COSO Committee of Sponsoring Organizations of the Treadway Commission
Principle 1: The organization demonstrates a commitment to integrity and ethical values.
The following points of focus highlight important characteristics relating to this principle:
- Sets the Tone at the Top—The board of directors and management at all levels of the entity demonstrate through their directives, actions, and behavior the importance of integrity and ethical values to support the functioning of the system of internal control.
- Establishes Standards of Conduct—The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity's standards of conduct and understood at all levels of the organization and by outsourced service providers and business partners.
- Evaluates Adherence to Standards of Conduct—Processes are in place to evaluate the performance of individuals and teams against the entity's expected standards of conduct.
- Addresses Deviations in a Timely Manner—Deviations from the entity's expected standards of conduct are identified and remedied in a timely and consistent manner.
Management and the board of directors (fn 9) are expected to lead by example in developing values, a philosophy, and an operating style for the organization. They take into account the expectations of the entity's various stakeholders, such as employees, suppliers, customers, investors, and the wider community. Further, they are influenced by the social and ethical norms in the markets where the entity operates. In addition to fostering an understanding of and adherence to legal and regulatory requirements, management and the board take specific measures to set the tone in terms of moral, social, environmental, or other forms of responsible conduct, such as greenhouse gas emissions reporting, sustainable production processes, or community outreach after natural disasters. The resulting expectations are expressed to varying degrees of formality in the form of:
- Mission and values statements
- Standards or codes of conduct
- Policies and practices
- Operating principles
- Directives, guidelines, and other supporting communications
- Actions and decisions of management at various levels and of the board of directors
- Attitudes and responses to deviations from expected standards of conduct
- Informal and routine actions and communication of leaders at all levels of the entity
These elements reflect the expectations of integrity and ethical values and the degree to which they are applied in decisions made at all levels of the organization, by outsourced service providers, and by business partners (e.g., joint venture partners, strategic alliances). They articulate and reinforce the commitment to doing what is right, not just what complies with laws and regulations, so that these priorities are understood and embraced across the organization. The degree to which these expectations are not only communicated but also applied by senior management and the board as well as all other levels of leadership within the organization characterizes the tone at the top and throughout the organization.
Tone is impacted by the operating style and personal conduct of management and the board of directors, attitudes toward risk, and positions, which may be conservative or aggressive (e.g., position on estimates, policy choices), and degree of formality (e.g., in a smaller family business, controls may be more informal), all of which send a message to the organization. Personal indiscretions, lack of receptiveness to bad news, or unfairly balanced compensation practices could impact the culture and ultimately provide an incentive for inappropriate conduct. In contrast, a history of ethical and responsible behavior by management and the board of directors and demonstrated commitment to addressing misconduct send strong messages in support of integrity. Employees are likely to develop the same attitudes about right and wrong—and about risks and controls—as those shown by management. Individual behavior is often influenced by the knowledge that the chief executive officer has behaved ethically when faced with a tough business-based or personal decision, and that all managers have taken timely action to address misconduct.
A consistent tone from the board and senior management through to operating unit management levels helps establish a common understanding of the values, business drivers, and expected behavior of employees and partners of the organization. This includes the various layers and divisions sometimes referred to as "tone in the middle" in larger organizations. Such consistency helps pull the organization together in the pursuit of the entity's objectives. Challenges to such consistency can arise in various forms. For instance, different markets may call for different motivational approaches, different degrees of evaluation of suppliers, and different customer service levels—how management responds to such pressures can create different tones at different levels of the organization. The messages from management about what is or is not acceptable may vary to address particular challenges at those different levels, but the more they remain consistent with the tone at the top, the more homogenous the performance of internal control responsibilities in the pursuit of the entity's objectives will be.
In some cases, the tone set by the chief executive may result in unintended consequences. Consider, for example, a management team that readily modifies the entity's standard contractual terms to compete in the local business environment. While such modification may be seen as positive for purposes of satisfying customer needs and generating revenue—for instance getting products to customers faster—it may be detrimental to the achievement of other objectives, such as complying with product safety standards, quotas, fair sales practices, or other requirements. Clear guidance and direction from the top, as well as congruence across different levels of management, facilitate the achievement of the entity's objectives.
Tone at the top and throughout the organization is fundamental to the functioning of an internal control system. Without a strong tone at the top to support a strong culture of internal control, awareness of risk can be undermined, responses to risks may be inappropriate, control activities may be ill defined or not followed, information and communication may falter, and feedback from monitoring activities may not be heard or acted upon. Therefore tone can be either a driver or a barrier to internal control.
Standards of conduct guide the organization in behavior, activities, and decisions in the pursuit of objectives by:
- Establishing what is right and wrong
- Providing guidance for navigating what lies in between, considering associated risks
- Reflecting governing laws, rules, regulations, standards, and other expectations that the organization's stakeholders may have, such as corporate social responsibility
Ethical expectations, norms, and customs can vary across borders. Management and the board of directors or equivalent oversight body establish the standards and mechanisms for the organization to understand and adhere to doing what is right, and define the process and resources for interpreting and addressing the potential for deviations. These expectations are translated into an organizational statement of beliefs, values, and standards of conduct.
