5.2 Core Workflows and Decision Points
Key Takeaways
- The fraud triangle explains why fraud occurs: pressure/incentive, opportunity, and rationalization must all be present.
- The fraud diamond adds a fourth element, capability, recognizing the perpetrator needs the skill and authority to exploit the opportunity.
- The ACFE fraud tree classifies occupational fraud into asset misappropriation (most common), corruption, and financial statement fraud (costliest).
- Of the three triangle legs, opportunity is the one internal controls can most directly reduce.
The Fraud Triangle
The fraud triangle, developed by criminologist Donald Cressey, is the most heavily tested concept in Section D. It states that fraud is most likely when three conditions are present simultaneously:
| Leg | Meaning | Typical examples |
|---|---|---|
| Pressure (incentive/motivation) | A perceived non-shareable financial or emotional need | Personal debt, addiction, lifestyle, unrealistic earnings targets, fear of losing a job |
| Opportunity | The ability to commit and conceal the act without being caught | Weak controls, poor segregation of duties, lack of oversight, override ability |
| Rationalization | A mindset that justifies the act | "I'm only borrowing it," "I'm underpaid," "the company can afford it," "everyone does it" |
The exam loves the insight that opportunity is the leg internal controls can most directly attack. An organization cannot easily eliminate an employee's personal financial pressure or control how a person rationalizes, but it can design controls — segregation of duties, approvals, reconciliations, system access limits — that shrink opportunity. So when a stem asks which fraud-triangle element controls best address, the answer is opportunity.
The Fraud Diamond
The fraud diamond extends the triangle by adding a fourth element: capability. Capability recognizes that even when pressure, opportunity, and rationalization exist, the person must have the position, intelligence, ego, and skill to actually exploit the opportunity and override controls. A junior clerk and a chief financial officer face different opportunities precisely because of capability. Some texts also reference competence or capacity as synonyms. If a stem describes a senior executive uniquely able to override controls, it is testing the capability concept.
The ACFE Fraud Tree
The Association of Certified Fraud Examiners (ACFE) classifies occupational fraud — fraud committed by people against their own employers — into three primary branches, often called the fraud tree. The IIA aligns its fraud-type teaching with this taxonomy, and the ACFE's Report to the Nations supplies the figures the exam may reference.
| Branch | What it is | Frequency (ACFE) | Median loss |
|---|---|---|---|
| Asset misappropriation | Theft or misuse of organizational assets (cash and non-cash) | ~89% of cases (most common) | ~$120,000 (lowest) |
| Corruption | Wrongful use of influence in a transaction | ~48% of cases | ~$200,000 |
| Financial statement fraud | Intentional misstatement or omission in financial reports | ~5% of cases (least common) | ~$766,000 (highest) |
The key tested inverse relationship: asset misappropriation is the most frequent but least costly per case, while financial statement fraud is the rarest but most damaging. Corruption sits in the middle. (Percentages exceed 100% because some cases involve more than one scheme.)
Asset misappropriation sub-schemes
Asset misappropriation divides into cash schemes (skimming, cash larceny, and fraudulent disbursements such as billing, payroll, expense reimbursement, check tampering, and register disbursements) and non-cash schemes (theft or misuse of inventory and other assets). Skimming is theft of cash before it is recorded (off-book), which makes it harder to detect; cash larceny is theft after it is recorded (on-book).
Corruption sub-schemes
Corruption includes bribery, illegal gratuities, economic extortion, and conflicts of interest (e.g., undisclosed self-dealing, kickbacks, and bid rigging). Corruption almost always involves a second party outside the organization, which is what separates it from pure asset misappropriation.
Decision Points When Classifying a Scheme
Classification questions are quick points if you ask the right diagnostic questions in order:
- Was an asset stolen or misused? If yes and it's an internal theft, it's asset misappropriation. Then ask whether the cash was taken before recording (skimming) or after (larceny), or through a false disbursement (billing/payroll/expense/check tampering).
- Was influence misused in a transaction with an outside party? Kickbacks, bribes, bid rigging, and undisclosed conflicts point to corruption.
- Were the financial statements deliberately misstated to deceive users? Overstated revenue, understated liabilities, fictitious assets, and improper timing point to financial statement fraud, typically committed by senior management because they have the capability to override controls.
A worked example
A purchasing manager sets up a shell company, submits inflated invoices for goods never delivered, and approves the payments herself. Diagnose it: assets (cash) are taken via false disbursements, so it is asset misappropriation (a billing scheme). No external colluder is paying her a kickback, so it is not corruption. Had she instead steered real contracts to a friend's firm in exchange for a personal payment, that would be corruption (a conflict of interest / kickback). Same manager, different scheme, based purely on the mechanics; that distinction is exactly what the exam tests.
The diagnostic sequence above also keeps you from over-classifying. A stem that simply describes a control weakness is not yet describing a fraud; you classify a scheme only when the mechanics of an intentional, deceptive act are present in the facts. When in doubt, name the asset taken or the statement misstated before you label the branch.
Linking the Frameworks to Controls
The two frameworks are not academic — the exam wants you to connect them to control design. Because the fraud triangle says opportunity is the controllable leg, anti-fraud controls concentrate on shrinking opportunity: separating incompatible duties, requiring independent approvals, limiting system access, and reconciling independently. Because the fraud diamond highlights capability, organizations pay special attention to people who can override controls — senior managers, system administrators, and anyone with broad authority — by adding monitoring, dual approvals, and review of their activity.
The fraud tree, in turn, tells you where to expect each scheme so risk assessments can be targeted:
| Scheme | Where it usually lives | Targeted controls |
|---|---|---|
| Skimming / cash larceny | Point-of-sale, receivables, cash handling | Independent cash counts, lockbox, customer statements |
| Billing / disbursement | Accounts payable, procurement | Vendor master review, three-way match, approval limits |
| Payroll | HR/payroll | New-hire verification, ghost-employee testing |
| Corruption | Procurement, sales contracting | Conflict-of-interest disclosures, bid controls, vendor due diligence |
| Financial statement fraud | Financial reporting, top management | Strong governance, independent audit committee, analytic review |
The takeaway the exam rewards: a fraud risk program maps likely schemes to specific controls, rather than applying generic controls everywhere. When a stem describes a process, anticipate which fraud-tree scheme it is most exposed to and which control directly addresses it. This scheme-to-control mapping is the bridge from Section D's frameworks to the governance and control material in Section C.
Which leg of the fraud triangle can internal controls most directly reduce?
According to ACFE classifications, which fraud branch is the LEAST common but causes the HIGHEST median loss?
An employee steals cash from a customer payment before any record of that payment is entered into the accounting system. This scheme is best described as: