In Brief

What does management do when a star employee violates company policy? If management lets a star employee get away with such violations, how will this affect average employees? The authors published an academic study examining these issues in 2018; in this article, the authors discuss its implications for CPAs. In the long term, lenience with star employees can lead to average employees being more likely to get away with similar ethical violations, greatly weakening the control environment and increasing fraud risk.


Star employees provide their employers with a range of benefits from their exceptional performance, including greater organizational effectiveness and efficiency. However, sometimes such stars violate company policy or engage in occupational fraud, which the Association of Certified Fraud Examiners (ACFE, Report to the Nations on Occupational Fraud and Abuse, 2020, p. 6) defines as “the use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets.” Such situations prompt difficult decisions about how stars should be disciplined.

In the short run, the logic behind letting star employees get away with certain infractions may seem quite compelling. However, this short-term decision could have important longer-term consequences. In particular, how might management respond if an average employee were to commit a similar violation in the future? Would management treat the average employee differently than the star, or would the average employee also be likely to get away with it because of the apparent lenient precedent that had been set? If the average employee also gets away with this type of behavior, what impact would this normalization of unethical behavior have on the company’s control environment [Committee of Sponsoring Organizations of the Treadway Commission (COSO), Internal Control–Integrated Framework: Framework and Appendices, 2013] and fraud risk?

In the sections below, the authors describe their research on these issues; then they develop implications for CPAs in corporate or not-for-profit settings and CPAs in auditing.

The 2018 Academic Study

The authors published (with a third coauthor) an academic study on management’s handling of ethical violations by star employees and average employees (Scot E. Justice, Jeffrey R. Cohen, and Dana R. Hermanson, “Star Employee Occupational Fraud: Treatment and Subsequent Effects,” Journal of Forensic and Investigative Accounting, 2018, vol. 10, no. 3, pp. 294–315). In the 2018 study, the authors built on some older research in the sales field to examine two key questions in non-sales settings: 1) Are star employees treated differently than average employees when they engage in occupational fraud? and 2) How are average employees treated for ethical violations when a star employee previously got away with a similar violation or was punished for the violation? Across the two experiments, the authors focused on how treatment of stars in one period could affect the treatment of average employees in the future. The sections below describe the two experiments and related results.

Experiment 1: Are Stars Treated Differently?

The first experiment in the 2018 study examined whether managers believe that most managers they have worked with would treat stars more leniently than average employees in occupational fraud cases. The authors focused on “most managers” to avoid bias issues with asking what participants would do themselves.

In Experiment 1, the authors sampled 119 managers using a case scenario where a star or average employee used a company credit card to purchase jewelry for personal use. The magnitude of the act was either $500 (small) or $5,000 (large). The authors measured the discipline intensity response on a scale anchored with “do nothing” and “terminate” the employee. The tolerance response was measured by a scale anchored with other managers who were “not likely” and “very likely” to tolerate the act.

The authors found that the participants believe that most managers will respond to a star employee’s occupational fraud with greater tolerance and less discipline than when the act is perpetrated by an average employee. Furthermore, larger acts generate greater discipline than smaller acts; thus, the authors provided experimental evidence that stars can get away with more than average employees can.

Experiment 2: How Does Treatment of Stars Affect the Future Treatment of Others?

The second experiment in the 2018 study examined the effect of strict or lenient treatment of a star on the subsequent decisions a manager makes when an average employee perpetrates a similar act of occupational fraud. In Experiment 2, 108 different managers assumed the role of a manager who had been previously directed by the CEO to either discipline or not discipline a star employee who perpetrated occupational fraud. Subsequently, an average employee perpetrates a similar act of occupational fraud. As with the first study, the magnitude of the act was $500 or $5,000.

The authors found that managers are less severe in their discipline of an average employee, and are more likely to tolerate the act, if a star had been allowed to get away with a similar act previously. This indicates that allowing a star employee to engage in occupational fraud influences the discipline of, and tolerance for, average employees who subsequently engage in similar occupational frauds. The authors also found that larger acts resulted in more intense discipline. Thus, this experiment provided evidence that lenient treatment of a star in one period can lead to more lenient treatment of an average employee in a future period.

