Commitment to Integrity and Ethical Values

To meet the COSO “Commitment to Integrity and Ethical Values” requirement, you must set explicit ethical expectations (code of conduct, conflicts rules, reporting channels) and prove they operate in practice through leadership behavior, training, enforcement, and documented follow-through. Auditors look for consistent governance, real investigations, and evidence that misconduct has consequences (COSO IC-IF (2013)).

Key takeaways:

  • “Tone at the top” must be documented and observable through actions, not slogans (COSO IC-IF (2013)).
  • Operationalize ethics with policies, training, reporting, investigations, and consistent discipline.
  • Evidence wins: retain approvals, attestations, case logs, remediation records, and communications.

“Commitment to Integrity and Ethical Values” is a control-environment requirement under COSO Principle 1: your organization must demonstrate integrity as a living operating standard, not a one-time policy rollout (COSO IC-IF (2013)). For a Compliance Officer, CCO, or GRC lead, the fastest path is to treat this as an end-to-end control system: define expectations, embed them into workflows, create safe reporting paths, investigate promptly, and apply consequences consistently. Then keep audit-ready evidence that these steps happen.

This requirement cuts across every function: HR, Legal, Finance, Procurement, IT, Sales, and third-party management. It is also where many programs fail quietly. Teams often have a code of conduct but cannot show that employees understood it, leaders modeled it, or allegations were handled consistently. COSO assessors and external auditors typically test whether ethical expectations are communicated, understood, and enforced, and whether management overrides are controlled in practice (COSO IC-IF (2013)).

This page is written as requirement-level implementation guidance. It focuses on what you need to do, what evidence to retain, what auditors ask, and how to execute quickly without turning ethics into a paperwork exercise.

Regulatory text

Excerpt: “The organization demonstrates a commitment to integrity and ethical values.” (COSO IC-IF (2013))

What the operator must do:
You must define what “integrity and ethical values” mean for your business, communicate those expectations, and run controls that detect and respond to unethical conduct. The proof standard is operational: policies exist, people acknowledge them, leadership behavior aligns, reporting channels function, investigations are documented, corrective actions occur, and repeat issues drive control improvements (COSO IC-IF (2013)).

Practical interpretation (plain English):

  • People need to know the rules (code, conflicts, gifts, reporting).
  • People need safe ways to raise concerns (hotline, HR, manager escalation).
  • Management must act on issues the same way each time, including for high performers and executives.
  • You must be able to show evidence of all of the above.

What this requirement means in practice

The control objective

Create a culture and operating system where unethical behavior is less likely to occur and more likely to be detected and corrected quickly. Under COSO, this sits in the Control Environment because it influences whether every other control is designed and executed honestly (COSO IC-IF (2013)).

What “demonstrates” usually implies for auditors

Auditors rarely accept intent. They test:

  • Design: Are expectations clearly defined, approved, and communicated?
  • Implementation: Are training, acknowledgments, and reporting channels in place?
  • Operating effectiveness: Are allegations tracked, investigated, resolved, and remediated consistently?
  • Governance: Does the board/oversight body receive meaningful ethics reporting?

Who it applies to

Entity scope

  • The entire organization adopting COSO Internal Control – Integrated Framework (COSO IC-IF (2013)).
  • Internal audit and control owners who must assess and document control environment factors (COSO IC-IF (2013)).

Operational context

This requirement applies anywhere ethical failure can cause misstated reporting, fraud, regulatory violations, or reputational harm. It is especially relevant in:

  • Revenue recognition and sales incentives
  • Procurement and third-party sourcing
  • Expense management (gifts, travel, entertainment)
  • Financial close and management estimates
  • Access management and privileged IT operations
  • Third-party relationships (agents, resellers, consultants) where misconduct can be “outsourced”

What you actually need to do (step-by-step)

1) Set the standard: define expectations and boundaries

  1. Update or issue a Code of Conduct that is specific enough to guide real choices (conflicts, bribery, gifts, recordkeeping, respectful workplace, reporting duties). Map sections to your key risk areas so it is not generic (COSO IC-IF (2013)).
  2. Write supporting policies where the code is insufficient: conflicts of interest, gifts/entertainment, anti-retaliation, investigations, disciplinary standards, and record retention.
  3. Define “management override” expectations (who can approve exceptions, what documentation is required, and how exceptions are reported upward). COSO control environment evaluations commonly focus on override behavior (COSO IC-IF (2013)).

