
Tone at the Top, History and COSO

By: George M. Wilson & Carol A. Stacey


First, a quick warning before you read this post. One of the authors of this post spent nine years teaching at a university which had one of the few undergraduate business programs in the country with a required course in business ethics. This post is perhaps a bit preachy!

We have seen some distressing examples in the news lately of organizations acting unethically. If you were around during the early 2000s these events evoke a strong feeling of déjà vu. The similarities between the “tone at the top” of the organizations in the news today and the tone at the top in the companies involved in the pre-SOX waves of fraud (such as WorldCom and Enron) are eerie!

In all of these frauds, the roots of unethical conduct which harmed shareholders were at the top of the organizations.

History, as it always seems to do, is repeating itself. Eventually defective tone at the top will always result in trouble and distress for the organization and investors. (Yes, that was one of the preachy parts!)

All this makes it seem like a great time to review a key element in the foundations of internal control, the control environment. Here is an excerpt from the Executive Summary of the 2013 COSO Framework:


“Control Environment

The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The board of directors and senior management establish the tone at the top regarding the importance of internal control including expected standards of conduct. Management reinforces expectations at the various levels of the organization. The control environment comprises the integrity and ethical values of the organization; the parameters enabling the board of directors to carry out its governance oversight responsibilities; the organizational structure and assignment of authority and responsibility; the process for attracting, developing, and retaining competent individuals; and the rigor around performance measures, incentives, and rewards to drive accountability for performance. The resulting control environment has a pervasive impact on the overall system of internal control.”

Building an effective control environment starts at the top of an organization with the executive leadership, board and Audit Committee. If the people in these roles place financial performance before integrity, if their attitude is about accomplishing objectives at whatever the cost, that is poison in the control environment.

Understanding, assessing and evaluating tone at the top and the other elements of the control environment is not easy.

In a telecom company where the message from the CEO is to make the numbers at any cost is there any surprise that the end result is one of the largest financial reporting frauds ever? Or that the fraud was carefully crafted to avoid detection by the auditors? And, when the perpetrators of the fraud are the leaders of the organization, who have the power to punish anyone who might call out the tone at the top issues, is it any wonder that it is easy for them to conceal the corruption in the control environment? Is it any surprise that the courageous internal auditors who eventually called out the fraud actually had to conduct their investigation in secret and at times wondered if they should be afraid for their lives?


In an energy trading company where the CFO was behind hidden issues involving off-balance sheet arrangements that were not on the up-and-up, is it any wonder that the first person to really escalate the issue did so in an anonymous letter?


In a bank where not making sales goals resulted in your termination, is there any surprise when rules are bent? Is there any surprise when people are fired when they attempt to raise the issue to their managers?


As another example, check out this 10-K for Hertz which includes a major restatement. In the “Explanatory Note” at the beginning of the document you will find this language:


As of December 31, 2014, we did not maintain an effective control environment primarily attributable to the following identified material weaknesses:

Our investigation found that an inconsistent and sometimes inappropriate tone at the top was present under the then existing senior management that did not in certain instances result in adherence to accounting principles generally accepted in the United States of America (“GAAP”) and Company accounting policies and procedures. In particular, our former Chief Executive Officer’s management style and temperament created a pressurized operating environment at the Company, where challenging targets were set and achieving those targets was a key performance expectation. There was in certain instances an inappropriate emphasis on meeting internal budgets, business plans, and current estimates. Our former Chief Executive Officer further encouraged employees to focus on potential business risks and opportunities, and on potential financial or operating performance gaps, as well as ways of ameliorating potential risks or gaps, including through accounting reviews. This resulted in an environment which in some instances may have led to inappropriate accounting decisions and the failure to disclose information critical to an effective review of transactions and accounting entries, such as certain changes in accounting methodologies, to the appropriate finance and accounting personnel or our Board, Audit Committee, or independent registered public accounting firm.


This is another example of a fraud with its roots in tone at the top.

When frauds escalate to a material level there is a reasonable likelihood that they started with a problem with tone at the top, with the control environment.

So, where does all this lead? Assessing tone at the top is not easy. And a poisoned control environment will do everything it can to protect itself. The leaders of an organization with a defective control environment will use the power they wield to keep others from exposing the problem. Perhaps more protections for whistleblowers are a good thing in this regard. Tools to measure ethical behavior in an organization are difficult to find, subjective and imprecise. Enron in fact had a model code of ethics, but having something on paper does not mean that people will live by the code of ethics. The one thing that is clear is that this continues to be a complex area and continues to be at the root of many financial reporting frauds. We all need to focus on this area and work to develop a better understanding and better tools to assess the control environment.

We all need to focus on tone at the top and ethical behavior. Yes, it is not easy to measure, it is not easy for an outsider to observe, but it is clearly crucial to effective ICFR!


As always, your thoughts and comments are welcome!



