Standards of Conduct
To meet the standards of conduct requirement, you need a written, approved code (and supporting policies) that defines expected behavior and a repeatable way to evaluate and document adherence across the organization. Operationalize it by assigning ownership, training the workforce, collecting attestations, monitoring exceptions, and keeping audit-ready evidence. 1
Key takeaways:
- Standards of conduct must exist in writing and function as the benchmark for expected behavior across the enterprise. 1
- Auditors will test operation, not intent: training, attestations, investigations, disciplinary actions, and reporting metrics must align to the standards.
- The fastest path is to map standards to real decision points (gifts, conflicts, third parties, financial reporting, data handling) and prove enforcement through records.
“Standards of Conduct” under COSO’s Internal Control – Integrated Framework is a requirement-level expectation: your organization sets explicit behavior standards and uses them to evaluate whether people actually follow them. The test is simple: can you show, with evidence, what “acceptable” looks like, how you communicated it, and how you detect and address deviations? 1
For a Compliance Officer, CCO, or GRC lead, this is a practical control foundation. It ties directly to tone at the top, internal control effectiveness, and defensibility during internal audit, external audit, or regulator inquiries. Programs rarely fail here because a code is missing; they fail because the organization cannot show consistent rollout, documentation, and enforcement across regions, functions, and employee populations.
This page gives you an operator’s implementation blueprint: applicability, step-by-step execution, evidence to retain, common audit questions, and a workable 30/60/90 plan. It stays aligned to COSO’s requirement that standards of conduct are established and used as the basis for evaluating adherence to expected behavior across the organization. 1
Regulatory text
Requirement (excerpt): “Standards of conduct are established and used as a basis for evaluating adherence to expected behavior across the organization.” 1
What the operator must do:
You must (1) define and approve standards of conduct, then (2) embed them into management routines so you can evaluate adherence consistently and take action when behavior deviates. A static PDF on an intranet is not enough if you cannot demonstrate communication, acknowledgement, monitoring, and consequences tied to the standards. 1
Plain-English interpretation (what this means in practice)
- “Established” means documented, approved by appropriate governance, accessible to the workforce, and supported by procedures for common risk areas (conflicts, gifts, third parties, recordkeeping, reporting concerns).
- “Used as a basis for evaluating” means you have defined criteria and mechanisms to assess compliance with the standards (attestations, training completion, hotline triage, investigations, manager check-ins, internal audit testing).
- “Across the organization” means consistent coverage by entity, region, function, and worker type (employees, contractors, temporary staff where they act on your behalf, and in many cases key third parties through contract clauses and onboarding expectations).
COSO frames standards of conduct as a foundational element of the control environment under Principle 1. If your standards are unclear, inconsistently applied, or not evidenced, downstream controls (financial reporting integrity, procurement controls, third-party risk processes) become harder to defend. 2
Who it applies to (entity and operational context)
Applies to: Organizations implementing or aligning to COSO Internal Control – Integrated Framework, including public and private companies, nonprofits, and any entity that uses COSO for internal control assurance, SOX-aligned programs, or internal audit baselines. 1
Operational scope (who must follow the standards):
- Board and executives (tone at the top and accountability)
- All employees (including remote and distributed teams)
- Contractors and contingent workers acting under your direction (as defined in your HR/procurement model)
- High-impact third parties where conduct affects your risk profile (agents, resellers, lobbyists, BPOs, customer support outsourcers). Treat this as “standards flow-down” through contracting and onboarding, even if the third party has its own code.
What you actually need to do (step-by-step)
1) Define the standards of conduct (write what “good” looks like)
Build or refresh a Code of Conduct that is:
- Specific enough to evaluate. Include concrete rules and examples for common situations: conflicts of interest, gifts/entertainment, retaliation, speaking up, accuracy of records, use of company assets, information handling, interactions with third parties, and financial integrity expectations.
- Aligned to your real risk and operating model. A global sales org needs different examples than a regulated financial services back office.
- Written in plain language. If employees cannot understand it, you cannot credibly claim it is the behavioral benchmark.
Deliverable: Code of Conduct + topic policies where needed (e.g., Conflicts of Interest Policy, Gifts & Entertainment Standard, Speak-Up/Non-Retaliation Policy).
