An open letter to the AICPA regarding fraud

This is a rehash/mash up of 2 previous posts, so if you’ve seen it before, I apologize. One of my traits is that I need to DO something. If people don’t DO SOMETHING, nothing changes. So I’ve emailed this to the members of the Board of the AICPA.

The response I received from the AICPA is at the end.


from:  benson dana <>
date:  Thu, Jun 13, 2013 at 11:54 AM
subject:  AICPA and Fraud


I have some reasonably extensive experience with fraud auditing, detection and deterrence, and given the recent history of catastrophic frauds and audit failures, and the inexorable revelations on virtually a daily basis of smaller but no less disabling frauds, I’d like the AICPA to consider these following thoughts as you plan and prioritize your future. Please understand that I realize this is somewhat raw and unpolished.

Book Report – Other People’s Money, A Study in the Social Psychology of Embezzlement by Donald R. Cressey

The Free Press, Copyright 1953, 157 pages

This book was written almost 60 years ago. It is still frequently, if not always, cited or referred to in some manner during any discussion or class that deals with fraud. I decided to examine the source for myself.

He attempts to follow proper design and procedure for scientific research.

The criteria used for selecting cases were:

  • Accepting a position of trust in good faith, and
  • A criminal violation of financial trust.

“The legal concept of embezzlement was abandoned.” (p. 20) There is a lot of filtering based on the author’s strict definitions of criminal acts, embezzlement, forgery, confidence game and larceny by bailee.

There is also a lot of discussion regarding an innate defect, depravity or other mental abnormality. The subjects often describe themselves as “not acting in my right mind,” or other words to that effect. However, the author does not include any psychology as background or discussion or support for his hypothesis. It seems to me that an individual’s psychological makeup and health would be at least a factor in a discussion of criminal behavior.

Source of the case files was persons confined at the Illinois State Penitentiary at Joliet from April to September, 1949, the California Institution for Men at Chino from October, 1950 through May, 1951, and the U.S. Penitentiary at Terre Haute, Indiana from June through August, 1951.

503 files were selected for review, and the author did a significant amount of filtering based on his subjective criteria. He was left with 73 cases from Joliet, 21 from Chino, and 39 from Terre Haute, a total of 133. An average of 15 hours was spent with each subject. As he moved through the process of conducting initial interviews and examining case files, Cressey revised his initial hypothesis several times.

The final hypothesis is as follows:

“Trusted persons become trust violators when they conceive of themselves as having a financial problem that is non-shareable, are aware that this problem can be secretly resolved by violation of the position of financial trust, and are able to apply to their own conduct in that situation verbalizations which enable them to adjust their conceptions of themselves as trusted persons with their conceptions of themselves as users of the entrusted funds or property.” (p. 30)

Chapter 2 examines the role of the non-shareable problem with respect to the hypothesis and the trust violation. Chapter 3 examines the opportunity for trust violation, and chapter 4 covers the violators’ vocabularies of adjustment, or the rationalization. The final chapter closes with conclusions and implications. Surprisingly, on page 153, Cressey states, “The theory which we have presented has few practical implications either for prevention and detection of trust violation or for treatment of apprehended offenders.”

As I read through the book, I get the distinct feeling that he is stacking the deck in his favor. Although the author takes great pains to describe his scientific rigor with respect to being objective in comparing the case histories to his hypothesis, I get the distinct impression, feeling and conclusion that he uses a lot of subjective rationalizations of his own to ensure the cases fit neatly within his theory. He claims that “The formulation of hypotheses was guided entirely by the search for negative cases.” (p. 17) But he admits that future revision will be necessary, if negative cases are found. He claims that he made a rigorous attempt to examine other data in an effort to find negative cases, that is, cases where the facts would not support his hypothesis.

To me, perhaps the most striking aspect of his description and narrative is just how much life, culture, business and technology have changed since the book was written. The narrative is completely infused with the perspective of the depression, World War II, and the environment immediately thereafter. The world he writes about and the world that defines his universe is completely alien to today’s world.

His subjects are all male. Ladies, how do you feel about that? He does not report the ethnicity of his sample, but I’m willing to wager a substantial sum that it was not in the least diverse or representative of our population. Although there is no discussion of it, I am going to go out on a limb and assume they are all white. Does anyone else but me detect a flaw in his sample? There was no automation or information technology in the 1940’s. The world worked differently. Businesses were organized, structured and run differently. Many examples concern bank officers and business owners shuffling and juggling funds and accounts simply to keep the business afloat. For example, back then, when a customer paid cash on deposit for any item, the culture and standard was to keep those funds separate, segregated and in escrow. Today, such funds are simply business cash flow. I believe that in today’s environment, many of his cases would have simply led to a routine bankruptcy instead of incarceration. So I question the relevance of his definition of embezzlement in today’s terms.

