Establish, implement, and maintain a Code of Conduct.


CONTROL ID
04897
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Human Resources management, CC ID: 00763

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain a code of conduct for financial recommendations., CC ID: 16649
  • Include anti-coercion requirements and anti-tying requirements in the Code of Conduct., CC ID: 16720
  • Include limitations on referrals for products and services in the Code of Conduct., CC ID: 16719
  • Include classifications of ethics violations in the Code of Conduct., CC ID: 14769
  • Include definitions of ethics violations in the Code of Conduct., CC ID: 14768
  • Include exercising due professional care in the Code of Conduct., CC ID: 14210
  • Include health and safety provisions in the Code of Conduct., CC ID: 16206
  • Include organizational values in the Code of Conduct., CC ID: 12919
  • Include key policies in the Code of Conduct., CC ID: 12890
  • Include the vision statement in the Code of Conduct., CC ID: 12889
  • Include the organization's mission in the Code of Conduct., CC ID: 12875
  • Include classifications of desired conduct in the Code of Conduct., CC ID: 12851
  • Include the information security responsibilities of the organization and the individual in the Terms and Conditions of employment., CC ID: 12029
  • Include environmental responsibility criteria in the Code of Conduct., CC ID: 16209
  • Include social responsibility criteria in the Code of Conduct., CC ID: 16210
  • Include that Information Security responsibilities extend outside normal business hours and organizational facilities in the Terms and Conditions of employment., CC ID: 04580
  • Include labor rights criteria in the Code of Conduct., CC ID: 16208
  • Include the employee's legal responsibilities and rights in the Terms and Conditions of employment., CC ID: 15701
  • Implement a sanctions process for personnel who fail to comply with the organizational compliance program., CC ID: 01442
  • Include the legal intellectual property responsibilities in the Code of Conduct., CC ID: 04898
  • Include definitions of desirable conduct in the Code of Conduct., CC ID: 12846
  • Include notification procedures for allegations of undesirable conduct in the Code of Conduct., CC ID: 12855
  • Include procedures to identify positive outcomes in the Code of Conduct., CC ID: 12854
  • Take disciplinary actions against individuals who violate the Code of Conduct., CC ID: 06435
  • Require personnel to sign the Code of Conduct as a part of the Terms and Conditions of employment., CC ID: 06664


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • An organization of providers of information and communications services may establish and implement a code of conduct applicable to providers of information and communications services with an objective to protect users and render information and communications services in a safer and more reliable … (Article 44-4 ¶ 1, Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • A credit provider or credit reporting agency must not perform an act or engage in a practice that breaches the Code of Conduct. (§ 18B, Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The Commission and the Board shall encourage and facilitate the drawing up of codes of conduct intended to foster the voluntary application to AI systems of requirements related for example to environmental sustainability, accessibility for persons with a disability, stakeholders participation in th… (Article 69 2., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • Codes of conduct may be drawn up by individual providers of AI systems or by organisations representing them or by both, including with the involvement of users and any interested stakeholders and their representative organisations. Codes of conduct may cover one or more AI systems taking into accou… (Article 69 3., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • The Commission and the Member States shall encourage and facilitate the drawing up of codes of conduct intended to foster the voluntary application to AI systems other than high-risk AI systems of the requirements set out in Title III, Chapter 2 on the basis of technical specifications and solutions… (Article 69 1., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • A firm must observe proper standards of market conduct. (2.1.1 Principle 5 Market conduct, Principles for Businesses)
  • In domestically implementing the principles of Parts Two and Three, Member countries should establish administrative, legal, or other procedures or institutions to protect privacy and individual liberties with respect to personal data. Member countries should support and encourage self-regulation, s… (¶ 19(b), OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data)
  • whether the commitments stipulate respecting human rights; (Disclosure 2-23 ¶ 1(a)(iv), GRI 2: General Disclosures, 2021)
  • The organization should report the expectations, values, principles, and norms of behavior set out in the policy commitments. (Guidance to 2-23-a ¶ 1, GRI 2: General Disclosures, 2021)