2) Set governance and ownership (so decisions are consistent)
Define and document:
- Owner: typically Compliance (or Ethics & Compliance), with Legal/HR partnership.
- Approvers: executive sponsor and Board committee (often Audit Committee or Ethics & Compliance committee).
- Exception authority: who can approve deviations (and under what documented rationale).
- Disciplinary model: HR-led but mapped to code violations, with consistency checks.
Practical tip: publish a one-page “standards of conduct operating model” showing roles for Compliance, HR, Legal, Internal Audit, Procurement, and business leaders.
3) Communicate and train (prove people received and understood it)
Minimum operational components:
- Training assignment logic: who must complete, how often, and in what format (e-learning, live training for high-risk roles).
- Attestation workflow: capture acknowledgement that the individual read and will comply with the Code of Conduct.
- Localization: translations, local addenda where required, and accessibility standards.
If you have multiple systems (LMS + HRIS + GRC), define the system of record for completion and attestations.
4) Embed the standards into processes that generate evidence
This is where most programs fail. Tie the standards to operational checkpoints:
- Hiring/onboarding: code acknowledgement at hire; conflict disclosure within onboarding.
- Procurement/third-party onboarding: code clauses, anti-retaliation and reporting channel language, compliance representations, and termination rights for misconduct.
- Finance processes: recordkeeping and approval integrity statements in relevant workflows.
- Performance management: include behavioral expectations in reviews for managers and high-risk functions.
- Hotline and case management: intake categories mapped to code sections; consistent substantiation and disposition codes.
5) Evaluate adherence (monitoring + response)
Create a repeatable evaluation loop:
- Detect: hotline trends, audit findings, policy exceptions, conflicts disclosures, third-party due diligence flags, training non-completion.
- Investigate: defined triage and investigation procedures, privilege decisions, documentation standards.
- Remediate: corrective actions, targeted retraining, process fixes.
- Discipline: consistent outcomes; document rationale and approvals.
- Report: periodic metrics to leadership/Board showing program operation.
COSO expects standards to be used to evaluate adherence, so your monitoring and response activities must explicitly reference the standards as the benchmark. 1
6) Document everything (audit-ready by design)
Treat documentation as part of the control, not an afterthought. If you cannot produce evidence quickly, auditors will conclude the control is not operating.
Daydream fit (practical, earned mention): if you manage standards, training evidence, attestations, exception logs, and case remediation across multiple teams, Daydream can centralize the evidence set and map it to the COSO requirement so internal audit requests become a pull, not a scramble.
Required evidence and artifacts to retain
Retain artifacts that prove design and operating effectiveness:
Design evidence
- Current Code of Conduct (versioned, dated)
- Approval records (Board/committee minutes or written approvals)
- Supporting policies/standards (conflicts, gifts, speak-up, non-retaliation, disciplinary guidelines)
- Governance/RACI and escalation paths
- Training and attestation requirements (documented standard)
Operating evidence
- Training completion reports (by population, region, role)
- Attestation logs (who attested, date/time, version attested to)
- Exceptions/waivers register (requests, approvals, rationale, expiration)
- Conflicts of interest disclosures and reviews (where applicable)
- Hotline/case management records (intake, triage, investigation steps, outcomes)
- Disciplinary action documentation (with HR controls and privacy handling)
- Management and Board reporting packs (metrics, trends, remediation status)
- Communications artifacts (CEO/leadership messages, intranet postings, campaigns)
Retention approach: align to your legal hold and HR/privacy constraints, but make sure you can reconstruct “who knew what, when” for each code version.
Common exam/audit questions and hangups
Auditors and examiners tend to probe these points:
- Show me the standard. Where is the Code of Conduct, and what version was effective during the audit period?
- Who approved it and when? Evidence of governance, not verbal confirmation.
- How do you know employees received it? Attestation evidence, not just a link on the intranet.
- How do you evaluate adherence? Describe monitoring, investigations, and consequences tied back to code provisions. 1
- Is enforcement consistent? Look for disparities by region, level, or function.
