The ACFE Fraud Tree and Occupational Fraud Classification
The ACFE Occupational Fraud and Abuse Classification System, known as the Fraud Tree, organises occupational fraud into three primary branches: asset misappropriation, corruption, and financial statement fraud. This topic covers the taxonomy's structure, how investigators use it to frame an engagement, and the frequency and loss data from the ACFE's biennial Report to the Nations.
The ACFE Occupational Fraud and Abuse Classification System, universally called the Fraud Tree, is a hierarchical taxonomy that classifies every known type of occupational fraud under three primary branches: asset misappropriation, corruption, and financial statement fraud. Developed by Joseph T. Wells and adopted by the Association of Certified Fraud Examiners (ACFE) in the early 1990s, the Fraud Tree has become the global reference framework for both fraud prevention program design and fraud examination engagement planning. Each branch subdivides into categories and then into specific scheme types, giving practitioners a precise vocabulary and a structured hypothesis set for any investigation.
The ACFE publishes the Report to the Nations on Occupational Fraud and Abuse every two years, drawing on thousands of cases submitted by Certified Fraud Examiners worldwide. The report quantifies each branch's relative frequency and median loss, tracks how schemes are detected, and maps losses across industry, organisation size, and geography. The data spans cases from the United States, India, the United Kingdom, the European Union, sub-Saharan Africa, and Latin America, making it a genuinely global dataset rather than a single-jurisdiction study.
For a fraud examiner, the Fraud Tree serves two purposes. First, it translates vague suspicion into a testable hypothesis: once the examiner identifies which branch the suspected scheme falls under, the evidence-gathering strategy follows logically. Second, it provides a defensible structure for the fraud risk assessment that organisations run under frameworks such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control framework, the UK Corporate Governance Code, and the Institute of Chartered Accountants of India (ICAI) guidance on fraud risk management.
By the end of this topic you will be able to:
- Identify the three primary branches of the ACFE Fraud Tree and give two specific scheme examples from each branch.
- Explain how the Report to the Nations statistics on frequency, median loss, and detection method inform an examiner's initial hypothesis and risk priorities.
- Distinguish skimming from larceny, and bribery from a conflict of interest, using the Fraud Tree's own definitions.
- Describe how the Fraud Tree branch relevant to a set of predication facts determines the evidence-gathering approach in a fraud examination.
- Recognise the red flags associated with billing schemes, payroll fraud, and financial statement fraud, and match each to a specific Fraud Tree subcategory.
- Occupational fraud: The ACFE defines occupational fraud as the use of one's occupation for personal enrichment through the deliberate misuse or misapplication of the employing organisation's resources or assets. The definition limits scope to fraud committed by insiders, which distinguishes it from external fraud such as identity theft or vendor-side deception that the organisation does not enable.
- Asset misappropriation: The largest Fraud Tree branch, covering schemes in which an employee steals or misuses the organisation's assets. Subcategories include cash schemes (skimming, larceny, fraudulent disbursements) and non-cash schemes (misuse of inventory, theft of intellectual property, payroll fraud). Asset misappropriation accounts for the majority of occupational fraud cases by frequency.
- Corruption: Schemes in which an employee misuses their position to gain a direct or indirect benefit, typically involving a third party. The four main subcategories in the Fraud Tree are bribery, illegal gratuities, conflicts of interest, and economic extortion. Unlike asset misappropriation, corruption often leaves few accounting traces, making it harder to detect through financial review alone.
- Financial statement fraud: Intentional misstatement or omission in financial reports to deceive users of those reports, typically to inflate earnings, understate liabilities, or maintain a credit rating. The rarest Fraud Tree branch by frequency but the highest in median loss, often by an order of magnitude compared to the other branches.
- Skimming: An off-book cash theft: revenue is stolen before it enters the accounting system, so no entry is ever made. Skimming is harder to detect because there is no accounting discrepancy to find; detection usually relies on physical controls, surveillance, or tip-offs rather than records review.
- Report to the Nations: The ACFE's biennial global study of occupational fraud, compiled from cases submitted by Certified Fraud Examiners. Each edition analyses thousands of real fraud cases across industries and geographies, reporting frequency, median loss, detection method, perpetrator profile, and the impact of anti-fraud controls. The 2024 edition covered cases from 138 countries.
Structure of the ACFE Fraud Tree
The Fraud Tree has three levels. At the top sits the single category of occupational fraud and abuse. Below that are the three primary branches. Each branch then subdivides into categories, and each category into specific scheme types. The full taxonomy contains more than 50 named scheme types. The value of the hierarchy is precision: rather than describing an investigation as being about 'fraud', an examiner can specify that it concerns a billing scheme under fraudulent disbursements, which is itself under cash theft, which is itself under asset misappropriation.
| Branch | Typical frequency (ACFE data) | Typical median loss | Primary detection method |
|---|---|---|---|
| Asset misappropriation | Highest (~85-90% of cases) | Lowest (~$120,000 per case) | Tips, internal audit |
| Corruption | Mid-range (~38-45% of cases) | Mid-range (~$200,000 per case) | Tips, internal audit |
| Financial statement fraud | Lowest (~5-10% of cases) | Highest (~$766,000 per case) | Internal audit, management review |
The frequency-loss inversion is one of the most practically important patterns in the data. Asset misappropriation cases are common but individually bounded; a payroll fraudster can only steal so much before controls or colleagues notice. Financial statement fraud cases are rare but catastrophic: they often involve senior management, run for years, and affect investors, creditors, and counterparties far beyond the organisation itself. Enron and WorldCom in the United States, Wirecard in Germany, and Satyam Computer Services in India all involved financial statement fraud at scale, with losses measured in billions rather than thousands.
Asset misappropriation: cash and non-cash schemes
Asset misappropriation divides into cash schemes and non-cash schemes. Cash schemes are the more thoroughly documented because they leave accounting traces. They fall into three sub-categories: skimming (off-book theft before recording), cash larceny (on-book theft after recording), and fraudulent disbursements (manipulating the payment process to divert funds).
Fraudulent disbursements include five scheme types that appear repeatedly in the Report to the Nations data. Billing schemes involve submitting fictitious or inflated invoices, usually through a shell company controlled by the employee. Payroll fraud includes ghost employees, falsified hours, and commission manipulation. Expense reimbursement schemes inflate or fabricate business expenses. Check and payment tampering covers forged authorisations, altered payee fields, and unauthorised electronic transfers. Register disbursements include false refunds and voided sales that redirect cash to the employee.
Non-cash schemes involve theft or misuse of inventory, equipment, proprietary data, or intellectual property. Though they appear less often in fraud examination case files, the ACFE data shows they are systematically under-reported: non-cash thefts are harder to quantify, harder to attribute to a specific individual, and often written off as shrinkage rather than investigated as fraud. In manufacturing sectors, inventory theft can represent the single largest category of occupational loss.
Corruption schemes: bribery, conflicts of interest, and economic extortion
Corruption schemes, as the Fraud Tree defines them, involve an employee who misuses their organisational influence or authority to benefit themselves or a third party, usually at the organisation's expense. The four subcategories are bribery, illegal gratuities, conflicts of interest, and economic extortion.
Bribery is the offering, paying, soliciting, or receiving of anything of value to influence a business decision. The distinction between bribery and an illegal gratuity turns on timing and intent: a bribe is paid before the favourable decision as an inducement, while an illegal gratuity is paid after the fact as a reward. In practice the distinction matters for criminal prosecution under statutes such as the US Foreign Corrupt Practices Act 1977, the UK Bribery Act 2010, India's Prevention of Corruption Act 1988 (amended 2018), or the OECD Anti-Bribery Convention.
A conflict of interest arises when an employee has an undisclosed personal or financial interest in a transaction that they influence on behalf of the organisation. The employee may not receive cash directly from the vendor; the benefit may be a family relationship, a minority equity stake, or preferential treatment for a connected business. Conflicts of interest are among the hardest corruption schemes to detect because the vendor's invoices and the organisation's payments may both be legitimate on their face. Relationship mapping, vendor database screening, and employee disclosure review are the primary detection tools.
Economic extortion is the mirror image of bribery from the employee's perspective: the employee demands payment from a vendor or counterparty in exchange for a favourable decision, threatening adverse action if the payment is not made. Extortion victims often do not report the scheme because reporting exposes their own payment, which may itself constitute bribery under local law.
Financial statement fraud: schemes and indicators
Financial statement fraud involves intentional manipulation of the financial statements to mislead users, whether investors, creditors, regulators, or the board. The Fraud Tree identifies two directions: overstating assets or revenues (the more common direction, used to inflate apparent profitability or net worth) and understating liabilities or expenses (used to reduce apparent obligations or improve ratios).
Specific scheme types include fictitious revenues, timing differences (recording revenue in an earlier period than earned, or expenses in a later period), concealed liabilities, improper asset valuations, and disclosure fraud (omitting or misrepresenting material information in notes or management commentary). The WorldCom fraud centred on capitalising operating expenses as assets to inflate earnings before interest and tax. Satyam's fraud involved overstating cash balances on the balance sheet over multiple years. Wirecard fabricated entire revenue streams and bank balances across multiple jurisdictions.
The examiner's analytical toolkit for financial statement fraud includes ratio analysis over time and against industry peers, Beneish M-Score and Altman Z-Score models, Benford's Law testing of transaction-level data, and detailed vouching of revenue transactions to supporting contracts and delivery evidence. The audit standards and fraud detection responsibility framework defines what the statutory auditor's obligation is versus what the forensic examiner adds.
Report to the Nations: frequency, loss, and detection data
The Report to the Nations is the most comprehensive longitudinal dataset on occupational fraud available. Each edition draws on cases submitted by Certified Fraud Examiners globally. The 2024 edition covered 1,921 cases from 138 countries with a total loss exceeding $3.1 billion. Because the dataset reflects cases that were detected and investigated, it likely understates true fraud frequency and total organisational loss.
Tips are consistently the leading initial detection method, accounting for roughly 43 percent of cases in recent editions. Of those tips, the majority come from employees, though customers, vendors, and anonymous sources also contribute. The practical implication is direct: organisations with a functioning confidential reporting mechanism (a hotline, an ethics portal, or a third-party reporting service) detect fraud earlier and at lower median loss than those without one. The ACFE data shows that median loss in organisations with a hotline is roughly half that in organisations without one.
Perpetrator profile data consistently shows that fraud loss correlates strongly with the perpetrator's position in the organisation hierarchy. Owner-operator and executive-level frauds have median losses several times higher than employee-level frauds, reflecting both access to larger assets and ability to override controls. Fraud duration before detection averages 12 to 18 months across the full dataset, and duration correlates directly with total loss: every month of an undetected scheme is a month of additional extraction.
The report also tracks the effectiveness of anti-fraud controls. Organisations that have adopted proactive controls, including data analytics, surprise audits, job rotation, and mandatory holiday policies, consistently show lower median fraud losses than those relying solely on traditional internal audit cycles. These findings align with guidance from the Institute of Internal Auditors (IIA) and ICAI, as well as the Financial Reporting Council (FRC) in the UK and the Public Company Accounting Oversight Board (PCAOB) in the US.
Using the Fraud Tree in an examination engagement
The Fraud Tree's practical value in an engagement is to convert a vague allegation into a structured hypothesis and then into a specific evidence-gathering plan. The process begins at predication: the examiner reviews the triggering facts and identifies which Fraud Tree branch or branches are consistent with those facts. This initial classification is a hypothesis, not a conclusion, but it is a testable one.
If predication points to cash disbursement irregularities, the examiner follows the billing scheme pathway: obtain and analyse the vendor master file, identify vendors with PO box addresses and no physical presence, pull invoice-level transaction data, map approver relationships, and search public databases for connections between approvers and vendor registrations. If predication points to unexplained vendor preference or anomalous contract awards, the corruption pathway calls for relationship mapping, gift and hospitality register review, and interview planning targeting both the suspected employee and vendors. If predication involves unexpectedly positive financial results that contradict operational indicators, the financial statement fraud pathway triggers ratio analysis, journal entry testing, and revenue recognition vouching.
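The billing scheme pathway described above, sketched as an added example (not part of the original page or any ACFE tool): it screens a vendor master file for PO box addresses, single-approver concentration in invoice value, and address links between vendors and approvers. All records, field names, the registry extract, and the 90% concentration threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample extracts (assumptions, not from the page).
VENDORS = [
    {"id": "V001", "name": "Northfield Supplies Ltd", "address": "14 Mill Lane, Leeds"},
    {"id": "V002", "name": "Apex Consulting", "address": "P.O. Box 4471, Leeds"},
    {"id": "V003", "name": "Brightway Logistics", "address": "Unit 3, Dock Road, Hull"},
]
INVOICES = [  # (vendor id, amount, approver employee id)
    ("V001", 12500.00, "E10"), ("V001", 8300.00, "E11"), ("V001", 9100.00, "E12"),
    ("V002", 7200.00, "E10"), ("V002", 6850.00, "E10"), ("V002", 7400.00, "E10"),
    ("V003", 22000.00, "E11"), ("V003", 1800.00, "E12"),
]
EMPLOYEES = {  # employee id -> home address from HR records
    "E10": "27 Orchard Close, Leeds", "E11": "5 High Street, York", "E12": "9 Park Row, Hull",
}
REGISTRY = {"V002": "27 Orchard Close, Leeds"}  # registered office per public record

PO_BOX = re.compile(r"\bP\.?\s*O\.?\s*Box\b", re.IGNORECASE)

def norm(addr):
    """Reduce an address to lowercase alphanumerics so formatting differences do not hide a match."""
    return re.sub(r"[^a-z0-9]", "", addr.lower())

def approver_share(vendor_id):
    """Return (top approver, share of the vendor's invoice value that approver signed off)."""
    totals = defaultdict(float)
    for vid, amount, approver in INVOICES:
        if vid == vendor_id:
            totals[approver] += amount
    if not totals:
        return None, 0.0
    top = max(totals, key=totals.get)
    return top, totals[top] / sum(totals.values())

def screen_vendors(threshold=0.9):
    """Map vendor id -> list of billing-scheme red flags for the examiner to follow up."""
    findings = {}
    for v in VENDORS:
        flags = []
        if PO_BOX.search(v["address"]):
            flags.append("po_box_address")
        top, share = approver_share(v["id"])
        if top and share >= threshold:
            flags.append(f"single_approver:{top}")
        known = {norm(v["address"]), norm(REGISTRY.get(v["id"], ""))}
        for emp, home in EMPLOYEES.items():
            if norm(home) in known:
                flags.append(f"address_match:{emp}")
        if flags:
            findings[v["id"]] = flags
    return findings
```

On this sample, V002 carries all three indicators while V003 carries only approver concentration; each flag is a lead to test against supporting documents, in line with treating the classification as a hypothesis rather than a conclusion.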
The Fraud Tree also guides how the examiner scopes the work and communicates with the client. A clearly defined Fraud Tree hypothesis lets the examiner tell the engagement sponsor: here is the specific type of scheme we are testing for, here is the evidence we need, and here are the controls whose failure this scheme exploits. That precision is more useful to both the legal team and the remediation team than an open-ended mandate to 'look for fraud'. For evidence-gathering methods aligned to each branch, see Evidence Gathering Methods in Fraud Examinations.
Which Fraud Tree branch has the highest frequency of reported cases but the lowest median loss per case?
Key Takeaways
- The ACFE Fraud Tree classifies all occupational fraud under three branches: asset misappropriation (most frequent, lowest median loss), corruption (mid-range on both measures), and financial statement fraud (rarest, highest median loss). The frequency-loss inversion is one of the most practically important patterns in fraud risk management.
- Asset misappropriation subdivides into cash schemes (skimming, larceny, and fraudulent disbursements including billing schemes, payroll fraud, and expense schemes) and non-cash schemes. Skimming is off-book and invisible to reconciliation; its detection depends on physical controls and tip-offs rather than records review.
- Corruption schemes, including bribery, illegal gratuities, conflicts of interest, and economic extortion, often leave minimal accounting traces. Detection relies on relationship mapping, vendor screening, and employee disclosure review rather than transaction analysis alone.
- The ACFE Report to the Nations consistently shows that tips are the primary detection mechanism for occupational fraud, that median fraud duration is 12 to 18 months before detection, and that organisations with functioning hotlines detect fraud at roughly half the median loss of those without.
- In a fraud examination engagement, the Fraud Tree converts predication facts into a testable hypothesis. The branch identified dictates the evidence-gathering strategy, the scope of data requests, and the interview plan, giving the engagement a defensible structure from the first day.
What are the three main branches of the ACFE Fraud Tree?
What does the ACFE Report to the Nations say about how fraud is most often detected?
How long does a typical occupational fraud scheme last before detection?
What is the difference between skimming and larceny in the ACFE Fraud Tree?
How does the ACFE Fraud Tree help structure a fraud examination engagement?