Adherence to Standards Evaluation
The adherence to standards evaluation requirement means you must run repeatable processes that assess whether individuals and teams meet your organization’s standards of conduct, document results, and address deviations through corrective action. Operationalize it by embedding conduct expectations into performance management, manager routines, investigations, and consequence management with auditable evidence. [1]
Key takeaways:
- You need defined, repeatable evaluation processes for conduct, not just a Code of Conduct on paper. [1]
- Evaluations must cover individuals and teams, tie to expected standards, and trigger documented follow-up for exceptions. [1]
- Auditors will look for proof: criteria, completed evaluations, issue tracking, and consistent consequences. [1]
“Adherence to standards evaluation” is where your ethics and compliance program becomes operational. Many organizations can show policies, training, and a hotline. Fewer can show a consistent, documented process that evaluates conduct performance across roles and teams, then drives action when standards are not met. COSO’s Internal Control – Integrated Framework calls for processes that evaluate performance against expected standards of conduct. [1]
For a Compliance Officer, CCO, or GRC lead, the fast path is to treat this as a control system: define standards, translate them into measurable evaluation criteria, assign owners, schedule evaluation events, and create an escalation path that results in corrective action. Your objective is not to “catch bad people.” Your objective is to demonstrate that the organization detects and addresses conduct risk through normal management cadence, not only during investigations.
This page gives requirement-level implementation guidance you can deploy through HR performance processes, manager check-ins, internal audit testing, and compliance monitoring so you can evidence the control on demand. [1]
Regulatory text
COSO requirement (excerpt): “Processes are in place to evaluate the performance of individuals and teams against the entity's expected standards of conduct.” [1]
What the operator must do: Put in place documented, repeatable processes that (1) assess conduct performance for people and teams against defined standards, (2) record outcomes, and (3) trigger action when behavior falls short. A Code of Conduct alone does not satisfy this expectation; the requirement is about evaluation processes and follow-through. [1]
Plain-English interpretation (what “good” looks like)
You are expected to run a closed-loop system for conduct:
- Define what “expected standards of conduct” mean for your organization (values, policies, risk appetite, role-specific obligations).
- Evaluate adherence in the flow of work (performance reviews, manager attestations, quality reviews, audit/compliance monitoring, investigations outcomes).
- Act on deviations using consistent consequence management, coaching, remediation, and control improvements.
- Prove it with artifacts an auditor can trace from standards → evaluation criteria → completed evaluations → exceptions → corrective action. [1]
A practical hallmark: managers can explain how conduct is assessed for their team, what evidence exists, and what happens if expectations are not met.
Who it applies to (entity and operational context)
Applies to: Organizations implementing COSO internal control expectations, including functions responsible for governance, risk, compliance, and internal audit. [1]
Operationally relevant to:
- HR and People Ops: performance management, disciplinary processes, promotions, incentives.
- Compliance and Ethics: Code of Conduct governance, investigations, hotline management, corrective action oversight.
- Line of business leaders: team culture, sales conduct, customer treatment, operational integrity.
- Internal Audit / 2nd line monitoring: testing whether evaluations are performed and effective. [1]
Scope considerations you should explicitly decide:
- Which populations are in scope (employees, contractors, temp labor, interns, third parties acting on your behalf).
- Whether team-level evaluation includes metrics like complaint trends, audit findings, policy exceptions, or conduct-risk indicators.
- How you treat senior leaders and revenue-producing teams where incentive risk is higher.
What you actually need to do (step-by-step)
Step 1: Define “expected standards of conduct” in operational terms
Produce a short, controlled set of standards that you can evaluate against. Start with:
- Code of Conduct topics (conflicts, gifts, reporting, anti-retaliation, data handling, respectful workplace).
- Role-specific standards (sales practices, procurement integrity, handling customer data, financial reporting behavior).
- “Team standards” (how targets are set, how exceptions are approved, how escalations happen).
