Assessing a Company’s Tone at the Top: Evidence from South African Auditing Firms

Globally companies collapse because of the unethical conduct of their top management (Cronje, 2018; Schwartz et al., 2005), bearing truth to the proverb: ‘Trees die from the top’ (Druker, 1974 in Staicu et al., 2013). Additionally, companies are losing approximately seven per cent of their revenue each year due to fraud, with the majority of losses attributed to corruption by top management (ACFE, 2018; Rose et al., 2020). Research supports the argument that the weak integrity of top management stimulates not only unethical decisions but also fraudulent behaviour of those in top management (Chen et al., 2013; Rittenhouse, 2015). A company’s “tone at the top” – consisting of the ethical behaviour of the leadership and the creation of an ethical climate (IODSA, 2016) – is a fundamental ingredient for reliable financial reporting (COSO, 2013; Sharma et al., 2008). Thus, the need arises for auditors to contribute to the reliability of financial reporting (Polychronidou et al., 2020) by providing an external opinion on the company’s financial reporting, as to whether it is free of material misstatement due to fraud or error (IAASB, 2009a). While higher integrity levels of top management will decrease the risk of material misstatement, it follows that lower integrity of those in top management positions will increase the risk of material misstatement (Sneathen Jr et al., 2003). Hence, the importance of the external auditors’ assessment of a company’s tone at the top – given the impact it has on audit risk, which is a significant part of forming an audit opinion on a company’s financial statements (Emma et al., 2009).

The International Standards on Auditing (ISAs) require auditors to assess the integrity of a company’s management prior to associating with a company (IAASB, 2009d). In addition, the ISAs require auditors to assess a company’s tone at the top as part of their evaluation of the control environment (IAASB, 2013). However, despite these requirements, limited guidance is provided with regard to appropriate procedures to perform, as well as documentation of such assessments. This lack of proper guidance could have an effect on the auditing methodologies developed by auditing firms and consequently the consistency of tone-at-the-top assessments among auditing firms, as well as the likelihood of detecting unethical conduct of top management. Research confirms inconsistencies in risk assessments among auditing firms (Hassink et al., 2010; Shelton et al., 2001), with poor management integrity being the biggest fraud risk factor (Johnson et al., 2013). Therefore, Kassem and Higson (2012) suggest that auditors need guidance in this regard. More importantly, auditors may suffer losses or potential litigation due to their association with a client with questionable integrity (Carpenter & Reimers, 2013), implying that companies and their stakeholders are unlikely to receive the requisite protection. Therefore, additional guidance enhancing auditors’ assessment of companies’ tone at the top is imperative to reinforce stakeholders’ confidence in the auditing process.

Previous studies relating to the assessment of a company’s tone at the top have tended to focus on the impact of these assessments on aspects of the auditing process (Chen et al., 2013; Rittenhouse, 2015) – for example, on fraud risk (Alexander, 2012; Lamberton et al., 2005), control risk (Sharma et al., 2008; Sneathen Jr et al., 2003), substantive auditing procedures (Beaulieu, 2001; Cohen & Hanno, 2000), and auditors’ judgements (Cohen & Hanno, 2000; Schmidt, 2014). The resulting paucity in research on how auditors assess a company’s tone at the top, as noted by Jaffer et al. (2019) and Kassem (2018), augmented by the limited guidance provided in the ISAs in this regard, prompted this study to understand how auditors assess the tone at the top of companies. This paper attempts to attend to the research gap in terms of the methods and procedures followed by auditing firms in assessing a company’s tone at the top, by qualitatively examining how auditors assess the tone at the top of a listed company in a developing country.

Using semi-structured interviews, the exploratory multiple-case research design adopted for this study collected data from audit partners and inspectors from the audit regulatory body. In addition to contributing to the evolving discourse on the assessment of a company’s tone at the top, given the limited guidance on how these assessments should be done, the study observations provide important insights on the procedures to assess a company’s ethical leadership and ethical culture, as well as the timing and responsibility of such assessments. These insights could be useful to auditing firms in enhancing their audit methodologies and training programmes on assessing a company’s tone at the top and the documentation thereof, specifically during the planning of an audit and to evidence audit engagement partner involvement. Moreover, the findings may inform the audit regulatory body in providing best-practice guidelines to auditors on the assessment of a company’s tone at the top and provide a benchmark against which revised standards related to assessment of the tone at the top can be measured (The following revised standards were issued: ISA 315 (IAASB, 2019) with an implementation date of 15 December 2021; as well as ISA 220 (IAASB, 2020a), ISQM 1 (IAASB, 2020b) and ISQM 2 (IAASB, 2020c) with an implementation date of 15 December 2022).

The ranking of the efficacy of South Africa’s corporate boards dropped from third place in 2016 to thirty-fourth place in 2017 (WEF, 2017a) and the ethical behaviour of companies in South Africa is ranked at number 72 of 151 countries (WEF, 2017b), arguably affecting auditors’ assessment of companies’ tone at the top. In a sense, South Africa therefore seems suitable as a country where auditors’ assessment of a company’s tone at the top can be explored in depth. However, despite the study’s South African orientation, the methods and procedures suggested by these auditors to assess a company’s tone at the top have global relevance, since not only were the Big 4 auditing firms who are known for their high audit quality (Eshleman & Guo, 2014; Gerged et al., 2020) included in the study, but South African auditors are required to adhere to the ISAs (IRBA, 2013) and the Independent Regulatory Board for Auditors (IRBA) is required to review the audit practice of auditors auditing public companies every three years (RSA, 2005) to determine compliance with the ISAs (IRBA, 2020).