While reading Cressey’s book, it’s easy to be transported back in time, and you get a vivid feeling of a 1940’s film noir movie. You almost expect to see Humphrey Bogart or Jimmy Stewart step out of the pages. From today’s perspective, it seems quaint and unreal.

None of his examples involve collusion. Don’t we have lots of examples of fraud and embezzlement that involve collusion? Where is the “unshareable problem” when the fraud involves or requires collusion? There were no massive multinational corporate entities like we have today. No global markets with 24 hour-per-day trading. No derivative investments so complicated that virtually no single person can understand them.

Non-shareable Problem

I’m convinced that Cressey’s non-shareable problem leg is incomplete, if not irrelevant. Everyone has some non-shareable problem. One non-shareable problem that Cressey seems to virtually ignore is simple greed. Wouldn’t most of us love to have more? More of everything? Today, we are literally bombarded with media depictions of seemingly endless wealth and prosperity enjoyed by a limited few people. Doesn’t our base instinct for survival tend to drive us toward accumulating wealth? Clearly, in today’s world, this basic instinct has been allowed to flourish to absurd proportions in some cases. But the underlying drive is there in all of us, bonded deeply with our nature. Today, almost everyone seems to possess the non-shareable problem of being greedy.


I agree with the rationalization aspect of Cressey’s theory up to a point, except that I think it’s more often that once the perpetrator can manufacture an adequate rationalization for him/herself, that becomes the trigger for the fraud to begin. I also think that one of the most common rationalizations is, “Can I get away with it?” It also occurs to me that virtually all humans seem to be able to rationalize almost any conceivable behavior.

I’m tempted to believe that there is an aspect of learned behavior here, too, that touches on cultural and individual behavior norms. We like to compare life in Maine with life in Massachusetts. There is a stronger culture in Maine of being proud of our reputation for honesty and our sense of shared community and shared sacrifice. Life in Maine is more difficult in many ways than life elsewhere, and Mainers need to look out for each other. The commonly held belief in Maine is that for folks in Massachusetts, and points south (people from away), it’s every person for themselves, and you grab what you can, when you can, before someone else beats you to it. So I would bet that, yes, there is less fraud in Maine, but I have no idea how much less. It might turn out to be insignificant, a myth.

I am always amazed at the number of people who view religion, religious behavior, piety, etc., as a reason why they or someone else could not possibly commit or be guilty of fraud. If you have ever had any formal interview training (as opposed to interrogation training), one clue that the person being interviewed is guilty is when/if they claim, “I swear to God I didn’t do it,” or, “As God is my witness…”


So, of Cressey’s three legs of fraud, the fraud triad, I think the first two are relatively insignificant, if not completely irrelevant. We all have problems, and given enough time, the human brain can rationalize virtually any behavior. The place for us to focus our attention on is opportunity. That is where internal controls and risk analysis come together.

We need a new framework for understanding fraud, and a stronger effort to combat it.

AU Section 316
Consideration of Fraud in a Financial Statement Audit
(Supersedes SAS No. 82.)
Source: SAS No. 99; SAS No. 113.
Effective for audits of financial statements for periods beginning on or after December 15, 2002, unless otherwise indicated.

So in light of having gone to the source of modern fraud theory and documenting my opinions, I decided to take a closer look at the above statement. In paragraph .33, the AICPA affirmatively states that, “the three conditions generally present when fraud exists: incentive/pressure to perpetrate fraud, an opportunity to carry out the fraud, and attitude/rationalization to justify the fraudulent action.”

Really? The AICPA is relying on and referring to a single study from 1953 as a key aspect of their formal statement on fraud?

Here is where the AICPA indicates that the authors of Section 316 may actually have read the book. Beginning in paragraph .35, we see, “However, the auditor should not assume that all three conditions must be observed or evident before concluding that there are identified risks. Although the risk of material misstatement due to fraud may be greatest when all three fraud conditions are observed or evident, the auditor cannot assume that the inability to observe one or two of these conditions means there is no risk of material misstatement due to fraud.”

Paragraph .36 adds, “The extent to which each of the three conditions referred to above are present when fraud occurs may vary.” And very importantly, the next three paragraphs include additional risk characteristics that auditors need to consider.

