The Fraud Pentagon

Why the Human Element Determines Everything

By: Jonathan T. Marks, CPA/CFF, CITP, CGMA, CFE, MBA | NACD Board Fellow

Contributing Author, COSO Fraud Risk Management Guide, 2nd Edition (2023)

U.S. Copyright Registration No. 1-13910038981

Fraud Pentagon - Developed by Jonathan T. Marks

A Career Begins

At a young age, I discovered four qualities in myself that I did not yet have names for: critical thinking, creative thinking, the discipline to challenge my perceptions, and a deep love of solving puzzles. I did not learn them in a classroom. They showed up together, for the first time, on a dock bench in New Jersey in the summer of 1979.

In the summer of 1979, friends invited my family to spend a week with them on the Jersey Shore. I have always enjoyed going to the beach because our host possessed a boat and would take us fishing. One night, around sunset, I was sitting on a dock bench when I heard two men speaking. I turned and noticed some younger men in their mid-twenties wearing jeans and hoodies walking up and down the dock, commenting on various boats. I remember laughing out loud and wondering why these two guys would dress like that, given that the temperature was over 90 degrees.

Later that night, I was sitting in our host's living room watching the evening news, and a story ran about a string of robberies. I listened intently and understood that someone was boarding boats docked in slips and stealing radios, fish finders, and other equipment.

The following day at breakfast, our host spoke about the story, how it was a real problem for the local community, and how thankful they were that nothing happened to them. Later that day, I returned to my spot on the dock to watch the sunset and saw the same two men dressed in the same clothes. I remember pulling down my baseball cap and watching them walk by several slips, whispering to each other, and then, about twenty minutes later, I saw them get into a white van and drive away. I was now suspicious, so I traced their route, focusing on the boats they seemed most interested in. Of course, those were the more expensive boats.

The next day, I remember sitting in the kitchen when our host came in, furious. He picked up the phone and called. After a few seconds, I heard and knew the police were on the other end. He said, 'They got us. Our radio and other equipment are gone.' I felt horrible for them. Later that day, I asked my Dad if he could come with me to my spot and watch the sunset. My Dad and I walked and sat on the same bench, and I turned to him and said, 'I might know who robbed our host.'

My Dad, a CPA and a very bright man, turned to me and said, 'Prove it.' So I explained what I had observed, and after listening to me, he said, 'Let's go.' We walked briskly to the host's house, and my Dad explained what I had told him. We all then jumped into the car. I asked, 'Where are we going?' My host replied, 'To the Police Station.'

About ten minutes later, we were speaking with a Detective who looked at me and said, 'Well?' I told my story, but this time I added in all the details of the men and the van they were driving. The Detective challenged me along the way, and at one point, he asked me how I knew the men were less than six feet tall. I told him there were flags on the dock, and when I observed the men walking by, their heads were below the flags. I went on to tell the Detective that I was five feet eight inches tall, and my Dad was six feet even. My Dad's head was in line with the flags, and mine was below, so I assumed they were less than six feet tall. The Detective laughed and said, 'Smart young man,' while looking at my Dad.

The Detective then asked me if I had anything else that could help them, and I rattled off the van's license plate. I remember watching my Dad's, our host's, and the Detective's faces light up as if I had given them the winning lottery numbers. The Detective ran the plate and then told us he would be in touch.

The next day, the Detective came to our host's house and told us they would run a sting operation. That night, I remember watching Johnny Carson when there was a knock on the door. It was the Detective with our host's radio. He looked at me and said, 'Well done, young man,' and then drove off.

Those four qualities, it turned out, are precisely what forensic accounting requires. Credentials alone are not enough; character and judgment matter as well.

I did not know it then. But that moment on that bench, and everything that followed, was the beginning of a forty-year career in forensic accounting. Critical thinking to connect the evidence. Creative thinking to find the angle that no one else sees. The discipline to challenge your own perceptions before trusting them. And the love of the puzzle that keeps you at it when others have stopped looking. Those are the qualities that drew me into this profession and, more than four decades later, keep me here.

Putting the Freud in Fraud

Before there was a whiteboard covered in profiles, I kept asking a question the profession was ignoring: why do people who appear successful, respected, and outwardly ethical commit fraud? What is actually happening inside the person? And what does that mean for how we design programs to stop them?

