Principle 1: Demonstrates commitment to integrity and values

COSO Principle 1 (demonstrates commitment to integrity and values) requires you to set, communicate, and enforce clear ethical expectations from the top, then prove they operate in daily decisions. Operationalize it by assigning an owner, documenting standards (a code of conduct and related policies), running training and attestations, defining escalation and discipline processes, and maintaining audit-ready evidence that leadership actions match stated values.

Key takeaways:

  • Treat integrity and values as an auditable control environment, not a culture slogan 1
  • Examiners look for “tone at the top” plus “proof at the edges”: hiring, incentives, third parties, and discipline
  • Evidence wins: define the minimum evidence bundle and retain it on a consistent cadence 2

A COSO-aligned control environment starts with whether your organization can demonstrate ethical standards that are clear, enforced, and reflected in leadership behavior. Principle 1 (the organization demonstrates a commitment to integrity and ethical values) is the anchor for that expectation within COSO’s Internal Control—Integrated Framework 2. For a Compliance Officer, CCO, or GRC lead, the fastest path is to translate “integrity and values” into a small set of controls that are easy to run repeatedly and easy to evidence.

This requirement shows up in audits, SOX-style internal control assessments, customer due diligence, and board risk oversight because weak integrity controls create downstream failures: inaccurate reporting, procurement fraud, bribery risk, retaliatory conduct, data misuse, and “exceptions” that become normalized. Your job is to make integrity measurable without turning it into busywork.

This page gives requirement-level implementation guidance: who must do what, how to set ownership and cadence, what artifacts to retain, what auditors ask, and where teams usually fail. It stays close to COSO’s intent while focusing on operational steps you can execute with the teams you already have 1.

Regulatory text

Provided excerpt: “COSO internal control principle 1 implementation expectation.”
Requirement summary: “Principle 1: Demonstrates commitment to integrity and values.” 3

What the operator must do

You must be able to show, with evidence, that:

  1. The organization has defined integrity and values expectations (not implied, not tribal knowledge).
  2. Leadership communicates and models those expectations.
  3. The expectations are reinforced through practical mechanisms: training, reporting channels, investigations, and consistent consequences.
  4. Misconduct and exceptions are detected, escalated, remediated, and tracked.

COSO frames this as a control environment expectation: integrity and ethical values are foundational to effective internal control 1. In practice, your controls should connect “what we say” to “what we do,” especially when decisions are inconvenient.

Plain-English interpretation

Auditors are not grading your culture. They are testing whether integrity and values are defined, operational, and enforceable.

A “pass” usually looks like this:

  • Staff can find the standards quickly (code of conduct + key policies).
  • Leaders reinforce them in observable ways (messages, decisions, consequences).
  • People can report concerns without friction and the company responds consistently.
  • HR, Legal, Compliance, Security, Finance, and Procurement apply the same rules across teams and seniority.

A “fail” usually looks like:

  • Policy exists, but no training, no attestations, no investigation discipline, no tracking.
  • Reporting channels exist, but reports stall or outcomes are undocumented.
  • Incentives reward the wrong behavior (for example, sales targets with no ethics guardrails) and exceptions are routinely approved without rationale.

Who it applies to

Entity scope: Any enterprise using COSO to design or evaluate internal control 2. This commonly includes public companies, large private companies, and regulated entities that align with COSO for governance and assurance expectations.

Operational scope (where you must implement controls):

  • Board and executive leadership communications and decision-making
  • HR lifecycle: hiring, onboarding, performance management, discipline, and exits
  • Finance and accounting close processes (ethics tie-in: accuracy, overrides, approvals)
  • Procurement and third-party management (agents, distributors, contractors, consultants)
  • Information security and data handling expectations (acceptable use and reporting)
  • Hotline/reporting, investigations, and remediation governance

What you actually need to do (step-by-step)

Step 1: Build a “Requirement Control Card” for Principle 1

Create a single runbook page that a tester can follow without interviews. Include:

  • Objective: Demonstrate integrity and values are defined, communicated, and enforced.
  • Control owner: Named role (often Compliance or Ethics & Compliance), with HR and Legal as required partners.
  • In-scope populations: Employees, contingent workers, and relevant third parties (where they act on your behalf).
  • Trigger events: New hire, annual cycle, policy updates, leadership changes, substantiated misconduct, third-party onboarding.
  • Cadence: Define how often each component runs (training cycle, leadership messaging, hotline reporting, discipline review).
  • Execution steps: Who does what, in what system, and what outputs are produced.
  • Exceptions: What qualifies as an exception, who can approve, and what documentation is required.

This is the fastest way to address the common risk factor: teams cannot show ownership, cadence, or evidence 1.

Step 2: Define integrity standards as a controllable policy set

At minimum, maintain:

  • Code of conduct (plain language, accessible)
  • Conflict of interest policy (disclosure + review workflow)
  • Anti-fraud / reporting and investigations standard
  • Gifts/entertainment and anti-bribery guidance where relevant to your footprint
  • Non-retaliation statement tied to reporting channels
  • Management override policy for financial/operational approvals (where applicable)

Operational requirement: keep version control, approval history, and a distribution method (intranet posting alone is rarely enough if you cannot prove awareness).

Step 3: Make communication and training testable

Implement a small set of repeatable actions:

  • Assign mandatory training to in-scope populations.
  • Require attestations (code of conduct acknowledgment; conflicts disclosures).
  • Track completions, overdue follow-up, and escalation.
  • Add targeted training for high-risk roles (procurement, finance, sales, customer support handling sensitive data).

Practical tip: If you cannot report completion status by business unit and manager, you will struggle in audits because you cannot demonstrate coverage.

Step 4: Operationalize speak-up, investigations, and consistent consequences

Integrity becomes real when misconduct is handled consistently.

  • Maintain reporting channels (hotline, webform, manager intake path).
  • Triage intake with documented severity logic.
  • Assign investigations with documented independence expectations (avoid conflicts).
  • Document outcomes, corrective actions, and disciplinary actions.
  • Track remediation to closure and verify it occurred.

Tie this to a recurring control health check: sample closed cases and confirm the timestamps, the approvals, and that remediation actually closed 1.

Step 5: Extend expectations to third parties (where they represent you)

You do not need to treat every supplier the same. You do need a rule that identifies when a third party can create ethics exposure (agents, intermediaries, outsourced customer support, consultants with access to confidential data). Minimum operational steps:

  • Contractual code-of-conduct clauses (or equivalent).
  • Onboarding due diligence aligned to risk.
  • Documented approval for exceptions.
  • Clear termination and remediation rights.

Step 6: Put governance around “tone at the top”

Auditors ask for proof that leadership behavior matches stated values. Build simple governance:

  • Board or committee receives periodic ethics metrics (trends, themes, remediation status).
  • Leadership communications are scheduled and archived.
  • Incentive programs are reviewed for misconduct risk (for example, clawback or disciplinary linkage, where applicable).

Required evidence and artifacts to retain (minimum evidence bundle)

Define an evidence bundle per execution cycle 2. Keep artifacts in a single repository with consistent naming.

Code of conduct governance
  • Evidence to retain: Current policy, version history, approvals
  • Tester expectation: Shows ownership, currency, approvals

Training
  • Evidence to retain: Assignment rules, completion reports, overdue escalations
  • Tester expectation: Demonstrates coverage and enforcement

Attestations
  • Evidence to retain: Signed acknowledgments, COI disclosures, review outcomes
  • Tester expectation: Proves awareness and review

Speak-up program
  • Evidence to retain: Hotline procedures, intake logs, triage criteria
  • Tester expectation: Shows reports are handled consistently

Investigations
  • Evidence to retain: Case files, findings, outcome approvals
  • Tester expectation: Shows independence and documentation

Discipline and remediation
  • Evidence to retain: Corrective action plans, HR discipline records, closure validation
  • Tester expectation: Shows consequences are consistent

Leadership communications
  • Evidence to retain: Email memos, town hall decks, intranet posts
  • Tester expectation: Shows tone at the top is active

Control health checks
  • Evidence to retain: Testing samples, issues log, remediation tracking
  • Tester expectation: Shows sustained operation

Retention period depends on your internal policy, legal holds, and sector obligations. Set a retention rule and follow it consistently; inconsistency is what creates audit pain.

Common exam/audit questions and hangups

Expect questions like:

  • “Who owns Principle 1, and how do you know it’s operating?”
  • “Show me the last policy approval and distribution evidence.”
  • “How do you ensure all employees completed the code-of-conduct training?”
  • “How do you prevent retaliation, and how do you detect it?”
  • “Walk me through three recent investigations from intake to closure.”
  • “How are exceptions approved, and how do you prevent management override abuse?”

Hangups that slow audits:

  • Evidence scattered across email, HR systems, and ticketing tools without a clear index.
  • Case management notes that are incomplete or lack approvals.
  • Training completion reports that do not reconcile to a population source of truth.
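
Step 3 asks you to report completion by business unit and manager and to escalate overdue items; the hangup above is the usual reason you cannot: the LMS export and the HR roster disagree about who exists. The script below is an added example (not from the original page or any vendor tool) of that reconciliation. It treats a constructed HRIS roster as the population source of truth, joins a constructed LMS completion export to it, and separates the conditions an auditor will probe: overdue learners with an escalation tier, in-scope people who were never assigned the course, LMS rows for people HR does not know, and completions recorded for out-of-scope (terminated) workers. The column names, the in-scope rule, and the escalation thresholds are assumptions to replace with your own.

```python
"""Reconcile an LMS completion export against the HR roster (the population source of truth).
Added example, not part of the original page: both CSV blocks are constructed sample data and
the column names are assumptions about what an HRIS and LMS export contain."""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass, field
from datetime import date

# Constructed HRIS roster. HR, not the LMS, decides who is in scope.
ROSTER_CSV = """employee_id,name,status,worker_type,business_unit,manager_id
E001,Ana Ruiz,active,employee,Finance,E010
E002,Bo Chen,active,employee,Finance,E010
E003,Cy Diop,active,contingent,Procurement,E010
E004,Dee Fox,terminated,employee,Sales,E012
E005,Eli Gold,active,employee,Sales,E012
E010,Fay Hall,active,employee,Finance,E020
E012,Hal Jin,active,employee,Sales,E020
E020,Ida Kim,active,employee,Executive,
"""

# Constructed LMS export for the annual code-of-conduct course (blank completed_at = not done).
LMS_CSV = """employee_id,course,due_date,completed_at
E001,code-of-conduct,2024-03-31,2024-03-02
E002,code-of-conduct,2024-03-31,
E003,code-of-conduct,2024-03-31,2024-04-20
E004,code-of-conduct,2024-03-31,2024-03-15
E005,code-of-conduct,2024-03-31,
E010,code-of-conduct,2024-03-31,2024-03-30
E012,code-of-conduct,2024-03-31,2024-03-29
E099,code-of-conduct,2024-03-31,2024-03-01
"""


@dataclass
class Reconciliation:
    in_scope: set[str]                                       # active employees and contingent workers
    completed: set[str] = field(default_factory=set)
    overdue: dict[str, int] = field(default_factory=dict)    # employee_id -> days past due
    unassigned: set[str] = field(default_factory=set)        # in scope, but no LMS row at all
    not_in_roster: set[str] = field(default_factory=set)     # LMS row for someone HR does not know
    out_of_scope: set[str] = field(default_factory=set)      # LMS row for a terminated worker


def load_rows(text: str) -> list[dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(roster: list[dict[str, str]], lms: list[dict[str, str]], as_of: date) -> Reconciliation:
    """Classify every LMS row against the roster, then find roster members the LMS never saw."""
    roster_ids = {r["employee_id"] for r in roster}
    rec = Reconciliation({r["employee_id"] for r in roster
                          if r["status"] == "active" and r["worker_type"] in {"employee", "contingent"}})
    for row in lms:
        eid = row["employee_id"]
        if eid not in roster_ids:
            rec.not_in_roster.add(eid)       # the LMS feed has drifted from HR: fix the feed
        elif eid not in rec.in_scope:
            rec.out_of_scope.add(eid)        # e.g. a terminated worker still assigned the course
        elif row["completed_at"]:
            rec.completed.add(eid)
        elif as_of > date.fromisoformat(row["due_date"]):
            rec.overdue[eid] = (as_of - date.fromisoformat(row["due_date"])).days
    rec.unassigned = rec.in_scope - {row["employee_id"] for row in lms}   # coverage gap
    return rec


def escalation_tier(days_overdue: int) -> str:
    """Escalation ladder. The thresholds are assumptions; record yours in the control card."""
    if days_overdue <= 14:
        return "manager reminder"
    if days_overdue <= 30:
        return "manager escalation"
    return "skip-level and Compliance"


def coverage_by(roster: list[dict[str, str]], rec: Reconciliation, group_field: str) -> dict[str, dict[str, int]]:
    """Coverage counts per business_unit or manager_id, the cut auditors ask for."""
    out: dict[str, dict[str, int]] = {}
    for r in roster:
        eid = r["employee_id"]
        if eid in rec.in_scope:
            g = out.setdefault(r[group_field] or "(none)", dict(in_scope=0, completed=0, overdue=0, unassigned=0))
            g["in_scope"] += 1
            g["completed"] += int(eid in rec.completed)
            g["overdue"] += int(eid in rec.overdue)
            g["unassigned"] += int(eid in rec.unassigned)
    return out


def run(as_of: date = date(2024, 5, 15)) -> Reconciliation:
    return reconcile(load_rows(ROSTER_CSV), load_rows(LMS_CSV), as_of)


if __name__ == "__main__":
    rec = run()
    for eid, days in sorted(rec.overdue.items()):
        print(f"{eid}: {days} days overdue -> {escalation_tier(days)}")
    print("unassigned:", sorted(rec.unassigned), "| not in roster:", sorted(rec.not_in_roster),
          "| out of scope:", sorted(rec.out_of_scope), coverage_by(load_rows(ROSTER_CSV), rec, "business_unit"))
```

Two design points matter for the evidence bundle. The in-scope set is derived from HR, so an executive with no LMS record (E020 in the sample) shows up as a coverage gap rather than silently inflating the completion rate; the same check catches leadership exemptions that never went through the exception process. And the `not_in_roster` and `out_of_scope` buckets are feed-quality findings, not learner findings: log them to the issues tracker and fix the integration, otherwise the next cycle's report will not reconcile either.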

Frequent implementation mistakes and how to avoid them

  1. Mistake: Policy-only compliance.
    Avoidance: Pair each policy with an operating procedure and evidence bundle. If you cannot test it, it is not a control.

  2. Mistake: “Tone at the top” with no “mood in the middle.”
    Avoidance: Add manager enablement: talking points, escalation expectations, and manager attestations.

  3. Mistake: Exceptions are informal.
    Avoidance: Require written rationale, approver, expiry date, and compensating controls for every exception.

  4. Mistake: Investigations are undocumented to “reduce liability.”
    Avoidance: Work with Legal to define a documentation standard and privilege approach. Auditors accept privileged handling; they do not accept missing process evidence.

  5. Mistake: Third parties are out of scope by default.
    Avoidance: Define which third parties can bind the company’s ethics risk, then apply targeted controls.

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for this requirement, so this page does not cite specific actions. Practically, weak integrity controls increase the likelihood of fraud, financial misstatement risk, procurement misconduct, and retaliation claims. In a COSO assessment, Principle 1 weaknesses often cascade into adverse findings across multiple control areas because other controls depend on ethical execution 1.

Practical 30/60/90-day execution plan

Use phased execution that produces evidence quickly and then hardens operations.

First 30 days (stabilize and make testable)

  • Name an accountable owner and backup for Principle 1.
  • Publish the Requirement Control Card (owner, scope, cadence, steps, exceptions).
  • Inventory existing artifacts (code, training, hotline, investigations workflow).
  • Define the minimum evidence bundle and a single retention location 2.

Days 31–60 (operate controls and close obvious gaps)

  • Update or re-approve code of conduct and key ethics policies where stale.
  • Launch or refresh training and attestations; implement overdue escalation.
  • Implement a documented triage and investigations workflow; standardize case file templates.
  • Start a control health check routine and log remediation items to closure 1.

Days 61–90 (prove sustainability and expand coverage)

  • Add manager reinforcement: scripts, quarterly reminders, escalation playbook.
  • Extend integrity expectations to relevant third parties (contract clauses, onboarding checks, exception handling).
  • Deliver a board/committee-ready integrity dashboard (themes, remediation status, training completion status, significant cases without sensitive detail).
  • Run a formal walkthrough with Internal Audit or your SOX/testing partner using your evidence bundle.

Where Daydream fits (if you need speed and audit-readiness)

If you are building this under time pressure, Daydream is a practical way to standardize your Requirement Control Card, define evidence bundles per cycle, and run recurring control health checks with tracked remediation. That reduces the “we have it, but we can’t prove it” gap that commonly drives findings 1.

Frequently Asked Questions

How do I prove “tone at the top” without relying on subjective statements?

Keep objective artifacts: leadership communications, policy approval records, and documented decisions where ethics concerns changed an outcome (redacted as needed). Auditors accept a curated set if it is consistent and tied to your governance cadence.

Does Principle 1 require a hotline?

COSO does not prescribe a single mechanism in the provided excerpt, but you need a reliable way for personnel to report concerns and for the organization to respond. If you do not run a hotline, document the alternative channels and show they are used and governed 1.

How far do we extend integrity controls to third parties?

Focus on third parties that can represent you, access sensitive data, or influence regulated outcomes. Document the scoping rule and apply consistent onboarding, contracting, and exception approvals for that subset.

What evidence is most likely to fail an audit because it’s missing?

Attestation records tied to a population source, investigation case documentation (intake, actions, outcomes, approvals), and proof that overdue training is escalated. Missing evidence usually indicates the control is informal rather than operating.

We have policies, but business leaders ignore them. What’s the fastest fix?

Tie policies to decision points: approvals, performance reviews, incentive eligibility, and procurement gates. Add a visible exception process so leadership cannot bypass standards without leaving a record.

How do I handle documentation when Legal wants everything privileged?

Agree on a two-layer approach: a privileged investigation file and a non-privileged process record (dates, category, assigned owner, closure status). Auditors typically need proof of process operation even if details are protected.

Footnotes

  1. COSO IC framework overview

  2. COSO Internal Control guidance page

  3. COSO Internal Control guidance page; Weaver summary of COSO 17 principles