This paper commences by briefly positioning stakeholder theory as the applicable theoretical framework for this study and describing the regulatory framework applicable to auditors and directors of companies listed on the Johannesburg Stock Exchange (JSE). It continues by providing a review of research related to auditors’ assessment of tone at the top and how the elements of the control environment (IAASB, 2013) could be aligned to those of a company’s tone at the top. The paper continues by describing the research design and approach, after which the research findings are presented. Finally, the paper provides concluding remarks and identifies areas for future research.

Since the publication of Freeman's landmark book, Strategic Management: A Stakeholder Approach, laying the foundation of the stakeholder theory in 1984, the theory gradually evolved into a framework for corporate accountability to a broad range of stakeholders affected by their corporate activities (Abdullah & Valentine, 2009). Within this context, a stakeholder is “any identifiable individual or group on which the organization is dependable upon for its continued survival” (Freeman & Reed, 1983). Stakeholder theory holds that companies are responsible to various individuals or groups in society who have a legitimate claim in the company rather than only the company having an interest in them (L’Huillier, 2014). If stakeholder claims in the company are not balanced, the company’s survival may be jeopardised (Freeman & Evan, 2010). To align the respective responsibilities of the company to their stakeholders, it is necessary to closely monitor the activities and performance of the company (Hussain et al., 2017). Hence, auditors play an important role in protecting stakeholders' interest in a company (Roy, 2015).

South Africa’s corporate governance model promotes the stakeholder theory. While the King IV Report on Corporate Governance for South Africa (King IV Report) explicitly states that the stakeholder theory is followed, it is also evident in the Companies Act (RSA, 2008) which requires a director to perform his/her functions in a manner that takes into account the “best interests of the company”. By implication this means that a company should not violate any human right as stipulated in the Constitution of South Africa (Gwanyanya, 2015; Muswaka, 2013), and should thus take into account the rights of all stakeholders. Additionally, the Companies Act protects stakeholders through requiring that a social and ethics committee monitors the company’s activities in respect of social and economic development, good corporate citizenship, the environment, health and safety, consumer relations, and labour and employment matters (RSA, 2008). More importantly, auditors are required to protect the interests of all stakeholders (IODSA, 2016). Considering the higher frequency of corruption reported in developing countries than in developed countries (Omidi et al., 2017), the auditors’ assessment of the ethical conduct of top management is arguably even more important in a developing country context. Failure of these companies may be detrimental to the company and, its stakeholders and the economy, suggesting the reliance of stakeholders on auditors’ assessment of companies’ tone at the top in these countries. Therefore, if auditors do not appropriately assess a company’s tone at the top, their opinion on the companies’ financial statements could be undermined, which in turn would mean that the company and its stakeholders would not receive the required protection.

All companies registered in South Africa are obliged to comply with the prescripts of the Companies Act (RSA, 2008). In addition, companies listed on the JSE must comply with the JSE Regulations (JSE, 2015). One of these listing requirements is that all companies with primary JSE listings are required to apply the principles described in the King IV Report, albeit on an ‘apply and explain’ basis (IODSA, 2016). Despite being a voluntary governance framework, the principles in the King IV Report have become quasi-mandatory for all JSE-listed companies, and therefore a proxy for the governance regulations applied to JSE-listed companies. In addition to both the Companies Act and the JSE Regulations requiring annual audits for all JSE-listed companies, they also prescribe certain practices and impose certain responsibilities on auditors and directors, while the King IV Report expands on some of these through its principles and recommended practices. The mandatory requirements for auditors include that an auditor of a company has to perform his/her duties as per the Auditing Profession Act (APA) (RSA, 2005); and that an auditor must carry out an audit free of any restrictions whatsoever and in accordance with the applicable auditing pronouncements (RSA, 2005) which include the ISAs (IRBA, 2013).

Despite the importance of a company’s tone at the top that would ensure trustworthy financial reporting being recognised as far back as 1987 (NCFFR, 1987), previous studies on the assessment of a company’s tone at the top have tended to focus on the impact of these assessments on aspects of the auditing process (Chen et al., 2013; Rittenhouse, 2015), resulting in a paucity of research on how auditors perform tone at the top assessments (Jaffer et al., 2019; Kassem, 2018). “Tone at the top” refers to the ethical climate or atmosphere established in a company (IFAC, 2007; Lail et al., 2015) while ethical leadership is key to the climate of a company and to the reason an organisation performs in a certain way (Soltani, 2014), thus, for ensuring ethical behaviour in a company (Van Vuuren, 2016). Moreover, the tone set by the company’s leadership has a trickle-down effect on employees (Cheng et al., 2019; Payne and Raiborn, 2018). Hence, a company’s tone at the top entails the governing body and management conducting themselves ethically (ethical leadership) and the implementation and promotion of an ethical organisational culture.