Implications for CPAs

The authors’ 2018 academic research suggests that if a star employee gets away with occupational fraud, the foreseeable progression shown in the Exhibit is likely. The lenient treatment of star employees can set an observable precedent. This lenient treatment of stars becomes a key consideration when an average employee engages in a similar act. Managers have to decide between punishing the average employee (thereby treating different employees differently) or treating the average employee the way the star was treated before.


Exhibit: Progression of Lenient Treatment

What happens when average employees get away with the same unethical acts as stars? The organization effectively has defined these unethical acts as normal and acceptable. Overriding normal punishment for star employees, and then average employees, reduces the power of “perception of detection” that is thought to deter employees from perpetrating unethical behavior (ACFE, p. 32). If punishment is unlikely, then detection becomes a less important consideration for the perpetrator.

A likely end to the story is that, as average employee occupational fraud also is tolerated, many other employees quickly learn the “new rules.” Lenient treatment of ethical violations spreads, and others behave unethically; the standards of behavior are permanently altered, and bad behavior spreads. Consistent with this notion, Robert Sutton (“Memo to the CEO: Are You the Source of Workplace Dysfunction?”, The McKinsey Quarterly, 2017, no. 4, pp. 102–111) cautions businesspeople to “beware of contagion … because bad behavior is so contagious.” Ultimately, what begins with a “one-time pass” for a star employee leads to unethical behavior that is commonly accepted. People begin to rationalize the behavior, and new employees are trained in the organization’s corrupt ways.

From a COSO perspective (COSO, Internal Control–Integrated Framework: Framework and Appendices, 2013), the control environment has been seriously damaged, as the tone at the top has been undermined. This notion is reinforced by “upper-echelons” theory (Donald C. Hambrick and Phyllis A. Mason, “Upper Echelons: The Organization as a Reflection of Its Top Managers,” The Academy of Management Review, 1984, vol. 9, no. 2, pp. 193–206). Hambrick and Mason describe company decisions as “reflections of the values and cognitive bases of powerful actors” (the upper echelons of the company). A review of accounting literature using upper echelons theory (Martin Plockinger, Ewald Aschauer, Martin Hiebl, and Roman Rohatschek, “The Influence of Individual Executives on Corporate Financial Reporting: A Review and Outlook from the Perspective of Upper Echelons Theory,” Journal of Accounting Literature, 2016, no. 37, pp. 55–75) finds evidence that companies’ financial reporting decisions are linked to executives’ characteristics. Research has specifically linked CFO narcissism with weaker internal controls (Charles Ham, Mark Lang, Nicholas Seybert, and Sean Wang, “CFO Narcissism and Financial Reporting Quality,” Journal of Accounting Research, 2017, vol. 55, no. 5, pp. 1089–1135).

Finally, it is important to note that the normalization of deviance and its negative impacts are not confined to business or accounting settings. Diane Vaughan (The Challenger Launch Decision: Risky Technology, Culture, and Deviance at NASA, University of Chicago Press, 1996) examined the role of normalization of deviance in the Space Shuttle Challenger disaster in 1986. Mary R. Price and Teresa C. Williams (“When Doing Wrong Feels So Right: Normalization of Deviance,” Journal of Patient Safety, 2018, vol. 14, no. 1, pp. 1–2) discuss Vaughan’s work and relate it to current challenges in the healthcare field:

Vaughan noted that the root cause of the Challenger disaster was related to the repeated choice of NASA officials to fly the space shuttle despite a dangerous design flaw with the O-rings. Vaughan describes this phenomenon as occurring when people within an organization become so insensitive to deviant practice that it no longer feels wrong. Insensitivity occurs insidiously and sometimes over years because disaster does not happen until other critical factors line up. In clinical practice, failing to do time outs before procedures, shutting off alarms, and breaches of infection control are deviances from evidence-based practice. As in other industries, healthcare workers do not make these choices intending to set into motion a cascade toward disaster and harm. Deviation occurs because of barriers to using the correct process or drivers such as time, cost, and peer pressure.


Across many settings, the normalization of deviance can lead to negative outcomes in the long term. The discussion below covers some specific implications for CPAs in corporate or not-for-profit settings and CPAs in auditing.

CPAs in Corporate or Not-for-Profit Settings

CPAs in corporate or not-for-profit settings may serve in many roles, including controller, CFO, internal auditor, or analyst. In many of these roles, CPAs will likely have to deal with unethical acts committed by employees.