I had been working through those questions in training sessions, seminars, and presentations since 2004. The ideas were tested in front of practitioners, refined through case work, and sharpened by years of conversation with investigators, auditors, and board members who were wrestling with the same gap I was seeing: programs built around circumstances, not people. In July 2011, I formalized those ideas in a white paper titled 'Putting the Freud in Fraud: Focus on the Human Element,' published by Crowe Horwath. The paper did not create the thinking. It memorialized it.

The central argument was one I had been making for seven years by then: anti-fraud programs that consider the behavioral and environmental factors common among white-collar criminals and their environments are more likely to either deter bad behavior or detect it before it is too late. The profession was spending enormous energy on controls and systems. I was spending my energy on people.

Much of what I know about the psychology of the white-collar criminal I learned not from textbooks but from Sam E. Antar, the former CFO of Crazy Eddie, the consumer electronics retailer whose fraud collapsed in 1987. Sam and I spent some time together over the years, talking about his past, working through what he did and why, and ultimately presenting our findings jointly in a series of seminars that became known as 'The Crook and the Crook Catcher.' The sessions were packed. Sam explained what he did and how he did it. I explained why that mattered and how we could use that information to build a better anti-fraud program. It was, to my knowledge, a genuinely unusual collaboration: a convicted white-collar criminal and a forensic accountant presenting their complementary perspectives on the same body of conduct to practitioners who needed to understand both sides of the table.

Antar was welcomed into a life of crime at age fourteen when he became a stock boy in the family business. As the CFO and a crafty CPA, he cooked the books for many years, skimming profits, evading taxes, laundering cash, and committing securities fraud. He used, in his own words, a combination of charm, moxie, and smoke and mirrors to pocket more than $100 million in fraudulent funds. He built what he himself called a wall of false integrity around himself. And when asked why he did it, he said, 'Crime was fun. I wanted to please the family and show loyalty.'

What those conversations made unmistakably clear was that Antar did not commit fraud out of desperation. He committed it because he was confident, competent, and completely unbothered by the moral weight of what he was doing. He was not a desperate employee responding to financial pressure. He was a predator operating from a position of arrogance and a moral compass that had been broken before he ever sat down at a ledger. He was, in other words, precisely the kind of person the Fraud Triangle could not explain, and the Fraud Pentagon™ was built to profile.

Years later, I had the opportunity to present at a conference alongside Andy Fastow, the former CFO of Enron. Interacting with Fastow at a private lunch and later listening to him speak about what he did, how he thought about it, and what the organizational environment around him made possible confirmed everything I had come to believe. The arrogance. The rationalization functioning not as a private internal monologue but as a shared institutional narrative. The competence required to build and sustain structures of extraordinary complexity. The Fraud Pentagon™ was not a theory I had constructed from the outside looking in. It was a framework built from the inside out, shaped by direct and extended engagement with the people it describes.

My 2011 paper identified two categories of elements that distinguished fraud perpetrators and their environments. Behavioral elements: lack of a moral compass, troubling relationships, deception, arrogance, and cleverness and creativity. Environmental elements: weak tone from the top, vulnerable culture, and a loose link between ethics and compensation. Those elements, developed through years of investigation and profiling, were the intellectual precursors to the Fraud Pentagon™'s five conditions.

In the fight against fraud, one must be skeptical, curious, and courageous enough to ask the tough questions and take the necessary steps to establish the accuracy, correctness, or truthfulness of information. Trust is a professional hazard, and you must verify, verify, verify to avoid being deceived.

That line, from the conclusion of the 2011 paper, remains the operating principle of my practice today. It is the thread that connects the dock bench in 1979 to the whiteboard in 2008, and to every fraud risk assessment and investigation I have conducted since.

A Whiteboard Exercise

By late 2008, I was a partner at Crowe Horwath LLP, leading the Fraud, Ethics, and Anti-Corruption practice. Bernie Madoff had just been arrested. The largest Ponzi scheme in history, amounting to $65 billion, involved decades of deception that hid in plain sight behind the most fundamental controls the profession could offer. External auditors. Regulators. Sophisticated investors. None of them caught it.