Brown et al. (2005) coined the concept of ethical leadership and define it as “the demonstration of normatively appropriate conduct through personal actions and interpersonal relationships, and the promotion of such conduct to followers through two-way communication, reinforcement and, decision-making”. Despite their definition being widely accepted, it has been criticised for not including all stakeholders (Eisenbeiß & Brodbeck, 2013; Frisch and Huppenbauer, 2014). Ethical leaders are deemed to connect the goals of the company with those of its stakeholders (Bello, 2012); building and cultivating relationships with stakeholders inside and outside the company (Maak & Pless, 2006). The King IV Report emphasised that companies operate in a “societal context”, with its impact extending to a broad group of stakeholders (IODSA, 2016). Therefore, if a company wishes to create value for itself, it needs to create value for others (IODSA, 2016) – by having regard for the needs, interests and expectations of all stakeholders. To lead ethically and effectively (IODSA, 2016), the members of the governing body and management should have integrity (Kalshoven et al., 2011; Kaptein, 2008), and should be competent (Kalshoven et al., 2011), responsible (IODSA, 2016), accountable (Kalshoven et al., 2011; Resick et al., 2006), fair (Brown et al., 2005; Kalshoven et al., 2011;) and transparent (IODSA, 2016; Kaptein, 2008).

The key elements necessary to build an ethical culture within a company include a set of core ethical values, a formal ethics programme and the continuous presence of ethical leadership (Schwartz, 2013). A set of core ethical values identified by an organisation with both the present and the future in mind and related to multiple issues facing managers and employees – with a responsibility towards each other, the company’s stakeholders and/or society in general (Kaptein, 2011) and included in a code of ethics, is generally accepted as the root for any company’s ethical policy (IODSA, 2016; Webley & Werner, 2008) and central to the company’s strategic decisions (Stevens, 2008). A formal ethics programme entails enforcing the code of ethics consistently and impartially, communicating the code of ethics to employees, training employees on the code of ethics, providing anonymous whistleblowing lines to report non-adherence to the code of ethics, and recruiting and promoting ethical employees (Sauser Jr, 2013; Schwartz, 2004). Continuous presence of ethical leadership is imperative because neither a formal code of ethics nor ethics training can have the desired effect unless the actions and behaviour of the company’s leaders (governing body and management) are consistent with the code of ethics (Bello, 2012). Living by example can be achieved when management’s messages, statements, actions and explanations are consistent with the company’s ethical culture (IFAC, 2007; Staicu et al., 2013).

The risk of material misstatement of the financial statements due to fraud or error, based on a company’s tone at the top, is important to an auditor because it inversely correlates to the nature and extent of the audit evidence collected and the audit fees charged by the auditor through increased or decreased auditing effort (Beaulieu, 2001; Zhang & Shailer, 2020). Thus, if the auditor assesses this risk as low, based on an assessment of the company’s tone at the top, the extent of substantive testing would be decreased, and the auditor can place higher reliance on internal control (Cohen & Hanno, 2000). Likewise, if an auditor assesses the risk of material misstatement due to fraud or error, as high, based on an assessment of the company’s tone at the top, the auditor should increase the quantity and quality of the audit evidence acquired (Awadallah & El-Said, 2018; Sneathen Jr et al., 2003).

The ISAs require that auditors should firstly assess the integrity of the company management – prior to associating with a potential company and when deciding to continue to audit a company’s financial statements (IAASB, 2009b; IAASB, 2009d). Secondly, during the planning of the audit, auditors should assess the risk of material misstatement due to fraud or error associated with a company’s tone at the top when obtaining an understanding of the internal controls of the company (Cohen & Hanno, 2000; IAASB, 2013), specifically the control environment. This component is the foundation of all other components of internal control; the control environment influences the control consciousness of the employees (IAASB, 2013; Ramos, 2004) and is vital in assessing the integrity of management (Kizirian et al., 2005). However, the ISAs do not align the elements of the control environment and those of a company’s tone at the top.

In assessing the first element of the control environment, namely commitment to competence, auditors will consider whether management and key accounting personnel possess the knowledge and skills required to perform their duties, including whether the company complies with applicable laws, codes and standards (Decker et al., 2016; IAASB, 2013). Auditors should acquire an understanding of the independence, experience, status and external involvement of management and the members of the governing body (IAASB, 2013) by performing background checks on them (IAASB, 2009d; Kueppers & Sullivan, 2010).

In assessing management’s philosophy and operating style (second element), auditors should consider the attitude of management towards the financial reporting process, information processing and accounting functions, personnel, and managing the business risk of the company (IAASB, 2013); those who lack integrity tend to disregard company policies and procedures (Fuller & Jensen, 2002). The auditor should also establish whether management is conservative or aggressive in selecting accounting policies and doing estimates (Decker et al., 2016). The auditor should also determine the targets utilised by management to evaluate the company’s financial performance (IAASB, 2013) and calculate management renumeration, which may reveal the risk of management manipulating the financial statements in order to maintain earning targets and influence management remuneration (Callaghan et al., 2007; IAASB, 2009c; IAASB, 2013). According to Callaghan et al. (2007), earnings management may justify the potential for unethical conduct while Ogola et al. (2016) concur that performance-based remuneration is often linked to instances of fraud.

In assessing the third element (organisational structure) and the fourth element (the assignment of authority and responsibility) of the control environment, the auditor must consider the available staff resources as well as the interrelationship between staff actions and accountability (IAASB, 2013). Inadequate segregation of duties will result in an increase in fraud risk through collusion (Van Akkeren & Buckby, 2017). By implication, if inadequate segregation of duties exists, management cannot hold staff accountable for inappropriate conduct nor anticipate and prevent negative outcomes.

In terms of the participation by those charged with governance (which is the fifth element), the auditor should assess management’s relationship with and attitude towards those charged with governance, which includes the audit committee and the internal auditing function (IAASB, 2013). Although the company’s external stakeholders are not specifically part of the auditor’s understanding of the control environment, in terms of the stakeholder-inclusive approach, they should be included in the auditor’s assessment before accepting a client (Callaghan et al., 2007; IAASB, 2009d). Management’s attitude towards the auditor is also important in assessing the integrity of management (Abdullatif, 2013; Kerr & Diaz, 2009).

Communication and enforcement of integrity and ethical values (the sixth element of the control environment) entail that the auditor should assess the company’s implementation, communication and monitoring of set behavioural standards (IAASB, 2013). Auditors may inquire of employees as to whether management communicated and enforced the code of ethics through policy and procedures, including removing temptations and incentives to commit fraud (COSO, 2014; IAASB, 2013) and by infusing the values of the code of ethics into its strategic plans (Celikdemir & Tukel, 2015). The information obtained from management must be corroborated by observing processes in place and inspecting documents such as the code of ethics itself (IAASB, 2013).

Human resource policies and practices (the seventh element of the control environment) relate to the recruitment and promotion of personnel, including the assessment by the Department of Human Resources of the integrity and trustworthiness of staff hired or promoted (IAASB, 2013). Therefore, the auditor should assess whether the company focuses not only on the experience and qualifications of new personnel but also on their integrity prior to hiring personnel.

Hence, the above elements of the control environment (IAASB, 2013) could be aligned to ethical leadership and to implementing and promoting an ethical culture (see Table 1).

Furthermore, the audit engagement partner is deemed to be responsible for assessing a company’s tone at the top (IFAC, 2010); and the susceptibility of the company’s financial statements to misstatements due to fraud or error because such assessments involve a high degree of professional judgement (Cohen et al., 2002). Audit partners are experienced and have a thorough knowledge of the company being audited (Carpenter & Reimers, 2013, Hussin et al., 2017). Even though auditors may have experienced in the past that the governing body and management are honest and have integrity, they must be aware that circumstances could have changed that may cause the financial statements to be materially misstated (IAASB, 2009c; Ratna & Anisykurlillah, 2020).

Despite the limited guidance provided in the ISAs on the assessment of a company’s tone at the top, specifically not aligning the elements of the control environment and those of a company’s tone at the top, research on how auditors assess a company’s tone at the top remains an under-researched area (Jaffer et al., 2019; Kassem, 2018). Even more, research confirms inconsistencies in risk assessments among auditing firms (Hassink et al., 2010; Shelton et al., 2001), with poor management integrity being the biggest fraud risk factor (Johnson et al., 2013). Within this context, there is a definite need to understand how auditors assess a company’s tone at the top, who is performing such assessment and when such assessment is performed – specifically in a country where the ethical behaviour of companies is deteriorating (WEF, 2017b), arguably affecting auditors’ assessment of companies’ tone at the top.

Auditors’ assessment of a company’s tone at the top may be relatively unique to particular auditing firms and companies, therefore a qualitative research approach was considered most appropriate for this study (Denzin & Lincoln, 2011), where individuals or groups bring meaning to a social problem (Creswell, 2013). This approach allowed for obtaining contextual, in-depth data to gain insight into how auditors assess a company’s tone at the top, as provided by the narratives of the participants (Creswell, 2013).

As constructivists, the researchers relied upon the subjective views of the participants to develop themes, based on the interpretation of the researchers (Creswell, 2013; Guba & Lincoln, 1994). The qualitative research approach chosen was accordingly influenced by the researchers’ paradigm (Creswell, 2013; Fouché & Schurink, 2011). Within this context, an exploratory multiple-case research design was deemed most appropriate since the researchers intended to obtain an in-depth understanding of an existing phenomenon, namely how auditors assess a company’s tone at the top, from auditor partners and inspectors of the audit regulatory body. A case study research design is particularly appropriate to explore ‘how’ or ‘why’ questions within a real-life context in order to understand the relative uniqueness (Yin, 2009), dynamics and eccentricity of each case (Welman et al., 2005). In addition, patterns in their lives, words and activities (Fouché & Schurink, 2011) which are not evident from publicly available sources (Turley & Zaman, 2007), can be identified.

