Tone at the Top

The “tone at the top” requirement means your board and senior leaders must visibly model integrity and ethical behavior, and back it up with concrete directives, decisions, and accountability that reach every level of the organization (COSO IC-IF (2013)). To operationalize it quickly, document leadership expectations, embed them in governance and performance, and keep evidence that leaders act consistently when pressure, revenue, or speed conflict with ethics.

Key takeaways:

  • Tone at the top is an operational control: leadership behavior must be consistent, repeatable, and evidenced (COSO IC-IF (2013)).
  • Auditors look for alignment between messaging, incentives, decision-making, and disciplinary actions.
  • Your fastest path is an “evidence pack” that ties board oversight, executive actions, and employee accountability into one traceable record set.

“Tough on paper, soft in practice” is how tone at the top fails. Many programs have a Code of Conduct, annual training, and a hotline. Examiners and auditors still flag the control environment because leadership behavior does not match leadership messaging, or because the organization cannot prove it does.

COSO frames tone at the top as a control environment expectation: integrity and ethical values must be demonstrated by the board and management “through their directives, actions, and behavior” (COSO IC-IF (2013)). That wording matters. “Directives” points to governance, policies, and communications. “Actions” points to decisions, resource allocation, and consequences. “Behavior” points to what leaders tolerate, reward, and personally do.

For a CCO, GRC lead, or Compliance Officer, the practical goal is simple: you need a small set of mechanisms that force ethical expectations into day-to-day management, plus durable evidence that the mechanisms operate. This page shows exactly what to build, who owns it, what artifacts to retain, and how to pass the “prove it” questions.

Framework text

COSO Principle 1, point of focus “Sets the Tone at the Top” (excerpt): “The board of directors and management, at all levels, demonstrate through their directives, actions, and behavior the importance of integrity and ethical values.” (COSO IC-IF (2013))

Plain-English interpretation

You must be able to show that leaders:

  1. Set expectations for integrity and ethical conduct (directives),
  2. Make decisions consistent with those expectations (actions), and
  3. Personally model the behavior and reinforce it across the org (behavior) (COSO IC-IF (2013)).

A key operational nuance: “at all levels” means it cannot stop with the CEO. You need evidence that tone is carried by the executive team and reinforced by mid-level leaders who control hiring, promotions, deal approvals, customer concessions, third-party selection, and issue escalation.

Operator test: If a reviewer asks, “Show me a time leadership chose ethics over convenience,” you should have multiple examples with records, not stories.

Who it applies to

This requirement applies broadly to organizations using COSO’s Internal Control–Integrated Framework as a basis for internal control design or assessment (COSO IC-IF (2013); COSO Internal Control guidance page).

Typical operational contexts

  • Public companies / SOX environments: tone at the top supports reliable financial reporting and reduces management override risk (COSO IC-IF (2013)).
  • Regulated financial services and fintechs: tone at the top is often tested through escalation handling, customer treatment, third-party oversight, and remediation discipline.
  • Healthcare, insurance, and other highly regulated operators: leadership behavior is examined through how the company responds to incidents, complaints, and corrective actions.
  • High third-party dependence: tone shows up in whether leadership funds due diligence, rejects risky third parties, and enforces contract controls when delivery teams push back.

What you actually need to do (step-by-step)

Treat tone at the top as a control set with named owners, routines, and evidence. Build it so it survives leadership turnover.

Step 1: Define the non-negotiables leaders are accountable for

Create (or refresh) a short set of leadership commitments that connect integrity to operational decisions:

  • Conflicts of interest disclosure and recusal expectations
  • Zero tolerance categories (fraud, bribery, retaliation, material misstatement)
  • Expectations for truthful reporting, including “bad news travels fast”
  • Commitment to fund remediation and stop-the-line authority

Artifacts

  • Board-approved Code of Conduct and ethics statement
  • Executive “integrity commitments” memo (one page, dated, signed)
  • Leadership meeting minutes showing approval or reaffirmation

Step 2: Assign governance and oversight with a clear cadence

Tone at the top needs oversight that is routine enough to be provable:

  • Board (or committee) agenda items that cover ethics, hotline trends, investigations, and remediation status
  • Executive compliance/risk committee with documented decisions and follow-ups
  • Defined escalation paths for “pressure” situations (revenue, deadlines, executive requests)

Artifacts

  • Board/committee charters referencing ethics and integrity oversight
  • Board/committee packets and minutes showing ethics topics discussed
  • Escalation procedure and log of escalations (sanitized where needed)

Step 3: Make leadership communications auditable (not just inspirational)

You need repeatable communications that tie ethics expectations to real operations:

  • CEO/GM quarterly message linking integrity to performance expectations
  • Leader talking points for managers before key risk cycles (sales comp changes, product launches, year-end close, major third-party onboarding)
  • “What good looks like” examples (approved deals that walked away from risky terms, paused launch due to control gaps)

Artifacts

  • Email copies, all-hands recordings, intranet posts (dated)
  • Manager toolkits and distribution records
  • Evidence employees received the message (attestations, LMS campaign completion, meeting rosters)

Step 4: Align incentives, performance management, and consequences

This is where programs fail. If incentives reward speed and revenue without guardrails, the tone becomes “results first.”

  • Add a documented integrity component to performance reviews for leaders and people managers.
  • Require leaders to attest they did not direct control bypasses or suppress issues.
  • Apply consistent discipline for violations, including senior personnel, with documented rationale.

Artifacts

  • Performance review templates showing integrity/values criteria
  • Executive attestations (conflicts, anti-retaliation, accurate reporting)
  • Disciplinary action decision records (HR/compliance summaries; protect privilege appropriately)

Step 5: Prove middle-management reinforcement (“tone in the middle”)

COSO’s language includes “management, at all levels” (COSO IC-IF (2013)). Build a manager reinforcement layer:

  • Manager training focused on escalation, anti-retaliation, conflicts, third-party engagement, and documentation
  • Required “speak up” moments in team meetings (structured prompts)
  • Spot checks: ask employees whether managers reinforce the message and whether raising issues feels safe

Artifacts

  • Manager training completion records
  • Team meeting agendas or attestations (lightweight but consistent)
  • Survey results and action plans (report themes and the remediation actions taken rather than raw scores)

Step 6: Build the “Tone at the Top Evidence Pack”

Make audit and exam requests easy. Maintain a living folder (or GRC system record) organized by:

  • Governance (board/committee oversight)
  • Leadership communications
  • Incentives and accountability
  • Escalations and outcomes
  • Hotline/investigations oversight and remediation governance

Daydream can help by structuring the evidence pack as a requirement record with mapped artifacts, owners, and review tasks, so the proof stays current and survives staff turnover.

Required evidence and artifacts to retain (audit-ready)

Use this as your minimum checklist:

Evidence category      What to retain                                                                 Owner
Board oversight        Agenda, materials, minutes showing ethics/integrity topics                     Corporate Secretary / Legal
Executive governance   Compliance/risk committee charter, minutes, action tracker                     Compliance / ERM
Leader communications  All-hands recordings, CEO messages, manager talking points                     Comms / Compliance
Accountability         Performance review criteria, leader attestations, discipline summaries         HR / Compliance
Escalation proof       Escalation policy, escalation log, decisions and approvals                     Compliance / Ops
Speak-up culture       Non-retaliation policy, investigation process overview, remediation tracking   Compliance / HR

Keep retention consistent with your corporate record retention schedule.

Common exam/audit questions and hangups

Expect these “prove it” questions:

  • “Show me where the board oversees ethics and integrity.” (COSO IC-IF (2013))
  • “How do you know senior leaders follow the same rules as everyone else?”
  • “What happens when a top performer violates policy? Show records.”
  • “How do you prevent retaliation? Show escalation routes and outcomes.”
  • “How do leaders respond to control issues: defer, fund, or fix?”

Common hangup: teams provide policies and training completions, but no evidence of leadership decisions that reflect integrity tradeoffs. Another hangup is privilege confusion. Decide up front which investigation records are privileged and which operational metrics and governance summaries can be shared.

Frequent implementation mistakes and how to avoid them

  1. Mistake: Treating tone as messaging-only.
    Fix: require governance decisions, documented escalations, and performance consequences that match the message (COSO IC-IF (2013)).

  2. Mistake: CEO evidence without “all levels” evidence.
    Fix: create manager reinforcement artifacts: toolkits, meeting prompts, and manager attestations (COSO IC-IF (2013)).

  3. Mistake: Incentives contradict ethics.
    Fix: add integrity criteria to promotions and bonuses for leaders, with documented review.

  4. Mistake: No audit trail for uncomfortable decisions.
    Fix: keep decision memos for “walk-away” deals, launch delays, third-party rejections, and remediation funding approvals.

  5. Mistake: Over-collecting weak evidence.
    Fix: keep fewer artifacts, but make them high-signal: minutes, action trackers, decision records, and accountability outcomes.

Enforcement context and risk implications

This page does not cite specific public enforcement actions for this requirement; COSO is a framework, not a regulator, and the risks below are operational rather than penalty-driven.

Operationally, weak tone at the top increases risk in predictable ways:

  • Control override risk: leaders bypass controls under pressure, undermining the internal control environment (COSO IC-IF (2013)).
  • Retaliation and silence risk: issues stay buried until they become incidents.
  • Third-party risk acceptance drift: the business normalizes exceptions without documented risk acceptance and board visibility.
  • Financial reporting and disclosure risk: integrity failures often correlate with misstatements and poor remediation discipline in COSO-based assessments (COSO IC-IF (2013)).

Practical execution plan (30/60/90-day)

Use this sequence if you need to move quickly; adjust it to your governance calendar.

First 30 days (stabilize and document)

  • Name an executive owner (often CEO/COO) and a compliance owner for the evidence pack.
  • Gather existing artifacts: Code of Conduct, board minutes, committee charters, leadership messages.
  • Create the Tone at the Top Evidence Pack structure and assign artifact owners.
  • Add tone-at-the-top topics to the next board/committee agenda and exec risk/compliance committee agenda (COSO IC-IF (2013)).

Days 31–60 (embed into operating rhythms)

  • Implement leader attestations (conflicts, non-retaliation, accurate reporting).
  • Add integrity criteria to leader performance templates (HR partnership).
  • Publish manager talking points and require manager reinforcement touchpoints for high-risk cycles.
  • Establish an escalation log with a simple taxonomy (issue type, decision, approver, remediation owner).

Days 61–90 (test and harden)

  • Run a tabletop: “sales pressure scenario,” “third-party exception scenario,” and “incident disclosure scenario.” Capture decisions and gaps.
  • Sample check: pick a few escalations and verify documentation, timeliness, and remediation closure.
  • Present a concise board update: themes, actions taken, and open remediation items (COSO IC-IF (2013)).
  • Lock the ongoing cadence: quarterly evidence refresh and an annual effectiveness review aligned to COSO control environment assessment (COSO IC-IF (2013); COSO Internal Control guidance page).
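The days 61–90 sample check (“verify documentation, timeliness, and remediation closure”) and the days 31–60 escalation-log taxonomy can be turned into a repeatable script rather than a manual file review. The following is an added example, not code from this page or from Daydream. It assumes an escalation log exported as CSV with the taxonomy columns named above (issue type, decision, approver, remediation owner) plus raised_on, closed_on and an optional rationale column; the 30-day closure window is an illustrative assumption, not a COSO figure, and should come from your own escalation procedure. The sample log rows are constructed for the example.

```python
"""Escalation-log sample check (added example; not code from the page or from Daydream).

Assumes an export whose columns follow the taxonomy in the plan (issue type,
decision, approver, remediation owner) plus raised_on / closed_on dates and an
optional rationale column. The 30-day closure window is an illustrative
assumption, not a COSO figure; set it from your own escalation procedure.
"""
import csv
import io
from datetime import date, timedelta

# Fields every escalation must carry to count as "documented".
REQUIRED_FIELDS = ("id", "raised_on", "issue_type", "decision",
                   "approver", "remediation_owner")

# Constructed sample export: four escalations with deliberate gaps.
SAMPLE_LOG = """\
id,raised_on,issue_type,decision,approver,remediation_owner,closed_on,rationale
ESC-001,2024-01-08,sales pressure,reject,CFO,Sales Ops,2024-01-15,Discount outside policy; declined
ESC-002,2024-01-10,third-party exception,accept,COO,Procurement,2024-01-20,
ESC-003,2024-01-12,control bypass request,reject,,Finance,,
ESC-004,2024-02-01,incident disclosure,escalate to board,GC,Legal,,Disclosure timeline under review
"""


def _to_date(value):
    """Parse an ISO date, or return None for a blank cell."""
    value = (value or "").strip()
    return date.fromisoformat(value) if value else None


def check_entry(row, as_of, sla_days):
    """Return the list of problems found in one escalation record.

    Three tests, matching the plan's sample check: documentation (required
    fields present), timeliness (closed, or still open, within the window)
    and remediation closure. A risk acceptance with no written rationale is
    also flagged, since undocumented acceptance is the drift the page warns about.
    """
    problems = []
    for name in REQUIRED_FIELDS:
        if not (row.get(name) or "").strip():
            problems.append(f"missing {name}")

    raised = _to_date(row.get("raised_on"))
    closed = _to_date(row.get("closed_on"))
    if raised is not None:
        deadline = raised + timedelta(days=sla_days)
        if closed is None and as_of > deadline:
            problems.append(f"open {(as_of - raised).days} days, past {sla_days}-day window")
        elif closed is not None and closed > deadline:
            problems.append(f"closed late after {(closed - raised).days} days")

    decision = (row.get("decision") or "").strip().lower()
    if decision == "accept" and not (row.get("rationale") or "").strip():
        problems.append("risk accepted without written rationale")
    return problems


def review_log(csv_text, as_of, sla_days=30):
    """Check every row of a CSV export; return flagged entries and a per-type summary."""
    as_of_date = date.fromisoformat(as_of)
    flagged = {}
    summary = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        problems = check_entry(row, as_of_date, sla_days)
        issue_type = (row.get("issue_type") or "unclassified").strip()
        bucket = summary.setdefault(issue_type, {"total": 0, "open": 0, "flagged": 0})
        bucket["total"] += 1
        if _to_date(row.get("closed_on")) is None:
            bucket["open"] += 1
        if problems:
            bucket["flagged"] += 1
            flagged[row.get("id") or "<no id>"] = problems
    return {"flagged": flagged, "summary": summary}


def run_sample():
    """Run the check over the constructed sample as of 2024-03-01."""
    return review_log(SAMPLE_LOG, as_of="2024-03-01", sla_days=30)


if __name__ == "__main__":
    result = run_sample()
    for esc_id, problems in result["flagged"].items():
        print(esc_id, "->", "; ".join(problems))
    for issue_type, counts in result["summary"].items():
        print(issue_type, counts)
```

Run against the real export before a board update: the flagged list is the set of escalations a reviewer would pull in a sample, and the per-type summary (total, open, flagged) is the kind of qualitative theme the page recommends reporting instead of raw hotline counts. Keep the output alongside the log as evidence that the sample check ran.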

Frequently Asked Questions

Do we need a separate “tone at the top policy”?

Usually no. Auditors care more about governance routines and evidence that leaders act consistently than a standalone policy (COSO IC-IF (2013)). If you create a document, keep it short and tie it directly to performance, escalation, and oversight artifacts.

What’s the minimum evidence to satisfy an auditor?

Keep board/committee minutes showing ethics oversight, records of leadership communications, and proof of accountability (performance criteria and discipline summaries) (COSO IC-IF (2013)). Add a small set of documented “integrity tradeoff” decisions to show it operates under pressure.

How do we show “at all levels” without boiling the ocean?

Focus on people managers. Require manager training, distribute talking points, and collect lightweight attestations or meeting records that show reinforcement happened (COSO IC-IF (2013)). Validate with targeted interviews during audits.

How should tone at the top connect to third-party risk management?

Require leadership approval for high-risk third-party exceptions and keep the written rationale and compensating controls. If leaders routinely override due diligence steps, your tone at the top evidence will contradict your third-party control design.

Our investigations are privileged. What can we show auditors?

You can still show governance: hotline volume themes (qualitative), investigation process documentation, decision authorities, and remediation tracking without disclosing privileged details. Coordinate with counsel on a “shareable summary” format.

How can Daydream help without turning this into a big tool rollout?

Use Daydream as the system of record for the requirement: owners, review cadence, and a mapped evidence pack. Start by attaching the artifacts you already have, then add the missing pieces as tasks.

