This Handbook applies to all Sophos collaborators including parent companies and subsidiaries and all related parties, interest groups, associates, and business partners, understood as customers, partners, contractors, advisers, intermediaries, and suppliers whether domestic or international, and its analogy to the countries that operate the subsidiaries, generally all those with whom any commercial or contractual relationship is established directly or indirectly.
It must be disclosed and applied immediately and obligatorily to all third parties linked to the Organization, in such a way that they can report such events of fraud, corruption and/or bribery.
The following Principles will serve as guidelines for interpretation in the implementation of all measures and actions aimed at the prevention of bribery and other forms of corruption. Interpretations that seek to give a semblance of legality to conduct or operations classified as contrary to international best practices, such as those described in ISO 37001 and the FCPA Act, as well as those provided in the Anti-Bribery Act, will not be admissible; therefore, the Policy will be imperative in the Organization.
In accordance with the principle of morality, all actions to be carried out as a result of compliance with this Policy shall be carried out with fairness, loyalty and honesty towards all levels of the Organization.
In accordance with the principle of integrity, all actions to be carried out as a result of the implementation of this Policy, as well as all members of the Organization exercising them, must act under a constant evaluation of the correctness, respect and transparency of all professional interactions carried out in fulfillment of the mission and vision of the Organization.
In accordance with the principle of consistency, all members of the Organization shall seek to ensure that all their actions in the performance of their duties are consistent with the provisions of this Policy, the Organization’s Code of Ethics, the Business Ethics Program and its corresponding manual, as well as other internal and external rules that may modify the subject matter of these policies.
In accordance with the principle of efficacy, all actions to be carried out as a result of compliance with this Policy should always aim to achieve a sufficient degree of planning to achieve the planned results.
In accordance with the principle of communication, all actions to be carried out as a result of compliance with this Policy, as well as all members of the Organization who exercise them, must emphasize effective, assertive, clear, express and respectful communication, which will allow the continuous improvement of the Organization’s Business Ethics Program.
Senior Management: They are natural or legal persons, designated in accordance with the social statutes or any other internal provision of the Legal Person and Colombian law, as the case may be, to administer and direct the Legal Person, whether members of collegiate bodies or individuals considered.
Partners: These are natural or legal persons who have contributed money, work or other appreciable assets in money to a company in exchange for fees, interest shares, shares or any other form of participation provided for in Colombian law.
Compliance Audit: It is the systematic, critical and periodic review regarding the proper implementation of the Anti-Bribery and Anti-Corruption Management System, including the Business Ethics Program and its policies.
Contractor: It refers, in the context of an international business or transaction, to any third party providing services to or having a contractual legal relationship of any nature with a Legal Person. Contractors may include, but are not limited to, suppliers, brokers, agents, distributors, advisers, consultants, and persons who are parties to collaborative or risk-sharing contracts with the Legal Person.
Due Diligence: It refers to the periodic review to be made of the legal, accounting, and financial aspects related to an international business or transaction, the purpose of which is to identify and assess the risks of Transnational Bribery that may affect a Legal Person, its Subordinate Companies and Contractors.
Occupational Fraud: It is an act that an employee, manager, official or owner of a company commits to the detriment of that organization. The three main types of fraud in the workplace are: corruption, misappropriation of assets, and fraudulent statements.
Public Official: It is any natural person who holds public office in Colombia in any branch of public power, autonomous bodies, or control bodies, regardless of whether they are national, departmental, or municipal; whether their form of election is popular, merit-based or free-to-appoint and removal; their hierarchy; or whether in Colombian norms they are called members of corporations, public employees, or official workers. Likewise, members of the security forces, individuals who exercise public functions on a permanent or temporary basis, officials, and employees of autonomous bodies such as the Banco de la República or collaborating bodies for decentralization such as Public Notaries and Registration Offices are considered public officials.
Official / Compliance Function: It is the natural person appointed by the Senior Management to lead and administer the Anti-Bribery and Anti-Corruption Management System including the Business Ethics Program and its policies.
Restrictive Lists: These are lists that relate individuals and companies that, according to the agency that publishes them, may be linked to illegal or criminal activities, such as the lists of the United Nations Security Council, OFAC, INTERPOL, National Police, etc.
Compliance Policies: These are the general policies adopted by the Senior Management of a Legal Person to enable the latter to conduct its business in an ethical, transparent and honest manner and to be able to identify, detect, prevent and mitigate the risks associated with Transnational Bribery and other corrupt practices.
Principles: They are aimed at the implementation of the Transnational Bribery Risk Management Systems.
Business Ethics Program: These are the specific procedures under the Compliance Officer, aimed at operationalizing the Compliance Policies, in order to identify, detect, prevent, manage and mitigate the risks of Transnational Bribery, as well as others that relate to any act of corruption that may affect a Legal Person.
