The Fraud Diamond: Considering the Four Elements of Fraud · MANAGEMENT fraud The Fraud Diamond:...

5
M A N A G E M E N T fraud The Fraud Diamond: Considering the Four Elements of Fraud By David T. Wolfe and Dana R. Hermanson D espite intense efforts to stamp out L-orruption. misappropriation of assets, and fraudulent financial reporting, it appears that fraud in its vari- ous foniis is a problem that is increasing in frequency and severity. KPMG's Fraud Survey 2003 documented a marked increase in overall fraud levels since its 1998 survey, with employee fraud by far the most common type of fraud. The 2003 survey also noted that fraudulent financial reporting had more than doubled from 1998. This trend is consistent with the unprecedented recent spate of large accounting frauds (Enron, WorldCom), as well as the increased number of account- ing restatements and SEC enforcement actions in recent years. (See 2003 Annual Review of Financial Reporting Matters by the Huron Consulting Group and the SEC's Report Pursuant to Section 704 of the Sarbanes-Oxley Act of 2002.) In response to the fraud problem. Congress and regulatory authorities have enacted tougher laws and increased enforcement actions. Organizations are implementing tighter controls and broader oversight. The auditing profession has adopted more rigorous auditing standards and procedures, and softv^-are developers are adding continuous monitoring features to back-office systems. It remains unclear whether these efforts are sufficient to mit- igate the fraud problem. Many studies suggest fraud is more like- ly to occur when someone has an incen- tive (pressure) to commit fraud, weak con- trols or oversight provide an opportunity for the person to commit fraud, and the person can rationalize the fraudulent behavior (attitude). This three-pronged framework, commonly known as the "fraud triangle." has long been a useful tool for CPAs seeking to understand and man- age fraud risks. The framework has been fomially adopted by the auditing profes- sion as part of SAS 99. A Different Way to Think About Fraud Risks The authors believe that the fraud trian- gle could be enhanced to improve both fraud prevention and detection by consid- ering a fourth element. In addition to addressing incentive, opportunity, and ratio- nalization, the authors' four-sided "fraud diamond" also considers an individual's capability: personal traits and abilities that play a major role in whether fraud may actually occur even with the presence of the other three elements. Many frauds, especially some of the multibillion-dollar ones, would not have occurred without the right person with the right capabilities in place. Opportunity opens the dtwrway to fraud, and incentive EXHIBIT 1 THE FRAUD DIAMOND Incentive Opportunity Rationalization Capability 38 DECEMBER 2(M>4 / THE CPA JOURNAL

Transcript of The Fraud Diamond: Considering the Four Elements of Fraud · MANAGEMENT fraud The Fraud Diamond:...

Page 1: The Fraud Diamond: Considering the Four Elements of Fraud · MANAGEMENT fraud The Fraud Diamond: Considering the Four Elements of Fraud By David T. Wolfe and Dana R. Hermanson Despite

M A N A G E M E N T

f r a u d

The Fraud Diamond: Consideringthe Four Elements of Fraud

By David T. Wolfe andDana R. Hermanson

D espite intense efforts to stamp outL-orruption. misappropriation ofassets, and fraudulent financial

reporting, it appears that fraud in its vari-ous foniis is a problem that is increasingin frequency and severity. KPMG's FraudSurvey 2003 documented a markedincrease in overall fraud levels since its1998 survey, with employee fraud by farthe most common type of fraud. The2003 survey also noted that fraudulentfinancial reporting had more than doubledfrom 1998. This trend is consistent withthe unprecedented recent spate of largeaccounting frauds (Enron, WorldCom), aswell as the increased number of account-ing restatements and SEC enforcementactions in recent years. (See 2003 AnnualReview of Financial Reporting Mattersby the Huron Consulting Group and theSEC's Report Pursuant to Section 704 ofthe Sarbanes-Oxley Act of 2002.)

