Welcome to The CPA Journal Archives

Visit cpajournal.com to read the very latest from The CPA Journal


Today's Fraud Risk Models Lack Personality

Auditing with ‘Dark Triad’ Individuals in the Executive Ranks

Barry Jay Epstein, PhD, CPA, CFF, and Sridhar Ramamoorti, PhD, CPA, CFE, CFF, MAFF

In Brief

Recent behavioral science research on abnormal personality types may have a major impact on the practice of auditing. This article discusses the possible prevalence of “dark triad” personality types within the executive ranks. The risk models currently used by the profession may be insufficient for dealing with such abnormal personalities, for whom only opportunity may be necessary to commit fraud. The authors suggest factoring in executives' personality types and the resultant behavioral/integrity risks as an integral part of risk assessment.


Assessing the risk of fraud requires auditors to have an understanding of which individuals are most likely to commit fraud. The FBI has averred that psychopathy is a crucial concept for understanding white-collar crime in the current business environment (see “Psychopathy: An Important Forensic Concept for the 21st Century,” Paul Babiak, et al., FBO Law Enforcement Bulletin, July 2012, https://leb.fbi.gov/2012/july/psychopathy-an-important-forensic-concept-for-the-21st-century). More generally, the existence and prevalence within the executive ranks of so-called “dark triad” personality types challenge the logic of applying the most commonly cited fraud risk models. Even the well-known Cressey Fraud Triangle, which has been integrated into professional standards, may not be very helpful when auditing in the presence of dark triad personalities (Edwin Sutherland and Donald Cressey, “Why Do Trusted Persons Commit Fraud? A Social-Psychological Study of Defalcators,” Journal of Accountancy, November 1951).

What Is a Dark Triad Personality?

Recent research in personality psychology has identified at least three abnormal (or deviant) personality types, whose behaviors may imply different risk profiles for audit—and financial reporting fraud—risk assessments, engagement planning, and audit execution (see the decade-long retrospective in Adrian Furnham, Steven C. Richards, and Delroy L. Paulhus, “The Dark Triad of Personality: A 10-Year Review,” Social and Personality Psychology Compass, vol. 7, no. 3, 2013, pp. 199–216, as well as Eric N. Johnson, John R. Kuhn Jr., Barbara A. Apostolou, and John M. Hassell, “Auditor Perceptions of Client Narcissism as a Fraud Attitude Risk Factor,” Auditing: A Journal of Practice & Theory, February 2013, vol. 32, no. 1, pp. 203–219). These personality types have been named narcissism, Machiavellianism, and psychopathy—collectively termed “the dark triad.”

The narcissistic personality is characterized by grandiosity, pride, egotism, and a lack of empathy for others. Such persons are excessively preoccupied with personal adequacy, power, prestige, and vanity, and are mentally unable to see the destructive damage they cause to themselves and others. Historically, this was called megalomania, and it is an exaggerated variant of egocentrism.

The Machiavellian personality is characterized by the manipulation and exploitation of others, a cynical disregard for morality, and a focus on self-interest and deception. Machiavellians are temperamentally predisposed to be cal culating, conniving, and deceptive, using other people as stepping stones to reach their goals. Their tactics include charm, friendliness, self-disclosure, guilt, and pressure. Although they prefer to use subtle tactics when possible to mask their true intentions and provide plausible deniability, they have been known to use pressure and threats when necessary.

Lastly, the psychopathic personality is characterized by enduring antisocial behavior, impulsivity, selfishness, callousness, and remorselessness. Psychopaths commonly exhibit glibness or superficial charm, a grandiose sense of self-worth, a heightened need for stimulation and a low threshold for boredom, a pathological inclination for lying, a shallowness of emotional response, a lack of empathy, a parasitic lifestyle, poor behavioral controls, a lack of realistic long-term goals, a failure to accept responsibility for their actions, and criminal versatility.

