Back to the Basics: Red Flags and the Fraud Triangle


Jeremy Clopton, CFE, CPA, ACDA
Managing Consultant, Forensics and Valuation Services, BKD, LLP

When it comes to looking for ways to improve fraud detection and prevention efforts, sometimes it is best to get back to basics. By basics, I mean the very basics – shapes and colors.  

Criminologist Dr. Donald R. Cressey developed the Fraud Triangle to help examiners understand what leads individuals to commit fraud. Many people refer to the signs that indicate an individual is facing pressure, sees an opportunity or is beginning to rationalize behaviors as red flags. The key becomes identifying the red flags that indicate the legs of the Fraud Triangle are coming together, thus increasing the risk for a potential fraud.

The August issue of the Journal of Accountancy includes an article that examines the inner-workings of an $8 million dollar fraud. In the article, there are repeated examples of pressures (debt, a new baby, gambling, divorce), opportunities (approval access, password knowledge) and rationalization (paying off existing debt). After reading the fraudster’s part of the article it is clear that the Fraud Triangle was complete and, though they went unnoticed, there were multiple red flags. The latter half of the article, written by Dr. Mark Nigrini (author of Forensic Analytics and Benford’s Law), explains the controls and methods organizations should consider to help mitigate the risk of the fraud scheme perpetrated.  

This article emphasizes three important uses of data for fraud investigators:

  • Fraud Triangle analytics – While this fraud took place back in the early 2000s, today the widespread use of email, social media and instant messaging provides a large volume of data for analysis. Analyzing these communications, as well as the related geo-tagging data, may help an investigator identify pressures, opportunities and rationalizations.  
  • Control testing – One of the keys to this fraud scheme’s success was the ability of the fraudster to log in to the system under another individual’s credentials. In fact, there are multiple users’ credentials the fraudster described using during the scheme. Analyzing the access logs of various users with check request and approval authority is beneficial for both deterrence and detection. For example, most employees work off a single computer. Users that log in through multiple terminals may be indicative of a control issue.
  • Payroll trends – The fraudster in the article stated his subordinate had to have the day off in order for the fraud to work. This provided the access needed to take the fraudulent checks. An analysis of the payroll detail, in this situation, would likely have shown an unusual pattern in vacation time for the subordinate. Typically used for vendor activity, trend analysis is also beneficial in analyzing payroll activity (or any activity with an expected pattern over time).

As technology changes, so too must our investigation methods. In 2004, when this fraud took place, it may not have been possible to use data for the three types of tests described above. Ten years later these are just a small subset of the ways fraud investigators use data. However, it all comes back to the basics of shapes and colors. Investigators use data to find the red flags indicating the legs of the Fraud Triangle are all in place.

Follow Jeremy on Twitter @j313 or at