The authors believe that a key role for CPAs in corporate or not-for-profit settings is to ensure that decision makers consider the potential longer-term effects of how unethical acts by stars or others are handled. Specifically, CPAs in corporate or not-for-profit settings may ask themselves the following questions:

  • What are the reasons underlying the decision to handle this instance of unethical behavior in this manner?
  • Were other methods of handling this instance of unethical behavior considered? If so, why were they rejected?
  • How does the nature of the person (e.g., performance, characteristics) who committed the unethical act affect the decision made?
  • Will the decision about how to handle this particular unethical act set a precedent within the organization?
  • How observable will this decision be to others in the organization?
  • Have the decision makers carefully considered the potential longer-term implications that could arise from the handling of this particular instance of unethical behavior?

These questions are designed to lead to full, intentional consideration of the circumstances surrounding the current instance of unethical behavior, as well as the longer-term implications of decisions made today.

CPAs in Auditing

The authors suggest two avenues for CPAs in auditing. First, CPAs in auditing can refer to the questions above if they are dealing with unethical acts committed by members of their firm (e.g., improper time reporting, signing off on uncompleted audit steps).

Second, CPAs in auditing devote considerable attention to fraud risk and to their audit clients’ internal controls, especially for larger public clients requiring an audit opinion on internal control over financial reporting. Thus, it is important for auditors to consider what a client’s handling of unethical employee behavior indicates about the control environment and about broader fraud risk.

The control environment is the foundational element of COSO’s internal control framework, and COSO’s definition of the control environment includes “tone at the top” and management reinforcing “expectations [of the standards of conduct] at the various levels of the organization” (p. 31). If management routinely lets unethical behavior go unchecked, then this sends a message to others about the ethical climate in the organization. As COSO notes, the “control environment has a pervasive impact on the overall system of internal control” (p. 31).

Furthermore, auditing standards require auditors to make various fraud-related inquiries of management. One line of inquiry (AICPA AU-C section 240, “Consideration of Fraud in a Financial Statement Audit,” paragraph 17.d) addresses “management’s communication, if any, to employees regarding its views on business practices and ethical behavior.” Likewise, the PCAOB (AS 2401, Appendix, “Consideration of Fraud in a Financial Statement Audit”) discusses a related risk factor: “Ineffective communication, implementation, support, or enforcement of the entity’s values or ethical standards by management or the communication of inappropriate values or ethical standards.”

In assessing how management’s view of business ethics is being supported, enforced, and communicated to others, auditors should be attuned to management’s words, as well as management’s actions, such as lenient treatment of those engaged in unethical conduct. Auditors may consider asking themselves the following questions:

  • What is my understanding of how this client handles unethical employee behavior?
  • Does this understanding indicate anything about how management reinforces its views of ethical behavior with employees?
  • Does this understanding suggest that the control environment is weaker than previously believed?
  • When I conduct inquiries about how management’s view of business ethics is being supported, enforced, and communicated to others, what does management say about the handling of unethical employee behavior?
  • Do the inquiries made of a client’s staff reveal perspectives that contradict management’s views of the control environment? If so, how should that be investigated?
  • If unethical employee behavior is routinely dealt with in a very lenient manner, what implications does this have for my assessment of the control environment and fraud risk?

Nothing Occurs in a Vacuum

The authors’ research suggests the beginning of an unfortunate chain of events that can occur when a star employee behaves badly and gets away with it. If management views the star’s behavior in a vacuum, it might sometimes seem appropriate to excuse the bad behavior because of the great value that the star brings to the company. However, the treatment of stars does not occur in a vacuum; rather, the treatment of stars can become a baseline for assessing average employees in the future. In the end, concerns about being fair to everyone can result in average employees also being more likely to escape the consequences of bad behavior. If so, then unethical behavior could spread through the organization. What may have started out as dealing with a single star employee’s one-time bad act has affected the standards of acceptable behavior throughout the organization.

This is why CPAs should carefully consider the longer-term consequences of letting star employees get away with ethical violations. The handling of bad acts by stars is not a “one-time pass”; rather, it can affect future decisions and ultimately weaken the organization’s control environment and increase the risk of fraud. CPAs in all settings must carefully consider the effects that today’s decisions can have on the future.

Scot E. Justice, DBA, CPA, is an assistant professor of accounting at Appalachian State University, Boone, N.C.
Dana R. Hermanson, PhD, is a professor of accounting at Kennesaw State University, Kennesaw, Ga.