Category Archives: Tone at the Top

Tone Deaf

The sensational bribery and corruption cases all over the news recently mean that tone at the top as a concept is yet again in the eye of the financial press. Journalists of every stripe and persuasion opine on its importance as a vital control but always seem to fall short on the specifics of just how the notion can be practically applied and its strength evaluated once implemented. One of the problems is that there are so many facile definitions of the concept in popular use. The one I like the most is one of the simplest, declaring it to be the message, the attitude and the ethical culture the board of directors and upper management disseminate throughout the organization. It's best described as the consistency among the statements, assertions and explanations of management and its actions. In summary, tone at the top is seen by some as a part of, and by others as equal to, the internal control environment.

The rub comes in because tone at the top is not only far more complicated than the above definition would lead a casual reader of trade press articles to believe, but also because it's invisible to the standard tests of an outside auditor or fraud examiner. So a baseline would be a valuable addition not only for fraud examiners and financial auditors, but also for all types of assurance professionals.

To determine a baseline, one first needs to define the different aspects of the target concept. Thus, a baseline might provide reviewers with a starting point to begin improving their analyses of tone at the top. ACFE studies of hundreds of companies tell us that an enriched tone at the top can not only prevent fraud through its implementation of a well-functioning internal control system, but can also have a positive impact on the financial results of an organization. Organizations with an effective corporate governance policy just perform better than those that don’t. In my own practice as an auditor and fraud examiner, I’ve found COSO’s Enterprise Risk Management (ERM) a useful framework to use in the actual practice of evaluating the effectiveness of internal controls (including tone at the top) during fraud risk assessments.

Tone at the top is based on two schools of thought in management literature: the corporate governance school and the management control systems (MCS) school. These schools of thought share three fundamental theories: the agency theory, the transaction cost economics theory and the stakeholder theory. The agency theory views an organization as a nexus of contracts. Separation of ownership and control is essential for this theory.  The agent (the manager) is in control of the organization; however, he or she does not own the organization; the organization is owned by the principal (stakeholders).  Measures (i.e., corporate governance) need to be taken to ensure that the agent will strive to achieve the goals of the principal.

Transaction cost economics (TCE) is based on the concepts of bounded rationality and of homo economicus: a person chooses the best option based on the available information. TCE aims to explain how firms are formed. Firms are created to minimize transaction costs. The domain of TCE has proven useful to explain management control structures. The performance evaluation needs to be behavior-based, with non-financial subjective measures. Output controls are low with TCE. Individual contributions to the organization (individual performance) are analyzed as the outcomes of contracts between the employer and the employee.

The stakeholder theory is based on the belief that besides shareholders, there are others with an interest in the organization. Corporate governance should not only solve conflicts between management and shareholders but also between the organization and other stakeholders. Tone at the top represents a form of cultural control to the MCS school. Cultural controls stimulate employees to monitor and stimulate each other's behavior. Cultural controls rely on group pressure; if a person deviates from the group's values, the group will put the person under pressure to convert him or her back to the dominant values. Cultural controls are usually translated into corporate governance codes. Corporate governance codes are mainly formulated to prevent or minimize fraudulent activities in organizations by means of internal control. Five methods of cultural control have been identified, namely code of conduct, group rewards, transfers, physical and social controls, and tone at the top.

Tone at the top forms an important part of corporate governance codes. Management behavior should coincide with the culture it tries to form; managers fulfill an example function. An important factor is implementing and operating a whistleblower policy; if staff at any level observe fraudulent activities they can report them and be protected against possible retaliation.

Each of our above theories concludes that an organization needs to have a corporate governance code to minimize transaction cost, manage stakeholder interest and, thereby, increase shareholder value. However, recent well-publicized corruption cases have led to calls in the popular press for a more formal approach. So, what might such a formal, COSO-based approach look like?

First, management and the CEO need to demonstrate inspiring leadership, set the right ethical example and focus on people skills. They also need to display integrity. Their risk awareness, actions and messages need to coincide with the dominant culture. It is also important for management to formally commit to competence.

As to culture, an independent and active risk culture is necessary for tone at the top to be successful.  Also, employees need to be empowered to make the right decisions.  The reward systems and the culture need to reward desired behavior and be compliant with the norms.  In the event of something going wrong despite these cultural aspects, there needs to be an effective policy present to protect whistleblowers.

