In its October 1987 report, the Treadway Commission discussed a number of factors that cause fraudulent financial reporting and provided recommendations to assist companies and their advisors in avoiding fraud. The Treadway Commission focused in particular on “tone at the top.” As the Treadway Commission found:
The tone set by top management—the corporate environment or culture within which financial reporting occurs—is the most important factor contributing to the integrity of the financial reporting process. Notwithstanding an impressive set of written rules and procedures, if the tone set by management is lax, fraudulent financial reporting is more likely to occur.1
In the 22 years since the Treadway Commission issued its report, there have been many examples of companies that ignored the counsel of their auditors and attorneys, disregarded their own internal procedures, and proceeded to engage in inappropriate and unlawful conduct. In many of these examples, the answer to the question of why the company acted as it did can be found by analyzing the tone top management set for its employees.
COSO (the Committee of Sponsoring Organizations of the Treadway Commission) also underlines this in its Enterprise Risk Management Framework (COSO ERM), in which tone at the top is a central concept.
What is tone at the top? It is the message, the attitude and the culture the board of directors disseminates throughout the organization. It is best described as the consistency among statements, assertions and explanations of the management and its actions. Tone at the top is seen by some as a part of and by others as equal to the internal control environment.
Tone at the top is not only complicated, but also almost invisible to an outside auditor. A baseline would be a valuable addition not only for financial auditors, but also for IT auditors (internal or external). However, to determine a baseline, one first needs to define the different aspects of tone at the top.
A baseline gives organizations a starting point from which to improve their tone at the top. A strong tone at the top not only helps prevent fraud through a well-functioning internal control system, but can also have a positive impact on the financial results of an organization.2 Organizations with an effective corporate governance policy perform better than those without one.3
COSO ERM is an important framework to use to evaluate the effectiveness of internal controls, and it represents an important issue on the agenda of senior executives and corporate boards in enterprises across industries and throughout the world.
When auditing or assessing how IT controls are implemented, IT auditors traditionally work with baselines for IT systems and processes in which the (hard) controls are worked out in detail. However, these baselines omit the human factor (soft controls). Yet when things go wrong, the result is leakage of data or loss of system integrity, and the human factor is sometimes to blame.
Enterprise risk management (ERM) frameworks urge that the internal control environment and tone at the top be the starting point of every audit or risk assessment. This article argues that tone and the human factor should be made more explicit, and that tone at the top should therefore become part of IT governance frameworks such as Control Objectives for Information and related Technology (COBIT) and Val IT.
Two Schools of Thought
Tone at the top is based on two schools of thought in management literature: the corporate governance school and the management control systems (MCS) school. These schools of thought share three fundamental theories: the agency theory, the transaction cost economics theory and the stakeholder theory.
The agency theory views an organization as a “nexus of contracts.”4 Separation of ownership and control is essential to this theory. The agent (the manager) controls the organization but does not own it; the organization is owned by the principal (the shareholders). Measures (e.g., corporate governance) need to be taken to ensure that the agent strives to achieve the goals of the principal.
Transaction cost economics (TCE) is based on the concepts of “bounded rationality” and “homo economicus”: a person chooses the best option based on the information available to him or her.5 TCE aims to explain how firms are formed: firms are created to minimize transaction costs.6, 7 TCE has proven useful in explaining management control structures8 and has several consequences for MCS. Performance evaluation needs to be behavior-based, using nonfinancial, subjective measures, and reliance on output controls is low.9 Individual contributions to the organization (individual performance) are analyzed as contracts between the employer and the employee.10
The stakeholder theory is based on the belief that, besides shareholders, there are others with interest in the organization. Corporate governance should not only solve conflicts between management and shareholders but also between the organization and other stakeholders.