The conversation in the profession centered on the controls. The audit failures. The regulatory gaps. The systems that should have caught it. I was thinking about the man.

Because I had been thinking about men like him for years. Mickey Monus at Phar-Mor, whose fraud I first encountered early in my career and watched being dissected publicly. Walter Forbes at Cendant. Ken Lay, Jeff Skilling, and Andy Fastow at Enron. Bernie Ebbers at WorldCom. Richard Scrushy at HealthSouth. Dennis Kozlowski at Tyco. I had spent my career investigating the aftermath of catastrophic fraud, and I kept arriving at the same uncomfortable conclusion: Donald Cressey's Fraud Triangle did not explain these people.

Pressure, opportunity, rationalization. Cressey was right. Those three conditions are present in occupational fraud, and his foundational work from 1953 remains essential. But the Triangle was designed to explain the clerk who steals to cover a debt, not the executive who builds a criminal empire over fifteen years. It said nothing about what kind of person this is. Nothing about the specific human capacity required to execute and sustain deception at that scale. Nothing about the belief, genuine rather than performative, that the rules of the organization do not apply to them.

The deeper problem, which I have come to articulate more precisely over the decades, is that most anti-fraud programs start from the wrong place. They start with controls, work backward to risks, and rarely reach the perpetrator. The result is a program calibrated to the average employee and the average scheme, systematically unprepared for the sophisticated actors who commit the frauds that matter most. A fundamentally different kind of program starts from the perpetrator, not from the checklist.

So I went to my whiteboard. I picked up a marker and started building profiles: Madoff first, then the others, then several more. I spent more than a month at it, intermittently and relentlessly, asking the same question the Detective had asked me on that dock. Prove it. Find the pattern. Name the thing you are actually seeing. Two conditions emerged with unmistakable clarity: conditions that were present in every high-magnitude case and that Cressey's framework had never captured. Competence and Arrogance. Together, they became the foundation of the Fraud Pentagon™.

The Five Elements of the Fraud Pentagon™

The Fraud Pentagon™ is not a checklist. It is a profiling tool: a framework for understanding the human being behind the fraud, not merely the circumstances around it. Cressey was right that three conditions matter. I believe five do.

Pressure is the motivational force, the perceived need to act. It can be financial, professional, or simply greed. A useful lens I have applied in practice extends beyond financial pressure to include money as pure gain, ideology and entitlement, coercion by a more powerful actor, and ego: the need to demonstrate superiority. An assessment that focuses exclusively on financial pressure will miss the predator every time.

Opportunity is the one element present in every fraud, for every type of perpetrator. It primarily stems from the organization's design: weak segregation of duties, inadequate oversight by senior management, normalized workarounds, and complex transactions without clear ownership. But opportunity without the next two elements is inert. The right question is not simply where opportunity exists, but who in this organization has the capacity to exploit or manufacture it.

Rationalization is the internal architecture of justification: the story the perpetrator tells themselves before the act, not merely after it. It is a prerequisite, not an excuse assembled after the fact. The most common rationalizations involve temporal framing ('I'll pay it back'), entitlement ('They owe me'), minimization ('The company can afford it'), and moral equivalence ('Management does the same thing'). In our conversations and our joint presentations, Sam Antar made clear that he did not reason carefully about what he was doing. He acted, without particular concern. The rationalization had been woven into the business's culture long before any individual transaction occurred. Importantly, the predator does not require rationalization as the accidental fraudster does. This distinction matters enormously for program design: ethics training reaches the rationalizing accidental fraudster; it does not reach the predator, who requires a fundamentally different response.

Competence was the first new element that emerged from my whiteboard work. Not merely intelligence, but a specific operational capacity: the ability to override internal controls, to develop and sustain sophisticated concealment strategies, and to manipulate the social environment. To sell people on false realities. To build, as Antar called it, a wall of false integrity.

This is where the definition of an internal control matters precisely. An internal control is an action or process of interlocking activities designed to support the policies and procedures that detail the specific preventive, detective, corrective, directive, and corroborative actions required to achieve the desired process outcomes or objectives. A control is not a document. It is not a policy. It is an action. A competent fraudster understands this better than most compliance programs do, and designs around it accordingly.

