TSC-CC1.1 Guidance
TSC-CC1.1 requires you to prove your organization’s commitment to integrity and ethical values through documented expectations (Code of Conduct and related policies), leadership accountability, and evidence that the program operates in practice. To operationalize it fast, define “what good looks like,” assign owners, train the workforce, run reporting and enforcement processes, and retain audit-ready proof.[1]
Key takeaways:
- TSC-CC1.1 is an ethics-and-integrity control requirement, not a one-time policy exercise.[1]
- Auditors look for governance ownership plus operational evidence: training, acknowledgments, investigations, and disciplinary consistency.[1]
- Your fastest path is a mapped control set: policy baseline, monitoring, audit trail, and periodic assessment.[1]
The TSC-CC1.1 guidance requirement maps to COSO Principle 1 in the SOC 2 Trust Services Criteria: your entity must demonstrate a commitment to integrity and ethical values.[1] In a SOC 2 context, this is part of the “Control Environment” and sets the tone for whether other controls are believable. Auditors rarely accept aspirational statements alone; they want to see that leadership expectations are defined, communicated, enforced, and reviewed.
Operationally, treat TSC-CC1.1 as an ethics governance control with measurable operations: documented standards of conduct, a functioning speak-up channel, consistent investigation and discipline, and evidence that management reviews program effectiveness. The scope includes employees and contractors, plus third parties where they can affect system integrity, confidentiality, or availability commitments in your SOC 2 boundary.
If you already have a Code of Conduct, your work is usually in the “prove it” layer: governance minutes, training completion records, case management logs, policy exceptions, and periodic assessments that show the program is alive. This page gives requirement-level steps you can execute quickly and defend under audit.
Regulatory text
Excerpt (TSC-CC1.1): “COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values.”[1]
What the operator must do: Build and operate an ethics-and-integrity program that is more than written policy. You must be able to show:
- Clear, documented expectations for ethical behavior.
- Leadership endorsement and accountability.
- Practical mechanisms to report concerns and address violations.
- Ongoing monitoring, review, and evidence that controls operate as described.[1]
Plain-English interpretation
Auditors are testing whether people can be trusted to follow the rules that protect customer data and systems. TSC-CC1.1 expects you to set behavioral standards (integrity, ethics, compliance), communicate them, and enforce them consistently.[1] If your organization tolerates shortcuts, conflicts of interest, falsified records, or retaliation, every security control downstream becomes suspect.
Who it applies to
Entities: Any organization undergoing a SOC 2 audit that includes the Common Criteria.[1]
Operational context (where it shows up):
- SaaS and cloud services handling customer data in production.
- Shared services teams: engineering, IT, customer support, finance, HR.
- Contractors and temps with system access.
- Key third parties that can materially impact the SOC 2 system boundary (for example, support outsourcers, managed service providers, and data-processing partners).
A practical scoping rule: if a person can access production systems or customer data, or can influence security decisions, they are in scope for ethics expectations, training, and enforcement evidence.
What you actually need to do (step-by-step)
1) Define the integrity and ethics baseline (documentation you can audit)
Create or refresh a policy stack that is explicit and enforceable:
- Code of Conduct (core expectations, reporting options, non-retaliation).
- Conflict of Interest policy (disclosure, recusal, approvals).
- Anti-bribery / gifts & hospitality rules (even if lightweight).
- Acceptable Use / access and security responsibilities (tie ethics to system behavior).
- Disciplinary policy (how violations are handled, who decides, documentation rules).
Keep language consistent across documents. A common audit issue is conflicting statements between HR, security, and legal documents.
2) Assign ownership and governance (who runs the control)
Document:
- Executive sponsor (often the CEO, General Counsel, or CCO).
- Program owner (CCO/HR/Compliance).
- Investigation owner(s) (HR + Legal, with Security for technical issues).
- Board or leadership oversight cadence and artifacts (what gets reported up).
You do not need a complex committee structure. You do need named accountability and evidence of oversight.
3) Communicate and train (prove the standard is understood)
Implement:
- Initial training for new hires (Code of Conduct + reporting channel).
- Periodic refresher training (annual works in practice, but set a cadence you can meet).
- Acknowledgment workflow (employees attest they read and understand key policies).
- Targeted training for high-risk roles (procurement, sales, engineering with prod access).
Operational tip: if your HRIS or LMS is weak, start with a controlled spreadsheet plus signed acknowledgments, then migrate later. Auditors accept manual controls if they are consistent and evidenced.
4) Operate a speak-up and case management process (where integrity becomes real)
You need a channel and a process:
- Intake methods (email alias, hotline, web form, ticket type).
- Triage rules (who sees what, escalation thresholds).
- Investigation steps (fact gathering, interviews, evidence handling).
- Outcomes (substantiated/unsubstantiated, corrective actions).
- Non-retaliation checks (especially for manager-involved cases).
Maintain a case log with consistent fields. Redact sensitive details for auditors, but keep enough to prove the workflow ran.
5) Enforce consistently (discipline and corrective action)
Consistency is the exam pressure point. Build:
- A decision framework (what triggers coaching vs formal discipline).
- Documentation requirements for outcomes and approvals.
- HR/legal review for terminations or high-risk matters.
- Security-driven remediation when issues touch systems (access removal, logging review, SDLC fixes).
Auditors do not want names; they want evidence that violations have consequences and the process is repeatable.
6) Monitor, review, and test effectiveness (don’t skip this)
TSC-CC1.1 commonly fails on “prove you review and improve.” Implement:
- Periodic program review (policy review, training effectiveness checks, trend analysis of cases).
- Control testing (internal audit, compliance testing, or management self-assessment).
