Best Practices: The Code of Conduct

The Code of Conduct can be a "compliance" tool, and even an enabler of company culture. It sets the expectations of employee behaviours.


The Code of Conduct is a divisive topic. Some clients see it as a “tick-the-box” that is meaningless in practice, while others see it as a critical management tool. In either case, it’s an important control practice often stipulated as a requirement in contracts with enterprise customers and expected in every SOC 2 report.


What’s the purpose of a code of conduct?

Why should you document one?



A Code of Conduct defines and documents the expected behaviours of employees. This often includes obvious behaviours of professionalism and appropriate personal conduct like honesty and integrity. It defines “hygiene” practices like dress code, working hours, equality and respect for others.


Tech start-up companies bring together employees from a wide variety of backgrounds. The Code of Conduct is an opportunity to define company culture and the desired behaviours to represent your company. It is not only about what you must do and cannot do, but also about what employees are encouraged to do.


Many SaaS startups benefit from a social culture of “work hard, play hard”: encouraging employees to participate in social events, to work flexible hours that suit their work style and life situation, and to be open and inclusive with others. While encouraging these sorts of behaviours, the Code of Conduct should also set the boundaries, to ensure they are applied in a manner that supports the business needs and objectives.


Of course, the Code of Conduct itself is just a document. The 'tone-at-the-top' set by management to encourage and enforce the right behaviours is much more important than the document. But documenting it, and having new employees sign up to it, ensures everyone is on the same page from day one. It provides a reference point for when conduct is inappropriate or has crossed the defined boundaries. It often includes, or should be linked to, a Discipline Policy that sets out what happens in the event that the Code of Conduct is materially breached. That also supports legal compliance.


Employee behaviours are critical to the success of any company. The employees represent the business to customers and other stakeholders. The internal effectiveness of the business relies on how well employees work together. The Code of Conduct often links in with the Acceptable Use Policy.


The SOC 2 Perspective


The Code of Conduct is an expected practice for the two criteria below. It is one of the "must-have" control practices in SOC 2 reports, whether it's as a Code of Conduct, Employee Handbook, or performed in a different way with the same principles applied.


COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values.


COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.



AssuranceLab's Best Practices Series


AssuranceLab's best practices series is about highlighting the "real operational benefits" that come from effective control practices. At best, they support your company culture, provide structure and clarity, and enable scalable growth. At worst, they tick the boxes for what your customers expect, reduce the reactive "firefighting" and time-wasting, and help you demonstrate your compliance with leading standards like SOC 2 and ISO 27001.