Foreign Public Servant: Any person holding a legislative, administrative or judicial office in a State, its political subdivisions or local authorities, or a foreign jurisdiction, regardless of whether the individual has been appointed or elected, any person exercising a public function for a State, its political subdivisions or local authorities, or in a foreign jurisdiction, whether within a public body, or a State enterprise or entity whose decision-making power is subject to the will of the State, its political subdivisions or local authorities, or a foreign jurisdiction.
Anti-Bribery and Anti-Corruption Management System: It is the system oriented to the correct articulation of the Compliance Policies and the interrelated elements of the company that interact to establish policies, objectives and processes to achieve compliance with international regulations and the Business Ethics Program, as well as its proper implementation in the Legal Person.
Bribery: It is the act of giving, offering, promising, soliciting or receiving any gift or thing of value in exchange for a benefit or any other consideration, or in exchange for performing or omitting an act inherent in a public or private function, regardless of whether the offer, promise, or solicitation is for yourself or a third party, or on behalf of that person or on behalf of a third party.
Transnational Bribery: It is the act by which a legal person, through its employees, administrators, associates, contractors or subordinate companies, gives, offers or promises to a foreign public servant, directly or indirectly: (i) sums of money, (ii) objects of pecuniary value or (iii) any benefit or profit in exchange for that public servant performing, omitting or delaying any act related to his functions and in connection with an international business or transaction.
Subordinated Company: A company shall be subordinated or controlled when its decision-making power is subject to the will of another or other persons who will be its parent or controller, either directly, in which case it shall be called a subsidiary or with the assistance of or through the subordinates of the parent, in which case it shall be called a subsidiary.
Business Partner: External party with which the organization has, or plans to establish, some kind of commercial or contractual relationship.
Sophos Solutions has the G-SGC-01 Risk Assessment Guide which establishes assessment guidelines that are proportional to the materiality, size, structure, nature, countries of operation and specific activities of the company.
It also sets out the methodology for identifying, assessing and controlling risks taking into account factors such as country, economic and third-party risks.
Each internal process of the company has the risk matrix and annually updates the risks taking into account the changes presented in each of the threads and will take into account the implications that can be had about the risks of corruption, bribery and transnational bribery.
Sophos Solutions has Instructives for Due Diligence, Know Your Customer, Security Studies and Extended Due Diligence, which establish procedures for knowing third parties, with the objective of performing due diligence on certain transactions, projects, activities, business partners, candidates, or collaborators of the company to assess the scope, scale and nature of the risk by obtaining prior knowledge of the counterparty through various validations. This is executed prior to the binding or establishment of the contractual relationship and updated annually.
It also aims to act as an additional specific control in the prevention and detection of the risk of corruption, bribery and transnational bribery, and to inform the decision of Sophos Solutions on the desirability of postponing, suspending or reviewing such transactions, projects or relationships with business partners or collaborators (contracting, transferring or promoted).
Sophos has a unique Travel process, which specifies the reasons why travel and allowance may be granted and the means to make requests, taking into account the relevant approvals.
Sophos prohibits the use of its resources for personal entertainment; the resources are for the exclusive use of the company’s work activities. For further information please refer to the PL-VJS-01 Travel and Accommodation Policy and the M-SGC-20 Cost Reimbursement Manual.
Sophos Solutions makes the following allocation of responsibilities according to applicable regulations:
All collaborators and third parties acting on behalf of Sophos are prohibited from negotiating, receiving, offering, promising, paying, providing or authorizing (directly or indirectly) bribes, undue advantages, payments, gifts, travel, or the transfer of any kind of value to any person, whether public official or not, to influence or reward any action, omission, favorable treatment or decision of such person for the benefit of Sophos.
Anti-corruption and anti-bribery laws penalize people who pay bribes and those who acted to incentivize the payment of bribes; that is, they apply to any individual who:
- Approves payment of the bribe.
- Provides or accepts fraudulently issued invoices.
- Relays instructions for the payment of the bribe.
- Covers the payment of the bribe.
- Cooperates with the payment of the bribe.
Sophos prohibits the offer, promise, authorization, payment, receipt and performance of Bribery. The facilitation payment, which under the FCPA Act is the payment made to promote routine actions of the government, is an exception that is made solely by Migration Management, and its procedure is stipulated in the Area Policies.
No person shall receive a repression, reprimand, or penalty for loss of business resulting from declining to pay or receive a bribe.
The payment of bribes to contractors and suppliers in the name of Sophos is prohibited. We also refuse to do business with third parties whose reputation and integrity are questioned, and it is not admitted, under any circumstances, that a third party exercises any kind of inappropriate influence for the benefit of the company on any person, whether a public official or not. Due diligence is performed on each of the third parties to check their background.