Responding to the paucity of research on how auditors assess a company’s tone at the top (Jaffer, 2019; Kassem, 2018), auditing firms who were appointed as the auditors of JSE-listed companies were selected as cases for the study – since fraud is found to be more prominent in larger companies than in smaller companies (ACFE, 2018) – and the statutory body responsible for reviewing auditing firms appointed as auditors of public companies (IRBA, 2020). A non-probability, purposive sampling strategy was used to firstly select the cases and then the participants (Babbie, 2010). The criteria used to select the appropriate cases included that the auditing firms and the regulatory body as well as the intended participants had to be accessible (Creswell, 2013; Rowley, 2012). Furthermore, the auditing firm should have been appointed as the auditor for a Top 40 JSE-listed company, representing over 80% of the total market capitalisation of all JSE-listed companies (SA Shares, 2021). These amounted to six auditing firms and the IRBA selected as cases.

The study data were collected through conducting semi-structured individual interviews which lasted approximately 60 minutes each, with purposively selected participants from the selected auditing firms and a semi-structured group interview with purposively selected participants from IRBA. Participants were approached based on their perceived ability to provide information about the phenomena being studied (Saldaña, 2013). As audit partners are responsible for tone-at-the-top assessments (IFAC, 2010), the selection criteria meant that an audit partner from each of the selected auditing firms who has been with the firm for at least five years was approached to participate in the study. The five-year requirement was a key determinant, based on the assumption that a period of five years would have allowed the partner to be familiar with the methodology followed by the firm – particularly the methodology regarding the assessment of a company’s tone at the top. As IRBA’s inspection’s department is responsible for reviewing auditing firms appointed as the auditors of public companies (IRBA, 2020), the selection criteria meant that the senior inspectors from IRBA’s inspection department were approached to participate in the study as they are responsible for reviewing the auditing firms appointed as auditors of the Top 40 JSE-listed companies. Participants at such auditing firms and IRBA would therefore be in a position to provide rich information about the phenomena being studied and not the cases itself (Eriksson & Kovalainen, 2008). A total of six audit partners and three senior inspectors participated – these numbers were deemed sufficient as data saturation was being achieved, since the same recurring themes and categories began emerging during the interviews. It was therefore unlikely that any additional information would have resulted from interviews with additional audit partners at the selected auditing firms – as all audit partners at the same auditing firm would follow the same methodology. The interview guiding questions were based on the theoretical framework of the aspects of a company’s tone at the top, as identified in the literature, and the requirements related to auditors’ assessment of a company’s tone at the top. The questions were tailored for each category of participant and included in an interview schedule (Greeff, 2011), allowing the interview to take the form of an inductive inquiry (Rowley, 2012). The following open-ended questions were included in the interview guide:

- Describe your understanding of the term “tone at the top”.

- How do you obtain an understanding of and evaluate a company’s tone at the top?

- Who within the audit engagement team gains insight into and evaluates a company’s tone at the top?

- When do you evaluate a company’s tone at the top?

As recommended by Yin (2009), a pilot interview was conducted with an audit partner of an international auditing firm that did not form part of the auditing firms selected, whereafter the interview questions were refined. Semi-structured interviews allowed for flexibility so that sub-questions could be used by the researchers to explore the main questions if necessary (Kvale, 2006; Rowley, 2012). This way, participants had an opportunity to introduce important matters relating to the phenomenon being studied, which are not adequately covered by the pre-populated questions which provide structure to the interviews (Myers, 2009). During the interviews, participants were prompted in an effort to critically question the participant’s response and not to impose the researchers’ thoughts (Kvale, 2006). In addition to the interviews, field notes were made immediately after each interview (Yin, 2009), serving as a commentary of observations made during the interviews and notes of impressions and ideas as they occurred before the formal data analysis (Eisenhardt, 1989; Voss et al., 2002). After obtaining permission from the participants, the interviews were digitally recorded and transcribed into Microsoft Word documents. In line with the international guidelines for research ethics (National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research, 1978), the ethical principles, respect for persons, beneficence and justice were adhered to. The interview transcripts and field notes were analysed inductively using descriptive open coding (Saldaña, 2013). Open coding entails examining textual data (a sentence or paragraph in the interview transcripts and field notes), and then thematically summarising the main aspects of a particular text using descriptive codes (Myers, 2009; Saldaña, 2013). Similar descriptive codes were grouped and assigned to particular descriptive categories (Babbie, 2010; Saldaña, 2013). After the preliminary coding, the interview transcripts and field notes were imported into ATLAS.ti™ and coded a second time in a similar fashion, merely using ATLAS.ti™ as a repository for the data (Saldaña, 2013; Yin, 2009). The interrelationships among the descriptive categories were then explored (Saldaña, 2013), with common themes being identified to understand how auditors go about assessing a company’s tone at the top. To increase the trustworthiness of the findings, the coding report was compared to the report of an independent and experienced second coder – and consensus were reached on any discrepancies (Campbell et al., 2013; Lincoln & Guba, 1999).

The themes identified from the analysis of the data obtained from the interviews and field notes represent commonalities among the participants’ assessment of a company’s tone at the top (see Table 2), as evident in the presentation and discussion of the findings below. To preserve the anonymity of the participants, pseudonyms were used in the study (AP1–AP6 for the audit partners and SI for the senior inspectors).

