COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values
To meet the COSO Principle 1 requirement (“the entity demonstrates a commitment to integrity and ethical values”), you must define your organization’s ethical expectations, embed them into hiring, training, disciplinary and third-party practices, and keep auditable evidence that leadership reinforces those expectations and that exceptions are handled consistently. Auditors will look for clear policies plus operating proof.
Key takeaways:
- “Tone at the top” must be documented, communicated, and enforced through repeatable processes.
- Evidence matters as much as intent: training, attestations, investigations, and disciplinary outcomes must be retained.
- The fastest path is to standardize ethics controls (Code of Conduct, reporting, investigations, accountability) and map them to SOC 2 scope.
COSO Principle 1 sits inside the SOC 2 Common Criteria and is the foundation for a defensible control environment: leadership sets expectations for integrity, people understand them, and the organization acts when those expectations are violated. In a SOC 2 context, this requirement is less about publishing aspirational values and more about proving that ethical expectations operate as a control. Your auditor will test whether your ethics program exists, is communicated, and changes behavior through training, reporting channels, investigations, and consistent remediation.
Operationalizing Principle 1 usually fails for one of two reasons. First, organizations treat it as a “policy-only” requirement and cannot show evidence that anyone read it, was trained on it, or faced consequences for violations. Second, they implement ethics processes, but they are inconsistent across business units, geographies, or third parties, which introduces control exceptions that ripple into other SOC 2 areas (access, change management, incident response, vendor management).
This page gives requirement-level implementation guidance you can execute quickly: who is in scope, what controls to stand up, the artifacts to retain, and what auditors typically challenge.
Regulatory text
Requirement (SOC 2 / Trust Services Criteria): “COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values.” 1
What the operator must do
For SOC 2 purposes, this line means you must be able to show, with evidence, that:
- leadership has defined integrity and ethical expectations,
- those expectations are communicated to employees and relevant third parties,
- the organization reinforces expectations through training and accountability, and
- suspected misconduct is reported, investigated, and resolved consistently.
Auditors typically treat this as a “control environment” requirement that supports the reliability of every other control. If the ethics program is weak or inconsistently enforced, they may expand testing or challenge whether controls are operating effectively.
Plain-English interpretation
You need a working ethics system, not a poster on the wall. People must know the rules (conflicts of interest, bribery, harassment, misuse of data, falsifying records), know how to report issues without retaliation, and believe leadership will act. When issues occur, your organization must document how it evaluated the facts, who approved outcomes, and what remediation occurred.
SOC 2 does not prescribe one exact ethics program design. It does require that what you choose is implemented, repeatable, and evidenced.
Who it applies to (entity and operational context)
In-scope entities
- Service organizations pursuing or maintaining SOC 2 reports (Type 1 or Type 2) under the AICPA Trust Services Criteria. 1
In-scope people and functions
- Board / executive leadership: sets expectations, approves key policies, sponsors reporting mechanisms.
- HR / People Ops: onboarding, training, disciplinary processes, investigations workflow.
- Legal / Compliance / Security: hotline intake coordination, investigation standards, case documentation, retaliation controls.
- Procurement / Vendor Management: ethical expectations for third parties, contract clauses, enforcement of breaches.
- All employees and relevant contractors: acknowledgement, training completion, reporting obligations.
Operational contexts that increase scrutiny
- High-growth teams with rapid hiring and decentralized management.
- Use of contractors or offshore operations with uneven onboarding.
- Customer-facing support or billing operations with incentives that could encourage “corner cutting.”
- Significant reliance on third parties that can affect customer data or service delivery.
What you actually need to do (step-by-step)
Step 1: Define ethical expectations in a Code of Conduct (and make it testable)
- Publish a Code of Conduct approved by senior leadership.
- Include at least: conflicts of interest, gifts/entertainment, anti-fraud, accurate records, acceptable use, confidentiality/data handling, reporting obligations, non-retaliation, and consequences for violations.
- Make it specific enough to enforce. Avoid only values language; include “do/don’t” behaviors that managers can apply consistently.
