Process: RISK MANAGEMENT

TRANSPARENCY AND BUSINESS ETHICS PROGRAM

Document No: M-SGC-39
Version: 01
Date: 26/05/2022
Written by: Risk Management Group
DOCUMENT APPROVED BY
            REVIEWED BY                          APPROVED BY
Name        Victor Hugo Riaño Delaossa           Board of Directors
Position    Risk and Compliance Officer Lead     N/A
Date        26/05/2022                           26/05/2022

1. INDEX

2. VERSION HISTORY

Date         Version   Author                    Description
26/05/2022   01        Andrea Catalina Garcia    Creation

3. TITLE 1 TRANSPARENCY AND BUSINESS ETHICS PROGRAM

3.1 COMMITMENT
Sophos Solutions is committed to compliance with the rules aimed at the Prevention of National and Transnational Bribery, adopting policies, procedures and high standards of transparency, honesty, integrity and legality in the fight against Acts of Corruption, through risk management and the strengthening of corporate governance and our corporate principles.

The purpose of the Transparency and Business Ethics Program (TBEP) is to complement the Anti-Bribery and Anti-Corruption Management System and to publicly declare the commitment of Sophos Solutions and its Senior Management to ethical and transparent conduct before their stakeholders and to doing business responsibly, acting under a Zero Tolerance (1) stance toward any situation that runs counter to the fight against Acts of Corruption and Bribery.

The TBEP provides adequate means and tools to prevent, detect and correct situations that have the potential to become a violation of the Anti-Bribery Law.

For this purpose, Sophos Solutions and its subsidiaries undertake to:
  • Manage the risks of fraud, corruption or bribery associated with the business and with third parties, in a strategic and structured way and in line with the established corporate values.
  • Constantly promote an ethical culture for the prevention, detection, investigation and management of fraud, corruption or bribery.
  • Enforce the Anti-Bribery and Anti-Corruption Management System, the Transparency and Business Ethics Program, the Anti-Bribery and Other Forms of Corruption Policy, the Policy on Gifts, Presents, Hospitality and Others, the Conflict of Interest Policy and any other applicable rules or policies.
  • Promote continuous improvement of, and compliance with, the Anti-Bribery and Anti-Corruption Management System in accordance with the international standard ISO 37001 and the applicable legal regulations of each country of operation, in order to prevent damage to the image and reputation of Sophos Solutions.


(1) The Zero Tolerance stance means that it is strictly forbidden to give, offer, promise or accept a payment, an object of value or any benefit such as a bribe, a commission or any other corrupt form of payment, regardless of its amount and of whether it is generated internally or externally, directly or indirectly.
3.2 SCOPE
This Handbook applies to all Sophos collaborators, including those of parent companies and subsidiaries, and to all related parties, interest groups, associates and business partners, understood as customers, partners, contractors, advisers, intermediaries and suppliers, whether domestic or international, and to their equivalents in the countries where the subsidiaries operate; in general, to all those with whom any commercial or contractual relationship is established, directly or indirectly.