In response to the fraud problem.Congress and regulatory authorities haveenacted tougher laws and increasedenforcement actions. Organizations areimplementing tighter controls and broaderoversight. The auditing profession hasadopted more rigorous auditing standardsand procedures, and softv -̂are developersare adding continuous monitoring featuresto back-office systems. It remains unclearwhether these efforts are sufficient to mit-igate the fraud problem.

Many studies suggest fraud is more like-ly to occur when someone has an incen-tive (pressure) to commit fraud, weak con-trols or oversight provide an opportunityfor the person to commit fraud, and theperson can rationalize the fraudulentbehavior (attitude). This three-prongedframework, commonly known as the"fraud triangle." has long been a useful tool

for CPAs seeking to understand and man-age fraud risks. The framework has beenfomially adopted by the auditing profes-sion as part of SAS 99.

A Different Way to Think About Fraud RisksThe authors believe that the fraud trian-

gle could be enhanced to improve bothfraud prevention and detection by consid-ering a fourth element. In addition toaddressing incentive, opportunity, and ratio-

nalization, the authors' four-sided "frauddiamond" also considers an individual'scapability: personal traits and abilitiesthat play a major role in whether fraud mayactually occur even with the presence ofthe other three elements.

Many frauds, especially some of themultibillion-dollar ones, would not haveoccurred without the right person with theright capabilities in place. Opportunityopens the dtwrway to fraud, and incentive

EXHIBIT 1

THE FRAUD DIAMOND

Incentive Opportunity

Rationalization Capability

3 8 DECEMBER 2(M>4 / THE CPA JOURNAL

Page 2: The Fraud Diamond: Considering the Four Elements of Fraud · MANAGEMENT fraud The Fraud Diamond: Considering the Four Elements of Fraud By David T. Wolfe and Dana R. Hermanson Despite

and rationalization can draw the personloward it. But the person must have thecapability to recognize the open doorwayas an opportunity and to take advantageof it by walking through, not just once, butlime and time again. Accordingly, the crit-ical question is. "Who could turn an oppor-tunity for fraud into reality?"

Using the four-element fraud diamond,a fraudster's thought process might pro-ceed as follows {Exhibit I):• Incentive: I want to, or have a needto. commit fraud.• Opportunity: There is a weakness inthe system that the right person couldexploit. Fraud is possible.• Rationalization: I have convincedmyself that this fraudulent behavior isworth the risks.• Capability: 1 have the necessary traitsand abilities to be the right person to pullit off. I have recognized this particularfraud opportunity and can turn it intoreality.

While these four elements certainly over-lap, the primary contribution of the frauddiamond is that the capabilities to commitfraud are explicitly and separately consid-ered in the assessment of fraud risk. Bydoing so. the fraud diamond moves beyondviewing fraud opportunity largely interms of environmental or situational fac-tors, as has been the praetiee under currentand previous auditing standards.

For example, consider a companywhere the internal controls allow the pos-sibility that revenues could be recordedprematurely by altering sales contractdates in the sales system. An opportuni-ty for fraud exists, if the right person isin place to understand and exploit it. Thisopportunity for fraud becomes a muchmore serious problem if the company'sCEO. who is under intense pressure toincrease sales, has the technical skills tounderstand that the control weaknessexists, can coerce the CFO and sales man-ager to manipulate the sales contract dates,and can consistently lie to analysts andboard members about the company'sgrowth. In the absence of such a CEO.the fraud possibil i ty would neverbecome reality, despite the presence of theelements of the fraud triangle. Thus, theCEO's capabilities arc a major factor indetermining whether this control weak-ness will ultimately lead to fraud.