Controls erode in predictable ways, and the competent fraudster exploits every one of them. Overrides and workarounds are the most direct: a control that someone with sufficient authority can bypass is not a control; it is a suggestion. People are fallible: controls executed by humans are subject to fatigue, inattention, and pressure. Time is an enemy: controls designed for a process that no longer exists or for a risk profile that has shifted provide false assurance. Judgments vary: controls requiring significant human discretion at the point of execution produce inconsistent results. Compensation creates tension: when a person's incentive is tied to an outcome that a control is designed to constrain, the control will lose. And access is the foundational vulnerability: excessive access to data, systems, or model parameters creates opportunity. In fraud risk assessment, identifying which individuals possess the competence to navigate and exploit all six of these vulnerabilities is as important as mapping their locations.

Arrogance was the second new element. An attitude of superiority and entitlement, a disposition that says company policies, internal controls, regulations, and the norms of decent conduct do not apply to this person personally, not as a rationalization assembled after the act but as a precondition that makes the act feel natural. After interviewing incarcerated former Enron CEO Jeffrey Skilling, Dr. Archelle Georgiou observed: 'Was he arrogant? Yes. But that's not a surprise. After all, arrogance springs from the same well of confidence that led him to the big chair at Enron.' In my years of profiling, arrogance and greed together account for more than seventy percent of the behavioral characteristics I consistently observed.

Four of the five elements are human factors. That is not a coincidence. It is the point. Books and records do not commit fraud. People do. The human is always in the loop.

The Fraud Pentagon™ must be used for profiling, never for stereotyping. The presence of any single element does not necessarily mean fraud is in play. But any combination of these elements increases the risk of fraud. Profiling is the systematic application of the five elements to specific roles and individuals to identify where access, authority, and behavioral profiles converge in ways that elevate risk. Stereotyping is the attribution of fraud risk based on demographic characteristics that have no logical connection to the Pentagon's elements. The distinction matters legally, ethically, and practically.

What the Fraud Triangle Could Not Explain

The Fraud Triangle has been the dominant framework in fraud risk management since the early 1990s. It was never designed as an anti-fraud tool. Critically, it describes only what I call the accidental fraudster: the otherwise law-abiding employee who succumbs to situational pressure. It does not describe the predator, the executive who entered the organization intending to exploit it, who possesses the technical sophistication to override controls and the contempt for organizational rules to believe they do not apply.

Designing a program around the Fraud Triangle means designing it around the less dangerous of the two perpetrator types.

U.S. courts have confirmed the Triangle's evidentiary limitations. In Haupt v. Heaps (2005), the appellate court found no precedent for adopting it as a reliable scientific method. In Travis v. State Farm (2005), Fraud Triangle expert testimony was excluded as resting on professional judgment rather than hard science. The Triangle fails as an evidentiary standard precisely because its elements exist in the perpetrator's mind rather than in the documentary record.

The Fraud Diamond, developed by Wolfe and Hermanson in 2004, added a fourth element called capability, an important step forward. The Fraud Pentagon™ adds both competence, which extends capability to include the social manipulation and control-override dimensions, and arrogance, which is entirely distinct from any element in the Diamond. Four human factors, rather than two, make the Fraud Pentagon™ a fundamentally more complete behavioral profiling instrument.

Advanced Meta-Model of Fraud

From the Meta-Model of Fraud to the Advanced Meta-Model of Fraud

The Fraud Pentagon™ answers why fraud happens and who commits it. But a complete anti-fraud architecture requires more than a perpetrator profile. It also requires a framework for understanding what the crime itself looks like: how it is executed, how it is hidden, and how the perpetrator converts the act into personal benefit. That is what the Triangle of Fraud Action provides, working through three elements.

The Act is the execution of the fraud itself, such as asset misappropriation, financial statement fraud, corruption, or cyber-enabled schemes.

Concealment is the deliberate effort to hide the act: false journal entries, fabricated invoices, altered records, destroyed documents, and, in today's environment, AI-generated synthetic records. Concealment is the most forensically powerful element of the three because it establishes intent. It transforms what might otherwise be characterized as an accounting error into provable fraud. Every investigation must prioritize documenting concealment precisely because of this evidentiary power.

