The Fraud Hexagon
By Dr. Hernan Murdock ,VP – Content and Programming at ACI Learning
Fraud is defined as the intentional misrepresentation or concealment of information to deceive others with the objective of gaining unfair or unlawful gains. It is a global problem affecting organizations of all types and sizes in all industries. Fraud is costly.
The Association of Certified Fraud Examiners’ (ACFE) 2020 Report to the Nations reports that organizations lose an estimated 5 percent of annual revenue to fraud. Fraud is difficult to identify, investigate, and prosecute. Attempts are made continuously to identify fraudsters’ motives and modus operandi so that antifraud programs can be designed to prevent, detect, and effectively investigate fraudulent activities.
To varying degrees all organizations are subject to the risk of fraudulent activities being committed against them. Constant fraud risk management is needed to identify vulnerabilities, proactively reduce the likelihood of fraud and monitor the drivers of fraudulent activities.
The Fraud Triangle, developed by Dr. Donald Cressey, has been used for many years to assess the three drivers of fraud: Need, Opportunity, and Justification.
It is typically caused by circumstances that increase financial pressures. In this case, the individual has a financial problem that cannot be solved through legitimate means, so inappropriate activities are seen as a way to remedy the situation.
Examples include housing expenses, tuition payments, elder care, and medical care bills. Other needs are created by the lack of personal discipline, the need to acquire status symbols, or sustain a lavish lifestyle. In some cases, organizations’ and investors’ expectations for unreasonably high financial returns create pressures that lead employees to consider committing financial statement fraud. Other pressures are political and social, where individuals feel they cannot appear to fail due to their reputation, or high-ranking position within the organization.
Since need can be a precursor of fraudulent activities, auditors should search for conditions that point to significant changes in employee needs and wants.
Internal control questionnaires (ICQs), interviews with managers, surveys, and interaction with department staff will encourage conversations about lifestyle changes that may be early warning signals of future issues.Taking a proactive approach to identify risk factors early on can yield huge dividends through early intervention and counseling.
This is often created in the absence of, or weaknesses in, internal controls. Common internal controls include approvals, reconciliations, segregation of duties, access controls and reviews.
When some individuals identify an opportunity, and upon their assessment of the risk of being caught as being low, they decide to abuse their position of trust. Examples include an individual who notices that certain bank accounts are not being reconciled timely or appropriately and concludes that inappropriate transactions using those accounts will escape detection. Similar conclusions may be drawn from poor intrusion detection controls, a lack of oversight over transactions below a certain monetary threshold, or insufficient segregation of duties.
The International Standards for the Professional Practice of Internal Auditing (the Standards) state that “the internal audit activity should assist the organization by identifying and evaluating exposures to risk and contributing to the improvement of risk management and control systems” (Standard 2110). Clearly, fraud risks are related to this mandate and internal auditors accomplish this when they document and test the effectiveness of controls, which are essential activities to reduce the likelihood that weak controls will create opportunities for fraud.
This occurs when an individual develops a rationale for their fraudulent activities and considers the act acceptable. Some fraudsters conclude that since they were overlooked for a promotion they believe they deserve, that they will “make things right” by stealing from the organization.
A similar conclusion may be drawn from reductions in employee benefits, feelings of being underpaid, perceptions of poor management practices, favoritism, and other workplace human relations issues. Sometimes an individual considers the funds taken as merely being borrowed and argues that they will return them later.
The likelihood that employees will commit fraud and rationalize its acceptability increase with poor management practices, unclear expectations, favoritism, and the subjective granting of workplace rewards and perks. Auditors should evaluate management’s competence, consistency, objectivity, documentation, and transparency to identify vulnerabilities and fraud risks.
The Other Factors
While the Fraud Triangle is a useful tool to categorize the drivers of fraudulent activities, most users of the model fail to consider other very important aspects of fraudulent activities and the people who commit them: Their competence, character, and arrogance.
Individuals with a deep understanding of the controls in their work areas may also have a deep understanding of the ways that those controls can be circumvented.
It is very important for management to understand the exposure that this creates and make sure that oversight is not replaced simply by trust, as many fraudsters abuse the trust bestowed on them to commit their crimes.
Individuals bring to organizations elements of their upbringing, cultures, and ethical and moral beliefs. These ingredients are the foundation of people’s attitudes, which become the key factors determining their behaviors and ultimately, their character. When these elements are placed along a moral continuum, the result is that people are essentially Honest, Dishonest or Situational/Potential, as relates to fraud.
Honest individuals always do the right thing and as such represent the lowest fraud risk. When an excruciating or unexpected financial need arises, they work overtime, hold two or more jobs, cut back on their expenses, and seek help from friends, family or others to bridge the gap. They sacrifice to meet their financial obligations and adapt accordingly. They are driven by high moral values and address social and political setbacks as learning opportunities and challenges to overcome.
When honest individuals identify control weaknesses, they tend to notify their managers, become whistleblowers by calling the ethics hotline or confide in the internal auditors, compliance officer, legal counsel, or other appropriate personnel. They don’t take advantage of the organization’s weakness. Instead, they communicate their finding to someone who can take corrective action.
These individuals represent the highest fraud risk because they seek opportunities to defraud unsuspecting victims. They test the boundaries to determine management’s tolerance for deviations from company policy and are constantly in search of loopholes. They typically question authority and rules, lie, and should not be placed in positions where they control company assets. They seek vulnerabilities and take advantage of those weaknesses for personal gain. In some extreme cases, they suffer from psychological conditions and may seek power, success, recognition, and grandeur.
Dishonest employees ignore the organization’s attempts to create a positive, productive, and controlled work environment and constantly search for ways to beat the system.
These employees are generally honest, disciplined, and committed employees and they make conscious efforts to comply with the organization’s policies and procedures. Although they have the best intentions at heart, to varying degrees they are also susceptible to break the rules. When the organization’s culture condones deviations from the stated policy, they may follow their peers in those practices. They seek and need reminders, reassurance, guidance, and follow-up to ensure their continued awareness and compliance. When management fails to document, provide training, and sanction unethical practices, fraud risks grow rapidly and while these employees may follow the explicit organizational rules, they may disregard the spirit of the law.
Due to the possibility of succumbing to temptation, these individuals benefit from effective controls, a strong tone at the top, visible leadership, clearly documented policies, and frequent audits. These individuals represent the largest percentage of an organization’s population. As a result, organizational policies, operating procedures, and internal controls should take a risk-based approach to fraud and consider this portion of the workforce as a potential fraud risk pool.
Arrogance involves egotism, overconfidence, self-importance, condescension, the lack of conscience, an attitude of superiority, entitlement, or greed by individuals who believe the organization’s policies and procedures do not apply to them. Furthermore, arrogant individuals disregard the consequences to victims, so they often also lack empathy.
This extreme egotism can result in the individual not having any feeling of guilt for committing fraud and the impact it may have on the many stakeholders organizations are accountable to.
Implications for Internal Auditors
Internal auditors can play a crucial role helping their organizations lower their vulnerability to fraud. Reviews of the organization’s employment practices, tone throughout the organization, reliability of the system of internal controls and assessing employees’ understanding of the word and the spirit of the law in policies and procedures, can help identify early warning signals of fraud risks.
Internal auditors can assist management in the identification of control weaknesses and unmanaged fraud risks.
By working collaboratively with senior management and the board, and by using The Fraud Hexagon, internal auditors can help the organization establish a strong control environment that will reduce the likelihood of suffering financial and reputational losses due to fraud.