It must be disclosed to, and applied immediately and mandatorily by, all third parties linked to the Organization, so that they are in a position to report events of fraud, corruption and/or bribery.
3.3 GUIDING PRINCIPLES ANTI-BRIBERY AND OTHER FORMS OF CORRUPTION
The following Principles serve as guidelines for interpretation in the implementation of all measures and actions aimed at the prevention of bribery and other forms of corruption. Under these Principles, interpretations that seek to give a semblance of legality to conduct or operations classified as contrary to international best practices, such as those described in ISO 37001 and the FCPA, or contrary to the provisions of the Anti-Bribery Act, are not admissible. The Policy is therefore mandatory throughout the Organization.
3.3.1 Principle of morality
In accordance with the principle of morality, all actions to be carried out as a result of compliance with this Policy shall be carried out with fairness, loyalty and honesty towards all levels of the Organization.
3.3.2 Principle of integrity
In accordance with the principle of integrity, all actions to be carried out as a result of the implementation of this Policy, as well as all members of the Organization exercising them, must act under a constant evaluation of the correctness, respect and transparency of all professional interactions carried out in fulfillment of the mission and vision of the Organization.
3.3.3 Consistency principle
In accordance with the principle of consistency, all members of the Organization shall seek to ensure that all their actions in the performance of their duties are consistent with the provisions of this Policy, the Organization’s Code of Ethics, the Business Ethics Program and its corresponding manual, as well as other internal and external rules that may modify the subject matter of these policies.
3.3.4 Efficacy principle
In accordance with the principle of efficacy, all actions to be carried out as a result of compliance with this Policy should be planned sufficiently to achieve the intended results.
3.3.5 Principle of communication
In accordance with the principle of communication, all actions to be carried out as a result of compliance with this Policy, as well as all members of the Organization who exercise them, must emphasize effective, assertive, clear, express and respectful communication, which will allow the continuous improvement of the Organization’s Business Ethics Program.
3.4 DEFINITIONS
Senior Management: The natural or legal persons designated, in accordance with the corporate bylaws or any other internal provision of the Legal Person and with Colombian law, as the case may be, to administer and direct the Legal Person, whether as members of collegiate bodies or individually.

Partners: Natural or legal persons who have contributed money, work or other assets appraisable in money to a company in exchange for quotas, interest shares, shares or any other form of participation provided for in Colombian law.

Compliance Audit: It is the systematic, critical and periodic review regarding the proper implementation of the Anti-Bribery and Anti-Corruption Management System, including the Business Ethics Program and its policies.

Contractor: It refers, in the context of an international business or transaction, to any third party providing services to or having a contractual legal relationship of any nature with a Legal Person. Contractors may include, but are not limited to, suppliers, brokers, agents, distributors, advisers, consultants, and persons who are parties to collaborative or risk-sharing contracts with the Legal Person.

Due Diligence: It refers to the periodic review to be made of the legal, accounting, and financial aspects related to an international business or transaction, the purpose of which is to identify and assess the risks of Transnational Bribery that may affect a Legal Person, its Subordinate Companies and Contractors.

Occupational Fraud: It is an act that an employee, manager, official or owner of a company commits to the detriment of that organization. The three main types of fraud in the workplace are: corruption, misappropriation of assets, and fraudulent statements.

Public Official: Any natural person who holds public office in Colombia in any branch of public power, autonomous body or control body, regardless of whether the office is national, departmental or municipal; of whether the form of election is popular, merit-based or free appointment and removal; of their hierarchy; or of whether Colombian rules call them members of corporations, public employees or official workers. Members of the security forces, individuals who exercise public functions on a permanent or temporary basis, and officials and employees of autonomous bodies such as the Banco de la República or of bodies that collaborate in decentralization, such as Public Notaries and Registration Offices, are likewise considered public officials.

Officer / Compliance Function: The natural person appointed by the Senior Management to lead and administer the Anti-Bribery and Anti-Corruption Management System, including the Business Ethics Program and its policies.

Restrictive Lists: are lists that relate individuals and companies that, according to the agency that publishes them, may be linked to illegal or criminal activities, such as the lists of the United Nations Security Council, OFAC, INTERPOL, National Police, etc.

Compliance Policies: These are the general policies adopted by the Senior Management of a Legal Person to enable the latter to conduct its business in an ethical, transparent and honest manner and to be able to identify, detect, prevent and mitigate the risks associated with Transnational Bribery and other corrupt practices.

Principles: The guidelines that orient the implementation of the Transnational Bribery Risk Management System.

Business Ethics Program: These are the specific procedures under the Compliance Officer, aimed at operationalizing the Compliance Policies, in order to identify, detect, prevent, manage and mitigate the risks of Transnational Bribery, as well as others that relate to any act of corruption that may affect a Legal Person.

Foreign Public Servant: Any person holding a legislative, administrative or judicial office in a State, its political subdivisions or local authorities, or a foreign jurisdiction, regardless of whether the individual has been appointed or elected, any person exercising a public function for a State, its political subdivisions or local authorities, or in a foreign jurisdiction, whether within a public body, or a State enterprise or entity whose decision-making power is subject to the will of the State, its political subdivisions or local authorities, or a foreign jurisdiction.

