At its foundations, auditing is about verifying the assertions that find expression through the numbers presented in the financial statements, performed by well-qualified, competent, and independent auditors. This propriety derives from, and may be constrained by, the integrity of executive management and the preparers of the financial statements—the people who create those numbers. But reliance upon principles-based accounting standards cannot succeed if the market is full of unscrupulous and unprincipled parties. Principles work only when wielded by principled people, and auditors and financial statement users shouldn’t expect principles-based strategies to work very well with unprincipled actors.

It all comes down to integrity and behavior. Auditors, as well as those charged with responsibility for corporate governance, need to understand people in order to understand what they produce. At the end of the day, fraud is a human act.

There’s More to Fraud than the Fraud Triangle

Donald Cressey, the famous sociologist and criminologist, created the fraud triangle with its three vertices. First is opportunity, which is the occasion for someone to commit fraud—perhaps because of weak controls, perhaps because of a lax managerial, regulatory or cultural environment creating a fertile ground for fraud. Second is pressure and incentive, which drives or inspires a person to commit fraud, and which can be either external or internal. Last is rationalization, which is the most psychological element of the fraud triangle. Rationalization is the need for normal human beings to justify to themselves, as well as to others, why they did something that, when viewed by most observers, appears improper and out of character. Because it is very difficult to commit fraud without suffering this psychological pain of “cognitive-affective dissonance,” the prototypical fraudster tells himself that either everybody is doing it, so he or she is no different than other people, or that he is overworked and underpaid and deserves the ill-gotten gains. Thus are perpetrators able to assuage normal feelings of guilt.

Professor Delroy Paulhus of the University of British Columbia has devoted considerable research to characterizing deviant personalities. He has coined the term “the dark triad,” which consists of three types of personalities, including psychopaths. The American Psychiatric Association’s DSM-5 would probably put psychopathy under the label antisocial personality disorder. (For more on the dark triad, see the authors’ earlier article, “Today’s Fraud Risk Models Lack Personality: Auditing with ‘Dark Triad’ Individuals in the Executive Ranks,” The CPA Journal, March 2016.) The dark triad consists of narcissists, Machiavellians, and, the darkest of all, psychopaths. It turns out that while the overall incidence of these deviant, abnormal personalities is relatively small—2% or less in the general male population—the incidence on Wall Street and in corporate America seems to be in the 10–20% range, including those described as subclinical psychopaths, or “almost psychopaths” (Ronald Schouten and James Silver, Almost a Psychopath, Hazelden/Harvard Health Publications, 2012).

At that dangerously high rate of incidence, we think they far surpass measures of statistical significance. This is a level of practical significance so great that auditors should worry about whether they are properly taking into account the types of personalities they’re dealing with, particularly with respect to “dark triad” types in the executive suite. People with one of these personality types have little or no conscience; they are known to exhibit disagreeableness; they are callous and indifferent to the harm or the injury they cause others. They seem to have no compunctions about their behavior, and are not troubled by the pangs of dissonance (Paul Babiak and Robert D. Hare, Snakes in Suits: When Psychopaths Go To Work, HarperCollins, 2006).

What that means with regard to the fraud triangle is that two of the vertices are not pertinent to such abnormal and deviant personalities. The presumption, as has long been incorporated into U.S. and international auditing standards, that fraud risk only becomes significant when all three of the vertices are present, is thus not accurate in the context of dark triad personalities. The rationalization aspect doesn’t matter to someone who has little or no conscience, and pressure and incentive are always implicitly present for such people, because they will do whatever it takes to enrich themselves, be it for material rewards or for the psychological excitement that accrues from “getting away with it.” In such circumstances, the fraud triangle collapses to a singularity: in the presence of such individuals, where there exists opportunity, there will be a high likelihood of fraud.

The only thing restraining such abnormal personalities from committing fraud is the lack of opportunity; if the opportunity is there, they will probably commit fraud. It’s not clear whether we can do away with all potential opportunities, once these individuals have attained positions of power and influence, from which they may even be able to create opportunities for themselves that would not otherwise exist (e.g., by overriding otherwise well-designed controls).

How does one deal with managers or other employees who have the ability to create opportunities to commit fraud and don’t care about the consequences? It falls on organizations, professional and regulatory bodies, academics, and society at large to make sure that such individuals are not permitted to reach the top echelons of large corporations, where they could potentially do significant damage, as seen in recent decades.