Practical tip: If you already have security policies, don’t bury ethics inside them. Auditors want an ethics artifact that stands on its own and is clearly communicated.
Step 2: Create a reporting and escalation mechanism employees trust
- Provide a reporting channel (email alias, ticket intake, hotline provider, or internal portal).
- Document triage rules: what is “ethics,” what is “HR,” what is “security incident,” and how handoffs occur.
- Assign clear ownership: named role(s) responsible for intake, investigation assignment, and closure approval.
Control design goal: a report can be received, tracked, and closed with documented outcomes.
Step 3: Standardize investigations and outcomes
- Write an investigations procedure with:
  - intake logging requirements,
  - evidence collection expectations,
  - confidentiality boundaries,
  - conflict checks (who cannot investigate),
  - decision authority for outcomes,
  - documentation standards for closure.
- Define a disciplinary framework (not a rigid tariff, but guiding categories) to reduce inconsistent treatment across teams.
What auditors look for: consistent records showing allegations were evaluated and resolved, not “handled offline.”
Step 4: Train and obtain attestations (then prove completion)
- Add ethics training to onboarding and periodic training.
- Require written acknowledgement/attestation to the Code of Conduct.
- Maintain completion evidence in your HRIS/LMS or a controlled spreadsheet with access restrictions.
Minimum viable approach: onboarding training + annual re-attestation is common practice, but your real requirement is to prove the control operates across the population in scope.
Step 5: Extend ethical expectations to third parties
- Add contract language requiring compliance with your Code of Conduct (or a Supplier Code), non-retaliation for reporting, and cooperation with investigations.
- Build a basic workflow to track third-party breaches and remediation (termination, corrective action plan, access removal).
Connection to third-party risk: if a third party can access customer data or production systems, your ethics expectations support your broader SOC 2 control environment.
Step 6: Make leadership reinforcement auditable (“tone at the top” with receipts)
- Capture evidence of leadership communications: all-hands slides, emails, intranet posts, meeting minutes referencing ethics expectations.
- Document leadership review of ethics metrics (case volumes, themes, remediation actions) in a governance forum.
Keep it lightweight: one quarterly governance touchpoint with retained minutes is easier to defend than ad hoc statements.
Step 7: Document the control and retain operating evidence (SOC 2-ready)
Turn the above into a control narrative that states:
- control owner,
- frequency (ongoing, onboarding, periodic),
- population (employees/contractors/third parties),
- systems of record (HRIS, LMS, case tool),
- evidence produced each cycle.
If you use Daydream to manage control design and evidence collection, set up an evidence request schedule tied to onboarding events and recurring attestations, and store investigation logs and governance minutes with consistent naming and access controls.
Required evidence and artifacts to retain
Use this as your SOC 2 evidence checklist:
Policies and standards
- Code of Conduct (approved version + revision history)
- Non-retaliation statement (can be within the Code)
- Investigations procedure / case management SOP
- Disciplinary standards guidance (HR policy or internal standard)
- Third-party code or contractual ethics clauses (template + executed examples)
Operating evidence (what auditors test)
- Employee attestations/acknowledgements (population coverage)
- Training completion records (new hires and periodic refreshers)
- Reporting channel proof (hotline configuration, inbox ownership, access list)
- Case log with timestamps, status, investigator assignment, outcome, remediation notes (redacted as needed)
- Examples of closed cases with evidence of consistent handling (appropriately anonymized)
- Leadership communications and governance minutes referencing ethics oversight
Access and confidentiality controls for ethics data
- Role-based access list for case files
- Retention rules for investigation records (documented and followed)
Common exam/audit questions and hangups
- “Show me the Code of Conduct and proof employees acknowledged it.” Hangup: missing attestations for contractors or recently acquired entities.
- “How can an employee report anonymously, and what happens next?” Hangup: no documented triage; issues routed informally in Slack.
- “Give me evidence of investigations and outcomes.” Hangup: privacy concerns lead to zero evidence; you need redacted samples and a case log.