This all sounds very wishy washy to me. First they present and reaffirm the three classic determinants that indicate or are required for fraud to occur, and then they admit that any one of the three may be adequate to indicate a fraud risk. Well, that’s reassuring and concrete and helpful.

And now recently we have the shocking revelation that Wal-Mart may have been involved in supplying bribes to Mexican officials to receive favorable treatment with respect to the construction of new stores. Certainly no one could have seen that coming. I wonder what the auditors thought about the risk of fraud in the Mexican division…

We need a new framework for understanding fraud, and a stronger effort to combat it

So what do I suggest if I think the triad of fraud “guidance” is a crock? Good question. In an accounting/auditing engagement, what would I recommend as guidance in considering the risk of fraud?

First, I would create at least 2 major and wholly independent categories of fraud.

  1. Material, willful, financial statement fraud
  2. Isolated personal fraud

The first category is the most serious. Think Enron, WorldCom, blah blah blah. It seems that current guidance and procedures should be EXPECTED to identify this category of fraud. If not, then the independent CPA and his or her audit opinion is virtually worthless. The fact that CPA firms continue to miss this means the status quo is not good enough. The AICPA needs a major initiative to revise, refine and redo the formal audit procedures for detecting this category of fraud. There are a lot of recent graphic examples on which to draw. Random testing is not good enough. Audit procedures should be directed at specifically and actively searching for fraud based on a risk analysis. Are inventories a big number? Search for inventory fraud à la Phar-Mor and other similar known audit failures. Capitalization of fixed assets a big number? WorldCom. Etc. These all included a large cast of co-conspirators and as such, should have been caught by the auditors. We need specific procedures designed to address this.

I think the large national and international companies need to be brought to heel. They run roughshod over their auditors, over the regulators, over the tax authorities, over their shareholders, over everyone. Enough is enough.

Now, for smaller companies, the issue of isolated personal fraud looms as perhaps a larger threat than full-blown financial statement fraud. The fact that these are isolated and personal does not mean that they do not present a financial statement risk. Dennis Kozlowski at Tyco did tremendous damage to the stockholders’ value by his personal greed and fraud. We need to take this risk more seriously. As far as specific audit procedures, I offer these as a start:

Identify any and all key executive staff who have positions of power and influence sufficient to bypass or corrupt standard internal controls. By default, this list must include the President, COO, CEO, Chief Financial Officer, any Executive Vice Presidents, Division or group presidents, and board chair.

Complete a detailed internal control review over the span of influence and control exercised by these individuals. The control review needs to specifically target potential fraud vulnerabilities such as lack of segregation of duties, lack of effective review and approval, etc. Require that significant control weaknesses be remediated and re-examined for verification. The auditor should be in complete control over this. There should be zero tolerance for delay, denial, equivocation and whining from the audit client.

Obtain independently the personal credit reports for these individuals and examine them for unusual entries. Complete a 100% detailed review of all compensation paid to these individuals. Inspect and audit 100% of all travel and entertainment reimbursement, stock option grants, asset transfers, etc. A sample is not good enough. This requires a complete census of transactions. Present the detailed results of this examination to the full board for review and approval.

There is an awful lot more that can and should be added. This is just the beginnings of my own personal rant and is horribly incomplete and inadequate. But even given that, I think it’s a start in the right direction. And there is nothing to prevent a CPA firm from implementing these procedures unilaterally and immediately. At least, that’s what I think. I could be wrong, but I don’t think so.

Thanks for your time.


After hearing no response from my email for about 10 days, I asked for one and got this in reply:


No one has ignored your message. I personally forwarded it to the CAQ which has and is doing a lot of fraud work. I also forwarded it to the auditing standards team.

Both will take your input and consider it. As you can well imagine there are many issues and theories in addition to the ones you cite in all of the profession’s fraud work.

The role of auditing in fraud detection has evolved tremendously. Auditing standards in the USA today are set for public companies by the PCAOB not the AICPA. We do not control the PCAOB standards agenda.

AICPA’s auditing standards for private companies are also coordinated with international standards.


Barry C. Melancon, CPA, CGMA
President and CEO
(212) 596-6001
1211 Avenue of the Americas
19th Floor
New York, NY 10036


One Comment to “An open letter to the AICPA regarding fraud”

  1. Randall Steinmeyer says:

    Well done. It’s interesting the standard to which you refer has 3 elements whereas generally in litigation, at least for 34 ACT claims, we are limited to motive and opportunity.
    Enron – the motivation was the consulting fees that when combined with audit fees = approx 1m per week.

    I liked your letter, well done.


This entry was posted on June 18, 2013 and is filed under Fraud and Embezzlement.