  • seek advice on implementing the organization's policies and practices for responsible business conduct; (Disclosure 2-26 ¶ 1(a)(i), GRI 2: General Disclosures, 2021)
  • Determine the types of desired conduct including definitions, classifications, and procedures necessary to identify those who contribute to positive outcomes and those who notify the organization when they identify allegations or indications of undesirable conduct. (OCEG GRC Capability Model, v. 3.0, P5.1 Define Desired Conduct, OCEG GRC Capability Model, v 3.0)
  • Work with appropriate stakeholders to develop codes of conduct that address the organizational mission, vision, values, key policies, and expected business conduct. (OCEG GRC Capability Model, v. 3.0, P2.1 Develop Codes of Conduct, OCEG GRC Capability Model, v 3.0)
  • Implement policies and associated procedures to address opportunities, threats and requirements and set clear expectations of conduct for the governing authority, management, the workforce and the extended enterprise. (OCEG GRC Capability Model, v. 3.0, P2 Policies, OCEG GRC Capability Model, v 3.0)
  • The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity’s standards of conduct and understood at all levels of the organization and by outsourced service providers and business partners. (§ 3 Principle 1 Points of Focus: Establishes Standards of Conduct, COSO Internal Control - Integrated Framework (2013))
  • Management and the board of directors establish the mechanisms to communicate and hold individuals accountable for performance of internal control responsibilities across the organization and implement corrective action as necessary. (§ 3 Principle 5 Points of Focus: Enforces Accountability through Structures, Authorities, and Responsibilities, COSO Internal Control - Integrated Framework (2013))
  • The development of a compliance culture requires the active, visible, consistent and sustained commitment of the governing body, top management and management towards a common, published standard of behaviour that is required throughout every area of the organization. (§ 7.3.2.3 ¶ 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • Controls should be put in place to manage the identified compliance obligations and associated compliance risk and to achieve desired behaviour. (§ 8.2 ¶ 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • contributes to the prevention of misconduct; (§ 6.7.3.3 ¶ 3 Bullet 3, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • Act in good faith and in the best interest of the organization. (Table 2 Column 2 Row 2 Bullet 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • Act ethically and in a compliant manner. (Table 2 Column 2 Row 2 Bullet 3, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • Ethical behaviour — The organization behaves in accordance with accepted principles of right or good conduct in the context of a particular situation and in a manner consistent with international norms of behaviour, including demonstrating: (§ 5 ¶ 2 c), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • provides competitive differentiation for stakeholders by providing clarity against which evaluators can assess the organization's behaviour, decisions and activities; (§ 6.7.3.3 ¶ 3 Bullet 4, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • monitoring and responding to the behaviour, decisions and activities of the organization, e.g. values-driven behaviours pertaining to sustainability; (§ 6.3.3.2.2 ¶ 2 b), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The entity may use an alternative code of conduct and audit process to the RBA VAP, if the code of conduct and audit process are similar in scope and criteria to the VAP (i.e., an equivalent code of conduct). At a minimum, the criteria of an equivalent code of conduct shall include: (TC-ES-320a.2. (3), Electronic Manufacturing Services & Original Design Manufacturing Sustainability Accounting Standard, Version 2018-10)
  • The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity’s standards of conduct and understood at all levels of the entity and by outsourced service providers and business partners. (CC1.1 ¶ 3 Bullet 2 Establishes Standards of Conduct, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Management and the board of directors consider the use of contractors and vendor employees in its processes for establishing standards of conduct, evaluating adherence to those standards, and addressing deviations in a timely manner. (CC1.1 ¶ 4 Bullet 1 Considers Contractors and Vendor Employees in Demonstrating Its Commitment, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Management and the board of directors establish the mechanisms to communicate and hold individuals accountable for performance of internal control responsibilities across the entity and implement corrective action as necessary. (CC1.5 ¶ 3 Bullet 1 Enforces Accountability Through Structures, Authorities, and Responsibilities, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Aligning individual behavior with culture is critical. The most powerful influence comes from management who creates and sustains the organizational agenda. Explicitly, the organization develops