Finally, the risk appetite should be linked to the strategy.  The supervisory board needs to be independent, active and involved.  Responsibilities need to be defined, and management needs to receive adequate information.

All three of the above aspects are an integral part of what the experts currently define as tone at the top. According to the ACFE, tone at the top can assist in averting fraud throughout every level of an organization. It's, therefore, necessary to include its assessment in the scope of the fraud examiner's fraud risk assessment and to formally schedule its periodic re-evaluation.

Before It Happens

Register Today for Investigating on the Internet May 18-19 2016 RVACFES Seminar!

An attendee at our summer seminar on fraud prevention last year reported that she had become quite discouraged by the amount of in-house fraud her auditors were detecting among the employees of the overseas subsidiary of her non-profit organization. She asked our speaker, Chris Rosetti, what he would recommend to head off what seemed like a growing number of defalcations that were costing her firm large amounts of time and money to investigate and, in some cases, to prosecute. Chris told her it was always motivation that drives employees to commit fraud, and that motivation can take many forms, ranging from family needs to a desire to keep up with a colleague's lifestyle. Often, employees' motivation to commit fraud depends on how they perceive they're being treated by their employers. Nevertheless, there are many ways any management can minimize employees' motivation to commit fraud. Some common methods include increasing morale, implementing employee support programs, creating a culture of high ethical standards, rewarding loyalty, establishing an open-door policy, and reducing pressures to make the numbers.

Fraud occurs less frequently when individuals feel positively about their employers than when they feel abused, threatened, or ignored. Negative workplace environments diminish morale and can affect employees' attitudes about committing fraud. Employees who consider themselves to be unfairly treated are more prone to commit fraud. Accordingly, increasing employee morale can be a powerful tool in decreasing employees' motivation to commit fraud. Chris recommended that our questioner's management might consider steps like the following relatively low-cost ways to boost employee morale in the overseas subsidiary …

–Provide organization-sponsored social events;
–Routinely recognize employees for good work and make the recognition a big deal, taking time to really celebrate accomplishments;
–Offer flexible work arrangements to the greatest extent possible;
–Exhibit a strong ethical tone at the top;
–Engage individual contributors in the decision-making process;
–Listen closely to employee grievances and settle them as soon as possible;
–Tune into employees’ emotional needs;
–Offer competitive compensation and benefits;
–Show employees the results of their work.

Chris went on to emphasize that competitive compensation and benefits are especially important for increasing employee morale. Perceived inequities between a home office and a subsidiary in compensation and benefits policies can contribute to fraud, and less-than-competitive compensation is always a negative factor that can increase the risk of fraud. The ACFE reports that employees who feel adequately compensated for their work are less likely to commit fraud against their employers. Management should compare its organization's compensation structure with those of its competitors to ensure that its employees are not underpaid.

On the flip side, management should reduce the following factors, which the ACFE has identified as detracting from a positive work environment:

–Top management who do not seem to care about or reward appropriate behavior;
–Negative feedback and lack of recognition for job performance;
–Perceived inequities in the organization;
–Autocratic rather than participative management;
–Low organizational loyalty or feelings of ownership;
–Unreasonable budget expectations or other financial targets;
–Fear of delivering bad news to supervisors or management;
–Less-than-competitive compensation;
–Poor training and promotion opportunities;
–Lack of clear organizational responsibilities;
–Poor communication practices or methods within the organization.

Chris went on to say that many organizations have begun to realize the benefit of employee support programs. Support programs are designed to help employees cope with personal problems that might motivate them to commit fraud or adversely affect their work performance, health, and well-being. These programs generally include assessment, short-term counseling, and referral services for employees or their family members.

These programs can provide support for a range of issues, including:

–Substance abuse;
–Emotional distress;
–Major life events, including births, accidents, and deaths;
–Health care concerns;
–Financial or legal concerns.

If organizations can offer employees a means to address such issues, they might be able to prevent fraud by those who are suffering. Providing safe outlets for coping can reduce an employee's motivation to commit fraud.

Creating a culture of high ethical standards is a necessary component of any fraud prevention program. That is, management must be committed to preventing fraud, and it must build an ethical environment. The tone at the top, which is created by the organization's leadership, refers to the ethical (or unethical) atmosphere in the workplace. According to Chris, whatever tone top management sets will have a trickle-down effect on employees. If the tone set by managers upholds ethics and integrity, employees will be more inclined to follow those same values. But if management appears unconcerned with integrity and focuses solely on the bottom line, employees will be more prone to engage in corrupt activities because they feel that ethical conduct is not a focus or priority within the organization.