If we performed a psychological autopsy of the many “headline” frauds of the past 20-plus years, we would most certainly find a very large number of dark triad personalities who flourished in the kind of permissive, reported growth-driven, easy-credit climate that has existed over this era. But Margaret Heffernan is correct in challenging the “psychopath” argument as the sole reason for the financial crisis: “The dangerous promise of the psychopath argument is this: Get rid of the madmen and everything will be fine” (“Are CEOs Psychopaths?” MoneyWatch, Feb. 13, 2012; http://www.cbsnews.com/news/are-ceos-psychopaths/). After all, the fraud triangle-based risk assessment approach is generally efficacious for most situations where sensitive positions are occupied by normal human beings, and yet we still have undetected instances of fraud. Even the behaviors of normal personalities are not constant and predictable over time, and improvements in auditing, including fraud detection, still remain to be developed and implemented.

How to Deal with Abnormal Personalities

Given the research-validated prevalence of dark triad personalities in the ranks of corporate management, reliance on the Cressey fraud triangle almost certainly has been unwarranted and quite misplaced. Simply addressing the fraud triangle’s recommendations does not mean auditors are out of the woods, because the fraud triangle does not even attempt to address fraud risks traceable to the actions of dark triad personalities. Indeed, the most important question is how can auditors deal with such individuals? When auditors become aware of such personalities in the executive suite, or anywhere else, they should, at a minimum, factor this unpleasant reality into their fraud risk assessments. This is obviously not happening currently, because the fraud triangle and existing audit procedures are not designed to detect such factors.

During fraud risk assessment under GAAS and PCAOB standards, hard questions must be asked about behavioral and integrity risks. Auditors cannot possibly look through the financial statements for every instance of material information being either manipulated or inappropriately disclosed. The most effective remedy is making sure that such “dark triad” personalities are not occupying positions of influence in the first place. Ultimately, this becomes a question of informing and warning human resources before such people are brought into an organization and, if mistakenly permitted to enter, not allowing them to advance to higher executive positions. Given the importance of this risk, albeit heretofore underappreciated, we believe that some variant of personality testing should be adopted to identify dark triad personalities as part of the executive search process, at least for public companies. So important is this that it should be one of the factors auditors evaluate in the fraud risk assessment phase of audit planning. It should also be equally vital to the discharge of responsibilities by those concerned with corporate governance. After all, the Enron failure resulted not only in the demise of Arthur Andersen – but also the demise of Enron itself.

It is clearly in companies’ best interests to investigate and implement mechanisms by which deviant personalities can be prevented from reaching positions of power and influence. This will be a tall order, because psychopaths are known for their ability to be charming during the interview process (Sridhar Ramamoorti, “The Psychology and Sociology of Fraud: Integrating the Behavioral Sciences Component into Fraud and Forensic Accounting Curricula,” Issues in Accounting Education, vol. 23, no. 4, pp. 521–533, 2008). To fail to do this, however, condemns businesses (and other organizations) to having as much as 20% of senior managers drawn from this undesirable and destructive cohort of the population. Once this reality is understood, inaction becomes anathema, and the need to act urgently is soon recognized.

What is being suggested here goes well beyond a routine background check to examine personality characteristics. Before anyone is promoted into senior executive positions, there should be assurance that their personalities are not deviant, not even close to the dark triad zone (recall the “almost psychopath” description). There are several psychological instruments (e.g., questionnaires) that have been validated as able to identify each of the dark triad personality characteristics, so such tools can be adopted or adapted by companies that are serious about the effort.

Auditors should also consider whether the relationship between the engagement partner and the CEO or CFO could lead to trouble. If the CEO or CFO has a dark triad personality—which presumes that the auditors have first made such an observation or formal assessment—this might influence the selection of an appropriate engagement partner. Someone with a “go along to get along” personality might, whatever her other positive attributes (technical proficiency and audit experience, industry expertise), be unfit for such higher risk assignments. In addition, the audit staff might need to be better trained to be even more vigilant regarding aggressive accounting and earnings management in such circumstances, giving extra attention to non-routine, year-end entries that consistently boost income. Again, senior client management personality types should first be assessed and then used to impact the nature, timing, and scope of audit procedures, including audit team assignments.