The Person with CapabilityBased on one author's experiences in

investigating frauds for the past 15 years.there are several essential traits for com-mitting fraud, especially for large sums orfor a long period of time (Exhibit 2). First.the person's position or function withinthe organization may fumish the ability tocreate or exploit an opportunity for fraud

not available to others. For example, a CEOor divisional president has the positionalauthority to influence when contracts ordeals take effect, thus affecting the timingof revenue or expense recognition.Fraudulent Einancial Reporting:1987-1997. An Analysis of U.S. PublicCompanies {Beasley et al.. 1999) found thatcorporate CEOs were implicated in over

MS in Taxation

on your scheduleThe MS in Taxation Program at Pace University'sLubin School of Business is ideally suited forthe working professional. 'iTiis all-tax, intensivegraduate program, designed for praaicing CPAs,has courses conveniently scheduled in the eveningso thai you can complete it while maintainingyoLir airrent work schedule. Over 30 aedits inspecialized lax courses conducted by faculty withextensive practical background and experience incurrent tax laws.

• Ail courses meet CPH credit requirementsprescribed in NY and N|.

• Classes are conveniently offered indowntown Manhattan.

• MBA in Taxation and Post-Masters AdvancedProfessional Certificates are also available.

Learn more

U N I V E R S I T YA New York Success StoryFor more information, www.pace.eduor call 1-800-874-PACE ext. A14

New York City • Pleasaniville/BriarcliffWhite Plains • Hudson Valley

DKCKMBKK 2004 / THK CPA JOURNAL 3 9

Page 3: The Fraud Diamond: Considering the Four Elements of Fraud · MANAGEMENT fraud The Fraud Diamond: Considering the Four Elements of Fraud By David T. Wolfe and Dana R. Hermanson Despite

70% of public-company accounting frauds.indicating that many organizations do notimplement suMlcient checks and balancesto mitigate the CEO's capabilities to influ-ence and perpetuate fraud. Additionally.when people perform a certain functionrepeatedly, such as bank reconciliations orsetting up new vendor accounts, their capa-bility to commit fraud increases as iheirknowledge of the function's processes andcontrols expands over time.

Second, the right person for a fraud issmart enough to understand and exploitinternal control weaknesses and to useposition, function, or authorized access tothe greatest advantage. Many of today'slargest frauds are committed by intelli-gent, experienced, creative people, witha solid grasp of company controls and vul-nerabilities. This knowledge is used toleverage the person's responsibility overor authorized access to systems orassets. According lo the Association ofCertified Fraud Examiners. 51% of theperpetrators of occupational fraud had atleast a bachelor's degree, and 49% ofthe fraudsters were over 40 years old. Inaddition, 46% of the frauds theAssociation recently studied were com-mitted by managers or executives.

Third, the right person has a strong egoand great confidence that he will not bedetected, or the person believes that hecould easily talk himself out of trouble ifcaught. Such confidence or arrogance canaffect one's cost-benefit analysis of engag-ing in fraud: the more confldent the per-son, the lower tbe estimated cost of fratidwill be. In "The Human Face of Fraud"(C4 Magazine, May 2003), R. Allan notesthat one of the common personality typesamong fraudsters is the "egotist"—some-one who is "driven to succeed at all costs,self-absorbed, self-confident and n;ircissis-tic." Similarly. DLifiield and Grabosky('The Psychology of Fraud." Trends &issues in Crime and Criminal Justice.March 2001) note that, in addition to finan-cial strain. "Another aspect of motivationthat may apply to some or all types of fraudis ego/power." The authors go on toquote Stotland ("White Collar Criminals."Journal of Social Issues. 1977) regardingego: "As [fraudsters] found thetnseives suc-cessful at this crime, they began to gainsome secondary delight in the knowledgethat they are fooling the world, that they

are showing their superiority to others."Fourth, a sticcessful fratidster can coerce

others to commit or conceal fraud. A per-son with a very persuasive personality maybe able to convince others to go alongwith a fraud or to simply kwk the other way.In addition. Allan notes that a common per-.sonality type among fraudsters is the "bully,"who "makes unusual and significantdemands of those who work for him or her,cultivates fear rather than respect ... andconsequently avoids being subject to thesame rales and procedures as others." Manyfinancial reporting frauds are cotnmittedby subordinates reacting to an edict fromabove to "make your numbers at all costs,or else."