- “How does leadership reinforce ethics?” Hangup: verbal culture claims without retained artifacts.
- “How do you apply expectations to third parties?” Hangup: contracts lack ethics clauses; third parties are not in onboarding/training expectations.
Frequent implementation mistakes and how to avoid them
- Mistake: Policy exists, but no operating proof. Fix: make attestations and training completion reports a standard evidence pack.
- Mistake: Investigations handled entirely in email/DMs. Fix: require a case ID and minimum documentation fields for every report.
- Mistake: Inconsistent discipline across teams. Fix: define decision authority and require HR/Compliance sign-off for certain categories.
- Mistake: No non-retaliation control. Fix: publish explicit non-retaliation language and include retaliation checks in case closure.
- Mistake: Third parties ignored. Fix: add ethics clauses to templates and track exceptions with approvals.
Risk implications (why auditors care)
A weak commitment to integrity and ethical values increases the likelihood of:
- falsified operational records (which undermines SOC 2 evidence reliability),
- insider misuse of customer data,
- bribery/conflicts affecting procurement and third-party selection,
- suppressed incident reporting due to retaliation fears.
Even when no incident occurs, poor evidence and inconsistent enforcement can create SOC 2 control exceptions because auditors cannot conclude the control environment supports other controls.
Practical 30/60/90-day execution plan
Days 1–30: Establish the baseline and stop obvious audit gaps
- Confirm SOC 2 scope: entities, teams, contractors, key third parties.
- Publish/refresh Code of Conduct with leadership approval.
- Stand up a reporting channel with documented ownership and basic triage categories.
- Create a simple case log template and require all reports be logged.
- Add Code acknowledgement to onboarding for all in-scope worker types.
Deliverables: approved Code, reporting workflow, case log template, onboarding attestation mechanism.
Days 31–60: Make it operational and auditable
- Write investigations SOP and disciplinary decision workflow.
- Roll out training and capture completion evidence.
- Run a tabletop test of an ethics report: intake → triage → investigation → closure.
- Add third-party ethics clauses to contract templates and start using them for new engagements.
Deliverables: investigations SOP, training completion report, tabletop records, updated templates.
Days 61–90: Mature governance and evidence quality
- Implement quarterly ethics governance review with minutes retained.
- Review a sample of closed cases for documentation quality and consistency.
- Build an evidence binder (or Daydream workspace) organized by: policy, training, attestations, reporting, cases, governance.
- Identify recurring themes and document remediation actions (policy updates, manager coaching, control tweaks).
Deliverables: governance minutes, QA review results, SOC 2-ready evidence set, remediation log.
Frequently Asked Questions
Do we need a hotline provider to satisfy COSO Principle 1?
No. You need a reliable reporting mechanism with clear ownership, confidentiality controls, and evidence of intake-to-closure handling. A third-party hotline can help, but an internal channel can pass if it is documented and operating.
How do we provide investigation evidence without exposing sensitive HR details?
Maintain a case register with non-sensitive fields, then provide redacted case samples that still show the control operated (dates, steps taken, approvers, outcome category, remediation). Align redaction rules with Legal/HR before the audit.
Does SOC 2 require annual ethics training?
SOC 2 does not mandate a specific cadence in the excerpted requirement. Set a cadence you can execute consistently, document it, and retain completion evidence for the period under review.
Are contractors and temps in scope for Code of Conduct acknowledgement?
If they are part of the SOC 2 system boundary (for example, they access production systems or handle customer data), treat them as in scope for communication and acknowledgement. Document any exclusions as formal exceptions with compensating controls.
What if we have zero ethics cases to show during the audit period?
Auditors can still test design and operating effectiveness through training/attestations, reporting channel configuration, and governance records. Run a documented simulation (tabletop) to show the workflow works, and retain the artifacts.
How does this connect to third-party risk management?
Ethical expectations reduce the chance that third parties engage in bribery, conflicts of interest, or data misuse that can impact your services. Contract clauses and tracked breaches also create evidence that your control environment extends beyond employees.