Code Of Conduct Review And Audit Indicators In The United Kingdom
| Category | Review indicator | What to check | Review frequency | Evidence sources | Remediation priority |
|---|---|---|---|---|---|
| Governance oversight | Document has current board or senior management approval | Confirm latest version was approved by the correct authority. | Annually | Board minutes, approval email, policy register, version history. | High |
| Policy currency | Version control is complete and accurate | Check owner, date, version number, changes and next review date. | Quarterly | Policy front page, document control table, intranet archive. | Medium |
| Policy currency | Policy reflects relevant UK legal changes | Compare policy wording against recent UK employment, crime, data and corporate law changes. | Event-triggered | Legal update logs, solicitor review notes, compliance tracker. | High |
| Policy currency | Anti-bribery rules address gifts, hospitality and facilitation payments | Confirm prohibited conduct, approval thresholds and registers are clearly stated. | Annually | Gifts register, hospitality approvals, anti-bribery procedure, training slides. | High |
| Management accountability | Policy supports adequate procedures against bribery | Check responsibilities, risk assessment, due diligence and monitoring controls. | Annually | Bribery risk assessment, due diligence files, control testing results. | High |
| Reporting process | Whistleblowing reporting routes are clear and protected | Confirm named contacts, anonymous options, escalation and anti-retaliation wording. | Annually | Whistleblowing policy, hotline details, case logs, staff communications. | High |
| Policy currency | Protected disclosure wording reflects UK whistleblowing law | Check that workers are not discouraged from making protected disclosures. | Every two years | Policy legal review, HR guidance, whistleblowing procedure. | High |
| Policy currency | Confidentiality and personal data rules are current | Confirm rules cover personal data, security, confidentiality and incident reporting. | Annually | Privacy notices, data protection policy, breach procedure, ICO guidance review. | High |
| Training completion | Employee conduct rules support data protection compliance | Check staff know how to handle, report and protect personal data. | Annually | Training records, breach logs, data handling attestations, audit reports. | High |
| Policy currency | Equality, bullying and harassment standards are explicit | Check prohibited behaviour, protected characteristics and complaint routes. | Annually | Dignity at work policy, grievance records, disciplinary records, training materials. | High |
| Employee awareness | Conduct rules align with Equality Act 2010 duties | Check staff understand discrimination, harassment and victimisation standards. | Every two years | Equality training records, employee surveys, HR case trends. | High |
| Policy currency | Health and safety responsibilities are included | Confirm duty to follow safe systems, report hazards and avoid reckless conduct. | Annually | HSE policy, risk assessments, incident reports, safety training records. | High |
| Management accountability | Code supports employer and employee safety duties | Check managers enforce safe behaviour and escalate serious risks. | Annually | Safety committee minutes, incident investigations, manager briefings. | High |
| Reporting process | Conflicts of interest rules are workable and enforced | Check disclosure triggers, approval process and recusal requirements. | Quarterly | Conflict register, procurement files, board declarations, approval records. | High |
| Third-party communication | Suppliers receive relevant conduct expectations | Confirm supplier code, contract clauses or onboarding materials reference conduct standards. | Annually | Supplier code, contracts, onboarding packs, procurement questionnaires. | Medium |
| Third-party communication | Modern slavery expectations are communicated to supply chains | Check supplier duties, escalation routes and due diligence are stated. | Annually | Modern slavery statement, supplier audits, contract terms, risk assessments. | High |
| Governance oversight | Supply chain conduct supports modern slavery transparency duties | Check annual statement governance and supplier conduct references where applicable. | Annually | Board-approved statement, website publication, supplier due diligence files. | High |
| Training completion | Mandatory conduct training completion meets target | Compare completion rates by role, location, seniority and risk group. | Monthly | LMS reports, induction checklists, reminder logs, exception reports. | High |
