SOC 2 CC1.1: COSO Principle 1: Demonstrates Commitment to Integrity and Ethical Values
What This Control Requires
The entity demonstrates a commitment to integrity and ethical values through its governance structure, organizational culture, and actions of the board of directors and management. The board of directors and management, at all levels, demonstrate through their directives, actions, and behavior the importance of integrity and ethical values to support the functioning of the system of internal control.
In Plain Language
Auditors call this "tone at the top" and it's one of the first things they assess. If leadership cuts corners or ignores policies, the entire control environment falls apart - no amount of documentation will compensate for a culture that doesn't take integrity seriously.
This control is about building a culture where doing the right thing is the norm. Organizations need formal codes of conduct, ethics policies, and whistleblower mechanisms. But beyond the paperwork, leadership must model the behaviors they expect from others. When employees see executives bypassing policies, every other control becomes weaker.
Assessors look for evidence that ethical standards are actively enforced, not just documented. They evaluate whether you have processes for addressing ethical violations, whether the board provides independent oversight of management conduct, and whether the tone at the top genuinely promotes integrity.
How to Implement
Establish a formal Code of Conduct that clearly articulates your ethical standards and expectations. Have the board review and approve it, covering areas like conflicts of interest, acceptable use of company resources, confidentiality obligations, and reporting of unethical behavior.
Roll out a comprehensive ethics training program. All employees, including new hires, should receive training on the Code of Conduct during onboarding, with annual refreshers. Track completion rates and keep training records as evidence.
Set up a whistleblower or ethics hotline that allows anonymous reporting. Communicate it widely and make sure employees trust it won't lead to retaliation. Document all reports received, investigations conducted, and outcomes.
The board of directors should have a formal charter that includes oversight of ethical conduct. Board meeting minutes should reflect discussions about organizational culture, ethical issues, and management accountability. If you have an audit or ethics committee, ensure it meets regularly and documents its activities.
Run annual assessments of organizational culture through surveys or other mechanisms. Use the results to identify areas for improvement and track progress over time. Management should review and act on findings, documenting the corrective actions taken.
Tie ethical leadership to performance evaluations. Include criteria related to ethical conduct and adherence to organizational values in management reviews. This reinforces that ethical behavior is a core expectation linked to career progression, not an afterthought.
Evidence Your Auditor Will Request
- Board-approved Code of Conduct or Ethics Policy with version history and employee acknowledgment records
- Ethics training completion records showing participation rates across all organizational levels
- Whistleblower/ethics hotline reports, investigation logs, and resolution documentation
- Board or audit committee meeting minutes reflecting discussions of integrity and ethical oversight
- Annual organizational culture assessment results and corresponding action plans
Common Mistakes
- Code of Conduct exists but has not been updated in several years and does not reflect current organizational risks
- Ethics training is only provided during onboarding with no annual refresher or tracking of completion
- Whistleblower mechanism exists on paper but employees are unaware of it or fear retaliation for using it
- Board meeting minutes lack evidence of discussions about organizational culture or ethical conduct
- No formal process for addressing ethical violations, leading to inconsistent enforcement of standards
Related Controls Across Frameworks
Frequently Asked Questions
Does our organization need a separate ethics committee for CC1.1?
How often should the Code of Conduct be reviewed and updated?
What if we are a startup without a formal board of directors?
AuditFront helps you manage every SOC 2 control, collect evidence, and stay audit-ready.