- Documented changes (policy updates, training updates, process improvements).[1]
If you use Daydream, track these as control records with owners, test steps, and a linked evidence set so audit prep is a retrieval exercise, not a re-creation exercise.
Required evidence and artifacts to retain
Keep evidence mapped to “design” and “operating effectiveness.”
Design evidence (what you said you would do)
- Approved Code of Conduct and ethics-related policies (version history).
- Governance charter or responsibility matrix (RACI).
- Training content (slides, LMS modules, quizzes).
- Speak-up process documentation (SOP, workflow, triage matrix).
Operating evidence (what you actually did)
- Employee/contractor acknowledgments (export from HRIS/LMS or signed forms).
- Training completion reports and exceptions handling (waivers, make-up training).
- Case management log (intake, triage, disposition, corrective actions).
- Disciplinary documentation (redacted samples, approval trail).
- Management/board oversight artifacts (agenda items, minutes excerpts, dashboards).
- Periodic assessment and testing results plus remediation tracking.[1]
Evidence rule that avoids pain: for each control activity, keep at least a few representative samples per period plus a complete population report where feasible.
Common exam/audit questions and hangups
Expect questions like:
- “Show the Code of Conduct approval and last review date.”[1]
- “How do you ensure all staff acknowledge the Code of Conduct?”[1]
- “What are the reporting channels and how are reports triaged?”[1]
- “Provide evidence of investigations and disciplinary actions (redacted).”[1]
- “How does leadership oversee ethics and integrity?”[1]
- “What testing do you perform to confirm the process works?”[1]
Hangups that slow audits:
- Training completion gaps with no documented follow-up.
- Case logs missing dispositions or timestamps.
- “We handle it ad hoc” responses without SOPs or artifacts.
- Policies posted but not acknowledged.
Frequent implementation mistakes and how to avoid them
- Policy-only compliance. Fix: tie each policy to a workflow (training, acknowledgment, reporting, discipline) and keep evidence.[1]
- No proof of enforcement. Fix: maintain a redaction-ready set of closed-case examples with outcome documentation.
- Retaliation risk ignored. Fix: document non-retaliation language, manager guidance, and follow-up checks in the case process.
- Undefined scope. Fix: explicitly include contractors with access and define third-party expectations in onboarding and contracts where relevant.
- No periodic review. Fix: set a recurring review, and record attendance, decisions, and resulting changes.[1]
Enforcement context and risk implications
SOC 2 is an audit framework, not a regulatory enforcement regime, so you should not expect “TSC-CC1.1 fines” or regulator case law tied directly to this criterion.[1] The real risk is commercial and operational: failing CC1.1 can drive SOC 2 exceptions, undermine customer trust, and force remediation under tight sales timelines. Integrity failures also increase the likelihood that incidents (security, privacy, financial reporting) become harder to detect and investigate because staff do not escalate issues early.
Practical 30/60/90-day execution plan
Days 1–30: Establish baseline and close obvious gaps
- Confirm SOC 2 boundary and in-scope populations (employees, contractors, key third parties).
- Publish or refresh Code of Conduct and non-retaliation statement.[1]
- Assign owners and document governance (RACI, escalation path).
- Stand up a speak-up intake channel (even if simple) and write the SOP.
- Create an evidence folder structure and naming convention aligned to the controls.
Days 31–60: Operationalize and generate first-cycle evidence
- Roll out training and collect acknowledgments.
- Start case log operations; run a tabletop scenario to validate triage and escalation.
- Produce a first management oversight artifact (dashboard or memo) summarizing training status and any cases (counts can be internal; share redacted summaries externally).
- Document exception handling (late training, policy exceptions, access removals tied to violations).
Days 61–90: Test, tune, and get audit-ready
- Perform a periodic assessment of the ethics program (self-assessment against your SOPs).[1]
- Test a sample of training records, acknowledgments, and case files for completeness.
- Remediate gaps and record corrective actions.
- Prepare an auditor-ready “CC1.1 packet” that includes policies, governance evidence, and redacted operating samples.
Frequently Asked Questions
Do we need a formal whistleblower hotline for TSC-CC1.1?
TSC-CC1.1 requires a functioning way to report concerns and evidence that reports are handled.[1] A hotline helps, but an email alias or web form can work if you can show triage, investigation, and non-retaliation controls.
How do we show “tone at the top” without board minutes?
Provide leadership communications (all-hands notes, policy approval memos) and evidence of management review of ethics metrics.[1] If you lack formal board minutes, document executive oversight in a recurring compliance review meeting with recorded decisions.
Do contractors need Code of Conduct training and acknowledgment?
If contractors have system access or can affect the SOC 2 boundary, include them in the ethics expectations and retain evidence.[1] Many teams use contract clauses plus an acknowledgment form instead of full LMS training.
What evidence is acceptable for investigations if we must keep matters confidential?
Maintain a redacted case file sample set that shows timestamps, workflow steps, approvals, and outcomes without names or sensitive facts.[1] Keep the full files internally under legal/HR controls.
We have a Code of Conduct, but no periodic review. Is that a problem?
Yes, auditors often look for evidence of monitoring and review because CC1.1 is about demonstrated commitment, not static documents.[1] Start a scheduled review and record actions taken from the review.
How can Daydream help with TSC-CC1.1 audit readiness without adding bureaucracy?
Use Daydream to assign owners, map each control activity to evidence requests, and keep time-stamped artifacts in one place for retrieval. That reduces scramble during SOC 2 fieldwork and supports consistent testing and remediation tracking.[1]
Footnotes
[1] Source: AICPA TSC 2017 (Trust Services Criteria).