| Employee awareness | New starters receive the code during induction | Check code issue, explanation and acknowledgement before or soon after start date. | Monthly | Onboarding checklist, HRIS record, signed acknowledgement, induction slides. | Medium |
| Employee awareness | Employees complete annual code attestations | Confirm staff acknowledge reading, understanding and complying with the code. | Annually | Attestation reports, HRIS records, reminder emails, exception lists. | Medium |
| Employee awareness | Code is easy for employees to access | Check intranet location, format, language clarity and availability to non-desk staff. | Quarterly | Intranet analytics, noticeboards, handbook links, staff survey responses. | Medium |
| Reporting process | Reporting channels are tested and operational | Test email, hotline, web form and escalation contacts for availability. | Quarterly | Test reports, service desk tickets, hotline provider reports, screenshots. | High |
| Record keeping | Conduct concerns are triaged and investigated promptly | Compare case handling against internal triage and investigation timescales. | Monthly | Case management system, investigation plans, outcome letters, SLA reports. | High |
| Record keeping | Investigation records are complete and confidential | Check evidence, interviews, decisions, confidentiality controls and retention. | Quarterly | Investigation files, access logs, retention schedule, legal hold records. | High |
| Management accountability | Sanctions for breaches are consistent and proportionate | Compare outcomes for similar breaches and check rationale is recorded. | Quarterly | Disciplinary records, outcome letters, HR review notes, appeal outcomes. | High |
| Management accountability | Managers escalate conduct issues correctly | Check managers report issues, avoid informal suppression and follow process. | Quarterly | Manager training records, case logs, HR advice notes, audit interviews. | High |
| Governance oversight | Senior leaders visibly support the code | Check leadership communications, meeting references and participation in training. | Annually | CEO messages, town hall slides, board minutes, training completion by leaders. | Medium |
| Governance oversight | Board receives conduct risk reporting | Confirm board sees trends, serious cases, training gaps and remediation actions. | Quarterly | Board packs, risk committee minutes, conduct dashboards, action trackers. | High |
| Governance oversight | Workforce culture is monitored where governance code applies | Check board reviews culture indicators and workforce engagement outputs. | Annually | Culture dashboard, engagement survey, workforce forum minutes, annual report extracts. | Medium |
| Policy currency | Fraud, theft and false accounting standards are clear | Confirm code prohibits dishonest records, expense abuse and asset misuse. | Annually | Finance policies, expense audits, fraud reports, internal audit findings. | High |
| Policy currency | Sanctions and trade restrictions are addressed where relevant | Check employee duties for screening, escalation and restricted dealings. | Event-triggered | Sanctions policy, screening logs, OFSI updates, trade compliance records. | High |
| Policy currency | Social media and public communications rules are current | Check rules on confidentiality, discrimination, brand use and authorised statements. | Annually | Social media policy, communications approvals, disciplinary cases, staff guidance. | Medium |
| Policy currency | Remote working conduct expectations are covered | Check rules on security, confidentiality, equipment use and respectful communication. | Annually | Hybrid working policy, IT policy, incident logs, employee guidance. | Medium |
| Policy currency | Sector-specific conduct obligations are reflected | Check FCA, charity, healthcare, education or other regulator expectations where applicable. | Event-triggered | Regulatory horizon scan, compliance manuals, regulator correspondence, gap analysis. | High |
| Training completion | FCA conduct expectations are included for regulated firms | Check relevant staff receive conduct rules training and breach reporting guidance. | Annually | SMCR training records, breach logs, certification files, compliance attestations. | High |
| Governance oversight | Named policy owner is active and accountable | Confirm owner reviews incidents, updates policy and reports overdue actions. | Quarterly | RACI matrix, job description, action tracker, review meeting minutes. | Medium |
| Employee awareness | Employees understand key conduct expectations | Use surveys or testing to confirm understanding of key scenarios. | Annually | Pulse surveys, quiz scores, focus group notes, training assessments. | Medium |
