
A code of conduct rarely fails because the text is “wrong.” It fails because you cannot prove it changes decisions and behavior, and because the organization cannot produce evidence fast when an auditor (or leadership) asks, “show me it works.”
This article is a practical field guide to spot 5 ethical code of conduct red flags and remediate them fast, with an emphasis on audit-ready evidence.
What “good” looks like (in audit language)
A regulator, certification body, internal audit team, or external reviewer typically tests the same three things:
- design: is the code fit for purpose and aligned to your risks, business model, and jurisdictions?
- deployment: was it communicated, trained, acknowledged, and made accessible to the right people (including third parties when relevant)?
- effectiveness: can you demonstrate it is used in decisions, that breaches are handled consistently, and that you improve it based on real signals (cases, controls, incidents, and feedback)?
A fast triage method before you rewrite anything
Before launching a full rewrite (often slow, political, and not always necessary), run this quick triage. The goal is to determine whether you have a content problem, a deployment problem, or an operating model problem.
The 30-minute “proof of life” test
Ask for these five items, and time how long it takes to retrieve them:
- the current code of conduct (latest approved version) and a version history
- proof of approval (who approved, when, and under what governance)
- the communication plan and completion evidence (who received it)
- the training and attestation evidence (who understood and acknowledged)
- the last 12 months of related signals (breaches, questions to compliance, speak-up reports tagged to code topics, disciplinary actions, exceptions)
If retrieval is slow, incomplete, or disputed, your biggest gap is usually not the wording. It is traceability and evidence management.

The 5 ethical code of conduct red flags (and how to remediate fast)
The red flags below are written to be observable, testable, and fixable. For each one, you will get:
- what it looks like in practice
- how to test it quickly
- a fast remediation plan
- what evidence to retain
Red flag 1: the code is generic, not risk-mapped to your reality
What you see: the code reads like a “values poster” or a legal encyclopedia. It does not reflect your risk map, your business processes, or your cross-border exposure (for example, France and Spain differences in anti-corruption expectations, antitrust risk hotspots, third-party reliance, public tender activity).
Why it is dangerous: generic codes create two audit problems.
- you cannot justify why it addresses your highest risks (risk-based design)
- you cannot link it to operational controls and monitoring (effectiveness)
Fast test (same day)
Pick your top 10 compliance risks from your risk map (or, if you do not have a current one, pick the top 10 scenarios your business actually faces). Check whether the code contains:
- a clear “what is prohibited” statement for each risk
- a practical example for each risk (one sentence is enough)
- a “what to do instead” escalation path
If you cannot map the top risks to code sections, the code is not risk-based.
Fast remediation (10 business days)
- run one 60-minute workshop with legal, compliance, HR, procurement, sales, and finance to agree on the top risk scenarios the code must cover
- add a one-page annex titled “high-risk scenarios and what to do,” aligned to your risk map (do not rewrite the whole document yet)
- assign each scenario an operational owner (not compliance) for procedure alignment (for example, gifts approvals owned by sales operations or procurement)
Evidence to keep
- workshop invite list and minutes
- the mapping between risk scenarios and code sections
- the approval record for the updated annex
Red flag 2: the code is not operational (rules without decision support)
What you see: employees ask the same questions repeatedly (gifts, conflicts of interest, interactions with public officials, third-party use, antitrust “can I attend this meeting?”). The code says “do the right thing” but does not provide a decision path.
Why it is dangerous: without decision support, the code becomes an “after-the-fact document.” In investigations, you will struggle to show that employees had usable guidance at the moment of decision.
Fast test (48 hours)
Pull the last 20 compliance questions, helpline tickets, or speak-up reports that relate to ethics topics. Classify them:
- “lack of clarity in the code”
- “code is clear but people did not know it existed”
- “code is clear but business process pushes opposite behavior”
If more than a few fall into “lack of clarity,” you need operational decision support.
Fast remediation (2 weeks)
Create three tools that fit on one page each:
- a “pause and check” checklist for employees (generic)
- 5 to 8 role-based scenarios for your highest-risk teams (sales, procurement, finance)
- an escalation matrix (who to contact, response time targets, what info to provide)
Keep the code as the formal reference, and use these tools as the practical layer that makes it usable.
Evidence to keep
- the question analysis (your classification)
- the published one-pagers with version control
- distribution logs (who received what)
Red flag 3: you cannot prove adoption, only publication
What you see: the code exists on the intranet, but you cannot evidence who received it, who acknowledged it, and whether third parties were covered (agents, distributors, key subcontractors) when your risk profile requires it.
Why it is dangerous: in Sapin II and ISO-aligned audits, “it was available” is typically weaker than “it was deployed, acknowledged, and refreshed.” Also, adoption evidence is often requested urgently during audits and due diligence.
Fast test (same day)
Try to produce, for a chosen population (for example, sales and procurement in France and Spain):
- distribution proof
- attestation completion
- training completion
If you cannot produce a reliable list within hours, you have an adoption evidence gap.
Fast remediation (30 days)
- define the target populations (employees, subsidiaries, high-risk third parties)
- implement a quarterly attestation cadence for high-risk groups and an annual cadence for everyone else (typical approach, adapt to your risks)
- add a rule: no access to certain processes (for example, onboarding a third party, approving discounts, approving gifts above a threshold) without a current code attestation
Evidence to keep
- population definition and rationale (risk-based)
- completion reports with timestamps
- exception logs (who did not attest, why, and what was done)
Red flag 4: enforcement is inconsistent or opaque (discipline and remediation do not match)
What you see: similar breaches lead to different outcomes depending on seniority, country, or business unit. Or the organization “solves” issues informally, leaving no traceable remediation or disciplinary record.