Conversion is the transfer of benefit from the victim to the perpetrator. With few exceptions, perpetrators spend what they steal, which is why spending pattern analysis is a primary investigation technique. Non-monetary conversion (meeting performance targets, maintaining employment, and preserving reputation) must also be assessed for management-level fraud scenarios.

There is also a category of fraud that most programs miss entirely because they are designed only to protect the organization from fraud: fraud committed for the organization's benefit. Revenue is recognized before it is earned. ESG metrics are reported against methodologies that do not withstand scrutiny. Sales practices systematically mislead customers. Management estimates are consistently and directionally biased to serve short-term performance objectives. None of these requires senior leadership to authorize misconduct explicitly. They require only that incentive structures reward certain outcomes, that the culture tolerates the methods used to achieve them, and that the oversight function lacks both the independence and the professional skepticism to challenge what it is shown. An anti-fraud program that assesses only victimization has assessed only half the risk.

The question of how to bring these two bodies of analysis together productively, the why of the perpetrator and the what of the crime, was the challenge that led me to collaborate with two colleagues I have long respected: Dick Riley and Scott Fleming.

The three of us developed the Meta-Model of Fraud, published in Fraud Magazine in July/August 2018. The model was built around a simple but powerful structural insight: the Fraud Triangle sits on the left side, explaining why fraud occurs by profiling the perpetrator's psychological conditions; the Triangle of Fraud Action sits on the right side, explaining what happens when the fraud is executed; and between them sit the anti-fraud interventions, the governance structures, internal controls, and compliance mechanisms that either interrupt the flow from intent to criminal act or fail to do so.

The Meta-Model of Fraud answered a question the profession had not been asking clearly enough: what sits between the fraudster's decision to act and the organization's last dollar of loss?

But I kept returning to the left side of the model. The Fraud Triangle accurately described the accidental fraudster. It did not describe the predator. So I took the next step. I replaced the Fraud Triangle on the left side of the Meta-Model of Fraud with the Fraud Pentagon™, placing all five elements in the perpetrator profile at the model's heart. That substitution produced the Advanced Meta-Model of Fraud.

The distinction between the two models is not cosmetic. It changes what the program is designed to stop. The Meta-Model of Fraud profiles a perpetrator defined by situational conditions. The Advanced Meta-Model of Fraud, built around the Fraud Pentagon™, profiles a perpetrator defined by human character, capability, and disposition. A program calibrated to the former is systematically unprepared for the latter. That gap is where the most consequential frauds of the last two decades lived.

The Advanced Meta-Model of Fraud is the organizing architecture of my Anti-Fraud Playbook. Every component of that framework (governance design, fraud risk assessment methodology, control architecture, investigation protocol, and the feedback loop that closes the program into a continuous learning cycle) is positioned within the flow that runs from the left side of the model to the right. The Playbook proceeds from a single premise: an anti-fraud program that does not understand how fraud actually works cannot stop it.

Three Reasons This Matters

When I built those profiles in late 2008, I believed the Fraud Pentagon™ would help the profession catch up to the fraudsters it was consistently failing to anticipate. Years later, the urgency has only grown. Three developments converge to make the human element of fraud not merely relevant but essential.

First: governance failure has become endemic. FTX. Wirecard. Theranos. Silicon Valley Bank. Each case is different in its mechanics. Each is identical in its human profile. In every one of them, the Fraud Pentagon™'s five elements were present and pronounced. Sam Bankman-Fried admitted, 'I think I got a little cocky, more than a little bit.' John J. Ray III, the restructuring professional who stepped in at FTX, stated under oath: 'Never in my career have I seen such a complete failure of corporate controls and such a complete absence of trustworthy financial information as occurred here.' Elizabeth Holmes controlled 99.7 percent of Theranos' voting rights and appointed a board that, by design, was incapable of challenging her. Wirecard's CEO operated with such contempt for oversight that 1.9 billion euros in cash was declared not to exist.

These are not compliance failures. They are human failures of the precise variety the Fraud Pentagon™ identifies. They are also, in many respects, the same story Sam Antar shared with me: arrogance operating without accountability, competence deployed in the service of concealment, and an organizational culture that had confused the wall of false integrity around its leaders with genuine governance. The Fraud Pentagon™ does not just describe these people after the fact. Applied prospectively, in fraud risk assessments and board-level governance reviews, it identifies the conditions under which these people become dangerous before the first dollar disappears.