| Reporting process | Code links to grievance and disciplinary procedures | Check employees can identify how concerns and breaches are handled. | Every two years | Employee handbook, disciplinary policy, grievance policy, intranet links. | Medium |
| Record keeping | Conduct records retention is defined | Check retention periods for training, attestations, reports and investigations. | Annually | Retention schedule, privacy notice, deletion logs, case archive. | Medium |
| Record keeping | Conduct incidents are analysed for trends | Check themes by location, team, breach type, root cause and outcome. | Quarterly | Conduct dashboard, root cause analysis, HR analytics, risk committee reports. | Medium |
| Reporting process | Retaliation after reports is monitored | Check follow-up with reporters and action against victimisation or detriment. | Quarterly | Follow-up notes, HR case files, exit interviews, grievance records. | High |
| Third-party communication | Third parties can raise conduct concerns | Confirm suppliers, contractors and agents know how to report concerns. | Annually | Supplier portal, contract clauses, onboarding emails, hotline scope documents. | Medium |
| Third-party communication | Contractors and agency workers are covered where appropriate | Check contracts and onboarding impose relevant conduct standards. | Annually | Agency agreements, contractor onboarding packs, site rules, access records. | Medium |
| Policy currency | Policy is reviewed after mergers or major restructuring | Check organisational changes, new entities, cultures and reporting lines are reflected. | Event-triggered | Integration plans, organisational charts, legal entity lists, HR communications. | Medium |
| Governance oversight | Speak-up culture metrics are monitored | Review reporting volumes, anonymous reports, substantiation rates and survey confidence. | Quarterly | Whistleblowing dashboard, engagement survey, hotline reports, board papers. | Medium |
| Policy currency | Code is consistent with related policies | Compare against HR, IT, finance, procurement, data and safety policies. | Annually | Policy map, gap analysis, cross-reference table, handbook review notes. | Medium |
| Training completion | High-risk roles receive enhanced conduct training | Check targeted modules for sales, procurement, finance, managers and regulated staff. | Quarterly | Role risk matrix, LMS assignments, completion reports, assessment scores. | High |
| Governance oversight | Previous code audit actions are closed on time | Review overdue actions, accountable owners and evidence of completion. | Monthly | Audit action tracker, internal audit reports, closure evidence, risk committee minutes. | Medium |
How Often Should A UK Code Of Conduct Be Reviewed?
A UK code of conduct should normally be reviewed at least annually, with event-triggered reviews after legal, regulatory, ownership, operational or workforce changes. Higher-risk areas such as whistleblowing, bribery, sanctions, data protection and health and safety need faster review, because outdated wording can weaken statutory compliance and leave the board without an accurate picture of conduct risk.
What Evidence Shows A Code Of Conduct Is Working?
Useful audit evidence includes board approval minutes, version histories, staff attestations, training completion reports, whistleblowing logs, disciplinary outcomes, supplier onboarding records, gifts and hospitality registers, and investigation files. The strongest evidence links the policy to actual decisions, reporting routes and management action; a document that merely exists, without records showing it was applied, is weak evidence on its own.
Which UK Legal Risks Should Be Reflected In The Review?
- Bribery and facilitation payments: anti-bribery controls should align with the Bribery Act 2010 and Ministry of Justice guidance on adequate procedures.
- Whistleblowing: reporting channels should reflect protected disclosure rights under the Employment Rights Act 1996 and relevant regulator expectations.
- Data protection: confidentiality, monitoring, reporting and records should support UK GDPR and Data Protection Act 2018 obligations.
- Health and safety: conduct expectations should not conflict with employer duties under the Health and Safety at Work etc. Act 1974.
- Modern slavery and supply chains: supplier communication should support transparency duties where the Modern Slavery Act 2015 applies.
What Should Be Prioritised First After A Weak Review?
High-priority gaps are those affecting legal reporting routes, board accountability, bribery controls, whistleblowing protection, investigation records, discrimination or harassment standards, and third-party communication. These issues can create regulatory, employment tribunal, criminal, procurement and reputational exposure in the UK.