10-K Tip Number One for 2016

Happy New Year from all of us at the SEC Institute Division at PLI! We hope your new year is beginning well and if you are working on closing year-end December 31, 2015 that all is proceeding smoothly.

Last week, on January 7, 2016, Carol and George (that being us of course, the bloggers you are reading now!) presented a One-Hour Briefing, “PLI’s Second Annual Form 10-K Tune-up”. In the briefing we discussed three broad groups of issues to think about this year-end. These were New and Emerging Issues, Recurring Issues, and SEC Staff Focus Areas. Here is the complete list of the topics we discussed in the One-Hour Briefing:

  • New and Emerging Issues
    • Customer accounting for fees paid for cloud computing arrangements
    • PCAOB AS 18 Related Parties – impacts both auditors & registrants
    • PCAOB AS 17 Auditing Supplemental Info Accompanying Audited F/S
    • Audit Committee disclosure
    • ICFR and COSO
  • Recurring Issues
    • SAB 74 disclosures for Revenue Recognition and others
    • Disclosure effectiveness
    • Cybersecurity
    • Conflict minerals & Form SD disclosure
  • SEC Staff Focus Areas
    • Segments – focus on ASU 280
    • Statement of Cash Flows
    • Income taxes
    • Fair value
    • Foreign Exchange Rates, Commodity Prices, and Interest Rates


You can hear everything we discussed in an On-Demand version of the Briefing that will be available soon.

To augment the Briefing we are writing a series of blog posts to dive more deeply into each of the areas we discussed than the one-hour time limit allowed.

The first issue, customer accounting for fees paid for cloud computing arrangements, relates to ASU 2015-5. This ASU is effective for public business entities for periods beginning after December 15, 2015. For other entities the effective date is one year later.

One of the major issues in this new standard is that costs associated with a contract may be accounted for differently depending on whether the contract involves a software license or is only a service contract.

To get to that issue we need to review the major provisions of the ASU.

This project arose with the increase in the use of “cloud” based computing systems. These generally include “software as a service agreements” (SaaS) and other types of “software hosting” arrangements. There was no clear guidance about how customers should account for such arrangements. As a consequence, it was unclear whether these were software contracts subject to software accounting guidance or simply service contracts or perhaps a hybrid of the two accounting areas.

The ASU puts paragraph 350-40-15-4A into the ASC section dealing with internal use software:

“The guidance in this Subtopic applies only to internal-use software that a customer obtains access to in a hosting arrangement if both of the following criteria are met:

  1. The customer has the contractual right to take possession of the software at any time during the hosting period without significant penalty.
  2. It is feasible for the customer to either run the software on its own hardware or contract with another party unrelated to the vendor to host the software.”

If the above criteria are not met then the contract does not involve a software license and is a service contract.

The key issue here is that if the two criteria are met, then the agreement is treated as a multiple element arrangement and the costs are allocated between the software license and a service element associated with the hosting contract. The costs associated with the software license fall into the guidance for costs related to internal use software, or if appropriate, another software model such as software to be used in research and development.

On the other hand, if there is no software license element, then the contract is treated as any other service contract.

The financial reporting implications of this distinction can affect issues such as balance sheet classification, since a software license would be accounted for as an asset in appropriate circumstances, i.e. if it was paid for in advance. Income statement geography can also be affected as software amortization versus service contract expense could be in different income statement line items. And, it is possible that the amount of costs recognized in each period could be different.

This perhaps more complex issue depends on whether the arrangement includes a software license. If it does include a software license the internal use software guidance applies. The expense recognition part of this guidance is articulated in ASC 350-40-30:

30-1     Costs of computer software developed or obtained for internal use that shall be capitalized include only the following:

  1. External direct costs of materials and services consumed in developing or obtaining internal-use computer software. Examples of those costs include but are not limited to the following:
    1. Fees paid to third parties for services provided to develop the software during the application development stage
    2. Costs incurred to obtain computer software from third parties
    3. Travel expenses incurred by employees in their duties directly associated with developing software.
  2. Payroll and payroll-related costs (for example, costs of employee benefits) for employees who are directly associated with and who devote time to the internal-use computer software project, to the extent of the time spent directly on the project. Examples of employee activities include but are not limited to coding and testing during the application development stage.
  3. Interest costs incurred while developing internal-use computer software. Interest shall be capitalized in accordance with the provisions of Subtopic 835-20.

These costs can even include the costs of data conversion.

For service contracts, there is no such guidance. And here in fact lies the more problematic issue. If a cloud based computing arrangement includes a software license the internal use software guidance for costs may require capitalization of costs that would not be capitalized if the contract is only a service contract. Thus the amount of expense recognized for an arrangement could be different if it has a software license or does not have a software license. If you have this situation, careful analysis is crucial!

As always, your thoughts and comments are welcome!