Anti-Bribery and Anti-Corruption Management System: The system that articulates the Compliance Policies with the interrelated elements of the company that interact to establish policies, objectives and processes, in order to achieve compliance with international regulations and with the Business Ethics Program, as well as their proper implementation in the Legal Person.

Bribery: It is the act of giving, offering, promising, soliciting or receiving any gift or thing of value in exchange for a benefit or any other consideration, or in exchange for performing or omitting an act inherent in a public or private function, regardless of whether the offer, promise, or solicitation is for yourself or a third party, or on behalf of that person or on behalf of a third party.

Transnational Bribery: The act by which a legal person, through its employees, administrators, associates, contractors or subordinate companies, gives, offers or promises to a foreign public servant, directly or indirectly, (i) sums of money, (ii) objects of pecuniary value or (iii) any benefit or advantage, in exchange for that public servant performing, omitting or delaying any act related to his or her functions and in connection with an international business or transaction.

Subordinated Company: A company is subordinated or controlled when its decision-making power is subject to the will of another person or persons, who will be its parent or controller, either directly, in which case it is called an affiliate (filial), or with the assistance of or through the subordinates of the parent, in which case it is called a subsidiary (subsidiaria).

Business Partner: External party with which the organization has, or plans to establish, some kind of commercial or contractual relationship.
3.5 ANTI-BRIBERY AND ANTI-CORRUPTION MANAGEMENT SYSTEM
Sophos Solutions has an Anti-Bribery and Anti-Corruption Management System in which compliance with the rules aimed at the Prevention of National and Transnational Bribery is integrated, adopting policies, procedures and high standards of transparency, honesty, integrity and legality in the fight against Acts of Corruption.

The System is currently composed of:
  • Anti-Bribery and Anti-Corruption Management System Manual
  • Transparency and Business Ethics Program
  • Anti-Bribery and Other Forms of Corruption Policy
  • Policy on Gifts, Presents, Hospitality and Others
  • Conflict of interest policy

In addition, the system is aligned with the internal processes of the company which generates adherence and integration with:
  • Rules of Procedure
  • Code of Ethics
  • Code of Good Governance
  • Petty Cash Policy
  • Purchasing Policy
  • Travel Policy
  • Manual of Reimbursement of Expenses
  • And all policies associated with Commissions and/or Remunerations

Normativity
The Anti-Bribery and Anti-Corruption Management System is based on the good practices of international standards such as ISO 37001, the FCPA and the UK Bribery Act, among others. The applicable regulations are detailed in the system manual.

In addition, to give effect to the Transparency and Business Ethics Program, Sophos Solutions complies with all current legal regulations and relies on the following legal framework:

External Circular 100-000003 of 2016:
Guide for implementing business ethics programs for the prevention of the conduct described in Article 2 of Law 1778 of 2016, which incorporates the Organisation for Economic Co-operation and Development's Good Practice Guidance on Internal Controls, Ethics and Compliance, as well as the guidelines on compliance programs related to the United States Foreign Corrupt Practices Act and the United Kingdom Bribery Act.

External Circular 100-000011 of 2021:
Comprehensive amendment of External Circular No. 100-000003 of 26 July 2016 and addition of Chapter XIII to the Basic Legal Circular of 2017.
3.5.1 Risk identification and assessment
Sophos Solutions has the G-SGC-01 Risk Assessment Guide which establishes assessment guidelines that are proportional to the materiality, size, structure, nature, countries of operation and specific activities of the company.

It also sets out the methodology for identifying, assessing and controlling risks taking into account factors such as country, economic and third-party risks.