Output: Standards catalog mapped to policies and role families. [1]
Step 2: Convert standards into evaluation criteria and rating guidance
Define criteria that a manager, compliance reviewer, or auditor can apply consistently:
- Behavioral indicators (e.g., “reports concerns promptly,” “documents exceptions,” “does not pressure staff to bypass controls”).
- Objective signals (training completion, policy attestations, substantiated cases, audit issues tied to the manager’s span).
- Red flags (repeat exceptions, retaliation allegations, patterns of customer complaints).
Add a rating rubric with examples of what “meets,” “needs improvement,” and “does not meet” look like in your context.
Output: Conduct evaluation rubric + manager guidance. [1]
Step 3: Embed evaluation into existing cycles (don’t build a parallel bureaucracy)
Use channels you already run:
- Performance reviews: require a conduct rating and narrative tied to standards.
- Manager check-ins: add a conduct agenda item (open issues, pressures, exceptions).
- Promotion/bonus decisions: require a conduct gate (no unresolved substantiated issues; documented review of conduct factors).
- Team-level reviews: quarterly or periodic conduct risk review in business reviews (hotline themes, audit issues, exceptions).
Control design tip: Make conduct evaluation a required field in HR systems and review workflows so it can’t be skipped without an exception that is logged.
Step 4: Define the exception workflow and consequence management
COSO’s requirement implies that you address deviations appropriately. [1] Define:
- What counts as a deviation (policy breach, substantiated investigation, repeated control bypassing, harassment, falsification, retaliation, high-risk exceptions).
- Who decides outcomes (HR, Compliance, Legal, business leadership) and what “independent review” looks like for senior leaders.
- Consequence options (coaching, written warning, training, role change, compensation impact, termination) and when each is appropriate.
- Timely documentation of rationale and approvals.
Output: Documented conduct exception and consequence process, with RACI.
Step 5: Implement oversight, quality checks, and consistency testing
Auditors will look for consistency across teams and levels. Put checks in place:
- HR/Compliance review of a sample of evaluations for completeness and quality.
- Analysis for outliers (teams with perfect conduct ratings despite high issue volumes).
- Calibration sessions for managers to align scoring and narratives.
- Internal audit testing plan (design and operating effectiveness) tied to the standards-to-evaluation traceability.
If you use a GRC platform such as Daydream, configure workflows to: assign evaluations, collect attestations, store evidence, track exceptions, and produce an audit-ready report that ties each evaluation to the applicable standard.
Required evidence and artifacts to retain
Keep artifacts that show design, execution, and follow-through:
Design artifacts
- Standards of conduct catalog (mapped to Code/policies). [1]
- Conduct evaluation rubric and scoring guidance. [1]
- Procedures for evaluations (who, when, how; individual and team). [1]
- Exception handling and consequence management procedure. [1]
- RACI and governance approvals (HR/Compliance/Legal sign-off).
Operating artifacts
- Completed performance evaluations showing conduct assessment fields.
- Team conduct review decks/minutes (agenda, attendees, issues reviewed, actions).
- Manager attestations (if used) with submission logs.
- Investigation outcomes tied to remediation actions.
- Corrective action plans, owners, due dates, completion evidence.
- Calibration records and QA findings from HR/Compliance sampling.
Retention and accessibility
Define retention in your records schedule and keep evidence searchable by person/team, period, and standard. Audits fail when evidence exists but cannot be retrieved quickly.
Common exam/audit questions and hangups
Expect questions like:
- “Show me the process that evaluates adherence to standards of conduct.” [1]
- “How do you evaluate teams, not just individuals?” [1]
- “How do you prevent managers from rubber-stamping ‘meets expectations’ for everyone?”
- “Walk me from a deviation to corrective action. Where is it documented?”
- “How do you ensure consistent consequences across departments and geographies?”
- “How is senior leadership evaluated, and who reviews their results?”