Fifth, a successful fraudster lies effec-tively and consistently. To avoid detection.she must look auditors., investors, andothers right in the eye and lie convincing-ly. She also possesses the skill lo keep trackof the lies, so that the overall story remainsconsistent. In the Phai-Mor fratid. the audi-tors claimed that Phar-Mor had formed a"fraud team" of executives and formerauditors who "continually worked to hideevidence" abtiut the fraud from them. TTieauditors claimed that the fraud team "lied.forged dtKuments and 'scrubbed' every-thing the auditors saw to hide any indica-tions of malfeasance." (See "FindingAuditors Liable for Fraud: What the JuryHeard in the Phar Mor Case." Cottrelland Glover, The CPA JournaL July 1997.)

Finally, a successful fraudster deals verywell with stress. Committing a fraud andmanaging the fraud over a long period oftime can be extremely stressful. Ttiere isthe risk of detection, with its personal ram-ifications, as well as the constant need toconceal the fraud on a daily basis. FormerHealthSouth CEO Richiird Scrushy nowfaces numerous criminal charges forallegedly masterminding a long-runningscheme to inflate the company's ejimingsduring the terms of several different CFOs.Despite the enormous pressure on him.Scmshy has remained resolute dunng thecourse of the investigation, even appearingon 60 Minnies to proclaim his inmxrence.In contrast, during his sentencing, formerHealthSouth Assistant Controller EmeryHarris, who allegedly was coerced to par-ticipate in the fraud, told the Judge howrelieved he was after the company wasraided by federal agents, thinking it pro-

vided him the opportunity to finally "getout of this mess."

Dealing with CapabilityAppreciating the importance of capa-

bility as a fourth element of fraud is onlyp;ui of the challenge. The next task is toaddress capability when assessing fraudrisk, and lo use knowledge about fraudcapability to prevent or detect fraud.Beyond considering incentive, opportuni-ty, and rationalization, the following stepscould shed light on capability.

Explicitly assess the capabilities of topexecutives and key personnel. Focusingon capability requires organizations andtheir auditors to better understand employ-ees' individual traits and abilities. The auditcommittee member, corporate accountant.or auditor should focus on the personalitytraits and skills of top executives and oth-ers responsible for high-risk areas whenassessing fraud risk or seeking to preventor detect fraud. Routine background checkson new employees can identify past crim-inal convictions.

In assessing individuals' traits andabilities, several methods of gatheringinformation may be helpful. First, thereis no substitute for spending time with aperson. Frequent interaction under a vari-ety of circumstances, both business andsocial, can provide a meaningful picture

EXHIBIT 2THE COMPONENTS OF CAPABILITY

Position/function

Brains

Confidence/ego

Coercion skills

Effective Lying

Immunity to stress

40 DECEMBER 2004 / THE CPA JOLiRNAL

Page 4: The Fraud Diamond: Considering the Four Elements of Fraud · MANAGEMENT fraud The Fraud Diamond: Considering the Four Elements of Fraud By David T. Wolfe and Dana R. Hermanson Despite

of the person's capabilities. Second, lookfor signals in the "little things." If theperson cuts comers on small issues or con-sistently displays an absolute refusal tolose or fail, no matter what the issue orthe cost, this may suggest similar behav-ior on larger issues. For example, manyhave said that an executive who cheats ingolf will cheat in business. Finally, payattention to what others say about a per-son. If there are consistent statementsabout certain traits or tendencies, this infor-mation can supplement more direct obser-vations. For example, if people in the orga-nization are consistently in awe of some-one's technical or creative ability, this pro-vides additional insight into the person'scapabilities.

A key to mitigating fraud

is to focus particular attention

on situations offering, in addition

to incentive and rationayzation.

the combination of opportunity

and capability.

If there are concerns about capabili-ty, respond accordingly. If someone'scapabilities present a significant risk fac-tor, respond with stronger controls orenhanced audit testing. For example, if thesales vice president is overly aggressive,competitive, and obsessed with hittingmonthly sales quotas, there may be a needfor extra-tight controls over revenue recog-nition or expanded testing of sales duringthe annual audit. In addition, implement-ing a periodic rotation of routine, butkey, ftinctions among staff can minimize

the opportunities for fraud gained fromlong-term knowledge of the function andits controls.

