: management characterised prior year €1.4M accrual adjustment as timing rather than error. CEO statement at planning meeting indicates attitude that revenue timing is discretionary."
Step 4: assess combined fraud risk
All three elements are present for revenue recognition, specifically variable consideration on volume rebates. Assessed as a risk of material misstatement (RMM) due to fraud at the assertion level (occurrence and accuracy).
What reviewers get wrong
The PCAOB has noted that teams document incentive and opportunity but neglect rationalisation/attitude. The third leg is the hardest to evidence because it relies on observations about management behaviour rather than financial data. This is the element that generates the most review notes. Teams frequently skip it or drop in a generic statement that could apply to any client.
Teams also apply the fraud triangle to fraudulent financial reporting but not misappropriation of assets. ISA 240 Appendix 1 provides separate examples for misappropriation organised by the same categories, and reviewers check whether the team addressed both.
Fraud triangle vs fraud diamond
| Dimension | Fraud triangle | Fraud diamond |
|---|---|---|
| Elements | Incentive, opportunity, rationalisation | Incentive, opportunity, rationalisation, capability |
| Origin | Cressey (1953) | Wolfe and Hermanson (2004) |
| ISA basis | ISA 240 Appendix 1 uses three-element model | Not explicitly adopted in ISA 240 |
| Practical difference | Focuses on conditions surrounding fraud | Adds whether individual has skills/position to execute |
| Audit application | Required framework for ISA 240 risk assessment | Can supplement but is not mandated |
Key standard references
- ISA 240.25–27 covers identifying and assessing the RMM due to fraud, including the engagement team discussion covering all three fraud triangle elements.
- ISA 240 Appendix 1 provides fraud risk factor examples organised by incentive/pressure, opportunity, and rationalisation/attitude for both fraudulent financial reporting and misappropriation of assets.
- ISA 240.26 establishes the presumption that revenue recognition involves fraud risk.
- ISA 240.31 establishes the presumption that management override of controls is always a fraud risk.
Frequently asked questions
Is the fraud triangle required by ISA 240?
Yes. ISA 240.25 requires the engagement team discussion to cover all three elements (incentive/pressure, opportunity, and rationalisation/attitude) when assessing the risk of material misstatement due to fraud. ISA 240 Appendix 1 organises all fraud risk factor examples around these categories.
What is the difference between the fraud triangle and the fraud diamond?
The fraud diamond adds a fourth element (capability) asking whether the individual has the authority and skills to execute the fraud. ISA 240 does not explicitly require this fourth element, but it implicitly covers capability through the opportunity category: access to assets and ability to override controls.