Supporting the view that ethical leadership is central to achieving a positive tone at the top (IODSA, 2016; Van Vuuren, 2016), the participants asserted the importance of ethical leadership as a key aspect of a company’s tone at the top, stating that “if the leaders are corrupt, chances are the whole organisation will be corrupt”.

To gain an understanding of the members of the governing body and management’s experience, competence, and independence in terms of the King IV Report (IODSA, 2016), most of the AP participants would perform background checks. Such background checks include third-party confirmations from lawyers and bankers of the company, as well as the auditing firm’s forensic department, and consult available databases. These procedures are consistent with Kueppers and Sullivan (2010) positing that background checks assist with determining if management is ethical. In line with the suggestion made by Decker et al. (2016), the AP participants would also obtain details about the members’ experience, positions previously held, and competence from their Curriculum Vitae to assess whether management has the knowledge and skill to perform the duties assigned to them. One participant emphasised that if a director served on the board of a company that is perceived as unethical, “it is possible that that director is bringing that conduct to the client company”. The independence or non-independence of the members of the governing body and management gives an indication of “what pressures they are under”. Related to independence, an AP participant would identify, from the background checks, if any of the directors or other key personnel of the company is a “politically exposed person” who in terms of the Financial Intelligence Centre (2018) must be regarded as high-risk clients.

The AP participants would also consider parties related to management and related party transactions. Kohlberg and Mayhew (2017) agree that auditors should flag related party transactions because of the fraud risk attached to them. All the AP participants indicated that they would review the company group structure, while some would inspect the register of directors’ interests in contracts as well as the shareholders’ register to identify parties related to management. Other AP participants would verify related party relationships and transactions when performing background checks on the directors. The SI participants shared that many auditors went as far as selecting a sample of directors and performing an audit on the director and his/her family members in terms of shareholdings and directorships to identify related parties. The identified related parties would also be screened to determine if any of them might be a “politically exposed person”.

According to the SI participants, auditors would consider management’s attitude towards the control environment when assessing management’s integrity, which corresponds to Kizirian et al.’s (2005) view that the control environment is paramount in assessing the integrity of management. The SI participants further elaborated by stating that “…if managements’ …doing everything …, that’s normally the first place that the tone at the top is not right” because insufficient segregation of duties increases the risk of management override of controls and collusion. An AP participant confirmed that management override of controls and collusion are high-risk fraud factors in terms of ISA 240 (IAASB, 2009c). Furthermore, a few of the AP participants indicated that they would inspect the internal audit reports to determine whether management implemented the recommendations stated in such reports, thereby showing their commitment to enhancing internal controls – which is in line with ISA 315R (IAASB, 2013).

The AP participants further stated that they would consider the company’s policies for compliance with laws and regulations, including who is responsible for the implementation and monitoring of these policies and how they are implemented and monitored through inquiries from management, corroborated with inquiries from the company’s legal team. Furthermore, they would inquire from the relevant regulators of the company about any pending investigations and the outcomes of completed investigations. In addition, some of the AP participants indicated that the background checks performed would assist in determining whether the members of the board qualify to act as directors (RSA, 2008), with the appointment of people who do not qualify amounting to non-compliance with laws and regulations. The SI participants added that auditors would make inquiries of the directors to determine whether the company has a social and ethics committee in place, and if such a committee exists, what its role is and who the chairperson is (IODSA, 2016; RSA, 2008). It can be argued that if the social and ethics committee is responsible for the oversight of and reporting on the company’s organisational ethics (IODSA, 2016), it signifies not only compliance with laws and regulations but also the company’s commitment to an ethical culture. An AP participant further stated that he/she would consider if the directors have discharged their fiduciary duties in good faith (RSA, 2008).

Some of the AP participants indicated that they would also consider management’s attitude towards the application of policies and procedures, specifically related to the accounting of estimates and accruals. These AP participants would inquire of management as to what the company’s accounting processes and policies for the raising of estimates and accruals are. They would also determine if the estimates and accruals are reasonable or aggressive in nature. Decker et al. (2016) concur that a review of the accounting policies of a company provides the auditor with an indication of whether management is committed to the correct interpretation of accounting standards. Moreover, Fuller and Jensen (2002) point out that those members of top management who lack integrity tend to disregard the company’s policies and procedures. In addition, some AP participants would also consider how management are remunerated when evaluating their integrity. Ogola et al. (2016) support this finding as performance-based remuneration provides an incentive for management fraud.

The AP participants indicated that they would consider management’s attitude and behaviour towards and their relationship with the auditor. This finding is in accordance with Abdullatif’s (2013) view that management’s attitude and reactions toward the audit could give an indication of management’s level of integrity and could be a good indicator of fraud risk. The AP participants indicated that they would consider the manner in which management accept the auditor’s management letter, outlining errors and control weaknesses, and whether they are keen to “fix” errors encountered or whether they are offended and defensive. Another AP participant would evaluate how management agree to the audit fees which is in line with ISQC 1 (IAASB, 2009d), stating that managements’ attitude towards aggressively keeping the audit fee as low as possible might be a reflection of their integrity. A few of the AP participants described their relationship with management as a mixture of positive and negative aspects, with one of the AP participants warning that managers who agree with the auditor on everything should not be taken lightly, especially if what the auditor hears from them differs to what the auditor has observed. Another AP participant considered a “love/hate relationship” between management and the auditor as healthy.