Operational tip: If your code is long, add a one-page “ethics quick guide” for high-risk roles (Sales, Procurement, Finance, IT admins). Keep the long form for completeness and the short form for day-to-day use.

2) Assign ownership and governance

  1. Name accountable owners for (a) policy content, (b) training/communications, (c) intake channels, and (d) investigations. Put this in a RACI.
  2. Define oversight: what the board/audit committee (or equivalent) receives, how often, and what decisions they are expected to make (COSO IC-IF (2013)).
  3. Create an ethics committee cadence for cross-functional review of trends and significant cases (Legal, HR, Compliance, Internal Audit).

3) Communicate and train in a way you can prove

  1. Run role-based training: baseline for all personnel, with deeper modules for high-risk teams (procurement, finance, sales, engineering with privileged access).
  2. Collect attestations: employees acknowledge the code and key policies and re-attest on a defined schedule you set.
  3. Use leadership communications: CEO/GM message, manager talking points, and a documented expectation that managers reinforce reporting and non-retaliation (COSO IC-IF (2013)).

Evidence rule: If it is not recorded (LMS completion, signed attestation, meeting minutes), auditors will treat it as “not done.”

4) Provide safe reporting channels and protect reporters

  1. Maintain at least two reporting paths (for example: hotline/web portal and HR/Compliance email). Make sure they are accessible to remote staff and, where relevant, third parties.
  2. Publish anti-retaliation standards and train managers on escalation and confidentiality.
  3. Test the channels (mystery shopper tests or controlled test submissions) and document results and fixes.

5) Investigate, remediate, and discipline consistently

  1. Standardize triage: severity categories, conflict checks, assignment rules, and time-to-initial-response targets that you define internally.
  2. Document investigations end-to-end: intake, allegation summary, evidence collected, interviews, findings, decision rationale, and closure approvals.
  3. Apply consistent consequences: align HR discipline practices to policy; document exceptions and approvals.
  4. Track remediation to closure: control changes, training refresh, supervisory actions, process fixes. Feed lessons learned into your risk assessment and control testing plan (COSO IC-IF (2013)).

6) Monitor and report

  1. Define ethics KPIs/KRIs without false precision. Focus on trend and completeness: training completion status, hotline volume trends, substantiation categories, repeat issues, aging of open cases, retaliation allegations.
  2. Report to oversight with enough detail to show governance, while protecting confidentiality.
  3. Integrate with third-party risk management: require code-of-conduct alignment for relevant third parties, train internal sponsor teams, and ensure allegations involving third parties follow the same intake and investigation rigor.

Required evidence and artifacts to retain (audit-ready)

Use a single “Ethics & Integrity Evidence Binder” structure (folder or GRC tool) so you can produce artifacts quickly.

Control element | Evidence to retain | Common owner
Code of conduct and policies | Approved versions, revision history, board/leadership approvals, exception logs | Compliance/Legal
Training and communications | LMS completion reports, training content, attendance logs, leadership emails, manager talking points | Compliance/HR
Attestations | Signed acknowledgments, conflict disclosures, annual questionnaires | HR/Compliance
Reporting channels | Hotline vendor contract (if used), published reporting guidance, test results, access controls for case system | Compliance/IT
Investigations | Case register, triage notes, investigation plans, findings memos, closure approvals, disciplinary documentation | Compliance/Legal/HR
Remediation | Corrective action plans, control change tickets, policy updates, follow-up testing results | Control owners/Internal Audit
Oversight | Committee charters, meeting agendas/minutes, board reporting decks | Compliance/Company Secretary

Daydream fit (where it earns its place): If you struggle to keep evidence consistent across HR, Legal, and Compliance, Daydream can act as the system-of-record for requirement-to-artifact mapping, so your COSO Principle 1 evidence is linked, current, and exportable for audit.

Common exam/audit questions and hangups

Auditors and examiners often ask:

  • “Show me how you communicate ethics expectations to employees and contractors.”
  • “How do you know employees understood the code?” (expect training records and attestations)
  • “Walk me through three closed investigations end-to-end.” (expect consistent documentation)
  • “How are senior leaders held accountable?” (expect evidence that discipline is consistent)
  • “How does the board know this is working?” (expect governance reporting and actions)
  • “Show how conflicts of interest are disclosed, reviewed, and resolved.”

