The influence of tone at the top management level and internal audit quality on the effectiveness of risk management practices in the financial services sector

Abstract
The purpose of this study is to examine the contribution made by the tone at the top management level and internal audit quality on the effectiveness of risk management practices (RMPs) in the financial services sector. This study is cross-sectional and correlational, and it uses firm-level data that were collected by means of a questionnaire survey from a sample of 62 financial services firms in Uganda. Results suggest that the tone at the top management level and internal audit quality are both significant predictors of effective RMPs. However, the predictive potential of tone at the top management level towards effective RMPs reduces when internal audit quality is present. These results support the idea that in terms of agency theory, top management should oversee and review the organization’s risks as a way of spearheading effective RMPs. Similarly, internal auditors should sufficiently and appropriately review and coordinate risk management efforts in the organization, since high-quality internal audits lead to effective RMPs. Top managers of financial services firms should encourage periodic reviews of the appropriateness and effectiveness of risk management systems and controls. At the same time, regulators should ensure that top managers of financial services firms have adequate risk management expertise, have no conflict of interest, and apply mechanisms that detect significant risks in time. The study contributes to the strategic risk management position by showing that the tone at the top management level and internal audit quality set the pace for an organizational culture oriented towards effective RMPs.


PUBLIC INTEREST STATEMENT
To date, organizations across the world continue to seek determinants of effective risk management practices. This is because risks in organizations keep increasing despite the efforts of management, those charged with governance, and third parties such as regulators to combat them. Risks unfavourably affect organizational activities and, as a result, organizations fail to achieve their desired goals and objectives. In the Ugandan financial services sector, risks such as credit risk, operational risk, compliance risk and fraud risks are common and lead to huge annual financial and non-financial losses. This has prompted organizations' top managers, scholars and regulators to continue seeking ways of increasing the effectiveness of the multitude of risk management practices in organizations. Therefore, this study suggests that appropriate tone at the top management level and internal audit quality are significant determinants of effective risk management practices in the financial services sector.

Introduction
The aim of this paper is to study the contribution made by the tone at the top management level and internal audit quality on the effectiveness of RMPs. As it becomes crucial for financial services firms to effectively manage prevalent risks such as credit risk, cyber risk, operational risk, compliance risk and fraud risks, implementation of effective RMPs becomes inevitable (PWC, 2017). The necessity to implement effective RMPs by financial services firms is ingrained in the need to enhance risk prevention, detection and reporting (Bezzina, Grima, & Mamo, 2014; Kim, 2019). Globally, the growth of profit adjusted for risk costs for financial services firms has slowed from 16 basis points overall in 2015 to 11 basis points in 2016; this is stalling economic recovery of the financial industry following five consecutive years of improvement in the aftermath of the 2007-2008 global financial crisis (Grasshoff et al., 2018). Similarly, the Ernst and Young global banking outlook (2018) indicates that 85% of banks are citing proper management of evolving risks as one of the critical drivers for sustainable success. Thus, financial services firms still need effective RMPs and reforms to contain the adverse effects of risk(s) (Ahmad, Ibrahim, & Minai, 2018; Chornous & Ursulenko, 2013; Safari, Shateri, Baghiabadi, & Hozhabrnejad, 2016).
In Uganda, financial services firms are continually experiencing prevalent risks. For example, in 2017 banks recorded more than 60% of non-performing loans due to factors like the diversion of funds by borrowers away from their intended use (PWC, 2017). Financial services firms in Uganda also lose between $1-10 m to fraud and cyber risks annually (Deloitte, 2013a; KPMG, 2015). The above risks and others have even led to the closure of banks like Global Trust Bank and Crane Bank in 2016 and 2017 respectively (Bank of Uganda, 2017). This is regardless of global initiatives towards effective RMPs like the Basel Committee on Banking Supervision's new international regulations designed to minimize the possibility of risks causing the next large-scale financial crisis (Chornous & Ursulenko, 2013; Grasshoff et al., 2018). Questions thus continue to arise on how financial services firms can ensure effective RMPs.
A number of studies have been conducted on the determinants of effective RMPs, but most of these studies have focused on aspects of the risk management process such as understanding risk and risk management (URM), risk identification (RI), risk analysis and assessment (RAA), credit risk management (CRM), and risk monitoring (RM) (Abu Hussain & Al-Ajmi, 2012; Khalid & Amjad, 2012; Rosman, 2009). The call for further studies by previous scholars is also common. For example, Khalid & Amjad (2012) called for additional research on further understanding RMPs of banks through studying risk management techniques used to mitigate risk exposure; this has not been widely addressed to date. Similarly, the above studies have mainly focused on Islamic banking. This study focuses on the conventional financial institutions in a developing country, which are even more risky. Khalid & Amjad (2012) carried out a study to evaluate the degree to which Islamic banks in Pakistan use RMPs and techniques in dealing with different types of risk. Their findings were that Islamic banks are somewhat reasonably efficient in managing risk, where URM, RM and CRM are the most influencing variables in RMPs. In addition, Khalid & Amjad (2012) found that RMPs are determined by the extent to which managers understand risk and risk management, efficient risk identification, risk assessment analysis, risk monitoring and credit risk analysis.
There are hardly any studies that have directly linked tone at the top management level and risk management practices. The few available studies have linked tone at the top management level in terms of corporate cultures, ethical communication, operating models and organizational constructs, leadership and governance, as well as the more traditional talent management practices and processes (Cheese, 2016; Dresp-Langley, 2009; Huang, 2004; Ssekiziyivu, Mwesigwa, Joseph, & Nkote Nabeta, 2017). Correspondingly, Kim's (2019) findings suggest that individual factors (behavioural belief about risk management, social pressure and risk management knowledge) positively influence risk management intention; organizational factors (such as organizational risk management support) positively affect managers' risk management knowledge; and both individual and organizational factors are affected by organizational environment and/or risk management championship. Furthermore, Law (2011) indicates that tone at the top managerial level, and managerial ethical guidelines and policies, are positively associated with a lack of fraud risks within organizations. Nevertheless, these studies do not suggest how the strategic gap in establishing effective RMPs in an entity can be closed through appropriate tone at top management level efforts. As far as internal audit quality is concerned, Zwaan, Stewart, and Subramaniam (2011) found that a high involvement in enterprise risk management impacts the perceptions of internal auditors' willingness to report a breakdown in risk procedures to the audit committee. Also, internal audit should be alert to the whole process of implementation of the systems for managing operational risks in entities (Laviada, 2007). On the contrary, though internal auditors are believed to have a role to play, concerns are expressed about their expertise and independence (Fraser & Henry, 2007), which may limit the quality of their audits in discovering and reporting risks.
In this study, we define RMPs as the procedures of understanding and managing the risks that the entity is inevitably subject to in attempting to achieve its corporate objectives (Chartered Institute of Management Accountants [CIMA], 2009). By enlisting the views of the chief finance officers, internal audit managers, and risk managers, we find that there are no significant differences in the way these interest groups perceive the influence of tone at the top management level and internal audit quality on effective RMPs. The perceived tone at the top management level, internal audit quality and effective RMPs are all measured by perceptions of 62 financial services firms in Uganda. Hierarchical regression analysis is employed to test the contribution made by the tone at the top management level, and internal audit quality on effective RMPs.
The results in this paper are particularly important for several reasons. First, whilst there are a number of studies that have investigated the link between tone at the top management level, internal audit quality and risk management (e.g. Battaglia, Fiordelisi, & Ricci, 2016; Bezzina et al., 2014; Kim, 2019; Parisi, Clements, & Cornejo, 2016), studies focusing on the financial services sector and developing economies like Uganda are limited. Existing literature has also focused on motivating risk managers in the risk management processes (Kim, 2019; Parisi et al., 2016). This study looks at how self-inspired risk management initiatives among top managers and internal auditors can enhance effective RMPs in their organizations in order to close the strategic gap towards risk management. Therefore, this study contributes to the existing body of knowledge by showing that when an organization has an effective tone at the top management level, together with quality internal audits, it is likely to enhance the effectiveness of RMPs. This is important for regulators like the central bank to require the effectiveness and efficiency of senior management and internal auditors to be elevated.
Second, the research results are also timely and important for policy recommendations to improve the effectiveness of RMPs in the Ugandan financial services sector. This is especially given that the Bank of Uganda's annual supervisory reports (2013-2017) have over the past five years indicated the inadequacy of effective RMPs in the financial services sector. Specifically, according to the Bank of Uganda (2019), a number of commercial banks in Uganda have weaknesses in the composition of board committees, succession planning for board members and senior management, and delays in addressing vacancies in key positions of banks' organizational structures, which end up derailing the effectiveness of RMPs. This also creates a strategic gap in risk management efforts, as the tone at the top management level and internal audit quality in those banks is a warning. Thus, the results suggest that both tone at the top management level and internal audit quality are significant in establishing, evaluating and coordinating effective RMPs in an organization.
The rest of the paper is organized as follows. Section 2 reviews literature and develops hypotheses. This is followed by a discussion of the research methodology in Section 3. Section 4 presents and discusses results. The final section is summary and conclusion.

Theoretical foundation
In this study, we use agency theory to explain the contribution of tone at the top management level and internal audit quality on effective RMPs. According to agency theory, top managers (agents) in the organization act on behalf of the shareholders (principals) in dealing with other people and running the organization. Thus, top management has a duty to design, implement and maintain adequate and effective RMPs in order to achieve the goals of the shareholders, such as profit maximization, wealth maximization, business continuity, business expansion and growth. Nevertheless, the conflict of interests between top management and shareholders tends to derail the presupposed agency relationship, which leads to agency conflicts/problems. For example, top managers usually earn most of their income from the company they work for. They are therefore interested in the stability of the company, because this will protect their job and their future income. This means that management might be risk averse, and reluctant to invest in higher-risk projects. Contrarily, shareholders might want the organization to take bigger risks, if the expected returns are sufficiently high. Shareholders often invest in a portfolio of different companies; therefore, it matters less to them if an individual company takes risks. Since top management is unwilling to take risks, it may not implement and maintain effective RMPs, which may lead to huge financial and non-financial losses due to the failure of the top managers, as the agents, to manage risks. In the context of this study, the appropriate tone at the top management level can help in reducing goal incongruence between top managers and the shareholders towards implementing effective RMPs.
Internal auditors are employed to monitor the agents (the managers); however, quite often they have not achieved their objectives due to poor-quality audits. The poor-quality internal audits are mainly attributed to limited independence of the internal auditors, inadequate management support, staff expertise, scope of services, and ineffective communication (Roussy & Brivot, 2016). Hitherto researchers such as Chambers and Odar (2015) have advocated the extended role and quality of the internal auditors in order to help in ensuring effective RMPs. Thus, as per the agency theory, internal auditors are expected to remain alert and help in ensuring effective RMPs as a way of adding value to the entity.

Tone at the top management level
Tone at the top is the degree of commitment by management and those charged with governance of the entity (board of directors) to having an open, direct, honest, and ethically correct corporate culture (Law, 2011). Tone at the top management level is a key element of an organization's risk management framework, since proper and adequate support from the top is likely to provide a robust foundation for effective RMPs. From prior studies, top management is believed to have a strong influence in setting the overall risk governance within the organization (Cohen et al., 2002; Horton, 2002). This role extends to the identification, assessment, designing and implementing controls, and mitigating risks, guiding the development and implementation of internal policies and procedures and ensuring that activities are consistent with goals and objectives (Gatzert & Schmit, 2016). Cheese (2016) argues that in order to manage and mitigate risk, organizations need to understand corporate cultures, operating models and organizational constructs, leadership and governance, as well as the more traditional talent management practices and processes. Similarly, Sheedy and Lubojanski (2018) report that appropriate risk management behaviour at the employee level includes compliance, speaking up, thoughtful engagement with and accountability for the risk management framework. Thus, older workers as well as those with greater seniority are more likely to report desirable risk management behaviour. Correspondingly, Law (2011) indicates that tone at the top managerial level and managerial ethical guidelines and policies are positively associated with a lack of risks within organizations. Therefore, top management must instil values in employees in order to achieve a consistently ethical environment and to avoid risk (Johari, Alam, & Said, 2018; Law, 2011).
Contrarily, Horton (2002) indicates that in 200 cases of purported financial fraud risks that had been investigated by the SEC, five out of the six involved the CEO, the CFO, or both. This means that if there is no appropriate tone at the top management level, risks are likely to increase in the organization. Relatedly, there is a significant negative association between individual risk tolerance and desirable risk management behaviour (Gyensare, Arthur, Twumasi, & Agyapong, 2019; Sheedy & Lubojanski, 2018). Nevertheless, Fraser and Henry (2007) argue that while parent boards have ultimate responsibility, the ownership of risks must reside with management at lower levels. Consequently, management's effectiveness in terms of moral and ethical behaviour is integral to the organization's control systems (Kabuye, Kato, Akugizibwe, & Bugambiro, 2019). Risk management committees tend to exist in organizations with an independent board chairman and larger boards. In comparison to organizations with a combined risk management committee and audit committee, those with a separate risk management committee are more likely to have larger boards, higher financial reporting risk and lower organizational complexity (Subramaniam, McManus, & Zhang, 2009). Given that many boards formulate strategy and manage risk separately (through the risk management committee), organizations can gain a competitive advantage by managing them in an integrative fashion. Boards that integrate strategy formulation and risk management should achieve higher stakeholder returns and be more adaptive than rivals (Sheehan, 2009). At the same time, evaluating the effectiveness of the board risk management committee must include characteristics of the entire board as well as individual contributions of directors (Carretta, Farina, & Schwizer, 2010).
Also, for risk management of organizational records to be effective, it needs to be incorporated into the decision-making process of the organization, making it central to all activities (Egbuji, 1999); thus, risk management needs to be proactive, not reactive.
Overall, the board risk management committee oversees operational risk management systems, practices and procedures including risk identification, management, monitoring and control. The committee also monitors legal suits against the organization and their materiality and reports on risk assessment levels. Subordinately, the operational risk committee of executive management is responsible for risk assessment, management and reporting matters arising from discussions of existing and potential operational risk within the various units across the entire organization (Centenary . Thus, the combined role of the risk management committee and the operational risk committee is very substantial in the overall risk management (Bananuka, Tumwebaze, & Orobia, 2018; Stanbic Bank, 2017; Tumwebaze, Mukyala, Ssekiziyivu, Tirisa, & Tumwebonire, 2018). Besides, when a board of directors takes formal responsibility for the overall health of its company's reputation, two things generally happen: one is that the various board sub-committees look for the impact on corporate reputation of their decisions. The other is that corporate reputation becomes a key performance indicator of the company's executive management team (Dowling, 2006; Sherafatmand & Yazdani, 2014). Chiefly, the risk management function (and/or committee) facilitates and monitors the implementation of effective RMPs and assists risk owners in defining the target risk exposure and reporting adequate risk-related information throughout the organization (IIA, 2013a). Therefore:
H1: Tone at the top management level is positively and significantly related to effective risk management practices.

Internal audit quality
Internal audit quality involves the internal audit activity's conformance with the definition of internal auditing and the standards and an evaluation of whether internal auditors apply the Code of ethics (Coetzee, Fourie, & Burnaby, 2015). Internal audit quality is further demonstrated by the internal auditor's capability to provide useful audit findings and recommendations (Mihret & Yismaw, 2007). Zwaan et al. (2011) indicate that a high involvement in enterprise risk management (ERM) impacts the perceptions of internal auditors' willingness to report a breakdown in risk procedures to the audit committee. Similarly, internal audit is a rich resource for organizations as it monitors the adequacy and effectiveness of management's internal control framework and contributes to the integrity of corporate governance; risk assessment; and financial, operating, and IT systems (Burnaby & Hass, 2009). Besides, internal audit is more proactive in the implementation of ERM in smaller organizations, and is more important in the finance industry and the private sector (Castanheira, Rodrigues, & Craig, 2009; IIA, 2014b). Though risk management is primarily the responsibility of directors and senior managers, internal auditors also have a role in consulting and providing assurance on risk management (Stewart & Subramaniam, 2010). This role for internal auditors is predicted to increase in importance in the future (Burnaby & Hass, 2009). The change of systems and processes in organizations is too big for traditional compliance-based internal auditing to absorb, which makes it necessary for internal auditing to include a risk management focus (Spira & Page, 2003). Therefore, it is important that internal auditors understand well their role in the risk management process. Coetzee (2016) also confirms that internal auditing should play a prominent role in risk-related activities to ensure that the risks threatening the organization are reduced to acceptable levels.
Internal audit should be alert to the whole process of implementation of the systems for managing operational risks in organizations (Kabuye, Nkundabanyanga, Opiso & Nakabuye, 2017; Laviada, 2007).
Despite the fact that internal audit quality is perceived to have a significant role in enhancing the effectiveness of RMPs, Fraser and Henry (2007) argue that this role is most times weakened by inadequate expertise and independence of internal auditors. They thus recommend a split of the internal audit and risk management functions to preserve internal audit independence and clarify internal audit roles. Stewart and Kent (2006) indicate there is also a strong association between internal audit and the level of commitment to risk management. Consequently, the need to have strong internal control and risk management systems and to reduce both internal and external agency costs drives companies to have an internal audit function (Ismael & Roberts, 2018). In the Belgian cases, internal auditors' focus on acute shortcomings in the risk management system creates opportunities to demonstrate their value. Internal auditors are playing a pioneering role in the creation of a higher level of risk and control awareness and a more formalized risk management system. In the US cases, internal auditors' objective evaluations and opinions are a valuable input for the new internal control review and disclosure requirements mentioned in the Sarbanes-Oxley Act (Sarens & De Beelde, 2006).
Contrarily, the role of internal auditors in risk management in banks in Jordan was found to be limited. The risks that internal auditors were most involved in managing were those related to compliance, while the risks least dealt with by internal auditors included those related to the Jordanian economy and culture (Abdullatif & Kawuq, 2015). Therefore, a more formalized risk environment would foster a stronger risk-aware culture and hence provide a strong foundation for internal audit to implement risk-based auditing. However, internal audit experience, size of internal audit function, audit committee qualifications, and internal control system are not found to be significant predictors of the presence of risk-based auditing (Hafizah & Abidin, 2016). Therefore, internal audit quality is arguably a function of extensive staff expertise; reasonableness of the scope of service; and effective planning, execution and communication of internal audits. Consequently, we believe that:
H2: Internal audit quality is positively and significantly associated with effective risk management practices.
Bartov et al. (2000) suggest that failure to control for confounding variables could lead to falsely rejecting the hypothesis when in fact it should be accepted. As such, firm type, ownership and size are controlled in this study. A number of studies have found that firm type (public/private limited) determines the risk management efforts and requirements in an organization (Beasley, Clune, & Hermanson, 2005; Eng & Mak, 2003; Hassan, 2009; Ho & Shun Wong, 2001). Studies by Elshandidy and Neri (2014) and Subramaniam et al. (2009) explicitly indicate that corporate governance councils (regulators) set guidelines for risk management within public listed organizations and the board of directors is seen to hold the primary responsibility over the establishment and implementation of a proper risk management system.
Relatedly, firm size is associated with effective RMPs (Collier, Haughwout, Kunreuther, Michel-Kerjan, & Stewart, 2016; Subramaniam et al., 2009). For instance, small firms which are exposed to a myriad of risks do not have the capability to avoid, transfer or diversify all the risky events; thus, they accept more risks which they ultimately fail to effectively manage. Thus, smaller firms inexplicably bear the costs of risk (Collier et al., 2016). Nonetheless, other studies have indicated inconsistent results for the relationship between firm size and risk management (Law, 2011). Besides, firm ownership is a determinant of corporate risk management (Eng & Mak, 2003; Gul & Leung, 2004; Ho & Shun Wong, 2001; Nordin & Hamid, 2013; Samaha, Dahawy, Hussainey, & Stapleton, 2012).

Research setting
This study gathered data from financial services firms in Uganda. Financial services firms in Uganda primarily comprise the financial institutions, insurance and investments subsectors. The Ugandan financial services firms are relatively well developed, and they have been helpful not only in fostering investment and growth but also in mobilizing resources and enabling poor people to have some control over risks in their lives through increased access to financial services (Bank of Uganda, 2017; PWC, 2017). Nevertheless, increasing incidences of risk in the financial services firms have aroused huge concern among the public and the policymakers (Bank of Uganda, 2019; Deloitte, 2013b). This is also significantly affecting the achievement of the desired growth and strategic objectives of the financial services firms (Consultative Group to Assist the Poor [CGAP], 2015). There are a number of security measures and regulations that have been put in place to manage risks in the Ugandan financial services firms, such as the Financial Institutions Act of 2004 (amended in 2016), the Financial Service firms Regulations of 2005, the Anti-money Laundering Act of 2013, and the Basel III and IV recommendations. Nonetheless, a number of high-profile risks, for example, credit risk, cyber risk, liquidity risk, market risk, operational risk, compliance risk, taxation risk, reputation risk and business/strategic risk have continued to affect the financial services firms, leading to high actual financial losses, business failure, and reduced investor confidence (Centenary Deloitte, 2013b; Stanbic Bank, 2017). The high-risk prevalence in the financial services firms has similarly been attributed to tone at the top management level ineffectiveness, and low-quality internal audits which lead to performance of insufficient tasks and activities to minimize and mitigate risks (Bank of Uganda, 2019; Deloitte, 2013a; IIA Uganda Chapter, 2015).
Given the above discussion, this study setting provides a rich basis to examine the contribution of tone at the top management level, and internal audit quality on the effectiveness of RMPs in the financial services sector in Uganda.

Design, population and sample
The research design for this study is cross-sectional and correlational. The population of interest is the financial service firms in Uganda. Specifically, the population includes 89 financial services firms obtained from the three main subsectors of the financial services sector, that is, financial institutions, capital markets advisors and brokerage firms, and insurance companies operating in Uganda. We determine the sample size using Krejcie and Morgan (1970) and generate a sample size of 73 financial service firms proportionately (Table 1). Proportionate stratified random sampling was used to select financial services firms from each stratum, thus reducing bias (Berger & Zhang, 2005). The unit of enquiry is three people involved in risk management (the Chief Finance Officer, Internal Audit Manager, and Risk Manager) in each of the sample firms. The respondents are selected purposively by virtue of their position, knowledge and experience (McEvily & Marcus, 2005; Saunders, Lewis, & Thornhill, 2012). Only 62 firms responded to our questionnaire with 160 completed questionnaires. The responses were aggregated using a firm as a breaking variable.

Questionnaire and variable measurement
A six-point likert scale questionnaire ranging from strongly disagree to strongly agree designed to measure the opinion or attitude of a respondent is utilized to obtain self-reported information using closed-ended questions. The questionnaire design is based on our review of relevant literature regarding tone at the top management level, internal audit quality and risk management practices. The questionnaire was used because, data are provided to the researcher by the respondent directly without going through any third party, thus retaining the confidentiality of the data. Similarly, the questionnaire is suitable for data collection from firms in several locations and for this study, data were collected from multiple financial services firms in different locations in Uganda. Besides, a questionnaire is appropriate for descriptive and explanatory research (Saunders et al., 2012). In this study, we therefore relied on responses obtained through a questionnaire survey.
The dependent variable for this study is risk management practices, which is operationalized in terms of risk prevention, risk detection and risk response (Coetzee, 2016;Safari et al., 2016;Vinnari & Skaerbaek, 2014;Zwaan et al., 2011;Fraser & Henry, 2007;Sarens & De Beelde, 2006;Spira & Page, 2003). Thus, respondents were asked to indicate their perception of the effectiveness of risk management practices using fifteen items which were anchored on a six-point Likert scale with 1 = strongly disagree and 6 = strongly agree. As a measurement of risk management practices, risk prevention is defined as the process of avoiding risk or reducing the probability and impact of risk (Rooney & Cuganesan, 2015). For example, through issuing a risk policy outlining the entity's position on risk. We define risk detection as the process of identifying potential entity risks and their characteristics (Abdullatif & Kawuq, 2015). For risk response, it is the process of developing strategic options, and determining actions, to enhance opportunities and reduce threats to the organizational goals and objectives (Laviada, 2007). The independent variables in this study are; tone at the top management level and internal audit quality. Tone at the top management level is measured using internal processes (inclusive of internal controls), objectivity, and experience and expertise (Cohen et al., 2002;Law, 2011;Cheese, 2016;Fraser & Henry, 2007). Thus, respondents were asked to indicate their perception of the effectiveness of tone at the top management level using thirteen items which were anchored on a six-point Likert scale with 1 = strongly disagree and 6 = strongly agree. 
Internal audit quality with its dimensions of scope of service, independence, staff expertise, effective communication and management support (Al Twaijry et al., 2003; Arena & Azzone, 2009; Badara & Saidin, 2013; Coetzee, Fourie & Burnaby, 2015; Cohen & Sayag, 2010; Soh & Martinov-Bennie, 2011; Endaya & Hanefah, 2013; Feizizadeh, 2012; Goodwin, 2004; Karagiorgos et al., 2011; Mihret & Yismaw, 2007; Mihret et al., 2010; Roussy & Brivot, 2016) was measured using the respondents' mean rank of the seventeen items of information included in the questionnaire on a six-point Likert scale (1 = strongly disagree and 6 = strongly agree).
To control for non-response bias, each questionnaire was accompanied by a letter providing explanations and assurances that all individual responses would be treated confidentially. Non-response manifests in two types, namely, item and unit nonresponse: item nonresponse is when certain questions in a survey are not answered by a respondent, and unit nonresponse is when a randomly sampled individual cannot be contacted or refuses to participate in a survey. Aware of this, we kept the survey short, ensured clear and concise wording of the questions (also utilizing the results of content validity analysis), made the questionnaire practical and appealing, and placed multiple follow-up calls or email reminders, up to a maximum of three, for those delaying to answer the questionnaire. In this case, the 73 financial services firms in the sample had three units of enquiry responding (Table 8).
To control for item non-response, we carried out simple frequency runs and found that item nonresponse (missing values) was less than 1 per cent of all the questions, and thus too trivial to suppress the standard deviation (Field, 2009). However, even with this, the present study carried out a missing values analysis, because missing data may reduce the precision of calculated statistics since there is less information than originally planned. Indeed, a common concern when faced with multivariate data with missing values is whether the missing data are missing completely at random (MCAR); that is, whether the missing data depend on the variables in the data set (Little, 1988). Using E-M (expectation-maximization), the MCAR test was not significant (Little's MCAR test: chi-square = 122.730, df = 130, significance = 0.662). This meant that data were missing completely at random. As the missing values were for cases on different variables, it was deemed necessary not to delete those cases (because a lot of data could be lost) but instead to replace the missing values using linear interpolation, chosen for its simplicity.

Tests of factorability, validity, reliability and assumptions of parametrical data
We used exploratory factor analysis (EFA) based on principal components and Cronbach's α (Tables 2-4) to examine the validity and reliability of the scales as measures of tone at the top management level, internal audit quality and effective RMPs in the financial services firms. EFA was also performed to identify patterns in data and to reduce data to a manageable level (Field, 2009). To establish convergent validity, the principal components for each variable were extracted by running principal component analysis using the varimax rotation method, and factor loadings below 0.5 were suppressed to avoid extracting factors with weak loadings. Prior to performing the principal component analysis for scales, we assessed the suitability of the data for factor analysis based on sample size adequacy, the Kaiser-Meyer-Olkin (KMO) and Bartlett tests. The results show the KMO values: tone at the top management level = 0.756, internal audit quality = 0.684 and RMPs = 0.821. Bartlett's test of sphericity in all scales reached statistical significance (p < 0.05) (significant value was 0.00 for each scale). Collectively, these results support the factorability of the correlation matrices because our correlation matrices are significantly different from the identity matrices in which the variables would not correlate with each other. The determinants for all the three matrices were greater than 0.01, implying that there was no multicollinearity or singularity between variables.
To obtain the content validity index (CVI), we dichotomized the rating scale through a duo split of the scores such that rating scores 1-3 = measure not useable, 4-6 = measure useable. The CVI was computed by obtaining the proportion of items assessed as useable divided by the total number of items (Field, 2009). The CVI for each variable was above 0.7 (Tone at the top management level = 0.817, internal audit quality = 0.890, and RMPs = 0.889). Thus, the instrument attained content validity. To determine the internal consistency (reliability) of our scales we computed Cronbach's α coefficients for the study variables. The standardized α coefficients for all the scales were found to be 0.70 and above (Tone at the top management level = 0.850, internal audit quality = 0.868, and RMPs = 0.868).
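The two scale checks described above can be reproduced on any survey export. The following is an added example, not the authors' code: the function names and both data sets are constructed for illustration, and it assumes the CVI is pooled over all rater-by-item scores and that the standardized α is computed from the mean inter-item correlation.

```python
"""Content validity index and Cronbach's alpha for six-point Likert data."""
from itertools import combinations
from math import sqrt

USEABLE_FROM = 4   # the page's split: scores 1-3 = not useable, 4-6 = useable
CVI_MIN = 0.7      # acceptance level quoted on the page for the CVI
ALPHA_MIN = 0.70   # acceptance level quoted on the page for alpha

# Constructed data. Rows = raters, columns = questionnaire items.
EXPERT_RATINGS = [[5, 4, 6, 3, 5],
                  [4, 4, 5, 4, 6],
                  [6, 3, 5, 2, 5]]
# Constructed data. Rows = respondents, columns = items of one scale.
RESPONSES = [[4, 5, 4],
             [5, 5, 5],
             [5, 6, 5],
             [6, 6, 6]]


def content_validity_index(ratings):
    """Share of scores judged useable (assumption: pooled over raters and items)."""
    flat = [score for row in ratings for score in row]
    if any(score not in range(1, 7) for score in flat):
        raise ValueError("scores must lie on the six-point scale 1..6")
    return sum(score >= USEABLE_FROM for score in flat) / len(flat)


def _pearson(x, y):
    mx, my = sum(x) / len(x), sum(y) / len(y)
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0 or syy == 0:
        # An item every respondent answered identically has no correlation.
        raise ValueError("item with zero variance; drop it before computing alpha")
    return sum((a - mx) * (b - my) for a, b in zip(x, y)) / sqrt(sxx * syy)


def standardized_alpha(responses):
    """alpha = k * r / (1 + (k - 1) * r), with r the mean inter-item correlation."""
    items = list(zip(*responses))
    k = len(items)
    pairs = list(combinations(items, 2))
    mean_r = sum(_pearson(a, b) for a, b in pairs) / len(pairs)
    return k * mean_r / (1 + (k - 1) * mean_r)


def _sample_variance(values):
    m = sum(values) / len(values)
    return sum((v - m) ** 2 for v in values) / (len(values) - 1)


def raw_alpha(responses):
    """Unstandardized alpha from item variances and the variance of row totals."""
    items = list(zip(*responses))
    k = len(items)
    item_var = sum(_sample_variance(col) for col in items)
    total_var = _sample_variance([sum(row) for row in responses])
    return k / (k - 1) * (1 - item_var / total_var)


def assess(ratings, responses):
    """Apply both acceptance levels and report the values behind the verdict."""
    cvi, alpha = content_validity_index(ratings), standardized_alpha(responses)
    return {"cvi": cvi, "alpha": alpha,
            "content_valid": cvi >= CVI_MIN, "reliable": alpha >= ALPHA_MIN}


if __name__ == "__main__":
    print(assess(EXPERT_RATINGS, RESPONSES), round(raw_alpha(RESPONSES), 3))
```

The raw and standardized coefficients differ whenever item variances differ, which is why it matters that the paper reports the standardized version.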
The Likert scale (six-point) used in this study was analysed using parametric tests and Pearson's correlation coefficient. Parametric tests of normality and homogeneity of variance were performed before carrying out tests of hypotheses in order to avoid coming to the wrong conclusions (Norman, 2010). We checked our data for normality to determine the applicability of parametric tests. This was done by use of skewness and kurtosis statistics. The skewness scores for all variables were close to 0, and kurtosis results were all within the range of −2 and +2; besides, standard errors for each of the variables were not very different from their respective skewness and kurtosis scores, and therefore, normality assumption was not violated (Garson, 2012; Field, 2009). Levene's test (Levene, 1960) was used to test for homogeneity of variance because it is the most commonly used test for each group (Garson, 2012). The test results are non-significant (p > 0.05) for all the predictor variables, and thus homogeneity of variance for the categorical variables in relation to the outcome variable is not violated (Field, 2009). In addition to the parametric tests, the Pearson's correlation coefficient was used to analyse the multiple-item Likert scales to report the bivariate relationships that were hypothesized in this study.

Factor loadings, internal audit quality items (Continued; surviving column heading: Management support)

| Item | Loading |
| --- | --- |
| Internal audit reviews the management of key risks | .785 |
| Internal audit evaluates the risk management processes | .748 |
| Internal audit coordinates the enterprise risk management framework activities | .680 |
| Our internal audit gives assurance on the risk management processes | .612 |
| Internal audit evaluates the reporting of key risks | .604 |
| Internal audit administratively reports to executive management | .834 |
| Internal audit has an independent budget approved by audit committee | .741 |
| Internal audit functionally reports directly to the audit committee | .727 |
| Internal auditors are trained to acquire the necessary skills to perform their duties | .842 |
| The internal audit complies with the approved audit plans | .780 |
| Internal audit has full knowledge of the transaction systems of the entity | .759 |
| Internal audit maintains an unbiased mindset with regard to all audit engagements | .768 |
| Internal auditors are normally appraised basing on set targets | .642 |
| The internal audit reports are clear and well presented | .572 |
| Internal auditors have the ability to analyse complex information to discover risks | .519 |
| Internal audit staff assignments are rotated periodically whenever it is practicable | .798 |

Factor loadings, risk management practices items

| Item | Loading |
| --- | --- |
| There is ongoing monitoring of employees' activities in high risk departments | .766 |
| The entity ensures that adequate risk awareness activities and training | .729 |
| Responsibilities related to risk management are clearly defined within our company | .629 |
| We have technology solutions with trigger mechanisms that flag irregular activities | .561 |
| Our entity ensures that adequate employment screening proceedings are implemented | .547 |
| The entity uses the relevant government investigation standards when conducting investigations | .802 |
| We have established lines of communication with police for further investigations of detected risks in our organization | .729 |
| We have developed a risk control plan to minimize the impact and likelihood of identified risks | .709 |
| We have disclosure procedures in place for evidence relating to detected risk | .635 |
| Our entity has a formal process in place for communicating the outcomes of completed risk investigations | .620 |
| Risks faced by our organization are managed on enterprise wide basis | .542 |
| Our risk reporting mechanisms are easily accessible by internal and external parties | .797 |
| The entity uses internal audit to actively review its detective control environment | .727 |
| Our entity provides sufficient information to enable employees recognize the possible red flags or early warning signs of risk activity | |

The problem with univariate analyses is that they do not control for other factors, thus making the interpretation of results difficult. We, therefore, extend the analysis to a multivariate setting. We first examine correlations among our independent variables to determine whether multicollinearity problems exist. Field (2009) suggests that multicollinearity becomes a problem only when correlations exceed 0.80 or 0.90. As Table 9 shows, none of the correlations between independent variables is close to these threshold values.

Model
The study utilizes a hierarchical regression model in investigating the contribution of tone at the top management level and internal audit quality on effectiveness of RMPs. To examine the contribution of tone at the top management level and internal audit quality on effective RMPs, we specify the following regression models (see Table 5), where RMPs are Risk management practices, FT is Firm type, OWNP is Ownership, FS is Firm size, TTML is Tone at the top management level, IAQ is internal audit quality, β0 is a constant and εj is the error term.

Descriptive statistics
Table 6 shows the mean scores of the study variables. Risk management practices had the lowest mean score of 4.9905 with a standard deviation of 0.42912. Internal audit quality had the highest mean score 5.1744 with a standard deviation of 0.30250. As standard deviations relative to mean values are small, the calculated means highly represent the observed data (Field, 2009). The data also indicate that predictor variables are rated high towards risk management in the financial service firms. This implies that effective tone at the top management level, risk management committee and internal audit quality are key towards managing risk in the organization.
To determine whether the firm differences influenced the study variables, a one-way analysis of variance (ANOVA) was used to determine the impact of firm sector on the study variables. The results of the one-way ANOVA presented in Table 7 show that the p-values for all study variables are above 0.05; also, the actual differences in mean scores between the groups on each of the global variables are reasonably small, indicating that the various group differences between firms did not significantly influence their responses on the study variables. Similarly, results in Table 8 suggest that the overall differences between respondents did not bias the results of this study.

Correlation analysis results
We present Pearson's correlation coefficient analysis of the study variables. Correlations from Table 9 indicate a significant positive relationship between tone at the top management level and risk management practices (r = 0.792** and p < 0.01), meaning that tone at the top management level leads to enhanced risk management practices. Thus, H1 is supported. There is also a significant positive relationship between internal audit quality and risk management practices (r = 0.719** and p < 0.01). This means that an increase in internal audit quality leads to improved risk management practices. Therefore, H2 is also supported. The correlation analysis results also show that control variables, that is, firm type, ownership and size, are not significantly related at the 1 per cent level. This implies that control variables do not confound the results of testing for the relationship between tone at the top management level, internal audit quality and effective RMPs in the financial service firms. Consequently, the relationship between tone at the top management level effectiveness, internal audit quality and effective RMPs is not affected by the control variables.

Hierarchical regression analysis results
To further test for the sensitivity of the results to the control variables and the contribution of each predictor variable, we performed hierarchical regression analysis as a means of statistical control and for examining incremental validity. Study variables were entered simultaneously within each hierarchical group (Field, 2009; Aiken & West, 1991) as shown in Table 10. Standardized versions of the β values were used because they are easier to interpret and are not dependent on the units of measurement of the variables (Field, 2009). The standardized beta values also tell us the number of standard deviations that the outcome will change as a result of one standard deviation change in the predictor; thus, they are directly comparable and provide a better insight into the importance of each predictor in the model (Field, 2009).
The hierarchical regression results in Table 10 indicate that Model 1 reports the baseline model with only control variables. The results show that control variables do not explain any significant variance in RMPs. This suggests that the models in this study are not sensitive to confounding factors and the models are highly acceptable (Field, 2009). Results in Models 2 and 3 show that the F is significant at the 1 per cent level or better, with tone at the top management level (standardized β = 0.694, p < 0.01) as significant in Model 2. Essentially, Model 3 presents the combined effect of all the predictor variables on the outcome variable, and the results show that internal audit quality is the best and significant predictor variable of effective RMPs (standardized β = 0.529**), and tone at the top management level has the least predictive potential of the variance of RMPs in the general model (standardized β = 0.299**). This means that H1 and H2 are both further supported at this level of analysis. This means that when an organization's tone at the top management level is effective and with high-quality internal audits, effective RMPs are likely to be designed, implemented and maintained. Taken together, the predictor variables explain about 67.7 per cent of the variance in RMPs in financial service firms in Uganda. Generally, the results suggest that Model 3 in Table 10 is the most plausible model. The incremental validity in adjusted R² in Models 1-3 in Table 10 suggests a better fitting model which develops as tone at the top management level and internal audit quality are successively introduced (Field, 2009). In all the cases but Model 1, the F change is significant. The Durbin-Watson test was carried out to test for serial correlations between errors in regression models. As a very conservative rule of thumb, values less than 1 or greater than 3 are definitely cause for concern, but the closer to 2 the value is, the better it is (Field, 2009). For this study, the Durbin-Watson statistic was 1.707, which justifies the assumption of independent errors or no serial correlation.

Discussion
The main theme arising out of this study is that effective RMPs are significantly influenced by appropriate tone at the top management level and high internal audit quality. This implies that agency theory is well suited to explain the relevance of tone at the top management level and internal audit quality in ensuring effective RMPs since most principal-agency associations can be identified among internal stakeholders of an organization (Nalukenge, Nkundabanyanga, & Ntayi, 2018). For example, the results indicate that when management and those charged with governance of the entity design, implement and maintain effective internal controls and there is commitment from the chief executive and executive management of the organization towards RMPs, there is likely to be effective RMPs in the organization. This is consistent with the suggestion that tone at the top management level is crucial in ensuring effective RMPs and responsible for maintaining effective internal controls and for executing risk and control procedures in risk firms (IIA, 2013a) such as financial services firms, making agency theory a relevant framework for understanding variances in RMPs. Further still, the current study concurs with Cheese (2016) on the need to manage and mitigate risks effectively, through understanding corporate cultures, operating models and organizational constructs, leadership and governance, as well as the more traditional talent management practices and processes. At the same time, since tone at the top management level's scope of activities includes the identification, assessment, control, and mitigation of risks (Fraser & Henry, 2007), these roles make it lead the way to overall risk management in the organization. However, the efforts of top managers will be enhanced if contemporaneously they are knowledgeable in risk management, do not have any conflict of interest with the organization and focus on risk issues. That way the top manager's role in managing risk is improved by the enhanced expertise and objectivity. The results also suggest that executive management should allocate appropriate resources for training and the development of an enhanced risk awareness by all stakeholders. In this regard, tone at the top managerial level is seen as an elevator of the risk management efforts in the organization, which seems to concur with Sheedy and Lubojanski's (2018) observation that older workers as well as those with greater seniority are more likely to report desirable risk management behaviour. Thus, senior staff are expected to play a greater role in promoting risk management in firms that are committed to risk culture. Overall, adequate internal processes, objectivity and experience and expertise are key considerations for tone at the top management level in influencing effective RMPs.
The results further suggest that the individual contribution of internal audit quality to effective RMPs is vital. It is highly likely that if the organization has an effective tone at the top management level, this will help internal auditors to perform their duties independently. Besides, with adequate management support, internal auditors will be able to access all records as necessary and acquire training in the necessary skills to perform their duties competently to prevent, detect and report the risks. This corroborates Coetzee (2016), who confirms that internal auditing should play a prominent role in risk-related activities to ensure that the risks threatening an organization are reduced to acceptable levels. Other corroborative studies have indicated that internal auditors are sensitive to factors that may lead to risk disclosures and that when they encounter such factors, internal auditors may be more likely to design tests to search for risk, which in turn can increase the likelihood of detection and reporting (Abdullatif & Kawuq, 2015; Chambers & Odar, 2015; Zwaan et al., 2011). However, our results contradict the findings of Fraser and Henry (2007), who recommended a split of the internal audit and risk management functions to preserve internal audit independence and clarify internal audit roles. Nonetheless, in this study, we suggest that even though a separate risk management function is established in the organization, internal audit remains with the primary role of assisting the top management to meet the strategic and operational objectives of the organization, by providing an independent and objective evaluation of the adequacy and effectiveness of risk management, controls and governance processes. As a result, the organization's internal audit approach must be aligned with the organization's risk management function by focusing on key strategic, financial, operational, compliance and information technology risks. This links well with the studies of Stewart and Kent (2006) and Ismael and Roberts (2018). The empirical results presented herein further confirm the contemporary literature in this regard, thus contributing to the internal audit quality and effective RMPs literature, particularly that focusing on the financial services sector.

Summary and conclusion
The purpose of this paper was to examine the contribution made by the tone at the top management level effectiveness and internal audit quality on effective RMPs in the financial services firms. We surveyed 62 financial services firms and we find that tone at the top management level and internal audit quality are significant predictors of effective RMPs. Once the organization has effective tone at the top management level, it is likely to help internal auditors perform quality audits to enhance effective risk management practices.
This study offers several implications. We explore the role played by the tone at the top management level and internal audit quality in enhancing the effectiveness of RMPs, meaning that organization managers who design, implement and maintain effective internal controls and do not have any conflict of interest with the organization are likely to enhance risk prevention, detection and reporting. For policymakers like the central bank (e.g. Bank of Uganda), the findings of this study will help them in prescribing the operating standards for financial services firms, composition and expertise of the risk management committee and qualifications for internal auditors. Besides, internal auditors should be independent, competent, get adequate support from management and perform their new and expanded activities as per the Institute of Internal Auditors (IIA, 2013a; IIA, 2014a) to ensure quality audits. The results are important for risk management policy development, for example, in terms of prescribing the role of tone at the top management level and internal audit quality in spearheading risk management in the financial service firms.
Despite the contributions and implications, this study focused on financial services firms in Uganda to determine the contribution of tone at the top management level effectiveness and internal audit quality on risk management. It is possible that these results are only applicable to financial service firms, unlike other service firms. The study also relied mostly on quantitative data, which sometimes misses certain information and limits the respondents' opinions on the study variables. While care was taken to control for response bias, it is unlikely it could be ruled out completely. However, this study clearly brought out the overall contribution of tone at the top managerial level and internal audit quality in risk prevention, detection and reporting as necessary.