Additionally, some of the AP participants indicated that they would consider the audit committee’s (responsible for overseeing financial reporting matters in line with the Companies Act (RSA, 2008) and the King IV Report (IODSA, 2016)), relationship with the auditor. They would consider whether they were invited to audit committee meetings allowing them to evaluate the audit committee’s governance role and influence over the financial reporting process. If not invited, “that’s a red flag” – as inviting the auditor to attend audit committee meetings implies good governance (IAASB, 2016b). Attending audit committee meetings provided the AP participants with an opportunity to engage with the audit committee in the presence of management. According to Sharma et al. (2008) the relationship between management and the audit committee portrays whether the audit committee will be able to act as an arbitrator when there are disagreements between management and the auditor. In addition, all the AP participants would determine whether the audit committee is willing to have a meeting with the auditor without management being present – as recommended by the King IV Report (IODSA, 2016). During such meetings, one of the AP participants stated that he will consider if there is an open relationship between him/her and the audit committee, with an open relationship demonstrating that management have no influence on the audit committee (ARCA, 2007).

Despite auditors being reliant on management to provide the necessary documents to enable them to obtain sufficient and appropriate audit evidence (Osemeke & Osemeke, 2017), according to most of the participants, it is imperative that information presented by the governing body and management is corroborated. An AP participant explained the importance of corroboration of client-supplied information “because that’s one thing about auditing, if they want to pull the wool over your eyes, management or whoever, they will do it. If there is proper collusion …, they can pull the wool over your eyes fairly easily… if your wits is not on”. Corroboration of information supplied by the governing body and/or management would be performed by inspecting minutes of board meetings, inquiries from the internal audit function, the audit committee and employees, and the disclosures made by the company in their integrated report, ensuring that the information corresponds to what the governing body and/or management have provided. Sneathen Jr et al. (2003) confirm that corroborated information increases the auditor’s trust in management and gives confidence to the auditor that client-supplied information is credible.

An AP participant aptly summarised the significance of an ethical culture in relation to a company’s tone at the top when stating: “the culture at the end of the day tends to be a reflection of the tone at the top”. The significance of an ethical culture as an element of a company’s tone at the top is supported by Lail et al. (2015) and concurred by IFAC (2007).

Most of the AP participants indicated that the starting point in assessing a company’s ethical culture is to inquire from management whether the company has a code of ethics in place as recommended by the King IV Report (IODSA, 2016), then requesting a copy of the code of ethics or inspecting the company’s website for its existence. Webley and Werner (2008) assert that the presence of a code of ethics shows that a company takes ethics seriously.

According to an AP participant the code of ethics must also be implemented in the conduct of the company: “It’s not good enough … just having a code”. This finding aligns with Sauser Jr (2013) and Schwartz (2004) who posit that the code must be implemented for it to be effective. One AP participant mentioned that he/she would assess whether the values infused in the code of ethics are effected when he/she considers if the code of ethics aligns to the company’s vision and mission statements and whether these statements incorporate the code of ethics in the goals and objectives outlined by the company. The SI participants added that some auditors would evaluate whether the values infused in the code of ethics are effected, by reviewing the ethical policy of the company and establishing if the code of ethics is implemented in the company’s strategic plans. Stevens (2008) points out that the code of ethics must be central to the company’s strategic decisions.

An AP participant revealed that he/she would inquire if employees were annually reminded of the code of ethics. Kaptein (2011) supports the importance of the auditor to determine if management communicates the code of ethics effectively to employees. For another AP participant, communicating the code of ethics alone is insufficient; he/she would also evaluate how effectively the Board convey the values embodied in the code of ethics to employees. Thus, if the code of ethics is not communicated properly and the governing body and management do not adequately convey the values embodied in the code of ethics, employees might not be aware of the ethical values of the company or might not perceive ethics as important.

Another AP participant mentioned that he/she would obtain an understanding of the recruitment policies and processes of a company to evaluate if the code of ethics has been incorporated in those policies and processes. The participant would determine if the human resources division conducted background checks on potential employees. This is in line with Sauser Jr’s (2005) recommendation that a company should investigate if potential employees have a high moral standing. In addition, an AP participant indicated that he/she would review a sample of employment letters to determine if reference is made to the company’s code of ethics or ethical values when hiring employees. The SI participants added that auditors would also consider if employees were trained on the code of ethics. Furthermore, some of the AP participants mentioned that they would determine whether the company recruits employees through proper recruitment channels.

The implementation of a code of ethics should not be about the governing body and management “paying lip service” to a code of ethics, therefore the AP participants stated that auditors would inquire from the employees if there is a whistleblowing line in place to report non-compliance with the code of ethics or fraud and whether the employees feel comfortable reporting non-compliance without the fear of being prejudiced against, which is in line with the King IV Report (IODSA, 2016). Furthermore, the AP participants mentioned that auditors would determine the effectiveness of the whistleblowing process. Some of them would determine if the audit committee or someone independent of management receives the whistleblowing reports, thereby minimising the risk of concealing unethical behaviour. According to an AP participant, if the whistleblowing reports are correctly handled, “it’s actually a very powerful tool”.