Organizations that cultivate ethical cultures frequently encompass strong governance practices, such as:

–Free information flow;
–Employee access to multiple layers of management and effective control of a whistleblower hotline;
–Effective senior management team (including chief executive officer, chief financial officer, and chief operating officer) evaluations, performance management, compensation, and succession planning;
–An employee code of conduct that is clear, concise, and communicated;
–A code of conduct specific for senior management.

An ethical organization culture also includes management assurance of ethical considerations in hiring, evaluating, promoting, and earning policies for employees, as well as ethical considerations in all aspects of the entity's relationships with customers, vendors, and other stakeholders. Ethical organizations will also address issues of ethics and the impact of ethical behavior on their strategies, operations, and long-term survival. The level of management's commitment to these areas varies widely and directly affects the fraud risk profile of an organization.

Rewarding employees for their loyalty might reduce the likelihood of fraud, but this type of morale-boosting activity, according to Chris, can be successful only if the organization has an ethical culture. From a fraud prevention point of view, it's probably more important that management establish an open-door policy to minimize employee pressures. Having an open-door policy gives employees an opportunity to voice their concerns and feel heard. Employees who feel empowered and valued as members of a team might feel a sense of loyalty to their organization and will be less inclined to commit fraud against their employer. Likewise, if employees can speak freely, managers will understand the pressures facing their employees and might be able to eliminate or reduce them.

Finally, Chris recommended reducing the pressures on employees to "make the numbers at any cost". This alone can reduce the likelihood of fraud. One way to reduce pressures is to provide performance-based compensation rather than profit-based or revenue-based compensation. When compared to profit- or revenue-based compensation, performance-based compensation, such as bonuses calculated as a function of clearly set performance indicators, can reduce the motivation to cut corners, cheat, or fraudulently make the numbers. In some industries, it's possible to tie compensation only to sales or profits. When this is done, it's important to monitor staff performance closely, and management must encourage ethical behavior on a regular basis.

Global Storm Clouds Rising

The recent turbulence in the global financial markets is raising the by-now-too-familiar questions in the trade press. Who is managing the risk? Where is the oversight? Could this financial turmoil have been avoided if the associated risks had been managed more proactively? "Manage" has a positive connotation, implying that someone is in control, as in "The governor is managing the coastal flooding event." "Risk" has a negative connotation, implying a lack of control, as in "An unattended gun puts lives at risk." Risk is everywhere and can be an opportunity or a threat. Although an effective risk management system cannot provide absolute assurance that events such as the current unsettled market situation will not occur, it can, at the least, lend confidence that the key risks will be identified and dealt with in a timely manner.

As a first step, understanding the structure and dimensions of ideal risk management can support common understanding and effective implementation by management and an adequate fraud risk assessment effort by CFEs and other assurance professionals. Management must understand the key vulnerabilities of the business model and establish risk expectations, which can then be incorporated into business practices. Likewise, CFEs must understand and consider the context of those expectations in their periodic fraud risk assessments. A thorough management understanding of fraud risk also improves the quality of any subsequent investigation of financial irregularities, as it creates a standard against which to compare management's due diligence efforts. Although it may be difficult for your individual clients to identify ideal standards for risk management, addressing some fundamentals can help frame those ideals.

Regulatory, market, and fraud risks are common and familiar to CFEs, who are used to identifying these external events and asking "What if" questions: What if this process is not in compliance? What if a fraud were to occur as a result? Inside counsel and auditors often encourage management to address these types of risks immediately, which can result in operational silos dedicated to addressing a single significant fraud risk. However, these single events are only part of the picture. What about process efficiency risk, process design risk, system implementation risk, data integrity risk, skill-set risk, and the myriad other internal risks that, from the CFE's informed perspective, impact operations and fraud prevention? In the end, a risk is only important if it affects achievement of strategic and business objectives. Both external and internal risks can be placed in the context of their impact on business objectives. The strategic and objective framework must be defined and understood if an organization is to gauge the impact of the risks confronting it. The simplest way to define this framework is to start with the strategy and identify who is accountable for its parts. The framework is further defined as interviews with senior management reveal its objectives and accountability. The process continues until the framework has been constructively defined down to a level relevant for any external or internal risk. Relevance is determined by the fraud risk's ability to impact key elements of the framework. The framework provides a formal structure for ensuring strategic achievement.

