Tone At The Top - Creating A Self-Managing Control Environment

Sunday, January 1, 2006 - 00:00

Uday Gulvadi
Eisner LLP

Several recent studies have indicated that there is significant business value to be gained by managing (and being perceived to be managing) a business in an ethical and transparent manner. Companies that are perceived by the capital markets to be well-governed have been known to have higher market valuation than similar companies that are not. Therefore, creating a control environment and organizational culture that promotes good governance practices, ethical behavior and transparency should be at the top of the agenda for management, often referred to as "tone at the top."

Many public companies are already grappling with the issue of documenting good "tone at the top" entity level controls as they consider the requirements of the Sarbanes-Oxley Act. Some companies have a "check the box" mindset toward corporate governance, focusing only on the form and not the substance of the regulations. For companies (both public and private) that aspire to be well-governed, quality ethics policies are best demonstrated in everyday activities.

What can companies do to create a self-managing control environment?

Lay down the rules. Management should document and implement a Code of Conduct and Ethics policy that provides direction to employees on acceptable behavior at the work place and in all dealings with fellow employees, customers, suppliers, investors and society at large. A company's code should contain a Whistleblower Policy, Insider Trading Policy, Information Confidentiality Policy, Acceptable Use of Corporate Resources Policy, etc. These policies should be formally approved by the Board or its committee and reviewed annually to make sure the policies are current and consider the requirements of recent regulatory changes, if any.

All employees should be required to acknowledge having read and understood the policies. A good practice is to have new hires read and sign off on the policies immediately upon joining or as part of their orientation training. Additionally, companies should require all employees to sign off on these policies annually so that they are aware of any changes to the policies. The most current version of the Code of Conduct and Ethics policies should be available on the corporate Intranet. Any changes to these policies should be communicated to all employees immediately after approval by the Board.

Management needs to communicate its expectations on workplace behavior at every opportunity. Companies can publish guidance in an "Acceptable Behavior" or "Do's and Don'ts" section on the company's Intranet, bulletin boards, or other common areas that are accessed regularly by employees. Companies that consistently exhibit best practices such as these take this a step further and impart behavioral training to all employees. In this scenario, situations that might present conflicts of interest are simulated, with the moderator and participants discussing what acceptable behavior is and what it is not, and the possible consequences of various acts. Such simulated learning sessions have been found to be very effective in ensuring that employees retain and put into practice their learning. Such behavioral training may be provided periodically (perhaps annually) to all employees.

Set the tone at the top. Management should keep in mind that actions speak louder than words and should therefore themselves adhere to the Code at all times. Incidents of breaches of the Code should be dealt with severely, even if members of senior management are involved. Punitive action should be commensurate with the nature of the violation so that it provides a sufficient deterrent factor. Management override of controls should be expressly prohibited. Certain circumstances may require management actions that are not clearly defined in the Code, in which case management should inform the Audit Committee to request approval. However, even in taking these actions, management should keep the organization's interest above everything else. It is also advisable to clearly discuss with employees the circumstances and reasons for the action and the compensating controls that were exercised through the formal approval of the Audit Committee.

Create a self-managing control environment. Management's biggest challenge is to create a control environment that is largely self-managing. This requires management to promote a culture of transparency, fairness, ethical behavior, teamwork and mutual respect. Culture-based controls typically known as "soft" controls should supplement and strengthen the traditional control activities of segregation of duties, independent reviews and reconciliations, and internal auditing.

Organizational strategies and goals should be set with active participation by employees at all levels, so that employees feel involved and motivated to achieve them. Performance targets should be set to be realistic yet challenging and require employees to put in their best efforts to achieve them. Career advancement should be merit-based. Knowledge sharing, team building, mentoring, and other long-term organization development activities should be included in performance criteria. This will encourage creation of a transparent and high-performance culture.

Employees should be encouraged to give constructive feedback and suggestions for improvement. Management should reward good ideas from employees and also acts of honesty, team building and outstanding customer service. Employees should be assured that questionable actions they report through the whistleblower facility will remain confidential and no retaliatory action will be taken against them.

The organizational structure and job responsibilities should be designed in a way to provide a natural segregation of duties. Internal controls should be embedded as an integral part of business processes.

Management must broaden the internal audit charter to include monitoring of the organization's cultural health. This can be achieved through a review of compliance with the Code of Conduct, instances of violations of the code of conduct, disciplinary action taken in those situations, and evaluation of certain performance indicators such as employee attrition rates, number of employee suggestions and percentage of employee suggestions implemented.

Obvious benefits. Integration of "soft" controls with traditional controls provides a holistic self-managing control environment. Keeping a company firmly embedded in a set of core values of ethics, integrity and transparency and at the same time propelling a company on a high growth path can create the greatest long-term value for all stakeholders.

Uday Gulvadi, CISA, Chartered Accountant, is a director in Eisner LLP's Corporate Governance and Risk Management Services Group. He has significant experience in Sarbanes-Oxley Section 404 consulting, internal audit, systems audit, internal control documentation and review, enterprise risk analysis and business process improvement.

Please email the author at Ugulvadi@eisnerllp.com with questions about this article.