Hangups that slow audits:

  • Investigations handled in email with no case log.
  • Missing rationale for closing cases as “unsubstantiated.”
  • Inconsistent discipline across teams or seniority levels.
  • Training exists, but completion reporting is incomplete or not retained.

Frequent implementation mistakes and how to avoid them

  1. Mistake: Treating the code as the control.
    Avoid: Treat the code as the starting point; the control is communication, reporting, investigations, and consequences (COSO IC-IF (2013)).

  2. Mistake: Ethics program owned by one person with no governance.
    Avoid: Put a RACI in writing and establish oversight reporting.

  3. Mistake: No documented management override boundaries.
    Avoid: Require written justification for exceptions and route them to a defined approver with periodic review (COSO IC-IF (2013)).

  4. Mistake: Over-collecting data and under-documenting decisions.
    Avoid: For each case, record the allegation, steps taken, evidence reviewed, and decision rationale. Auditors grade the rationale.

  5. Mistake: Third parties excluded from ethics expectations.
    Avoid: Flow down code-of-conduct expectations contractually and make reporting available for third-party-related allegations.

Risk implications (why auditors care)

Weak integrity controls raise the probability of:

  • Financial misstatement through override, manipulation, or concealment
  • Fraud risk from pressure-based incentives with weak consequences
  • Procurement misconduct (conflicts, kickbacks) and third-party corruption exposure
  • Compliance program credibility failures: employees stop reporting if they see retaliation or inconsistent discipline

COSO places this in the Control Environment because failures here degrade the reliability of other controls, even if they look good on paper (COSO IC-IF (2013)).

Practical 30/60/90-day execution plan

Use phases so you can move fast without pretending every organization can implement on the same clock.

First 30 days (stabilize and make it auditable)

  • Confirm executive sponsor and assign program owner(s) with a written RACI.
  • Inventory existing artifacts: code, policies, training, hotline, investigations process.
  • Stand up a single case register (even a controlled spreadsheet temporarily) with required fields.
  • Establish minimum investigation documentation standards and a closure approval step.
  • Publish or re-publish reporting channels and anti-retaliation statement.

Days 31–60 (standardize controls and close gaps)

  • Update code/policies to address your top ethics risks (conflicts, gifts, reporting, anti-retaliation).
  • Implement role-based training and track completion centrally.
  • Start an ethics oversight cadence (committee and/or audit committee reporting package).
  • Define exception/override documentation requirements and review process.
  • Add third-party contractual clauses for code-of-conduct alignment where relevant.

Days 61–90 (prove operation and improve)

  • Test reporting channels and document remediation.
  • Run a retrospective review of closed cases for consistency and documentation quality.
  • Build trend reporting for oversight (volume categories, aging, repeat issues).
  • Perform a targeted internal audit or control test focused on Principle 1 evidence and investigation files (COSO IC-IF (2013)).
  • Move evidence into a GRC system (or Daydream) for requirement-to-artifact mapping and audit exports.

Frequently Asked Questions

Do we need a separate “ethics policy” if we already have a code of conduct?

Not always. The key is whether your code plus supporting policies cover your real risk areas and you can prove training, reporting, investigations, and discipline work in practice (COSO IC-IF (2013)).

What’s the minimum evidence auditors expect for this requirement?

Approved ethics standards (code/policies), proof of communication (training and attestations), and investigation artifacts that show consistent handling and remediation (COSO IC-IF (2013)).

How do we demonstrate “tone at the top” without subjective claims?

Use objective artifacts: leadership communications, governance minutes, documented decisions on significant cases, and evidence that discipline applies consistently across seniority levels.

Does this apply to third parties?

Yes, in operational reality, even if your internal policies are employee-focused. Flow down expectations contractually and ensure allegations involving third parties enter the same intake and investigation workflow.

Our investigations are run by HR. How should Compliance be involved?

Define intake routing and oversight. Compliance typically owns standards and program monitoring, while HR may own employment actions; document the handoffs and keep a unified case log.

How can Daydream help without replacing our hotline or HR case tool?

Use Daydream to map COSO Principle 1 to your existing systems and artifacts, maintain version-controlled evidence, and produce audit-ready exports that show the control operates end-to-end.

Authoritative Sources

  • COSO IC-IF (2013): Committee of Sponsoring Organizations of the Treadway Commission, Internal Control – Integrated Framework (2013), Principle 1.