Each internal process of the company maintains its own risk matrix and updates it annually, taking into account the changes that have occurred in that process and the implications they may have for the risks of corruption, bribery and transnational bribery.
3.5.2 Due diligence
Sophos Solutions has instructions for Due Diligence, Know Your Customer, Security Studies and Extended Due Diligence, which establish the procedures for getting to know third parties. Their objective is to perform due diligence on certain transactions, projects, activities, business partners, candidates or collaborators of the company, assessing the scope, scale and nature of the risk by obtaining prior knowledge of the counterparty through various validations. This is executed before the counterparty is engaged or the contractual relationship is established, and is updated annually.

It also serves as an additional specific control for the prevention and detection of the risk of corruption, bribery and transnational bribery, and informs the decision of Sophos Solutions on whether to postpone, suspend or review such transactions, projects or relationships with business partners or collaborators (hiring, transfer or promotion).
3.5.3 Gifts, presents, hospitality and others
The company has the PL-SGC-05 Policy on Gifts, Presents, Hospitality and Others, which seeks to protect the good name of Sophos Solutions and of each member of its senior management and its collaborators from becoming involved in a real or potential conflict of interest associated with gifts, presents, hospitality, attentions and the like.

The policy covers:
  • General Rules
  • Reception
  • Grant
  • Charitable Contributions, Donations and Sponsorships
  • Political contributions
  • Internal Benefits

The PL-SGC-05 Policy on Gifts, Presents, Hospitality and Others recognizes that in business, invitations to meals, attentions and, in limited circumstances, modest or symbolic gifts are regarded as courtesies. Examples are merchandising or corporate-branded gifts and hospitality given or received, generally distributed for promotional purposes or during the celebration of a holiday such as Christmas; these must be proportionate and reasonable and in accordance with Sophos policies.

Each time a gift, attention or other benefit is received, it must be reported in writing to the e-mail address funcioncumplimientoaa@sophossolutions.com. This allows proper control of the attentions or other incentives received, in order to safeguard the company against any potential or real risk of corruption, bribery and transnational bribery.
3.5.4 Commissions and/or remuneration policy
Sophos has various methods of extra remuneration for its employees, in order to encourage the fulfillment of goals or the fulfillment of a purpose, without generating undue pressure for the fulfillment of them.

The procedure for each remuneration is documented in:
  • Integrated Performance Management System
  • Compensation for Referrals Recruitment
  • Referral Program for Consultants Associated with Sophos Solutions
  • Model Policy of Talent Attraction Commissions
  • Policies Models Commissions Commercial Area
  • Extralegal Policy Leaders

These extra bonuses are not categorized as bribery, nor can they be used as the means for performing an act that contravenes the laws of Anti-Corruption and Anti-Bribery.
3.5.5 Travel and accommodation costs
Sophos has a single Travel process, which specifies the reasons for which travel and allowances may be granted and the means of making requests, taking into account the relevant approvals.

Sophos prohibits the use of its resources for personal entertainment, the resources are for the exclusive use of the company’s work activities. For further information please refer to the PL-VJS-01 Travel and Accommodation Policy and the M-SGC-20 Cost Reimbursement Manual.
3.5.6 Doubts and concerns
Sophos enables collaborators and any third party to obtain advice from an appropriate person (the Officer/Compliance Function) on what to do when faced with a problem or situation that could involve corruption, bribery or transnational bribery, and ensures that any complaint or report will be kept confidential and properly analyzed.

Any consultation, suspicion or suggestion should be channeled through the communication mechanisms described in the following section.
3.5.7 Channels of communication
Sophos Solutions will treat all complaints with the utmost confidentiality; they will be properly analyzed, and the necessary protection will be provided to those who report in order to prevent reprisal or retaliation. Likewise, whether or not a communication is anonymous, Sophos will take legal measures to protect the confidentiality and anonymity of any complaint made.

The mechanisms established by Sophos for the filing of complaints are:
  • E-mail: lineaetica@sophossolutions.com
  • Website: https://www.sophossolutions.com/canal-etico/

It should also be noted that Sophos Solutions, as a company supervised by the Superintendency of Companies (Superintendencia de Sociedades), promotes the Transnational Bribery Complaints Channel of that Superintendency and the Corruption Complaints Channel of the Transparency Secretariat.

