What is the Fraud Triangle?

Developed by criminologist Donald Cressey in the 1950s, the Fraud Triangle identifies three conditions almost always present when fraud occurs:

  1. Incentive (or pressure): a financial need or personal pressure that the individual can't resolve through legitimate means. This could be personal debt, performance targets, bonus structures, or lifestyle expectations.
  2. Opportunity: a weakness in controls, oversight, or governance that makes it possible to commit and conceal fraud. Poor segregation of duties, absent management oversight, or complex transactions create opportunities.
  3. Rationalisation: a way for the perpetrator to justify the behaviour to themselves. Common rationalisations include "I'll pay it back," "the company owes me," or "everyone does it."

Internal controls focus heavily on eliminating opportunity precisely because it's the one element the entity can directly address.

Key Points

  • ISA 240 embeds the Fraud Triangle into the auditor's risk assessment. The standard requires the auditor to consider incentives/pressures, opportunities, and attitudes/rationalisations when identifying fraud risk factors.
  • Management override is always a risk. ISA 240 presumes that management has both the opportunity and capability to override controls, which is why journal entry testing and estimates review are mandatory procedures.
  • The revenue recognition presumption. ISA 240 also presumes that revenue recognition involves fraud risk, unless the auditor can specifically rebut this presumption with documented reasoning.
  • The framework is a thinking tool. The auditor doesn't need to "prove" all three elements exist. It structures the team's discussion and helps identify where fraud risk factors are concentrated.

Why it matters in practice

The Fraud Triangle is the lens through which audit teams conduct their fraud risk discussion, the brainstorming session required by ISA 240 at the planning stage. During this discussion, the engagement team considers where the three conditions might exist in the entity being audited.

Of the three elements, opportunity is the one the auditor has the most ability to assess. It maps directly to the entity's internal control environment. Weak controls, dominant management, complex structures, and related party transactions all signal opportunity.

Incentive is often visible through public information: earnings targets, debt covenants, bonus structures, or pending transactions. Entities in declining industries, for example, face greater pressure to meet expectations, so the auditor also considers industry-level pressures.

The hardest element to observe is rationalisation. The auditor looks for attitudinal indicators: management's attitude toward financial reporting, their responsiveness to control deficiencies, and whether there's a "tone at the top" that tolerates aggressive accounting.

Key standard references

  • ISA 240.25: The engagement team discussion must include how and where the entity's financial statements might be susceptible to material misstatement due to fraud.
  • ISA 240.A25–A27: Examples of fraud risk factors organised by the Fraud Triangle: incentive/pressure, opportunity, and attitude/rationalisation.
  • ISA 240.26: The presumption that revenue recognition involves fraud risk.
  • ISA 240.32: The presumption that management override of controls is always a fraud risk.
  • ISA 315.A235–A237: Fraud risk factors considered as part of the risk assessment process under ISA 315 (Revised 2019).

Frequently asked questions

Who developed the Fraud Triangle?

The Fraud Triangle was developed by criminologist Donald Cressey in the 1950s based on his research into embezzlers. He found that three conditions were consistently present: a non-shareable financial pressure (incentive), a perceived opportunity to commit fraud undetected, and a way to rationalise the behaviour as acceptable. The framework was later adopted into auditing standards.

Is the auditor required to detect fraud?

No. ISA 240 requires the auditor to obtain reasonable assurance that the financial statements are free from material misstatement, whether caused by fraud or error. The auditor must maintain professional skepticism, identify and assess fraud risks, and design appropriate responses, but reasonable assurance isn't absolute assurance, and fraud involving concealment or collusion may not be detected.

What is the Fraud Diamond and how does it relate?

The Fraud Diamond extends Cressey's triangle by adding a fourth element: capability. Proposed by David Wolfe and Dana Hermanson in 2004, it recognises that the perpetrator must have the position, intelligence, and skills to exploit the opportunity. While ISA 240 doesn't explicitly reference the Diamond, the concept of capability is implicitly covered when assessing who has the ability to override controls.