Moreover, all contracts entered into with national or international legal or natural persons should include the Anti-Bribery and Anti-Corruption Clauses of performance for both parties, to ensure compliance with anti-corruption laws and therefore acceptance of sanctions that may be generated by their non-compliance.
All purchasing processes must be conducted on the basis of merit and respect for rules and policies, and not through the improper use of influence over any person, whether public official or not. No collaborator or third party acting on behalf of Sophos may receive or offer any kind of gift, present, advantage, benefit or care, from or for any person, natural or legal, whether public official or not.
And finally, in the context of merger operations, asset purchases, shares, quotas or parties of interest or any other corporate restructuring procedure in which the company participates as a potential acquirer, the operation will be evaluated by the board of directors, and due diligence will also be carried out aimed at identifying liabilities and contingencies related to possible acts of Transnational Bribery.
The Anti-Bribery and Anti-Corruption Management System includes:
- The documented information required by ISO 37001
- The documented information required by the current legal regulations (Law, Circular)
- Documented information demonstrating that the bribery risk assessment has been carried out, and has been used to design or improve the Anti-Bribery and Anti-Corruption Management System
- Documented information on the objectives of the Anti-Bribery and Anti-Corruption Management System.
- The documented information that the organization determines is necessary for the effectiveness of the Anti-Bribery and Anti-Corruption Management System
Creating and Updating
By creating and updating the documented information, Sophos ensures through the Quality System:
- Identification and description
- The format
- The review and approval with respect to suitability and adequacy.
The Handbook will be updated whenever changes in the company’s activity occur that alter or may alter the degree of risk of Corruption, Bribery and Transnational Bribery or at least every two (2) years.
Control of documented information
The documented information required by the Anti-Bribery and Anti-Corruption Management System, in compliance with the Quality Management and Information Security System, must:
- Be available and suitable for use, where and when needed
- Be adequately protected
In addition, documents and records to comply with policies, guidelines, procedures and controls related to the Anti-Bribery and Anti-Corruption Management System are kept and protected by the current legal term, under the standards established by the company.
All transactions shall be recorded in a complete, accurate, approved and detailed manner so that the purpose and amount of the transactions are clear. It is the duty of Sophos and its Collaborators to maintain books, records and accounts reflecting, in a detailed, accurate and correct manner, all transactions. To combat corruption, it is important that transactions are transparent, fully documented and classified into accounts that accurately and fully reflect their nature.
All transactions must be fully recorded, with accurate accounting classification, the respective approval and sufficient detail, so that the purpose and amount of each transaction is clear. It is prohibited to establish hidden or undeclared funds or assets of Sophos for any purpose. False, deceptive, or artificial records should never be entered into books and records, regardless of the reason for them.
Sophos Solutions considers as SERIOUS MISCONDUCT the non-compliance with the Anti-Bribery and Anti-Corruption Management System, the Transparency and Business Ethics Program, the Anti-Bribery and Other Forms of Corruption Policy, the Gift, Presents Hospitalities and Others Policy, the failure or noncompliance with the Code of Ethics, the Internal Labor Regulations, the Employment Contract and any of the controls, information handling or other guidelines defined here for the prevention, detection and control of activities that would be contrary to the fight against Bribery and Corruption, without prejudice to the applicable legal sanctions. As a result, serious infringement and unfulfillment of the employee’s duties towards the Company arise, for which the Company will take disciplinary and/or legal action as the case may be.
In the case of Sophos collaborators, the penalty procedure to be followed is that determined in the section “SCALE OF DISCIPLINARY MISDEMEANORS AND PENALTIES” of the Internal Labor Regulations, without prejudice to the applicable legal sanctions. For those linked to the company, the penalties set out in the contracts and/or in the law as appropriate will be taken into consideration.
Legal sanctions against bribery and corruption are serious and may involve fines and administrative or criminal penalties, such as imprisonment for the persons subject to them, as stipulated by international laws, which provide for prison sentences of 7 to 10 years and/or unlimited fines.
In addition, Sophos Solutions could face serious fines or other criminal penalties for bribery and corrupt activities by third parties. However, Sophos will investigate any activity that violates this Program and, where appropriate, inform the competent authorities of any event of fraud, corruption or bribery and will undertake and accompany the appropriate legal actions, as well as take appropriate disciplinary measures and penalties that may involve even termination of employment, contract or business relationship.
Lack of awareness or inadequate understanding of this policy does not empower its recipients to breach it.
“Sophos Solutions S.A.S. reserves the right to modify this document according to the changes that arise within the company or legal provisions that so determine, it is the duty of the employees, administrators and others linked to know the different updates and changes that are made.”