The AP participants stated that auditors would perform a tone-at-the-top assessment before accepting or continuing with an audit engagement and during an audit which is in line with ISA 315R (IAASB, 2013). However, according to the SI participants, auditors placed greater emphasis on tone-at-the-top assessments during the pre-engagement phase of the audit – as opposed to during the audit planning phase. One of the SI participants stated that “sometimes you would see one sentence … we had discussions (with management) and nothing has come to light” as evidence of an auditor’s assessment of a company’s tone at the top during the planning phase of an audit in the audit file. The SI participants ascribed this to the fact that subsequent to assessing the company’s tone at the top as part of their client acceptance and continuance procedures, auditors assume that they possess the necessary knowledge of the company’s tone at the top. Some of the AP participants explained that despite considering a company’s tone at the top throughout the entire audit, they did not complete a specific document entitled “evaluation of management integrity or tone at the top” as part of their audit file. The SI participants acknowledged that the standards are not prescriptive on the documentation of tone-at-the-top assessments but emphasised that tone-at-the-top assessments should be performed during the planning of an audit. Whereas the AP participants stated that auditors’ experience with a client would be taken into account when assessing the company’s tone at the top, ISA 240 (IAASB, 2009c) cautions that even if management and those charged with governance have been honest and ethical in the past, the auditor should remain alert that circumstances may change.

Despite being assisted by an audit team, the AP participants agreed that the audit engagement partner would be ultimately responsible for the tone-at-the-top assessment. Research supports that the audit engagement partner is deemed to possess the required level of experience and knowledge of the company (Carpenter & Reimers, 2013; Dennis & Johnstone, 2018). The AP participants further stated that auditors would perform tone-at-the-top assessments according to the auditing methodology used by their auditing firms, which is aligned to the ISAs, thus implying that their procedures to assess a company’s tone at the top would be performed according to the ISAs. Nevertheless, the SI participants expressed concern about the fact that the audit files seemed to contain minimal evidence of audit engagement partner involvement in tone-at-the-top assessments.

The findings from the study provided four main insights. First, the research indicated that ethical leadership would be assessed by gaining an understanding of management’s attributes, their attitude towards controls and compliance, and their relationship with the auditor, corroborating management-supplied information. Second, the research indicated that an ethical organisation culture would be assessed by determining if a code of ethics not only existed but was implemented and enforced by an effective whistleblowing process. Third, despite assessing a company’s tone at the top before accepting or continuing with an audit engagement, and throughout an audit, it seemed that greater emphasis is placed on tone-at-the-top assessments during pre-engagement compared to during the audit, probably due to better documentation of the assessments during the pre-engagement phase than during the audit. Fourth, the audit files generally contained limited evidence of audit engagement partners being involved in tone-at-the-top assessments despite the participants acknowledging that such assessments were ultimately his/her responsibility and that the relevant decisions were affected by the professional judgement and scepticisms of the audit engagement partner. Hence, indicating shortcomings in documenting tone-at-the-top assessments.

The study set out to understand how auditors assess a company’s tone at the top, as an integral component of audit risk which is a significant part of forming an audit opinion (as required by the Companies Act, the JSE Regulations, and the APA). The study adopted the lens offered by the stakeholder theory, meaning if auditors do not appropriately assess a company’s tone at the top (ethical leadership and ethical culture), their opinion on the companies’ financial statements could be undermined, which in turn would mean that the company and its stakeholders would not receive the required protection. Our findings contribute to the existing body of knowledge by specifically examining how auditors assess a company’s tone at the top for selected listed companies, which is an under-researched area.

Given the limited practical guidance on how these assessments should be done, the study observations provide important insights that could be useful to auditing firms in enhancing their audit methodologies and training programmes on assessing a company’s tone at the top and the documentation thereof specifically during the planning of an audit and to evidence audit engagement partner involvement. In addition, the findings may inform the audit regulatory body in providing best-practice guidelines for auditors on the assessment of a company’s tone at the top and provide a benchmark against which revised standards related to tone-at-the-top assessments can be measured. Despite its South African orientation, the study’s findings have global relevance, since the methods and procedures to assess a company’s tone at the top should adhere to the ISAs.

A limitation of the study is that it was confined to the examination of how the auditors of the Top 40 JSE-listed companies assess these companies’ tone at the top. Further research should therefore be undertaken on auditing firms of other listed companies to understand the extent to which these auditors’ assessment of a company’s tone at the top were similar. Future research could also include a comparison of how the assessment of a company’s tone at the top differs in various jurisdictions and after the implementation of the revised ISA 315 (IAASB, 2019), ISA 220 (IAASB, 2020a), ISQM 1 (IAASB, 2020b) and ISQM 2 (IAASB, 2020c).

This study found that auditors were perceived to place greater emphasis on tone-at-the-top assessments before accepting or continuing with an audit engagement than during the performance of an audit. An area for future research could be to explore if the perceived emphasis on tone-at-the-top assessments before accepting or continuing with an audit engagement could be ascribed to better documentation of these assessments.