Recklessness and Success

The real challenge is that many successful CEOs and CFOs share some, but not all, of the characteristics of dark triad personalities. It is difficult to actually sift out the so-called evil personality from the more normal personality at the hiring stage without the expertise of professional psychologists and psychiatrists. Furthermore, many such people have already risen through the ranks, where over time their personality traits have been discounted by their colleagues and superiors, making the risk more insidious (e.g., “wolf in sheep’s clothing”). Even if new hiring decisions take full advantage of modern assessment tools, it might be another generation before risks fully abate.

It is self-evidently easier to take reckless risks when one has a personality that does not require one to evaluate and assess the consequences. Normal people are going to worry about the consequences of their behavior, and therefore generally avoid making reckless decisions. But with dark triad personalities, this is a blind spot; they are instead more likely to take those risks. When these reckless risks lead to blockbuster success in the markets, the risk-takers will typically be promoted to ever-higher positions in the organization and even be recruited by other companies. This is in fact central to the problem, and explains why the fraction of deviant personalities in executive ranks is a multiple of that in the general population. In certain settings, having a dark triad personality is actually a helpful, even desirable, characteristic of aspiring CEOs. Leaders need to be able to make difficult decisions that more prudent people may actually shy away from. There is something about dark triad personalities that allows them to make those big bets. When those big bets succeed, that’s a wonderful outcome inviting the highest plaudits, and everybody wins. Unfortunately, when those bets go sour, they go sour very badly, and everyone loses. This is the flaw in the asymmetric risk-reward structure, which is a corollary concern to the dark triad personality risk matter.

As 2016 Economics Nobel Laureates Oliver Hart and Bengt Holmstrom have demonstrated, people respond to incentives, and hence contract theory has correctly focused on compensation design. In other words, there is a need to go beyond a focus on risk management and talk about rewards management as well (Sridhar Ramamoorti and Usha R. Balakrishnan, “Carrots and Sticks: Making the Case for Auditing Executive Compensation’” Internal Auditor, October 2010, pp. 61, 63, 65). In some instances—if the reward structure is such that the compensation is not subject to any cap, any deferment, or any clawback—the organization actually encourages people to engage in reckless behavior. If things go right, the behavior is richly rewarded, but even if everything goes wrong, in a variant of the “moral hazard” phenomenon widely observed in the S&L and banking crises, the reckless behavior does not affect compensation. Too often, even crooked CEOs glide away in golden parachutes. More thought needs to be directed at how to align performance with reward structures, and, from an audit perspective, the auditee’s system needs to be understood as part of the audit risk assessment process.

Dark triad personalities do not wear obvious “black hats”; there absolutely are some desirable characteristics shared by dark triad personalities and normal people. The challenge is, management and auditors have not been successful in detecting which “normal” employees harbor “dark triad” traits until the true personality reveals itself, at which time the damages have already been incurred.

It falls on organizations, professional and regulatory bodies, academics, and society at large to make sure that such individuals are not permitted to reach the top echelons of large corporations.

Unfortunately, it appears more and more that these narcissistic, Machiavellian, and psychopathic traits are hard-wired tendencies that people cannot be educated out of. Therefore, changing the incentives will perhaps not help these abnormal personalities reform their behavior. Instead, the focus needs to be on preventing them from attaining positions where they have the opportunity to commit fraud, and on strengthening controls over the financial reporting process and on physical safeguarding of assets. To the greatest extent, effective damage control requires that the most egregious behaviors be removed from the system. Doing so may require a generational shift in terms of changing the behavioral expectations from board members and from members of the executive suite, coupled with improved audit risk assessment strategies and techniques.

All the above observations apply more emphatically in situations where collusive fraud might occur, and it is worth noting that dark triad individuals do not always operate solo, but in fact are often adept at recruiting coconspirators—after all, Machiavellianism is all about obtaining desired outcomes through others. It is a not infrequently observed formula for total and wholesale disaster (S. Bing, What Would Machiavelli Do? The Ends Justify the Meanness, HarperCollins, 2000). For example, Enron’s Jeff Skilling demanded that his underlings mirror his own behavioral characteristics: too many people at the upper echelons had similar very hard-driving, type A personalities. And when you put the type A on steroids, you may end up getting a composite dark triad.

Reforming Corporate Culture

We believe that auditors need to play a more active role in fraud detection, and in part that will require that the issues germane to “dark triad” personalities in the executive ranks be better understood and addressed in audit planning and execution efforts. But those charged with responsibilities for corporate governance have an equally vital role to play, and they—far more than auditors—have the ability to actually change corporate culture. When culture change is warranted, making process changes is simply not enough. This is where fundamental changes in expectations need to be effected, such that risk-taking behaviors that sometimes seem to be on the edge of insanity are no longer tolerated.