In the MCS school, tone at the top is a form of cultural control. Cultural controls encourage employees to monitor and influence each other’s behavior. They rely on group pressure: if a person deviates from the group’s values, the group puts that person under pressure to return to the dominant values. Cultural controls are usually translated into corporate governance codes, which are formulated mainly to prevent or minimize fraudulent activities in organizations by means of internal control. Five methods of cultural control have been identified: code of conduct, group rewards, transfers, physical and social controls, and tone at the top.11 Tone at the top forms an important part of corporate governance codes. Management behavior should coincide with the culture it tries to form; managers serve as role models. An important factor is having and emphasizing a whistleblower policy, so that people who observe fraudulent activities can report them and be protected against possible reprisals.12
Sarbanes-Oxley and COSO
The aforementioned theories all conclude that an organization needs a corporate governance code to minimize transaction costs, manage stakeholder interests and, thereby, increase shareholder value. However, recent financial scandals (e.g., Enron) have led to the belief that a more formal approach is necessary. In the US, this led to the Sarbanes-Oxley Act. An important part of Sarbanes-Oxley is the “in control statement,” an internal control clause (sections 302 and 404): the chief executive officer (CEO) and the chief financial officer (CFO) of a company must state that they are “in control.” An organization is “in control” if it has a well-functioning internal control system. The COSO Internal Control Framework, designed by the Committee of Sponsoring Organizations of the Treadway Commission, is the framework commonly used to demonstrate this.
The first element of the COSO models (COSO Internal Control and COSO ERM) is the control or internal environment, which consists mainly of the risk appetite, the risk culture and tone at the top. The board sets the risk philosophy and determines the risk appetite. The internal environment forms the basis for handling risks and control measures. The heart of every organization is its employees: their individual integrity, values, competence and work environment. Tone at the top has a critical influence on all of these.
Elements of Tone at the Top
COSO ERM uses the elements shown in figure 1 to describe tone at the top.13
The COSO ERM framework is not the only framework describing the elements of tone at the top. Tone at the top is explained by some as a model consisting of three building blocks (see figure 2).14
Besides the aforementioned frameworks, there are other views on tone at the top, and its influence on internal audit activities has been researched. The variables found to have positive results were formal integrity, ethical values, management integrity in management style and opinions, the code of conduct/ethics, and the risk awareness of management.15, 16 Research on corporate governance and internal control describes tone at the top as a part of the COSO control environment.17 Tone at the top has also been characterized as the communication of what is right and what is wrong, and how this is embedded in the organization.18
Management team members are example figures for the rest of the organization.19 Additionally, a whistleblower policy is a valuable part of tone at the top.20
Both qualitative and quantitative research has been conducted on tone at the top. For this study, senior auditors and professors from the four largest audit firms in The Netherlands were asked for their opinion on it. The elements on which they reached consensus are the elements used in the baseline. Tone at the top remains a concept with many features, and the auditors rated most of the elements as important. The elements that the auditors did not find important were mostly seen as results of tone at the top rather than components of it; these came mainly from the COSO ERM framework.
Expert Views on Tone at the Top
The elements on which consensus was formed can be grouped into four cornerstones: management, culture, structure and communication (figure 3).
These can be defined as follows:
- Management—Management and the CEO need to show inspiring leadership, set the right example and focus on people skills. They also need to display integrity. Their risk awareness, actions and messages need to coincide with the dominant culture. It is also important for management to commit to competence. See figure 4.
- Communication—Top-down and bottom-up communication on right and wrong, on symbols, rituals and assumptions, needs to be present in written, verbal, visual and digital form. Additionally, a code of conduct/ethics and formal integrity are necessary. See figure 4.
- Culture—An independent and active risk culture is necessary for tone at the top to be successful. Also, employees need to be empowered to make the right decisions. The reward systems and the culture need to reward desired behavior and be compliant with the norms. In the event of something going wrong despite these cultural aspects, there needs to be a policy present to protect whistleblowers. See figure 4.
- Structure—The risk appetite should be linked to the strategy. The supervisory board needs to be independent, active and involved. Responsibilities need to be defined, and management needs to receive adequate information. All of the aforementioned aspects are part of the structure element of tone at the top. See figure 4.