Transnational Bribery Complaints Channel
https://www.supersociedades.gov.co/delegatura_aec/Paginas/Canal-deDenuncias-SobornoInternacional.aspx

Channel of Complaints for Acts of Corruption
http://www.secretariatransparencia.gov.co/observatorio-anticorrupcion/portalanticorrupcion
3.6 ROLES AND RESPONSIBILITIES
Sophos Solutions makes the following allocation of responsibilities according to applicable regulations:
3.6.1 Board of Directors
The Board of Directors as the highest body must demonstrate its leadership and commitment to the Transparency and Business Ethics Program through:
  1. Issue and define the Transparency and Business Ethics Program.
  2. Define the Compliance Officer profile in accordance with the Compliance Policy.
  3. Appoint the Compliance Officer.
  4. Approve the document under the TBEP.
  5. Undertake a commitment aimed at preventing the risks of corruption and transnational bribery, so that the Obliged Entity can conduct its business ethically, transparently and honestly.
  6. Ensure the provision of the economic, human and technological resources required by the Compliance Officer for the performance of his or her work.
  7. Order appropriate actions against Associates, who have management and administration functions in the Obliged Entity, Employees, and administrators, when any of the above violates the provisions of the TBEP.
  8. Lead an appropriate communication and pedagogy strategy to ensure effective dissemination and knowledge of Compliance and TBEP Policies to Employees, Partners, Contractors and other identified stakeholders.
  9. Fulfil the explicit functions assigned to it by the Anti-Bribery and Anti-Corruption Management System.
3.6.2 Legal Representative
The Legal Representative is responsible for the following:
  1. Submit the proposal of the TBEP with the Compliance Officer for approval by the board of directors or the highest social body.
  2. Ensure that the TBEP is articulated with the Compliance Policies adopted by the board of directors or the highest social body.
  3. Provide effective, efficient, and timely support to the Compliance Officer in the design, direction, supervision, and monitoring of the TBEP.
  4. In cases where there is no board of directors, the legal representative shall propose the person who will serve as the Compliance Officer for appointment by the highest social body.
  5. Certify to the Superintendency of Companies compliance with the provisions of this Chapter (Chapter XIII of the Basic Legal Circular), when required by that Superintendency.
  6. To ensure that activities resulting from the development of the TBEP are duly documented, so that information is allowed to meet criteria of integrity, reliability, availability, compliance, effectiveness, efficiency, and confidentiality. Documentary material must be kept in accordance with the provisions of article 28 of Law 962 of 2005, or the rule amending or replacing it.
3.6.3 Officer / Compliance Function
The Board of Directors appoints the Officer/Compliance Function with responsibility and authority to:
  1. Present with the legal representative, for approval of the board of directors, the proposal of the TBEP.
  2. Submit reports to the board of directors at least once a year.
  3. To ensure the proper coordination of compliance policies with the Corporate Ethics Program and to submit to the senior management, at least every three months, reports on its management as Compliance Officer.
  4. Ensure that the TBEP is articulated with the Compliance Policies adopted by the board of directors.
  5. Ensure effective, efficient, and timely compliance with the TBEP.
  6. Implement a Risk Matrix and update it according to the specific needs of the Obliged Entity, its Risk Factors, the materiality of the C/ST Risk and in accordance with the Compliance Policy
  7. Define, adopt, and monitor actions and tools for C/ST Risk detection, in accordance with the Compliance Policy to Prevent C/ST Risk and the Risk Matrix
  8. Ensure the implementation of appropriate channels to allow anyone to report, confidentially and securely, breaches of the TBEP and possible suspicious activities related to Corruption
  9. Verify the proper application of whistleblower protection.
  10. Establish internal investigation procedures to detect violations of the TBEP and acts of corruption.
  11. Coordinate the development of internal training programs
  12. Verify compliance with due diligence procedures
  13. Ensure adequate archiving of documentary media and other information relating to the management and prevention of C/ST Risk.
  14. Design the methodologies for classification, identification, measurement, and control of C/ST Risk that will be part of the TBEP.
  15. Perform the assessment of compliance with the TBEP and C/ST Risk
  16. Fulfil, without limitation, the explicit responsibilities assigned by the Anti-Bribery and Anti-Corruption Management System.
3.6.4 Statutory Auditor