Making such fundamental changes is a huge challenge because, until a disaster occurs, bold risk taking and outsized favorable outcomes will almost always be admired. For example, Nick Leeson of Barings Bank in Singapore initially placed many unauthorized, speculative bets that paid off—in 1992, the £10 million he made accounted for 10% of the company’s entire annual profits—which led senior management and the board to conclude that he was a good trader who was making them a lot of money. Then in 1995, he made a huge bet that failed, wiping out the 232-year-old bank. There was nothing left of this venerable institution.

Absent employing more effective personality screening, and passing up the winnings that reckless behavior (or worse) could potentially deliver, how could the organization have protected itself from such actions? As mundane as it may sound, the answer is that old standby: internal control, which is as effective against most dark triad personalities as against those with normal traits. Dark triad individuals need to know that they’re being watched. When a perception of detection exists, dark triad personalities do not engage in such behaviors recklessly, because they know that people are watching them and they are subject to scrutiny.

Unfortunately, this does militate against the trust-based culture that organizations prefer to cultivate. This holds that management can’t be snooping on people and constantly forcing them to watch their backs because they don’t know if they’re being spied upon or if there is a “sting” operation in progress (illegal in certain jurisdictions). But clearly a balance is needed, and now, with an advanced understanding of how deviant personality types radically exacerbate fraud risk, time may be running out to take action. Audit and corporate governance failures have become so common and widely remarked upon, as well as costly, that the need to develop procedures, including employee psychological screening and more traditional types of controls, has become manifest. Inaction will not only extend the string of financial losses incurred by businesses and by professional firms, it will tend to institutionalize the bad behaviors, including those associated with aberrant personality types, that will make suboptimal economic performance ever more the norm.

A Psychological Perspective

Dark triad individuals are more than just intermittently bad actors. Their behavior is a constant, it is a hard-wiring problem, meaning “behavior modification” is unlikely to be a successful strategy. It’s akin to the proverbial leopard who won’t change its spots. We cannot expect these persons to change: the best we can do is take steps to mitigate the potential damage they can cause. The solution for this recently appreciated societal issue might require that corporations seek the help and the assistance of experts and professionals who are qualified to evaluate the personalities of executives, perhaps even “embedded” as members of staff.

From the auditors’ perspective, when firms make client acceptance and retention decisions, perhaps psychologists or psychiatrists should interview client management and make assessments. Notwithstanding the existence of reliable instruments that identify dark triad traits, this must be done discreetly, because dark triad individuals are definitely smart enough to resent and resist any psychological or psychiatric testing. This is a huge practical challenge for both independent auditors and human resources managers, and as of now unobtrusive measurement schemes have not been publicly offered. This hurdle must be surmounted if the already acknowledged societal cost of business fraud is to be controlled in a meaningful way.

This article deals only with the possibility of differentiating abnormal from normal personalities and incorporating that distinction, and the fraud risk implications of it, into auditing practice. It does not address the vagaries of behavior exhibited by seemingly normal personalities, nor does it consider how to distinguish abnormal personalities from uncharacteristic behavior by otherwise normal personalities. The intersection of personalities (normal vs. aberrant) and perpetrators (solo vs. collusive), and the implications of those for audit strategies and techniques, is a related, but distinct, topic for further research. It may be helpful to think broader and invoke the “ABC” taxonomy that traces the psychology of fraud to “the bad apple, the bad bushel, and the bad crop” (Sridhar Ramamoorti, David E. Morrison, Joseph W. Koletar, and Kelly Richmond Pope, A.B.C.’s of Behavioral Forensics: Applying Psychology to Financial Fraud Prevention and Detection, Wiley, 2013).

This article is based in part on a CPA Journal interview with Sridhar Ramamoorti; excerpts from that interview will be available at http://www.cpaj.com.)

Sridhar Ramamoorti, PhD, CPA, CFE, CFF, MAFF is an associate professor in the school of accountancy and a director of the corporate governance center at Kennesaw State University, Kennesaw, Ga. He is also a member of the Standing Advisory Group of the Public Company Accounting Oversight Board; the views expressed in this article are his own and should not be attributed to the PCAOB or the SAG.
Barry J. Epstein, PhD, CPA, CFF is a principal with Epstein + Nach LLC based in Chicago, Illinois.