By: George M. Wilson & Carol A. Stacey
First, a quick warning before you read this post. One of the authors of this post spent nine years teaching at a university which had one of the few undergraduate business programs in the country with a required course in business ethics. This post is perhaps a bit preachy!
We have seen some distressing examples in the news lately of organizations acting unethically. If you were around during the early 2000s these events evoke a strong feeling of déjà vu. The similarities in the “tone at the top” of the organizations in the news today compared to the tone at the top in the companies involved in the pre-SOX waves of fraud (such as WorldCom and Enron) is eerie!
In all of these frauds, the roots of unethical conduct which harmed shareholders were at the top of the organizations.
History, as it always seems to do, is repeating itself. Eventually defective tone at the top will always result in trouble and distress for the organization and investors. (Yes, that was one of the preachy parts!)
All this makes it seem like a great time to review a key element in the foundations of internal control, the control environment. Here is an excerpt from the Executive Summary of the 2013 COSO Framework:
The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The board of directors and senior management establish the tone at the top regarding the importance of internal control including expected standards of conduct. Management reinforces expectations at the various levels of the organization. The control environment comprises the integrity and ethical values of the organization; the parameters enabling the board of directors to carry out its governance oversight responsibilities; the organizational structure and assignment of authority and responsibility; the process for attracting, developing, and retaining competent individuals; and the rigor around performance measures, incentives, and rewards to drive accountability for performance. The resulting control environment has a pervasive impact on the overall system of internal control. “
Building an effective control environment starts at the top of an organization with the executive leadership, board and Audit Committee. If the people in these roles place financial performance before integrity, if their attitude is about accomplishing objectives at whatever the cost, that is poison in the control environment.
Understanding, assessing and evaluating tone at the top and the other elements of the control environment is not easy.
In a telecom company where the message from the CEO is to make the numbers at any cost is there any surprise that the end result is one of the largest financial reporting frauds ever? Or that the fraud was carefully crafted to avoid detection by the auditors? And, when the perpetrators of the fraud are the leaders of the organization, who have the power to punish anyone who might call out the tone at the top issues, is it any wonder that it is easy for them to conceal the corruption in the control environment? Is it any surprise that the courageous internal auditors who eventually called out the fraud actually had to conduct their investigation in secret and at times wondered if they should be afraid for their lives?
In an energy trading company where the CFO was behind hidden issues involving off-balance sheet arrangements that were not on the up-and-up, is it any wonder that the first person to really escalate the issue did so in an anonymous letter?
In a bank where not making sales goals resulted in your termination, is there any surprise when rules are bent? Is there any surprise when people are fired when they attempt to raise the issue to their managers?
As another example, check out this 10-K for Hertz which includes a major restatement. In the “Explanatory Note” at the beginning of the document you will find this language:
As of December 31, 2014, we did not maintain an effective control environment primarily attributable to the following identified material weaknesses:
||Our investigation found that an inconsistent and sometimes inappropriate tone at the top was present under the then existing senior management that did not in certain instances result in adherence to accounting principles generally accepted in the United States of America (“GAAP”) and Company accounting policies and procedures. In particular, our former Chief Executive Officer’s management style and temperament created a pressurized operating environment at the Company, where challenging targets were set and achieving those targets was a key performance expectation. There was in certain instances an inappropriate emphasis on meeting internal budgets, business plans, and current estimates. Our former Chief Executive Officer further encouraged employees to focus on potential business risks and opportunities, and on potential financial or operating performance gaps, as well as ways of ameliorating potential risks or gaps, including through accounting reviews. This resulted in an environment which in some instances may have led to inappropriate accounting decisions and the failure to disclose information critical to an effective review of transactions and accounting entries, such as certain changes in accounting methodologies, to the appropriate finance and accounting personnel or our Board, Audit Committee, or independent registered public accounting firm.
This is another example of a fraud with its roots in tone at the top.
When frauds escalate to a material level there is a reasonable likelihood that it started with a problem with tone at the top, with the control environment.
So, where does all this lead? Assessing tone at the top is not easy. And a poisoned control environment will do everything it can to protect itself. The leaders of an organization with a defective control environment will use the power they wield to keep others from exposing the problem. Perhaps more protections for whistleblowers are a good thing in this regard. Tools to measure ethical behavior in an organization are difficult to find, subjective and imprecise. Enron in fact had a model code of ethics, but having something on paper does not mean that people will live by the code of ethics. The one thing that is clear is that this continues to be a complex area and continues to be at the root of many financial reporting frauds. We all need to focus on this area and work to develop a better understanding and better tools to assess the control environment.
We all need to focus on tone at the top and ethical behavior. Yes, it is not easy to measure, it is not easy for an outsider to observe, but it is clearly crucial to effective ICFR!
As always, your thoughts and comments are welcome!