The statutory auditor shall report to the competent authorities any acts of corruption that he or she becomes aware of in the course of his or her duties. Article 32 of Law 1778 of 2016, which adds paragraph 5 to Article 26 of Law 43 of 1990, imposes on statutory auditors the express obligation to report to the criminal, disciplinary and administrative authorities the alleged commission of offenses detected in the exercise of their office, notwithstanding professional secrecy, in the following terms:

“Statutory auditors shall be required to report to the criminal, disciplinary and administrative authorities acts of corruption, as well as the alleged commission of an offense against the public administration, an offense against the economic and social order, or an offense against economic assets, which they have detected in the exercise of their office. They must also bring these facts to the attention of the corporate bodies and the administration of the company. Complaints must be lodged within six months of the date on which the statutory auditor became aware of the facts. For the purposes of this Article, the professional secrecy regime applicable to statutory auditors shall not apply.”

3.6.5 Collaborators
Any person linked to Sophos Solutions shall:
  1. Comply with the policies, procedures and guidelines of the Anti-Bribery and Anti-Corruption System, in order to prevent, detect, investigate, and correct fraud, corruption and/or bribery events.
  2. Promote ethical culture within and outside the company, in order to prevent fraud, corruption and/or bribery.
  3. Support the identification and treatment of anti-bribery and anti-corruption risks associated with their process.
  4. Immediately report any suspected violation of the Anti-Bribery and Anti-Corruption Laws, the Code of Ethics, Policy, or any behavior, potential or existing, illegal or immoral that they have knowledge of.
  5. Report any illegal event, or any event that offers a financial or non-financial advantage.
  6. Report any attentions, gifts or hospitality given to or received from a third party.
  7. Contribute to the continuous improvement against the Anti-Bribery and Anti-Corruption System.
3.7 COMPLIANCE OFFICER
Given the complexity of analyzing all the variables involved in mitigating the risk of Corruption and Transnational Bribery (C/ST), Sophos recognizes the importance of designating a compliance function or compliance officer with the suitability, experience and leadership needed to manage such risks and any other risk related to an act of corruption.

The following requirements are also taken into account for the designation of the Compliance Officer
  • Have the ability to make decisions to manage C/ST Risk and have direct communication with, and report directly to, the board of directors.
  • Have sufficient knowledge of C/ST Risk management and understand the ordinary course of Sophos activities.
  • Have the support of a team of human and technical work, according to the C/ST Risk and the size of the Company.
  • Not be part of the administration or the corporate bodies, nor be the statutory auditor or perform similar functions at Sophos.
  • Do not serve as a Principal or Alternate Compliance Officer in more than ten (10) Companies.
  • Where there is a business group or a declared control situation, the Compliance Officer of the parent or controller may be the same person for all the companies that make up the group or conglomerate, irrespective of the number of companies that make up the group or conglomerate.
  • Be domiciled in Colombia.