There is a structural dimension that most anti-fraud frameworks acknowledge obliquely but rarely state plainly. The conventional assumption is that misconduct flows upward: that fraud originates at the employee level, is detected by management, and is ultimately governed by the board. Field experience and an expanding body of evidence suggest the opposite is frequently true. The more power an individual holds, the less likely they are to face consequences for ethical lapses, and the more capable they are of overriding the controls designed to catch them. An anti-fraud program that relies on management to self-assess its integrity, report its failures, and calibrate its risk tolerance has confused the problem with the solution.

Second: artificial intelligence has not changed what fraud is. It has changed who can execute it. Deepfake video calls. Synthetic voices. AI-generated financial documents indistinguishable from genuine ones. In January 2024, a finance worker at Arup transferred $25.6 million across fifteen transactions after fraudsters used real-time deepfake technology to impersonate the CFO and multiple colleagues on a video call. No systems were breached. The only control that failed was human judgment.

What generative AI has done to the Advanced Meta-Model of Fraud is significant and specific. On the left side of the model, it has dramatically lowered the threshold for fraud at scale. The Fraud Pentagon™'s competence element once required years of organizational access and technical skill. Today, a bad actor with a browser and a prompt can fabricate a voice, synthesize a video call, and generate supporting documentation indistinguishable from genuine records. AI has also created a powerful new rationalization mechanism: the algorithmic alibi. When responsibility is diffused across systems and automated processes, each human participant feels less culpable. On the right side of the model, AI has elevated concealment sophistication to levels that the profession's detection tools were not designed to match. But AI also helps govern AI: automated multi-model validation can provide monitoring at a scale that human review alone cannot match. The answer is not more technology alone. It is more skepticism, continuously recalibrated, applied by humans who understand the human element. Trust is a professional hazard, and one must verify, verify, verify to avoid being deceived.

Third: the profession is still underequipped at the exact moment it matters most. External auditors detect approximately three percent of fraud despite being present in eighty-four percent of victim organizations. Tips detect forty-three percent, more than fourteen times as much. The research is consistent: auditors assess opportunity but neglect the behavioral elements. They evaluate control environments but avoid evaluating the people running them. Senior management's character and motivations are, by professional consensus, too complicated to assess, so they are not assessed at all. The Fraud Pentagon™ does not replace the Triangle. It completes it. And the Advanced Meta-Model of Fraud does not replace the original Meta-Model of Fraud. It extends it by bringing the full human profile of the perpetrator into the center of the analytical framework where it belongs.

Governance as the Invisible Infrastructure

The Advanced Meta-Model of Fraud's most important practical implication is that governance is not a passive function. It is the architecture that either interrupts the flow from perpetrator psychology to criminal execution or fails to do so.

Two organizational pathologies consistently undermine fraud risk programs that are otherwise architecturally sound, and they deserve to be named plainly because they are common, recognizable, and correctable.

The first is treating the fraud risk assessment and the compliance program more broadly as a documentation exercise rather than a genuine inquiry. The organization assembles the framework, completes the process, produces the deliverable, and files it. Controls exist on paper and receive favorable ratings in assessments, yet operate ineffectively in practice. Training is delivered and recorded, but not designed to change behavior. The investigation process is documented in policy but applied inconsistently when the subject is senior. In each case, the organization appears to have a fraud risk program without substance. This is more dangerous than having no program because it produces an institutional confidence that has not been earned.

The second pathology is subtler and more resistant to correction. It is the organizational tendency to avoid looking for fraud: not because leadership condones it, but because leadership is genuinely anxious about what a determined inquiry might reveal. Finding fraud means confronting the failure of controls that were represented as effective, the inadequacy of oversight that was represented as rigorous, and in some cases, the conduct of individuals whose tenure the organization has invested in protecting. The instinct to avoid that confrontation is understandable. It is also, in a well-governed organization, impermissible. Frauds thrive precisely in the spaces where no one is looking.