- How do third parties fit? Contractual flow-down and onboarding controls where third parties represent you.
Hangup to expect: training completion looks “high,” but auditors ask for population integrity (who was supposed to take it, and why any exceptions are valid).
Frequent implementation mistakes (and how to avoid them)
- Mistake: Code is aspirational and non-testable.
  Fix: add decision rules and examples; link each section to a reporting channel and consequence framework.
- Mistake: No defined evaluation mechanism.
  Fix: document a monitoring plan and case management taxonomy that maps allegations to code sections. 1
- Mistake: Incomplete population coverage.
  Fix: define covered populations from HRIS, include contractors where appropriate, and document exclusions with rationale.
- Mistake: Evidence scattered across inboxes and tools.
  Fix: establish an evidence register and a single evidence repository with version control (a GRC tool or a disciplined document management process).
- Mistake: Third parties ignored.
  Fix: add contract clauses, require third-party acknowledgements for high-risk relationships, and ensure reporting mechanisms are available to them.
Enforcement context and risk implications
No public enforcement cases are provided in the source catalog for this requirement, so this page does not list cases.
Operational risk implications still matter:
- Weak standards of conduct increase the likelihood of control failures tied to fraud risk, inaccurate books and records, retaliation claims, procurement misconduct, and inconsistent disciplinary outcomes.
- From a COSO assurance perspective, gaps show up as control environment deficiencies that can cascade into findings in audits and management letter comments. 2
Practical 30/60/90-day execution plan
First 30 days (stabilize and inventory)
- Assign an accountable owner and confirm approvers for the Code of Conduct and key topic policies.
- Inventory existing documents, training modules, attestations, hotline/case procedures, and disciplinary guidelines.
- Build an “evidence map” that lists each artifact you can produce for design and operation.
- Identify population sources (HRIS, contractor lists) and gaps in who receives training and attests.
Days 31–60 (close design gaps and make adherence measurable)
- Update or rewrite the Code of Conduct where language is vague or not testable.
- Publish/refresh supporting policies that are missing or inconsistent (conflicts, gifts, speak-up, non-retaliation).
- Define evaluation mechanisms: monitoring inputs, case taxonomy mapped to code sections, exception handling process.
- Implement a consistent attestation workflow tied to the code version.
Days 61–90 (prove operation and prepare for audit)
- Run training and attestation campaigns; track non-completion and remediate.
- Start recurring reporting to leadership (training/attestation status, hotline trends, substantiation categories, remediation aging).
- Test evidence retrieval: simulate an audit request and produce a complete package within your internal SLA.
- Formalize third-party flow-down where needed (contract language + onboarding acknowledgements for high-impact third parties).
Frequently Asked Questions
Do we need a standalone Code of Conduct if we already have multiple policies?
You need a clear set of standards that employees can understand and that you can use as the benchmark for evaluating behavior. A Code of Conduct often serves as the “front door,” with detailed policies underneath it. 1
How do we prove we are “using” standards of conduct to evaluate adherence?
Tie monitoring and response activities to the standards: training and attestations, hotline categories mapped to code sections, documented investigations, and consistent disciplinary outcomes. Your evidence should show the standards are the reference point in decisions. 1
Who should approve the standards of conduct?
Approval should match your governance model, but auditors expect executive-level sponsorship and appropriate Board oversight for enterprise standards. Retain meeting minutes or written approvals as evidence.
Do contractors and third parties need to attest to our Code of Conduct?
For contractors acting under your direction and high-impact third parties, a documented expectation and contractual flow-down is a common control pattern. Use a risk-based approach and document which third parties are in scope and why.
What if local law or works councils restrict certain training or investigations?
Create localized addenda and procedures that preserve the behavioral standards while adapting execution steps. Document the constraint, the approved alternative process, and how it still supports adherence evaluation.
What’s the minimum evidence package to satisfy internal audit quickly?
Keep a versioned Code of Conduct, approval records, training and attestation reports, a sample set of hotline/investigation files, and leadership reporting that shows oversight and remediation. This aligns directly to the COSO expectation that standards exist and are used to evaluate adherence. 1
Footnotes
1. COSO, Internal Control – Integrated Framework (2013).