The organization demonstrates its commitment to integrity and ethical values by applying the standards of conduct and continually asking challenging questions, particularly when faced with difficult decisions. For example, it might ask: Does it infringe on the organization's standards of conduct? Is it legal? Would we want our shareholders, customers, regulators, suppliers, or other stakeholders to know about it? Would it reflect negatively on the individual or the organization?
Integrity and ethical values are core messages in the organization's communications and training. For example, a company that regularly receives awards for "best places to work" and achieves high employee retention rates typically provides training on corporate ethical values and organizational culture, with the support of senior management and the board. The training sessions are conducted quarterly or biannually depending on the number of new employees hired. During such training, employees learn how the ethical climate has developed in the organization. In addition, employees are provided with examples of how integrity and ethical values have assisted in identifying issues and solving problems and the importance of speaking up and raising concerns.
The organization's standards of conduct are regularly communicated and reinforced not only to all levels of the organization but also to outsourced service providers. For example, enforcing internal control for compliance with product safety standards extends beyond the entity to include joint venture partners, suppliers, sales distributors, and other outsourced service providers at all locations.
Management retains ultimate accountability for activities it delegates through legal or contractual arrangements to outsourced service providers. Variables that can affect the extent of communications, oversight, and other activities needed to ensure that outsourced service providers and business partners adhere to the entity's standards of conduct include:
- The nature of services outsourced
- Extent of alignment of the service provider's standards of conduct with those of the entity
- Quality and frequency of the service provider's reinforcement and oversight of adherence to standards of conduct by its personnel
- Magnitude and level of complexity of the entity's supply chain and business model
Inappropriate conduct by outsourced service providers or business partners can reflect negatively on senior management and impact the entity itself by causing harm to customers, other stakeholders, or the reputation of the organization, requiring costly corrective action. Therefore management retains responsibility for the performance of processes that it has delegated to outside service providers or business partners.
The established standards of conduct provide the basis for evaluating adherence to integrity and ethical values across the organization and its outsourced service providers. They are communicated through the organization's policies and practices, and employment or service contracts. Some organizations require formal acknowledgment of receipt and compliance with such standards. To be sure that the standards are being followed in practice, the actions, decisions, and attitudes of individuals are evaluated by management or an independent party.
The lack of adherence to standards of conduct often stems from situations such as:
- Tone at the top that does not effectively convey expectations regarding adherence to standards
- A board of directors that does not provide impartial oversight of senior management's adherence to standards
- High decentralization without adequate oversight, leaving senior management unaware of actions taken at lower levels
- Coercion by superiors, peers, or external parties to cut corners or engage in fraud or other illicit behavior
- Performance goals that create incentives or pressures to compromise ethical behavior
- Inadequate channels by which employees can safely voice questions and concerns
- Failure to address non-existent or ineffective controls, which allow opportunities to conceal poor performance
- Inadequate process for the investigation and resolution of alleged misconduct
- A weak internal audit function that does not have the ability to detect and report improper conduct
- Penalties for improper conduct that are inconsistently applied, insignificant, or unpublicized and thus lose their deterrent value
For example, standards of conduct may prohibit practices that could be perceived as collusion to fix prices, but the organization must establish mechanisms to enforce standards, such as awareness communications and training, scanning market pricing activity to identify potential issues, and other measures to prevent or detect a deviation from the organization's standards of conduct. The organization communicates established tolerance levels for deviations. Depending on the significance of the impact to the organization, the level of remedial action may vary but is applied consistently across the organization. Evaluations of individual and team adherence to standards of conduct are part of a systematic process for escalation and resolution of exceptions. The process requires that management:
- Define a set of indicators (e.g., training completion rates, results of monitoring activities, breaches of confidentiality, collusion with other market participants, harassment cases) to identify issues and trends related to the standards of conduct for the organization, including its outsourced service providers. Such indicators are revisited periodically and refined as necessary to help raise potential issues early or before they repeat themselves.
- Establish continual and periodic compliance procedures to confirm that expectations and requirements are being met both internally and by outsourced service providers.
- Identify, analyze, and report business conduct issues and trends to senior management and the board of directors. Mechanisms for identifying issues include direct reporting lines, human resource functions, and hotlines. Analysis often requires cross-functional teams to determine the root cause and what corrective actions are needed.
- Consider the strength of leadership in the demonstration of integrity and ethical values as an evaluated behavior in performance reviews, compensation, and promotion decisions.
- Compile allegations centrally and have these evaluated by individuals independent of the allegation.
- Conduct and document investigations based on defined investigation protocols.
- Follow through on implementing corrective actions so that issues are remedied in a timely and consistent manner.
- Periodically analyze issues to identify trends and root causes, sometimes calling for modification of policy, communications, training, or controls.
Evaluations may be conducted by an ongoing management process and/or by an independent party. Individuals can also assess and report irregularities through formal and informal communication channels, such as a whistle-blowing program, an ethics hotline, upward feedback processes, and regular staff meetings.
Deviations from expected standards of conduct are addressed in a timely and consistent manner. Depending on the severity of the deviation determined through the evaluation process, management may take different actions and may also need to consider local laws, but the standards to which it holds employees remain consistent. Depending on the severity of the deviation, the employee may be issued a warning and provided coaching, put on probation, or terminated.
fn 9: The Framework uses the term "board of directors," which encompasses the governing body, including board, board of trustees, general partners, owner, or supervisory board.
Generated November 9, 2014 22:46:48