Of the three dark triad archetypes, the darkest is psychopathy. Although the three personality types are distinct, some of the traits are found in more than one profile, and over time there has reportedly been “construct creep,” which has been caused by the fact that the three concepts share a conceptual resemblance and because their common measures overlap empirically (Furnham et al., 2013).

Although the popular press has frequently classified certain malefactors within one of these types, those characterizations have rarely been based on actual psychological analyses. Utilizing existing, reliable psychological instruments to identify these sets of behavioral traits in real-world audit contexts may be the biggest challenge facing the profession in applying the dark triad theory to auditing risk assessment.

Prevalence of the Dark Triad in Management

Examples of dark triad fraud perpetrators abound. “Chainsaw Al” Dunlap, former CEO of Scott Paper and later Sunbeam Products, showed no compunction in firing thousands of employees and was characterized as a psychopath (Alan Deutschman, “Is Your Boss a Psychopath?”, Fast Company, July 2005, http://www.fastcompany.copm/53247/your-boss-psychopath; also, Jon Ronson, The Psychopath Test: A Journey through the Madness Industry, Penguin Group, 2011). “Crazy” Eddie Antar was a self-proclaimed psychopath, but he allegedly seized on that description to obtain lenient sentencing for his fraud (Al Lewis, “Psychos on Wall Street,” Wall Street Journal, March 3, 2012, http://on.wsj.com/1mxrhIY). Aaron Beam, one of several HealthSouth CFOs who cooperated in that company's fraud, labeled CEO Richard Scrushy a “sociopath” (John L. Smith, “HealthSouth Co-Founder Knows How Greed Grows on You,” Las Vegas Review-Journal, February 4, 2016), which in common parlance is used to describe a milder version of the psychopath. Former Enron CFO Andrew Fastow has been cited as being a narcissist (Charles Ham, Mark H. Lang, Nicholas Seybert, and Sean Wang, “CFO Narcissism and Financial Reporting Quality,” December 2, 2015, http://dx.doi.org/10.2139/ssrn.2581157). That name could apply to many perpetrators of recent high-profile corporate reporting frauds, such as Dennis Kozlowski, who exhibited outsized needs for luxury and ostentation. The late Steve Jobs was hailed as Machiavellian “in the best sense” (see comments by Dan Fraker in Del Thiessen's blog post “The Machiavellian Tint of Steve Jobs Part 1,” http://bit.ly/1PI763C), and indeed “good” Machiavellian behaviors, such as being able to convince others to follow one's lead, may be more welcomed among management than the traits of narcissism or psychopathy.

Not surprisingly, however, evidence suggests that corporate management contains a much higher proportion of dark triad personalities than the general population (see Paul Babiak, Craig S. Neumann, and Robert D. Hare, “Corporate Psychopathy: Talking the Walk,” Behavioral Sciences and the Law, vol. 28, pp. 174–193, 2010; and Sherree DeCovny, “The Financial Psychopath Next Door,” CFA Institute Magazine, vol. 23, no. 2, March/April 2012). Given that psychopathy exists on a continuum, Ronald Schouten speculates that the incidence of subclinical psychopaths on Wall Street may top 10%, with some studies suggesting an incidence rate of 5%–15% among students from the United States and Sweden (“Psychopaths on Wall Street,” Harvard Business Review, March 14, 2012; Ronald Schouten and James Silver, Almost a Psychopath, Hazelden/Harvard Health Publications, 2012).

The apparent prevalence of psychopaths in corporate management suggests to the authors that auditors might find it useful to incorporate the “dark triad personality risk” factor into their risk assessments. To the extent that auditors remain uninformed about both the possible presence of such personalities and the attendant implications of a heightened risk of fraud, they might fail to appropriately compensate by expanding or altering audit procedures.

