Establish, implement, and maintain an ethical culture.


CONTROL ID
12781
CONTROL TYPE
Behavior
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an ethics program., CC ID: 11496

This Control has the following implementation support Control(s):
  • Analyze the organizational climate regarding support for expectation of responsible behavior and integrity., CC ID: 12873
  • Analyze the organizational climate regarding the expectation of responsible behavior and integrity., CC ID: 12872
  • Refrain from practicing false advertising., CC ID: 14253


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • A firm must conduct its business with integrity. (2.1.1 Principle 1 Integrity, Principles for Businesses)
  • Define the elements of a control environment for IT, aligned with the enterprise's management philosophy and operating style. These elements should include expectations/requirements regarding delivery of value from IT investments, appetite for risk, integrity, ethical values, staff competence, accou… (PO6.1 IT Policy and Control Environment, CobiT, Version 4.1)
  • creating an environment where the reporting of noncompliance is encouraged and the reporting employee will be safe from retaliation; (§ 7.3.2.2 ¶ 1 d), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • Behaviour that creates and supports compliance should be encouraged and behaviour that compromises compliance should not be tolerated. (§ 7.3.2.1 ¶ 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • an ethical culture; (§ 5 ¶ 2 c) 1), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • fairness in the treatment of, and engagement with, stakeholders; (§ 5 ¶ 2 c) 3), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The organization defines the desired behaviors that characterize the entity's desired culture. (Principle 3: Defines Desired Culture, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • In the performance of any professional service, a member shall maintain objectivity and integrity, shall be free of conflicts of interest, and shall not knowingly misrepresent facts or subordinate his or her judgment to others. (2.100.001.01, AICPA Code of Professional Conduct, August 31, 2016)
  • In the performance of any professional service, a member shall maintain objectivity and integrity, shall be free of conflicts of interest, and shall not knowingly misrepresent facts or subordinate his or her judgment to others. (1.100.001.01, AICPA Code of Professional Conduct, August 31, 2016)
  • The public interest aspect of members' services requires that such services be consistent with acceptable professional behavior for members. Integrity requires that service and the public trust not be subordinated to personal gain and advantage. Objectivity and independence require that members be f… (0.300.070.02, AICPA Code of Professional Conduct, August 31, 2016)
  • Responsibilities principle. In carrying out their responsibilities as professionals, members should exercise sensitive professional and moral judgments in all their activities. (0.300.020.01, AICPA Code of Professional Conduct, August 31, 2016)
  • Due care principle. A member should observe the profession's technical and ethical standards, strive continually to improve competence and the quality of services, and discharge professional responsibility to the best of the member's ability. (0.300.060.01, AICPA Code of Professional Conduct, August 31, 2016)
  • Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving (GV.RR-01, The NIST Cybersecurity Framework, v2.0)