CPE for Government Auditors

Tone at the Top & Oversight

You say you got a real solution
Well, you know
We’d all love to see the plan

You ask me for a contribution
Well, you know
We’re doing what we can

But if you want money for people with minds that hate
All I can tell is brother you have to wait
Don’t you know it’s gonna be
All right, all right, all right

You say you’ll change the constitution
Well, you know
We all want to change your head

You tell me it’s the institution
Well, you know
You better free you mind instead

But if you go carrying pictures of chairman Mao
You ain’t going to make it with anyone anyhow
Don’t you know it’s gonna be
All right, all right, all right

Revolution: The Beatles

Two of the five principles imbedded in the control environment component of the Green Book remind us that you can layer on all the controls you want, but if your leadership doesn’t care about controls, the controls will not be respected by employees, and the controls will break down.  The risks that you are trying to avoid by implementing controls will eventually occur because the environment of the entity encourages and allows – rather than prevents and corrects – bad behaviors.

Spoiled by Oil

I worked as a federal grants controller for a state agency in Texas for a few years.  Every time we got a new governor, the executive team of this agency was replaced with political appointees.  That worked fine under Governor Ann Richards.  She appointed good executives who had a background in government.  But when George Bush became governor, he appointed a friend of his who had worked with him in Houston in the oil business.  His friend never quite adjusted to the way the state worked and the state’s limits on spending.

In her first month on the job, she replaced all of her office furniture with furniture from the most expensive furniture store in Austin.  She had a driver on call at all times and often had a car sitting outside her office at the ready.  She seldom bothered herself with meetings and the business of the agency because she was bored by the mundane nature of the agency’s goals.  But one of the goals of the agency did intrigue her; the goal to bring business to Texas.

Her predecessor focused on convincing businesses in neighboring states, like Oklahoma and Louisiana, to relocate to Texas and many did.  But our new executive set her sights on the champagne business in France!  This allowed her to travel first class to France, tour wineries, sample bubbly, and hobnob with the vintners.  While in France, she entertained wine industry leaders lavishly, all on the taxpayer’s dime. Yes, this is reasonable and normal behavior when you work for a corporation, but not when you work for government!

Elizabeth, my neighbor in the cubicle farm in the accounting department, refused to process the expense report that resulted from the executive’s first jaunt to France.  I overheard Elizabeth inform the ex-oil exec that she had broken every state travel rule possible.  The executive informed Elizabeth that if she didn’t process that voucher, Elizabeth could pack up her things and leave.  Elizabeth was a single mother with a daughter with a severe learning disability.  She had to keep her job.   So, with tears, Elizabeth submitted the ridiculous, noncompliant expense report for payment.

Next, Roxanne, the budget analyst, told the executive that she was way over budget and informed her that future trips would have to be cancelled.  The executive also threatened Roxanne with termination.  Roxanne stopped complaining and cut someone else’s budget to accommodate the trips to France because she, too, needed her job.

Once word got around that the accounting department no longer had any teeth, other leaders started misbehaving and Elizabeth and Roxanne, two of our strongest controls, were powerless to stop them.

I am not sure exactly how the downfall unfolded, as I ended up leaving the agency myself (voluntarily!),  but the bad behavior of the executive and her team was eventually caught by the Comptroller of Public Accounts, who in turn informed the Legislature of the shenanigans.  When the press got a hold of some juicy tidbits of bad behavior by the agency leadership, the executive team was fired and the Legislature defunded the agency and split it into pieces.   Each piece was given to another state agency that had a track record of compliance with state rules.

Tone at the Top and Oversight

The ex-oil executive’s impact on the agency and the eventual demise of the agency were predicted in the GAO’s Green Book.

First, under Principle #1, Tone at the Top, the Green Book warns that controls will break down when leadership does not set an “1.03 … example that demonstrates the organization’s values, philosophy, and operating style”, and when leadership does not have a “1.04 …commitment to doing what is right, not just maintaining a minimum level of performance necessary to comply with applicable laws and regulations.

And 1.05 says, “Without a strong tone at the top to support an internal control system, the entity’s risk identification may be incomplete, risk responses may be inappropriate, control activities may not be appropriately designed or implemented, information and communication may falter, and the results of monitoring may not be understood or acted upon to remediate deficiencies.”

Under principle #2, Exercise Oversight, the Green Book predicted that the Legislature would eventually break up the agency and fire the executive team:

2.08 … Members of an oversight body scrutinize and question management’s activities, present alternative views, and act when faced with obvious or suspected wrongdoing.