Both pathologies share a common corrective: treating the discovery of fraud as evidence of a functioning program, not as evidence of a failed one. The board and audit committee establish that standard by the quality of the questions they ask, the professional skepticism they bring to favorable management representations, and the seriousness with which they treat an absence of findings as a hypothesis requiring explanation rather than a conclusion requiring acceptance.

For decades, the governance conversation has been dominated by a phrase that sounds meaningful but demands almost nothing: tone at the top. If leadership says the right things and models the right values, the culture will follow. It is not wrong, exactly. But it is dangerously incomplete, and I have seen it fail in the most consequential ways across nearly four decades of forensic investigations and governance work.

The problem is that tone is atmospheric. Conduct is observable. What actually determines the health of an organization is not just what leaders project in all-hands meetings. It is what they do in the specific moments that matter, when someone brings them information they do not want to hear, when a subordinate raises a concern that is inconvenient, when acting on the truth carries a real cost. Those moments do not appear in values statements. They appear in investigations, consent orders, and congressional testimony. And they reveal something that tone never could: who a leader actually is under pressure.

I call it the Conduct Covenant™. It is the implicit obligation every leader carries, not to say the right things about integrity, but to demonstrate through consistent, observable behavior that candor is safe, that bad news is welcome, and that the messenger will not pay a price for delivering it. It is not a program or a policy. It either exists in practice, or it does not. You cannot audit a speech. You can audit conduct.

The Conduct Covenant™ and the Candor Chain™ are two sides of the same governance failure. The Candor Chain™ describes the journey that critical information takes as it travels from the person who first identifies a problem to the board or audit committee with the authority and the duty to act on it. At every organizational handoff along that journey, well-intentioned professionals make individually defensible decisions about how to frame, contextualize, and pass along what they know. They soften the language. They add qualifications. They lead with the resolution rather than the concern. Cumulatively, they can transform a material red flag into a routine update or eliminate it from the conversation entirely.

The Conduct Covenant™ is the tensile strength of the Candor Chain™. Without it, the chain does not bend. It breaks. Every link in that chain, from the employee who first identifies a problem to the executive who decides whether to escalate it, is making a judgment call about whether the truth is safe to pass along. That judgment is not made in a vacuum. It is made in the context of every prior signal leadership has sent about what happens to people who deliver bad news. When the Conduct Covenant™ is strong, the chain holds. When it is broken, no hotline, no open-door policy, and no speak-up campaign will save it. The chain fails not at the bottom, where someone finally stays silent. It fails at the top, where conduct has already made silence the rational choice.

This is why the conventional answer, “build a stronger speak-up culture,” misses the point entirely. The Candor Chain™ is not a theory about people who lack courage. It is a theory about how organizations, staffed by otherwise honest people operating under real professional and social pressures, systematically produce boards that are the last to know and the first to be blamed. And the Conduct Covenant™ explains why. When leaders have historically responded to bad news by minimizing it, delegating it into oblivion, or signaling through their reaction that certain truths are unwelcome, the organization learns. It adjusts. And the chain breaks not because people lack courage but because, somewhere above them, the Conduct Covenant™ was already broken.

One concept I have found consistently underappreciated in governance discussions is what I call the Candor Chain™: the integrity of information flow through organizational hierarchies. Tone at the top matters only if the information that reaches the top is accurate.

The Candor Chain™ operates through six phases, each of which progressively dilutes information before it reaches the people who need it. At Detection, someone at the front line sees something wrong: an anomalous transaction, a pattern of failures, or a complaint heard repeatedly. At Translation, the raw observation is converted into organizational language, and the emotional urgency begins to fade. At Contextualization, middle management adds qualifiers and explanations that rationalize the concern into something manageable. At Termination, a manager makes the most dangerous judgment call of all: this does not need to go any higher. At Aggregation, whatever survives is rolled into broader reports where the specific becomes general and the urgent becomes routine. At Presentation, what reaches the board is sanitized, summarized, and framed for palatability rather than accuracy. No one lies. Each link in the chain acts rationally. But the chain either converts a warning into a reassurance or kills it before it ever reaches the people who needed to hear it.