Fraud risk management requires adequate identification of general risks and an awareness of existing vulnerabilities. Failure to do so can have dire consequences, as the ever-increasing volume of recent fraud cases attests. A century ago, modern soldiers recognized that good weapons were important to survival. However, realizing the value of tanks and exploding shells was only one element of effective risk management. Another was assessing the quality of the armor tanks carried into battle. No general would order a tank advance without adequate vehicle armor. An army with limited protection would avoid or delay battles while its vehicles were being adequately fitted. Likewise, as an organization pursues its objectives, it must understand its strengths and vulnerabilities. Organizations cannot charge into daily economic battles without both weapons for success and armor to manage their inherent risks. Historically, assurance professionals have operated in a black-and-white world – a control is either present or absent, effective or ineffective. Although this may work for compliance or financial reporting objectives, it doesn't help management effectively improve governance, risk management, or overall fraud prevention. Because business operations mature over time, the critical anti-fraud controls must mature with them. So if operations and controls mature over time, how does an organization organize the current state of affairs to avoid fraud vulnerabilities?

It’s important for fraud prevention to evaluate how effectively current business processes are supporting the achievement of strategic and business objectives. This evaluation will provide insights into the overall maturity of the fraud prevention controls that are in place to manage key risks. If the objective is to attack, yet the process or control maturity shows insufficient strength, it’s likely that the risk appetite of the general exceeds that of his government and country. Risk becomes more manageable with a framework of key risks in the context of key objectives and process/control maturity.

Business process and control vulnerability to fraud can be measured by defining high-level management controls that illustrate what management is doing to achieve its strategic and business objectives. By this point organizations should understand the strategy and objectives and be aware of their people, process, and technology capabilities; but this alone does not provide an overall understanding of fraud control maturity. Because maturity implies sustainability, it’s important to concurrently understand just how capable or strong the systems of control are. One way to begin creating a control maturity perspective is to look at what management is currently doing to ensure it achieves its objectives.

  • Does management have formal fraud prevention objectives that are well-written and communicated?
  • Is accountability clearly established?
  • Have metrics been set to measure the progress of those who are accountable?
  • Is existing reporting capable of illustrating the metric?
  • Are the information and communication channels adequate?
  • Does the tone at the top champion ethical behavior?

Frank answers to these types of simple questions help determine whether the CFE’s client organization is closer to the top, middle, or low levels of management fraud control maturity. This determination can help the organization identify gaps between its current level of maturity and the desired level so that actions can be prioritized to address the largest gaps. The answers to these questions can also help determine how formally objective achievement is being managed. They also provide a window into process capabilities and indicate the degree to which these capabilities are aligned with objective achievement. Informal alignment can create vulnerabilities. Management fraud control maturity is by no means the ultimate tool, but it provides a bridge in assessing risk management vulnerabilities.

All CFEs have a role in educating senior management and the board (if there is one) about effective fraud risk management and irregularity prevention. Risk management means many things to almost everyone, yet communicating a few basic principles to clients will help CFEs not only be successful but will provide the foundation for a program of robust fraud risk assessment. These principles help define a framework for valuing risk, assessing vulnerabilities, and determining the necessary steps for improving management fraud control maturity. Taken together, they can help any client organization improve the management of its overall risk and fraud prevention program.

Singing into the Hurricane

During the last few weeks, when I can find the time, I've been reading chapters of former Fed Chairman Ben Bernanke's recent book on the financial crisis. It's a sobering experience. What's most striking to me as a fraud examiner and auditor is how apparently flawed the corporate cultures of the banking and insurance firms involved in the crisis were. But tone at the top and culture weren't problems for banks and insurance companies alone, as the book makes clear. Time and again, boards across America apparently decided what the tone in their organizations should be, but seemed to fail to communicate it to people lower down the chain. Perhaps their audience didn't understand the message. Perhaps staff members just decided to ignore it. Other times the message was completely clear, and adhered to by everyone, just completely wrong ethically, and that individual business, along with so many others, simply sailed ahead on a fixed collision course with the whirlwind.

The Chairman makes clear that the challenge is not only to set the right tone at the top, but also to ensure that it's in harmony with what he calls the 'tune in the middle' – the unwritten real-world rules that describe how people further down the organization should behave and work. For a business to thrive – or to simply survive – everyone in the organization needs to sing from the same piece of ethical sheet music. On page after page of Bernanke's book, as the unfolding of the crisis was described, it occurred to me again and again that there's a lot CFEs and other control assurance professionals can do to assist our clients to forestall the risk of any future, similar crisis.