Hangups that slow teams down:
- Standards are too broad to score consistently.
- Team-level evaluation is undefined or treated as “culture” with no artifacts.
- Exceptions are handled informally outside the documented workflow.
- HR and Compliance disagree on ownership of consequence decisions.
Frequent implementation mistakes (and how to avoid them)
- Mistake: Treating training completion as the evaluation. Fix: Training is an input; the requirement expects performance evaluation against standards plus follow-up. [1]
- Mistake: No team-level view. Fix: Add team conduct reviews using aggregated indicators (hotline themes, audit issues, exception volumes) and document actions. [1]
- Mistake: Vague rubrics. Fix: Write scoring anchors with concrete examples by role family.
- Mistake: Consequences vary by business unit without rationale. Fix: Centralize oversight and require documented rationale for deviations from standard disciplinary guidance.
- Mistake: Evaluations happen, but remediation doesn’t. Fix: Link exceptions to corrective action tracking with owners and deadlines, and report status to governance.
Risk implications (why this control matters)
If you cannot demonstrate adherence-to-standards evaluation, you have a gap in the “tone at the top” control environment: misconduct and control bypassing can persist because performance systems reward outcomes without testing behaviors. COSO frames this as foundational to internal control. Weakness here increases the chance that policy violations, reporting breakdowns, and cultural issues stay undetected until they become incidents. [1]
Practical 30/60/90-day execution plan
First 30 days (stabilize and define)
- Inventory existing standards (Code, key policies) and decide scope populations.
- Draft the standards catalog and a first-pass evaluation rubric.
- Map where evaluations already occur (HR reviews, business reviews, audit monitoring).
- Define the exception workflow and decision rights (RACI).
- Choose the system of record for evidence (HRIS + GRC repository; Daydream if you need workflow and audit-ready reporting).
By 60 days (embed and pilot)
- Update performance review forms to include conduct evaluation fields and required narratives.
- Pilot team-level conduct reviews in a higher-risk area (sales, procurement, operations) and capture minutes/actions.
- Stand up corrective action tracking for conduct deviations (workflow, approvals, closure evidence).
- Train managers on the rubric and run a calibration session.
By 90 days (operate and test)
- Roll out the evaluation process across in-scope functions.
- Run QA sampling for completeness and scoring quality; document findings and improvements.
- Produce an audit packet: standards catalog, rubric, procedures, sample evaluations, team review artifacts, exception-to-remediation trace.
- Ask internal audit (or an independent reviewer) to test operating effectiveness and report gaps to governance. [1]
Frequently Asked Questions
Do we need a separate “conduct evaluation” program if we already do annual performance reviews?
No, but you do need a reliable process that evaluates conduct against defined standards and produces auditable evidence. Embedding conduct criteria into performance reviews is usually the cleanest path. [1]
What counts as “team” evaluation in practice?
Use a periodic review that looks at aggregated indicators for a team or function (themes from reports, audit issues, policy exceptions) and documents actions. The key is a repeatable meeting cadence with recorded outputs. [1]
How do we keep managers from giving everyone top marks?
Add scoring anchors, require short narratives tied to standards, and run calibration plus QA sampling. Flag outliers where “perfect” ratings conflict with issue data and require review.
Do contractors or third parties need to be included?
Include non-employees who act on your behalf where your standards of conduct apply contractually or operationally. If you exclude them, document the boundary and the alternative controls you rely on.
What evidence do auditors usually ask for first?
They typically start with your rubric/procedure and then request a sample of completed evaluations plus proof that deviations produced corrective action. Make sure samples are traceable to specific standards. [1]
How should we handle senior leadership evaluations?
Define an independent review path (board committee, HR + Legal + Compliance oversight) and ensure documentation exists for both ratings and any exceptions. Avoid informal handling that bypasses the standard workflow.
Footnotes
1. COSO, Internal Control – Integrated Framework (COSO IC-IF), 2013.