The three dark triad personality types are thought to explain why some fraud perpetrators inherently are, or become, predators—persons who consciously seek out opportunities to commit fraud, often in serial fashion. This is in contrast to accidental or situational fraudsters, who succumb to pressure—often, but not necessarily, of a financial nature—and are able to rationalize atypical behaviors when the opportunity presents itself. Jack Dorminey, A. Scott Fleming, Mary-Jo Kranacher, and Richard A. Riley Jr. have hypothesized a distinction between accidental fraudsters and predators (“The Evolution of Fraud Theory,” Issues in Accounting Education, vol. 27, no. 2, May 2012), and furthermore posit that, over time, even accidental fraudsters will exhibit true predatory behavior if left unchecked, and in particular will no longer need to rationalize their behaviors, which become habitual. In sociology literature, this is referred to as normalization of deviance, or normalized deviance (Diane Vaughn, Controlling Unlawful Organizational Behavior, University of Chicago Press, 1983). The transformation, over time, of an accidental fraudster into a predator is a classic case of “a wolf in sheep's clothing” and could therefore potentially escape detection.

Dark Triad Personalities and Fraud Risk Assessment Models

Generally accepted auditing standards (GAAS) require that auditors consider the risk of fraud as part of their assessment of internal control risk. Although auditors can select from a number of frameworks when assessing management's risk of fraud, AU-C section 240, “Consideration of Fraud in a Financial Statement Audit,” adopts the well-known “fraud triangle” model first propounded by criminologists Donald Cressey and Edwin Sutherland more than 60 years ago. This model theorizes that the confluence of three factors may increase the likelihood that fraud will occur: a perceived need or pressure, a perceived opportunity, and the ability to rationalize such behavior (see S. Ramamoorti and W. Olsen, “Fraud: The Human Factor,” Financial Executive, July/August 2007).

The logic of the Cressey model is manifest, even if direct observation of perceived pressure or an ability to rationalize is almost impossible. For example, consider a manager with a sick child needing expensive medical treatments who sees an opportunity to perpetrate vendor fraud with the help of a friend outside the company because controls over ordering, receiving, and authorizing payments are weak. The prospective fraudster—who has a normal, non–dark triad personality—needs the ability to rationalize his theft and accompanying financial reporting fraud in order to resolve the resulting internal conflict, commonly described by social psychologists as affective-cognitive dissonance. This rationalization often takes the form of seeking just compensation for resentment over “unfair” pay raises or privileges granted to others (see L. Festinger, “A Theory of Social Comparison Processes,” Human Relations, vol. 7, no. 2, pp. 117–140, 1954). When these factors are aligned, fraud is more likely.

Recent research in personality psychology has identified at least three abnormal personality types, whose behaviors may imply different risk profiles for audit risk assessments, engagement planning, and audit execution.

It is now common practice for auditors, employing “checklists” or other aids, to watch out for the elements of the Cressey fraud triangle and use such indications when making decisions about audit scope. Even if it were practical to observe each of the three Cressey factors, however, the potential effects of abnormal personality types in key management positions would still be left unexplored.

Concern about the applicability of traditional models under abnormal personality conditions can be readily illustrated using the fraud triangle. One could argue that an aberrant personality would not need to rationalize behavior, and in fact might not even require a perceived need or unshareable burden to engage in fraud, only the opportunity (see Martha Stout, The Sociopath Next Door: The Ruthless Versus the Rest of Us, Broadway Books, 2005). In this extreme case, the fraud triangle might collapse to a single dimension, with obvious and worrisome implications regarding the need for effective controls (see the Exhibit). For example, in the case of a normal personality, merely modest controls might be sufficient to eliminate obvious opportunities for fraud, because an individual would still require both a pressing need and the ability to rationalize a dishonest act before committing fraud. On the other hand, if the subject is a dark triad personality, only absolute absence of opportunity would serve as a barrier to fraud. Even then, an imaginative and intelligent dark triad personality could well be capable of creating opportunities where none might exist otherwise.