In this response phase, a key to miti-gating fraud is to focus particular atten-tion on situations offering, in addition toincentive and rationalization, the combi-nation of opportunity and capability. Inother words. "Do we have any dtxirwaysto fraud that can be opened by people withthe right set of keys?" If so, these areas areespecially high risk, because all the ele-ments are in place for a fraud opportunity10 become reality.

For example, when designing detec-tion systems, it is important to considerwho within the organization has thecapability to quash a red flag, or to causea potential inquiry by internal auditors tobe redirected. Cynthia Cooper, the inter-nal auditor at WorldCom credited with dis-covering the massive fraud, has describedin Time magazine how CFO Scott Sullivanhad exercised his position and seniorityto dissuade her team from looking into cer-tain areas that later proved to have beeninfested with massive fraud. But believingthey were on to something, her teamsworked behind Sullivan's back, on manyoccasions at night or from home, toavoid detection and retribution. Althoughit appears he tried, according to Cooper,in this instance Sullivan was not capableof completely thwarting the persistentefforts of the auditors to uncover theapparent fraud.

Reassess the capabilities of top execu-tives and key personnel. Assessing capa-bility and responding to concerns shouldnot be viewed as one-time exercises.Continuous updating of the capabilityassessment and response is warranted fortwo reasons. First, people can develop newcapabilities over time, especially if they areclimbing the corporate ladder and growingprofessionally. Just because someone didnot have enough power or knowledge ofan area to commit fraud in the past, thereis no guarantee that the person will notdevelop such power or knowledge in thefuture. Their capability to commit fraudmay increase, and additional controls orscrutiny may be warranted.

Second, organizational processes, con-trols, and circumstances change overtime. As a result, some people may be bet-ter suited to commit fraud in the new envi-

ronment, even though they were notcapable under previous conditions. Forexample, consider a company that hasrecently implemented a complex new ITsystem. The new system may renderthose less digitally sophisticated employ-ees incapable of exploiting its controls. Onthe other hand, for those with strong ITskills, the change might increase their capa-bility of committing fraud. This new capa-bility should be considered, and appropri-ate responses implemented.

Beyond StandardsIn the final analysis, recent legisla-

tion, increased enforcement, regulatoryoversight, broader controls, improvedauditing standards, and sophisticatedmonitoring technology are all steps in theright direction and will contribute topreventing and detecting fraud. Limitingthis effort to current standards and prac-tices may not be enough, however,especially for auditors. Consistent withthis view, the 2(X)4 Miller GAAS Guidedescribes the fraud triangle elements pre-sented in SAS 99 and notes that "it isobvious that the Auditing StandardsBoard is struggling with the broad topicof how to detect fraud ... auditors shouldbe careful about following relevant pro-fessional standards and then having asense of security about the likelihood thatfraud does not exist in a particularengagement."

Accordingly, if capability could play arole in influencing or magnifying the otherfraud elements, other checks and balancesor detection systems should be imple-mented, or an auditor should expandaudit scope, procedures, and testing forpotential fraud. Q

David T. Wolfe, CPA, is the founder ofGlasgow Forensic Group, a forensicaccounting ftmi in Allanla. Ga., and hassen'ed a variety of clients, including top-tier taw firms, govemmenl agencies, pri-vately held small to mid-sized businesses,and Fortune 500 companies. Dana R.Hermanson, PhD, is a professor ofaccounting in the Coles College ofBusiness at Kennesaw State University andcurrently serves as a research fellow of theCorporate Governance Center at theUniversity of Tennessee.

4 2 DECEMBER 2004 / THE CPA JOURNAL

Page 5: The Fraud Diamond: Considering the Four Elements of Fraud · MANAGEMENT fraud The Fraud Diamond: Considering the Four Elements of Fraud By David T. Wolfe and Dana R. Hermanson Despite