policies, rules, and standards of conduct. Implicitly, the organization should lead by example to reflect… (Embracing a Risk-Aware Culture ¶ 2, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Management provides guidance to personnel so they understand the risks. Management also demonstrates leadership by communicating the expectations of conduct for all aspects of enterprise risk management. Such leadership from the top helps to establish and enforce accountability and a common purpose. (Enforcing Accountability ¶ 2, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Management and the board of directors clearly communicating the expectations (e.g., developing and enforcing standards of conduct). (Enforcing Accountability ¶ 3 Bullet 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Verify the practitioner in charge of the engagement has an understanding of the AICPA's code of professional conduct. (Ques. AT411 Item 1, Reporting on Controls at a Service Organization Checklist, PRP §21,100)
  • Reading documents about the service organization's security awareness and training programs, communication of code of conduct, employee handbooks, information security policies, incident notification procedures, and other available documentation to understand the service organization's processes for… (¶ 3.59 Bullet 8, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Management and the board of directors establish the mechanisms to communicate and hold individuals accountable for performance of internal control responsibilities across the entity and implement corrective action as necessary. (CC1.5 Enforces Accountability Through Structures, Authorities, and Responsibilities, Trust Services Criteria)
  • The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity's standards of conduct and understood at all levels of the organization and by outsourced service providers and business partners. (CC1.1 Establishes Standards of Conduct, Trust Services Criteria)
  • Management and the board of directors establish the mechanisms to communicate and hold individuals accountable for performance of internal control responsibilities across the entity and implement corrective action as necessary. (CC1.5 ¶ 2 Bullet 1 Enforces Accountability Through Structures, Authorities, and Responsibilities, Trust Services Criteria, (includes March 2020 updates))
  • The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity’s standards of conduct and understood at all levels of the entity and by outsourced service providers and business partners. (CC1.1 ¶ 3 Bullet 2 Establishes Standards of Conduct, Trust Services Criteria, (includes March 2020 updates))
  • The entity has established workforce conduct standards, implemented workforce candidate background screening procedures, and conducts enforcement procedures to enable it to meet its commitments and system requirements as they relate to [insert the principle(s) addressed by the engagement: security, … (CC1.4, TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • Written standards of conduct must be maintained by the grantee to govern the performance of employees who are involved in the award and administration of contracts. The standards should include the following: that employees, officers, or agents may not participate in selecting, awarding, or administ… (§ 495.348(c), 42 CFR Parts 412, 413, 422 et al., Medicare and Medicaid Programs; Electronic Health Record Incentive Program, Final Rule)
  • CODE OF ETHICS DISCLOSURE.—The Commission shall issue rules to require each issuer, together with periodic reports required pursuant to section 13(a) or 15(d) of the Securities Exchange Act of 1934, to disclose whether or not, and if not, the reason therefor, such issuer has adopted a code of ethi… (§ 406(a), The Sarbanes-Oxley Act of 2002 (SOX), July 30, 2002.)
  • Agencies that maintain a system of records shall develop rules of conduct for personnel involved in designing, developing, maintaining, or operating a system of records or in maintaining records and train persons on the rules and requirements, including, but not limited to, other rules and procedure… (§ 552a(e)(9), 5 USC § 552a, Records maintained on individuals (Privacy Act of 1974))
  • Personnel policies and practices are in effect; (TIER II OBJECTIVES AND PROCEDURES E.1. Bullet 3, FFIEC IT Examination Handbook - Audit, April 2012)
  • Does the Credit Union personnel policy include a Code of Ethics policy or fraud policy? (IT - Policy Checklist Q 29, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • The organization must provide employees, third parties, and contractors with the Terms and Conditions of employment, their legal rights, the expectations of conduct, their duties, and their responsibilities. (SG.PS-9 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Entities or associations that represent users of or persons responsible for privately-held data banks may create professional practice codes of conduct that establish the rules for processing personal data that tend to improve and assure the operational conditions of the information systems based on… (§ 30, Argentina Personal Data Protection Act)