It is almost as if the authors of the COSO model and Green Book have seen these kind of shenanigans before…

Standards of Conduct

Our ex-oil executive did not understand (or care?) that government employees are stewards of the taxpayer’s money and that the taxpayer is never happy when they hear that government employees are enjoying themselves!  One of my clients, a city auditor, forbid her staff from having birthday and holiday celebrations after the local newspaper printed photos of her staff eating at their desks.  The photo’s caption pointed out how wasteful and lazy the auditors were!

Obviously, Texas citizens went nuts when they heard about the champagne fueled trips to France! Maybe the ex-oil executive read the standards of conduct when she signed the mountain of paperwork necessary to become a state employee.  Or maybe the standards weren’t specific enough.  But either way, the GAO points out that standards of conduct are one of the ways to help ensure a healthy tone at the top and throughout the organization:

1.06 Management establishes standards of conduct to communicate expectations concerning integrity and ethical values. The entity uses ethical values to balance the needs and concerns of different stakeholders, such as regulators, employees, and the general public. The standards of conduct guide the directives, attitudes, and behaviors of the organization in achieving the entity’s objectives. 

1.07 Management, with oversight from the oversight body, defines the organization’s expectations of ethical values in the standards of conduct. Management may consider using policies, operating principles, or guidelines to communicate the standards of conduct to the organization. 

Nip bad behavior in the bud!

The GAO goes on to say that there isn’t much point in having a standard of conduct, if you don’t enforce it.  Here is what the Green Book has to say about making sure that bad behavior is identified and remediated:

1.09…To gain assurance that the entity’s standards of conduct are implemented effectively, management evaluates the directives, attitudes, and behaviors of individuals and teams. Evaluations may consist of ongoing monitoring or separate evaluations. Individual personnel can also report issues through reporting lines, such as regular staff meetings, upward feedback processes, a whistle-blowing program, or an ethics hotline. 

1.10 Management determines the tolerance level for deviations. Management may determine that the entity will have zero tolerance for deviations from certain expected standards of conduct, while deviations from others may be addressed with warnings to personnel. Management establishes a process for evaluations of individual and team adherence to standards of conduct that escalates and remediates deviations. 

Sometimes management is not motivated to take action on bad behaviors, possibly because they are complicit in the behaviors.  That is where the oversight body comes in handy:

2.12…The oversight body oversees and provides direction to management on the remediation of these deficiencies. The oversight body also provides direction when a deficiency crosses organizational boundaries or units, or when the interests of management may conflict with remediation efforts. 

Qualifications for the Oversight Body

Governments usually operate under layers of oversight.  Most government entities have boards, and these boards report to a local legislative body which ultimately reports to a federal grantor who reports to Congress.  In some countries, the United Nations acts as an oversight body for the legislative body.  The United States refused to submit itself to this oversight.

The GAO’s Green Book tells us both what an oversight body is supposed to do and who they should be:

2.03 … An oversight body oversees the entity’s operations; provides constructive criticism to management; and where appropriate, makes oversight decisions so that the entity achieves its objectives in alignment with the entity’s integrity and ethical values. 

2.05 Members of an oversight body understand the entity’s objectives, its related risks, and expectations of its stakeholders. 

2.06 … Capabilities expected of all members of an oversight body include integrity and ethical values, leadership, critical thinking, and problem-solving abilities. 

2.07 Further, in determining the number of members of an oversight body, the entity or applicable body considers the need for members of the oversight body to have specialized skills to enable discussion, offer constructive criticism to management, and make appropriate oversight decisions. Some specialized skills may include the following: 

  • Internal control mindset (e.g., professional skepticism and perspectives on approaches for identifying and responding to risks and assessing the effectiveness of the system of internal control) 
  • Programmatic expertise, including knowledge of the entity’s mission, programs, and operational processes (e.g., procurement, human capital, and functional management expertise) 
  • Financial expertise, including financial reporting (e.g., accounting standards and financial reporting requirements and budgetary expertise) 
  • Relevant systems and technology (e.g., understanding critical systems and technology risks and opportunities) 
  • Legal and regulatory expertise (e.g., understanding of applicable laws and regulations) 

What’s next?

The control environment component of the COSO model/Green Book covers five principles.  In this chapter, we covered two: tone at the top and the qualities and roles of an oversight body.  In the next two chapters we will discuss the remaining principles.

Visit the Yellowbook-CPE.com Student Center
Click to learn more about Yellowbook requirements.


Lost your password?