Tone at the top can assist in averting fraud within an organization. It is, therefore, necessary to include it in the audit scope. It can also have a positive influence on the financial results of an organization. Management must set an example, there needs to be communication throughout the company, and the company should reward desirable behavior. These elements form the building blocks of this vital concept: tone at the top.
- Merchant, K. A.; Modern Management Control Systems, Prentice Hall, USA, 1998
- US Securities and Exchange Commission (SEC), “Commission Guidance Regarding Management’s Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934,” 17 CFR Part 241, Release No. 33-8810, 34-55929, FR-77, File No. S7-24-06, 2007, www.sec.gov/rules/interp/2007/33-8810.pdf
- Tabaksblat, M.; et al; De Nederlandse corporate governance code. Beginselen van deugdelijk ondernemingsbestuur en best practice bepalingen [The Dutch Corporate Governance Code: Principles of Good Corporate Governance and Best Practice Provisions], Commissie Corporate Governance, Den Haag, 2003
1 Committee of Sponsoring Organizations of the Treadway Commission (COSO), Report of the National Commission on Fraudulent Financial Reporting, October 1987
2 Verschoor, C.; “A Study of the Link Between a Corporation’s Financial Performance and Its Commitment to Ethics,” Journal of Business Ethics, October, vol. 17, no. 13, 1998, p. 1509-1516
5 Simon, H.; Models of Bounded Rationality, The MIT Press, USA, 1982
6 Coase, R.; “The Nature of the Firm,” Economica, vol. 4, 1937, p. 386-405
7 Williamson, O.; “Corporate Finance and Corporate Governance,” The Journal of Finance, vol. 43, no. 3., 1988, p. 567-591
8 Spekle, R.F.; “Explaining Management Control Structure Variety: A Transaction Cost Economics Perspective,” Accounting, Organizations and Society, vol. 26, 2001, p. 419-441
9 Verbeeten, International Controlling class, March 2006
10 Op cit, Spekle
11 Merchant, K.; W. Van der Stede; Management Control Systems, Financial Times/Prentice Hall, 2003
13 Committee of Sponsoring Organizations of the Treadway Commission, COSO Enterprise Risk Management Framework, 2004
14 Swinkels, W.; Tone at the Top: Consistentie Tussen Woorden en Daden van het Management [Consistency Between Management’s Words and Deeds], Kluwer, Deventer, 2003
15 Sarens, G.; I. De Beelde; “Internal Auditors’ Perception About Their Role in Risk Management: A Comparison Between US and Belgian Companies,” Managerial Auditing Journal, vol. 21, no. 1, 2006, p. 63-80
16 Sarens, G.; I. De Beelde; “Building a Research Model for Internal Auditing: Insights From Literature and Theory Specification Cases,” International Journal of Accounting, Auditing and Performance Evaluation, vol. 3, no. 4, 2006, p. 452-470
17 Kooijman, C.; Corporate Governance & Internal Control: “Een onderzoek naar de naleving van de interne beheersing gerelateerde best practice bepalingen van de code Tabaksblat” [A Study of Compliance With the Internal-Control-Related Best Practice Provisions of the Tabaksblat Code], master’s thesis, 2005
19 Op cit, Merchant and Van der Stede
Christine Bruinsma, MSc
is employed at Atos Consulting as an information risk management consultant. Bruinsma graduated from the Erasmus University in Rotterdam, The Netherlands, and has master’s degrees in controlling and strategy.
Peter Wemmenhove, CISA, EMITA
is a partner responsible for information risk management at Atos Consulting in The Netherlands. Wemmenhove graduated as executive master in finance and control, as executive master in IT auditing and as master in public management. Tone at the top and its impact on IT auditors is the subject of one of his current studies.
ISACA Journal, formerly Information Systems Control Journal, is published by ISACA, a nonprofit organization created for the public in 1969. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.