I think the first time I saw the term ‘tone at the top’ was in a 1987 report on fraudulent financial reporting from the Treadway Commission, which paved the way for the commission’s Committee of Sponsoring Organizations’ (COSO’s) Internal Control-Integrated Framework.  As I recall the framework said, and still says, the CEO has to take ownership of the organization’s control system. Part of the CEO’s responsibility is to set a tone at the top that will enable a positive control environment. That includes providing direction to senior managers and checking how they’re controlling the business. Senior managers, in turn, assign responsibility for more specific internal control policies and procedures to their subordinates. The idea is that the right tone will cascade all the way down through the organization, from top to bottom. But the CEO isn’t the only person responsible for setting the tone. COSO says the full board and audit committee (if there is one) have an important role, as well.  Eventually, further COSO guidance, published for small public companies, fleshed out what a good tone at the top might sound like. And in its most recent guidance on monitoring controls, COSO puts even more emphasis on tone at the top. All COSO publications stress the importance of establishing a culture in which managers are aware of the risks in their part of the business, monitor the controls designed to mitigate them, and take action if those controls aren’t working.

There's no shortage of guidance on what a good tone at the top should look and sound like, yet this remains, for Bernanke, an issue that many organizations, to this day, still get badly wrong. The banking and insurance sectors are just one example. Official reports into the causes of the credit crunch, like the Chairman's and like the one published years ago by the Financial Stability Forum, a group of central bankers, criticize banks for their poor risk management and point to organizational cultures that failed to recognize the importance of risk management and internal control functions. Many of the banks that failed literally "dis-empowered" their risk functions.

A lack of support for the value of risk and control functions wasn't the only indicator that tone at the top in the financial industry had gone generally awry. Another significant one is the controversy over executive pay in the sector. According to Bernanke, the size of bankers' pay awards and bonuses, the apparent failure to link rewards to performance, and the refusal to forgo or repay bonuses led to the current global political drive to reintroduce a degree of control over pay. Directors' pay is the litmus test of tone at the top, because pay is the most significant issue over which the interests of shareholders can directly conflict with those of boards of directors. The former want pay levels set in the company's best long-term interests, while the directors must fight the temptation to line their pockets with short-term rewards. Any company with a chief executive whose pay is considered offensive by colleagues, owners, or the wider society has failed that fundamental test.

And the nature of the financial crisis, according to the Chairman, also tells us something else generally about tone at the top in the financial services industry. While the rocket scientists inside banks and insurance companies were inventing increasingly complicated financial products, their boards failed to ask the intellectually naive but important questions that might have told them that trouble was brewing.  These would have been simple questions, such as “Do housing prices always go up?” and “Can we always trust the opinions of rating agencies?” In failing to ask such questions, boards set a tone of what Bernanke styles “mindless compliance” – and it’s this tone that cascaded down the organization. That meant that the tune in the middle was not right. Middle managers weren’t applying their minds, only singing into the storm. For banks, this failure of middle management’s tune was as damaging as the poor board-level tone. Clearly, culture isn’t just a question of what board directors say and do; there are leaders throughout every part of the organization.  They range from heads of departments, business unit directors, and project team managers, to shop floor supervisors and shift leaders. Every one of them sets an example, for good or bad. Wherever there is someone in a leadership role, there is an opportunity for a gap to emerge between the stated aspirations of the board and what actually happens.

Tone at the top is often categorized as an issue of business ethics (we've repeatedly so categorized it in this blog), but the example of the banking and insurance industries during the crisis demonstrates that it's clearly about more than just that. Ethics are universal, applying to all companies: don't steal, act honestly, and don't mislead the board. Tone at the top includes how the company should relate to all of its stakeholders, such as its employees, shareholders, suppliers, customers, and the wider community. So tone at the top symbolizes what the leadership of the business believes the ethical priorities are for that business at this point in time. It's a question of how senior people expect the organization to be run and organized. That would include the kind of ethical conduct that Bernanke describes, but also the reputational risk appetite associated with every individual project and product sale.

To my mind, Ben Bernanke's book is the very best on the financial crisis for financially literate readers. I wholeheartedly recommend it as a must-read for all practicing fraud prevention and control assurance professionals.