But the six phases describe only what happens after someone decides to report. The more fundamental question is why signals never enter the chain at all. Research on organizational silence documents a collective condition, not merely an individual one: a shared, unwritten, and deeply held understanding of what can and cannot be said. A single retaliatory action against a truth-teller does more to suppress candor across an organization than a hundred speeches about openness. The organization that counts the absence of reported problems as evidence of program health may be measuring the depth of its silence rather than the quality of its controls.

After every significant investigation, the Candor Chain™ diagnostic must be applied as a required analytical step in the root cause analysis. Not just what went wrong and why, but where in the organization the information about what was going wrong existed and why it did not travel. In nearly every governance failure I have examined over four decades, the fraud that finally surfaced was not the first signal. It was the signal that survived.

Root cause analysis is the most important analytical product of the post-investigation process and the gateway through which investigation findings become program improvements. An organization that investigates fraud thoroughly but remediates superficially is preparing to be defrauded again by the same scheme, through the same control gap, by the same type of perpetrator who exhibited the same red flags as before. The root cause analysis must trace not just who committed the violation, but also what organizational conditions made it possible and what must change structurally to prevent its recurrence.

Before a board asks management whether an anti-fraud program exists and receives a reassuring answer, it should ask the harder question: does the program actually understand how fraud works in this organization, against this control environment, perpetrated by actors with this level of access, authority, and sophistication? That is the question that separates genuine fraud risk governance from mere appearance.

A Note on Attribution

I developed the Fraud Pentagon™ beginning in 2009 during my tenure at Crowe Horwath LLP, where I led the Fraud, Ethics, and Anti-Corruption practice. The framework is protected under U.S. Copyright Registration No. 1-13910038981. I developed it, not the firm. Crowe published my work and provided the platform, and I am genuinely grateful for that. But the intellectual work, the whiteboard, the month of profiles, and the two elements that changed the shape of the theory belong to me personally. The behavioral and environmental framework underlying the Fraud Pentagon™ was developed and presented in training sessions and seminars beginning in 2004, seven years before 'Putting the Freud in Fraud' was published. The same principle applies to all of my Crowe-published work: 'Putting the Freud in Fraud' (2011), 'Playing Offense in a High-Risk Environment' (2009/2014), and 'Setting the Tone at the Top' (2009); all were published through Crowe, and all were developed by me.

The Meta-Model of Fraud and the Advanced Meta-Model of Fraud were developed and published with Dick Riley and Scott Fleming, and I am proud of that collaboration. The distinction between the two models and the specific intellectual act of inserting the Fraud Pentagon™ into the Meta-Model of Fraud to produce the advanced version is a distinction worth preserving clearly in the literature. The Advanced Meta-Model of Fraud also serves as the foundation for my Anti-Fraud Playbook.

A substantial body of academic literature cites the Fraud Pentagon™ as 'Crowe Horwath (2011)' rather than citing me personally, a mechanical error born of institutional publication norms that has compounded across hundreds of papers and thousands of citations.

If you have applied this theory in your research or practice, please cite it correctly:

Marks, J. T. (2009/2010). Playing Offense in a High-Risk Environment: A Sophisticated Approach to Fighting Fraud. Crowe Horwath LLP.

And if you would like to share how you have applied it, whether in a risk assessment, a governance conversation, a case, or a classroom, I would genuinely welcome hearing from you.

A Closing Thought

The Detective on that dock bench turned to a twelve-year-old boy and said, 'Well done, young man.' I have never forgotten the look on his face.

What that day gave me was not a career direction. It gave me a way of seeing. The conviction that observation matters, that detail matters, that challenging your own perceptions matters, and that the puzzle, however uncomfortable its answer, is always worth solving.

The Fraud Pentagon™ is that conviction applied to forty years of the most consequential fraud cases of our time. The human element determined the outcome in every one of them.

It still does.

With gratitude and purpose,

Jonathan T. Marks, CPA, CFE, MBA, NACD Board Fellow

Developer: Fraud Pentagon™ | Meta-Model of Fraud | Advanced Meta-Model of Fraud | Enterprise Risk Resilient Ecosystem | Candor Chain™ | Conduct Covenant™ | Business Fraud Risk Framework

U.S. Copyright Registration No. 1-13910038981

Jonathan T. Marks

Fraud, Forensic, Governance, Risk, and Compliance Strategist

https://jtmarks.com