Donald Cressey's three-element model of occupational fraud (pressure, opportunity, and rationalization) emerged from empirical research in the 1950s and remains the central conceptual tool for understanding why trusted employees commit fraud.
In the late 1940s, a young criminologist named Donald Cressey spent months interviewing people in American prisons, not murderers or armed robbers, but embezzlers: accountants, bookkeepers, and trusted employees who had stolen from employers or clients. He wanted to know what they all had in common. The answer, stripped to its elements, became the most influential model in the history of fraud investigation.
The fraud triangle holds that every case of occupational fraud involves three elements appearing together: a financial pressure the person felt they could not share with others, an opportunity in the control environment that made the theft look feasible, and a rationalization that let the person frame what they were doing as something other than dishonesty. Remove any one element and the fraud, at least according to Cressey, does not happen. Change the opportunity and you change the risk.
This topic reconstructs Cressey's original research, explains each element in depth, describes the fraud diamond extension that added capability as a fourth factor, and shows how investigators apply the model in practice: to assess risk, to direct interview questions, and to explain why a trusted employee became a fraudster. The model is not a prediction machine. It is a framework for structured thinking about motivation and control.
The fraud triangle came from listening to convicted embezzlers describe exactly why they did it.
Donald Cressey completed his doctoral research at Indiana University under sociologist Edwin Sutherland, whose differential association theory had already challenged simple explanations of criminal behaviour. Cressey's own question was more focused: why do people who occupy positions of trust, who have been given legitimate access to other people's money, cross the line and take it?
He interviewed 133 inmates at Joliet and Menard Correctional Centers in Illinois and Terre Haute Federal Prison in Indiana, all convicted of embezzlement. The interviews were open-ended and exploratory, not structured questionnaires, and Cressey was looking for patterns in the subjects' own accounts of their behaviour. His methodology would not satisfy modern standards for grounded theory research, but it was unusually direct: he was asking fraudsters themselves to explain what happened.
The pattern that emerged was remarkably consistent. Cressey found that every case involved a financial problem the person believed they could not share with others, access to the money or assets as a direct result of their trusted position, and a way of thinking about what they were doing that made it seem acceptable, at least temporarily. He published his findings as *Other People's Money: A Study in the Social Psychology of Embezzlement* in 1953.
Motivation without opportunity is just a wish. The control environment is where fraud is permitted or prevented.
Opportunity is the element that internal controls directly address. The fraudster needs not just the access to commit the fraud but also a realistic belief that they can conceal it. A poorly designed payroll system that allows one person to add ghost employees, approve the payroll, and receive the corresponding bank transfers without any independent review creates exactly this opportunity. A well-designed system requiring multiple approvals and automatic reconciliation makes the same fraud far harder to execute and conceal.
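The payroll weakness described above can be tested for directly in exported payroll records. The following is an added example, not part of the original page, that flags the segregation-of-duties gaps the paragraph names; the field names, user IDs, account labels, and sample data are constructed assumptions rather than the schema of any real payroll system.

```python
from collections import defaultdict

# Constructed sample data (hypothetical schema and values).
EMPLOYEES = [
    {"emp_id": "E100", "created_by": "hr_anna", "bank_account": "ACCT-0001"},
    {"emp_id": "E101", "created_by": "hr_anna", "bank_account": "ACCT-0002"},
    {"emp_id": "E102", "created_by": "pay_bob", "bank_account": "ACCT-0009"},
    {"emp_id": "E103", "created_by": "pay_bob", "bank_account": "ACCT-0002"},
]
PAYROLL_RUNS = [
    {"run_id": "R1", "approved_by": "fin_cara", "reconciled_by": "fin_dev",
     "paid": ["E100", "E101"]},
    {"run_id": "R2", "approved_by": "pay_bob", "reconciled_by": None,
     "paid": ["E100", "E102", "E103"]},
]

def sod_findings(employees, runs):
    """Return sorted (rule, subject, detail) tuples for control gaps."""
    by_id = {e["emp_id"]: e for e in employees}
    findings = set()

    # Several employee records paying into one bank account.
    by_account = defaultdict(list)
    for e in employees:
        by_account[e["bank_account"]].append(e["emp_id"])
    for account, ids in by_account.items():
        if len(ids) > 1:
            findings.add(("SHARED_BANK_ACCOUNT", account, ",".join(sorted(ids))))

    for run in runs:
        approver = run["approved_by"]
        # No reviewer at all, or the approver reviewed their own run.
        if run["reconciled_by"] in (None, approver):
            findings.add(("NO_INDEPENDENT_REVIEW", run["run_id"], approver))
        for emp_id in run["paid"]:
            emp = by_id.get(emp_id)
            if emp is None:
                # Payment to someone with no master record at all.
                findings.add(("PAID_UNKNOWN_EMPLOYEE", run["run_id"], emp_id))
            elif emp["created_by"] == approver:
                # The same person created the record and approved paying it.
                findings.add(("CREATOR_IS_APPROVER", run["run_id"], emp_id))
    return sorted(findings)

if __name__ == "__main__":
    for finding in sod_findings(EMPLOYEES, PAYROLL_RUNS):
        print(finding)
```

A finding here is a control gap to review, not evidence of fraud: shared bank accounts, for instance, can have legitimate explanations that the follow-up should establish.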
The three most common opportunity conditions identified in the ACFE's research across its biennial Reports to the Nations are: lack of internal controls (cited in the largest share of cases), override of existing controls, and lack of management review. These are not exotic vulnerabilities. They are the ordinary failures of understaffed, overconfident, or complacent organisations.
Most fraudsters do not think of themselves as criminals. Rationalization is how they manage the contradiction.
Rationalization is the most psychologically interesting element of the model, and the one with the most direct relevance to how investigators conduct interviews. Cressey found that his subjects uniformly adopted mental framings that allowed them to act dishonestly while preserving a self-image of basic honesty. These were not rationalizations invented after the fact to explain their actions to the researcher; Cressey concluded they were present at the time of the act, functioning as a necessary psychological precondition.
In an interview, rationalization often surfaces when a subject is asked open-ended questions about their role and their relationship with the organisation. Statements about being undervalued, about management hypocrisy, or about the organisation's financial capacity are often rationalizations in motion. A skilled interviewer recognises them as such and uses them to structure follow-up questions. The PEACE model interview framework (Preparation, Engage/Explain, Account, Closure, Evaluate) is particularly effective at drawing out this kind of account.
Wolfe and Hermanson's 2004 extension asks not just whether conditions are right, but whether the person can actually pull it off.
In a 2004 article in the CPA Journal, David Wolfe and Dana Hermanson proposed adding a fourth element to the fraud triangle: capability. Their argument was that pressure, opportunity, and rationalization describe the conditions for fraud, but they do not explain why, in an organisation where many employees face the same conditions, only one or a few actually commit it. Capability, they argued, is the difference: the specific combination of position, skills, and personal traits that allows a particular individual to execute and conceal a particular fraud.
The capability element has several components. Position matters because not every employee with motivation and rationalization has the access to commit the specific fraud that would satisfy their need. Skills matter because complex financial-statement fraud requires accounting knowledge; a complex cyber-enabled fraud requires technical skills. Personal traits such as confidence, tolerance for risk, and the ability to maintain a convincing narrative under scrutiny all contribute to whether a person who meets the first three conditions will actually act.
In practice, the fraud diamond redirects the investigator's attention toward the specific individuals who were in a position to commit the detected fraud type. It is not enough to know that the billing department had weak controls (opportunity). The question becomes: of the people in that department, who had the accounting knowledge to construct the false invoices, the system access to approve them, and the seniority to avoid scrutiny?
The triangle is most useful not as an explanation of the past but as a tool for directing where to look next.
Fraud risk assessment, as required by auditing standards (ISA 240, AU-C Section 240) and internal audit standards, uses Cressey's elements as a structuring framework. The risk assessment asks: where are the significant pressures in this organisation? Where are the opportunity gaps in the control framework? What signals are there about rationalising attitudes in the culture? The answers direct attention to the highest-risk areas without requiring specific allegations.
| Model element | Risk-assessment questions | Investigation application |
|---|---|---|
| Pressure | Which roles or individuals face unachievable targets, financial distress, or debt? | Interview focuses on financial circumstances, lifestyle, and recent stresses |
| Opportunity | Where is segregation of duties absent? Where does management override exist? | Transaction testing targets periods of weakest control; IT access logs reviewed |
| Rationalization | What is the cultural attitude toward expense claims, policy compliance, and reporting? | Interview uses open-ended questions to draw out self-justifying language |
| Capability (diamond) | Who in the identified risk area has the skills and access to commit this specific fraud type? | Narrows the suspect population by position, access rights, and relevant expertise |
One practical caution: the model was built for occupational fraud (individual employees stealing from their employer). It applies less cleanly to management fraud or financial-statement fraud perpetrated by senior executives, where the pressure is often corporate rather than personal and the rationalization is often collective ('we are managing earnings, not committing fraud'). Investigators working on complex financial-statement cases use the triangle as a starting framework and then adapt it to the organisational dynamics of the specific case.
Cressey described the first element of his model as a 'non-shareable financial problem'. Why is the word 'non-shareable' significant?