Why it is dangerous: inconsistent enforcement is one of the fastest ways to destroy credibility. It also undermines the “tone from the top” expectation common across anti-corruption, criminal compliance, and competition compliance frameworks.
Fast test (one week)
Take the last 10 substantiated ethics or compliance cases related to code topics and check whether you have:
- a documented qualification of the breach (what rule was violated)
- a documented decision rationale (why this outcome)
- documented corrective actions (control fixes, training, process changes)
If these are missing or inconsistent, your red flag is not the code. It is enforcement governance.
Fast remediation (30 to 45 days)
- publish a short “case handling and consequences” standard (not the details of each case, but the decision principles)
- implement a simple outcomes matrix (for example, coaching, training, written warning, termination, third-party offboarding), aligned with HR and legal
- require root-cause analysis for substantiated cases (what control failed, what process enabled it) and track remediation to completion
Evidence to keep
- the outcomes matrix and approval
- case files with decision records
- remediation tracking logs (owner, due date, completion proof)
Red flag 5: the code is disconnected from controls, testing, and KPIs
What you see: the code is maintained by legal or compliance as a document, while operational controls live elsewhere (procurement onboarding, accounting controls, gifts register, competition meeting protocols). As a result, you cannot test whether the code is followed, only whether it exists.
Why it is dangerous: modern reviews focus on control effectiveness, not policy volume. If your code is not tied to controls and monitoring, you will struggle to demonstrate effectiveness under scrutiny.
Fast test (72 hours)
Pick three high-risk topics typically covered by a code of conduct:
- gifts and hospitality
- conflicts of interest
- third-party engagements
For each, ask:
- what is the operational control (approval, register, due diligence, accounting check)?
- who owns it in the first line?
- what evidence is produced automatically?
- when was it last tested?
If the answers are unclear, your code is not connected to execution.
Fast remediation (6 weeks)
- create a “code-to-control map” for the top 10 code topics (one table, not a new framework)
- separate control design from control testing (different owners and cadence, where feasible)
- define 3 to 5 KPIs that show effectiveness, not activity (for example, remediation cycle time, repeat issue rate, policy exceptions trend)
Evidence to keep
- the code-to-control map
- test plans and test results
- KPI definitions, data sources, and trends
One table to manage the red flags (owners, tests, evidence)
Use this as a lightweight operating model. It is intentionally simple so it can survive in mid-size companies.
| Red flag | Quickest test | Primary owner to fix | Audit-ready evidence to retain |
|---|---|---|---|
| Not risk-mapped | map top risks to code sections | compliance with business process owners | mapping, workshop minutes, approvals |
| Not operational | analyze last 20 questions/cases | compliance and HR, with business | one-pagers, scenario sets, distribution logs |
| No adoption proof | produce attestation and training list fast | HR (deployment), compliance (scope) | completion reports, exceptions, population rationale |
| Inconsistent enforcement | review last 10 substantiated cases | HR and legal, with compliance oversight | decision records, outcomes matrix, remediation logs |
| Not linked to controls | code-to-control mapping for top topics | first line process owners | control maps, test results, KPIs and trends |
A practical template: the “ethical code of conduct health check” (copy/paste)
Use this template for a quarterly review. Keep answers short and evidence-linked.
- scope: which entities, countries, and third parties are covered?
- top risks: what changed in our risk map this quarter that affects the code?
- deployment: who joined, moved roles, or needs refreshed attestation?
- signals: what are the top 5 recurring questions or allegations?
- breaches: do we see repeat issues in the same process or team?
- controls: which controls support the code topics, and what did testing show?
- improvements: what changes will we make this quarter (text, tools, training, controls)?
- approvals: who approved changes and when?
How Naltilia can help
If your main gap is speed and evidence, automation can make the code “live” operationally. Naltilia can support a more auditable operating rhythm by helping teams structure risk assessments, link code topics to controls and remediation actions, automate data collection for evidence, and keep a centralized evidence library for audits across France and Spain. This is especially useful when you need consistent workflows across functions (HR, procurement, finance) and board-ready KPIs without chasing people at quarter-end.
Contact Naltilia to discuss your use case: book a 30-minute call.
Frequently asked questions
Is a code of conduct mandatory under loi Sapin II? For companies in scope of loi Sapin II article 17, a code of conduct is one of the required measures. See the law text on Légifrance.
What evidence do auditors typically ask for to assess code effectiveness? Typically they ask for version control and approvals, distribution and attestation records, training evidence, consistent case handling records, and proof that issues lead to remediation (controls, processes, or training updates).
Should we rewrite the whole code when we find red flags? Not necessarily. Often the fastest improvement comes from adding risk-mapped annexes, decision tools, and linking the code to controls and case remediation, while planning a later rewrite if needed.
How do we handle France and Spain differences without creating two codes? A common approach is one group-wide code plus localized annexes for country-specific requirements and examples, with consistent governance, attestations, and a shared evidence model.
How often should a code of conduct be reviewed? There is no single rule, but review should be risk-based. Many organizations run at least an annual review, plus ad hoc updates when risks, controls, or regulations change, and quarterly monitoring of signals (cases, questions, training outcomes).
This article is general information, not legal advice.