The Collapse of the Fraud Triangle

The Cressey model is not unique in this perceived limitation. Several extensions or variations of the fraud triangle model have been proposed in the years since it was first theorized, but even when the dark triad concerns have been noted, newer approaches have not demonstrated how to fully address them. For example, David T. Wolfe and Dana R. Hermanson's fraud diamond model adds a fourth dimension, capability, to Cressey's triad. Zabihollah Rezaee and Richard A. Riley offer the CRIME model, standing for cooks, recipes, incentives, (lack of) monitoring, and end results (Financial Statement Fraud: Prevention and Detection, 2nd Ed., Wiley, 2009). A Crowe Horwath white paper (http://bit.ly/1mIk1Kq) put forth the fraud pentagon, consisting of the Cressey trio plus arrogance and competence (or Wolfe and Hermanson's diamond plus arrogance). The respected textbook Forensic Accounting and Fraud Examination, coauthored by ACFE Founder and Chairman Joseph T. Wells, uses the acronym MICE, which stands for money, ideology, coercion, and ego (or entitlement) (Forensic Accounting and Fraud Examination, Wiley, 2011).

Additionally, “The Evolution of Fraud Theory,” referenced above, offers a “metamodel” of white-collar crime that incorporates the fraud triangle but urges the formal consideration of other behavior and decision models affecting the classic three factors. Most recently, Tim V. Eaton and Sam Korach have further elaborated on this metamodel, exploring literature from other disciplines in order to better identify criminological personality profiles and to incorporate different behavioral features that apply to white-collar fraud (“A Criminological Profile Of White-Collar Crime,” The Journal of Applied Business Research, vol. 32, no. 1, pp. 129–142, January/February 2016). But none of the above models and frameworks (with the possible exception of the just-published Eaton and Korach article) attempt to distinguish, in terms of the assessment of fraud likelihood, normal and abnormal actors in positions with high fraud risk susceptibility.

Personality-based risk factors are therefore not typically considered by auditors; the susceptibility of a manager or other employee is implicitly presumed to be that of a normal personality type. No attempt is made to fine-tune the model to address increased likelihood of fraud by those with abnormal personality traits. In essence, the extant internal control frameworks and risk assessment tools are “people-neutral,” indifferent to the personalities and motivations of those who commit fraud. Although this is historically understandable, it means that under certain circumstances control risk assessments may inadequately capture the true risk of fraud. Incorporating management personality factors into audit and control risk assessments could potentially enhance the detection of financial reporting fraud.

Evidence suggests that corporate management contains a much higher proportion of dark triad personalities than the general population.

In order to fully employ a risk-based auditing strategy, as mandated by the PCAOB, all factors contributing to risk must be understood, addressed, and, if possible, systematically measured—including the impact of deviant personalities. In the authors' opinion, this represents a major opportunity for the profession to improve the effectiveness of audits, as well as internal controls and other systems and procedures. Fraud risk assessment based on abnormal personality factors could represent a significant breakthrough.

How Auditors Can Address Dark Triad Personalities

As a first step, practicing auditors—including current accounting students, who have a unique opportunity to expand their auditing knowledge base—should strive to become educated about abnormal personalities and their potential impact on audit risk. This will require a new focus on areas that so far have played little or no part in accounting curricula. Many practitioners and academics may see these areas as hardly relevant to the mainstream concerns of accounting and auditing, and may therefore be resistant; however, the profession's experience in finding, and, more importantly, in failing to find, evidence of fraud puts the lie to that assumption. As little as one targeted college course, or the equivalent amount integrated into several classes, could convey a decent understanding of behavioral cues and personality diagnoses, which could then be used in actual audit settings. (For further discussion, see Sridhar Ramamoorti, “The Psychology and Sociology of Fraud: Integrating the Behavioral Sciences Component into Fraud and Forensic Accounting Curricula,” Issues in Accounting Education, vol. 23, no. 4, pp. 521–533, 2008; and Sridhar Ramamoorti, D. E. Morrison, J. W. Koletar, and K. R. Pope, A.B.C.'s of Behavioral Forensics: Applying Psychology to Financial Fraud Prevention and Detection, Wiley, 2013). In the authors' opinion, a better understanding of personality characteristics, even informally or partially implemented by auditors, could lead to significant improvement in fraud risk assessments and audit scope decisions. Later, as more sophisticated, formalized practices come into use, further improvements to fraud risk assessment processes in even routine financial audits are almost certain. Furthermore, a focus by auditors on personality factors is unlikely to go unnoticed by potential dark triad personality types, and the heightened “perception of detection” may itself potentially serve as a deterrent.

