The sensational bribery and corruption cases all over the news recently mean that tone at the top as a concept is yet again in the eye of the financial press. Journalists of every stripe and persuasion opine on its importance as a vital control but always seem to fall short on the specifics of just how the notion can be practically applied and its strength evaluated once implemented. One of the problems is that there are so many facile definitions of the concept in popular use. The one I like the most is one of the simplest declaring it to be the message, the attitude and the ethical culture the board of directors and upper management disseminate throughout the organization. It’s best described as the consistency among statements, assertions and explanations of the management and its actions. In summary, tone at the top is seen by some as a part of and by others as equal to the internal control environment.
The rub comes in because tone at the top is not only far more complicated than the above definition would lead a casual reader of trade press articles to believe, but also because its invisible to the standard tests of an outside auditor or fraud examiner. So a baseline would be a valuable addition not only for fraud examiners and financial auditors, but also for all types of assurance professionals.
To determine a baseline, one first needs to define the different aspects of the target concept. Thus, a baseline might provide reviewers with a starting point to begin improving their analyses of tone at the top. ACFE studies of hundreds of companies tell us that an enriched tone at the top can not only prevent fraud through its implementation of a well-functioning internal control system, but can also have a positive impact on the financial results of an organization. Organizations with an effective corporate governance policy just perform better than those that don’t. In my own practice as an auditor and fraud examiner, I’ve found COSO’s Enterprise Risk Management (ERM) a useful framework to use in the actual practice of evaluating the effectiveness of internal controls (including tone at the top) during fraud risk assessments.
Tone at the top is based on two schools of thought in management literature: the corporate governance school and the management control systems (MCS) school. These schools of thought share three fundamental theories: the agency theory, the transaction cost economics theory and the stakeholder theory. The agency theory views an organization as a nexus of contracts. Separation of ownership and control is essential for this theory. The agent (the manager) is in control of the organization; however, he or she does not own the organization; the organization is owned by the principal (stakeholders). Measures (i.e., corporate governance) need to be taken to ensure that the agent will strive to achieve the goals of the principal.
Transaction cost economics (TCE) is based on the concepts of bounded rationality and of homo economicus: a person chooses the best option based on the available information. TCF aims to explain how firms are formed. Firms are created to minimize transaction costs. The domain of TCE has proven useful to explain management control structures. The performance evaluation needs to be behavioral based, with non-financial subjective measures. Output controls are low with TCE. Individual contributions to the organization (individual performance) are analyzed as the outcomes of contracts between the employer and the employee.
The stakeholder theory is based on the belief that besides shareholders, there are others with interest in the organization. Corporate governance should not only solve conflicts between management and shareholders but also between the organization and other stakeholders. Tone at the top represents a form of cultural control to the MCS school. Cultural controls stimulate employees to monitor and stimulate each other’s behavior. Cultural controls rely on group pressure; if a person deviates from the group’s values, the group will put the person under pressure to convert him or her back to the dominant values. Cultural controls are usually translated in corporate governance codes. Corporate governance codes are mainly formulated to prevent/minimize fraudulent activities in organizations by means of internal control. Five methods of cultural controls, namely code of conduct, group rewards, transfers, physical and social controls, and tone at the top have been identified.
Tone at the top forms an important part of corporate governance codes. Management behavior should coincide with the culture it tries to form; managers fulfill an example function. An important factor is implementing and operating a whistleblower policy; if staff at any level observes fraudulent activities they can report them and be protected against possible retaliation.
Each of our above theories concludes that an organization needs to have a corporate governance code to minimize transaction cost, manage stakeholder interest and, thereby, increase shareholder value. However, recent well publicized corruption cases have led to calls in the popular press for a more formal approach. So, what might such a formal, COSO based, approach look like?
First, management and the CEO need to demonstrate inspiring leadership, set the right ethical example and focus on people skills. They also need to display integrity. Their risk awareness, actions and messages need to coincide with the dominant culture. It is also important for managements to formally commit to competence.
As to culture, an independent and active risk culture is necessary for tone at the top to be successful. Also, employees need to be empowered to make the right decisions. The reward systems and the culture need to reward desired behavior and be compliant with the norms. In the event of something going wrong despite these cultural aspects, there needs to be an effective policy present to protect whistleblowers.
Finally, the risk appetite should be linked to the strategy. The supervisory board needs to be independent, active and involved. Responsibilities need to be defined, and management needs to receive adequate information.
All three of the above aspects are an integral part of what the experts currently define as tone at the top. According to the ACFE, tone at the top can assist in averting fraud throughout every level of an organization. It’s, therefore, necessary to include its assessment in the scope of the fraud examiners fraud risk assessment and to formally schedule its periodic re-evaluation.