Secondly, at least in the near term, auditors must develop and fine-tune fraud risk assessment tools to cope with the possibility of managers with abnormal personality profiles in positions where fraud could take place (i.e., managers in the “financial reporting supply chain”) and go undetected. These tools should be designed to identify these deviant personalities and adjust audit risk assessments to reflect their potential impact on the entity's financial reporting. Such observational or measurement techniques would ideally be unobtrusive, but that may be easier said than done.

The Need for Further Research

A number of instruments for the measurement of narcissism, Machiavellianism, and psychopathy exist, in some cases tested and validated in research conducted over many years. For example, the Narcissistic Personality Inventory, the Five-Factor Narcissism Inventory, the Machiavellian Personality Scale, the Psychopathy Checklist (Revised), and the Short Dark Triad (SD3) have all been widely employed, albeit not in audit environments. Although selection from among these would be ideal, it is also possible that an amalgamation of these tools, or the informed development of a new set of tools, might be required to meet the unusual, and probably challenging, requirements of the auditing profession. It will take careful research to determine whether these tools will in fact be useful in increasing detection and lessening overall occurrence of financial reporting fraud.

The biggest challenge will be to develop inconspicuous ways to analyze the personalities of at-risk individuals. Unlike behavioral scientists' typical subjects—the beloved college sophomores looking to score some easy extra credit—corporate executives will almost certainly resist and resent receiving multiple-item questionnaires concerning abnormal personality traits or the proclivity to perpetrate fraud. Behavioral scientists and auditing professionals will have to work together to develop new tools in order to accomplish such diagnostic exercises, taking into account the existence of the powerful “social desirability of responses” bias. Once that is done, a means for drawing operational inferences from the results of those exercises will need to be developed. For example, if a given CFO scores high on the narcissism scale, there will need to be a mechanism to combine this insight with other risk assessment data so that planned auditing procedures can be altered accordingly. Indeed, at some point the profession may have to choose, as a solution to personality-driven fraud risks, whether to change auditing procedures or simply to conduct “more auditing.” This of course is not a new problem; the standard mathematical audit risk model does not specify how much “more auditing” should be performed for a given amount of additional assessed risk (inherent risk or control risk), and there is no reason why the risk of dark triad personalities would be any different.

The transformation, over time, of an accidental fraudster into a predator is a classic case of “a wolf in sheep's clothing” and could therefore potentially escape detection.

Thinking Outside the Box

While factoring in deviant personalities might seem too out-of-the-box for professional accountants, the emerging field of behavioral forensics provides insights into how and why people commit fraud. The profession cannot afford to ignore the significance of behavioral and integrity risks in management as part of a fraud risk assessment. The well-known Cressey Fraud Triangle is too basic and does not consider abnormal or deviant personalities, for whom neither perceived pressure nor the need to rationalize matter. Instead, for the dark triad personality, the three vertices of the triangle collapse into one: opportunity. Auditors need to be aware of this, and to the heightened risk of fraud when one or more members of management falls into one of the dark triad personalities. After all, it is people who commit fraud: internal controls should not be people-neutral, and neither should be the auditing profession.

Barry Jay Epstein, PhD, CPA, CFF is a principal at Epstein + Nach LLC, in Chicago, Ill.
Sridhar Ramamoorti, PhD, CPA, CFE, CFF, MAFF is an associate professor in the school of accountancy and director of the corporate governance center at Kennesaw State University, Kennesaw, Ga.

Search for archived articles, authors, and topics below:


Login or create a new account