Accordingly, the Officer/Compliance function role will be responsible for the implementation of this manual and will have designated functions of:
  1. To ensure the proper coordination of compliance policies with the Corporate Ethics Program and to submit to the senior management, at least every three months, reports on its management as Compliance Officer.
  2. Lead the structuring of the Business Ethics Program, which should be contained in a Compliance Manual, the content of which will be mandatory for all administrators, employees, and associates.
  3. Lead regular risk assessment activities for Transnational Bribery. Such processes may be carried out with Partners selected by the Compliance Officer or even through third parties contracted by Sophos for such purposes.
  4. Delegate to other officials, if authorized by the Senior Management, the administration of the Transnational Bribery Risk Management System in those subordinate companies that are domiciled outside the country. In any case, the Compliance Officer shall be considered to be the highest authority in the field of transnational bribery risk management at Sophos Solutions and its subordinate companies.
  5. Inform the company’s administrators of any violations committed by any Employee in respect of the Business Ethics Program, so that the corresponding sanction procedures are carried out in accordance with the internal working rules
  6. Facilitate the constant training of Collaborators in the prevention of Corruption, Bribery and Transnational Bribery.
  7. Provide ongoing support and guidance to Partners and associates in the implementation of the Business Ethics Program.
  8. Manage the system to receive complaints from anyone regarding a case of Transnational Bribery or any other corrupt practice.
  9. Establish internal investigation procedures, through the use of its own human and technological resources or through third parties specialized in these matters, when it is suspected that a violation of Law 1778 or the Business Ethics Program has been committed.
  10. Fulfil the explicit functions assigned by the Anti-Bribery and Anti-Corruption Management System.
3.8 RELATIONSHIP OR TREATMENT WITH THIRD PARTIES
All collaborators and third parties acting on behalf of Sophos are prohibited from negotiating, receiving, offering, promising, paying, providing or authorizing (directly or indirectly) bribes, undue advantages, payments, gifts, travel, the transfer of any Kind of Value to any person, whether public official or not, to influence or reward any action, omission, favorable treatment or decision of such person for the benefit of Sophos.

Anti-corruption and anti-bribery laws penalize those who pay bribes and those who act to facilitate the payment of bribes; that is, they apply to any individual who:
  • Approves payment of the bribe.
  • Provides or accepts fraudulently issued invoices.
  • Relays instructions for the payment of the bribe.
  • Conceals the payment of the bribe.
  • Cooperates with the payment of the bribe.

Sophos prohibits the offer, promise, authorization, payment, receipt and performance of Bribery. The facilitation payment, which under the FCPA is a payment made to expedite routine governmental actions, is an exception handled solely by Migration Management, under the procedure stipulated in that area's policies.
No person shall suffer reprisal, reprimand or penalty for loss of business resulting from declining to pay or receive a bribe.

The payment of bribes to contractors and suppliers in the name of Sophos is prohibited. Sophos also refuses to do business with third parties whose reputation and integrity are in question, and does not admit, under any circumstances, that a third party exercise any kind of inappropriate influence for the benefit of the company over any person, whether a public official or not. To this end, due diligence is performed on each third party to check its background.

Moreover, all contracts entered into with national or international legal or natural persons should include Anti-Bribery and Anti-Corruption Clauses binding on both parties, to ensure compliance with anti-corruption laws and, therefore, acceptance of the sanctions that may arise from their non-compliance.

All purchasing processes must be conducted on the basis of merit and respect for rules and policies, and not through the improper use of influence over any person, whether public official or not. No collaborator or third party acting on behalf of Sophos may receive or offer any kind of gift, present, advantage, benefit or care, from or for any person, natural or legal, whether public official or not.

Finally, merger operations, purchases of assets, shares, quotas or interests, or any other corporate restructuring procedure in which the company participates as a potential acquirer will be evaluated by the board of directors, and due diligence will be carried out aimed at identifying liabilities and contingencies related to possible acts of Transnational Bribery.
3.9 WARNING SIGNS
To ensure compliance with this policy, collaborators and third parties should be alert to warning signs that may indicate that undue benefits or payments are occurring. Warning signs are not necessarily evidence of fraud, bribery, or corruption; however, they raise suspicions that must be verified through investigation.

The following warning signs are taken from Circular 100-000011 of 9 August 2021 of the Superintendency of Societies; they do not limit or exclude those mentioned in the Anti-Bribery and Other Forms of Corruption Policy.
  1. In the analysis of accounting records, transactions, or financial statements:
    1. Invoices that appear to be false or do not reflect the reality of a transaction or are inflated and contain excess discounts or rebates.
    2. Overseas operations whose contractual terms are highly sophisticated.
    3. Transfer of funds to countries considered as tax havens.
    4. Transactions that do not have a logical, economic, or practical explanation.
    5. Operations that are out of the ordinary course of business.
    6. Transactions in which the identity of the parties or the origin of the funds is unclear.
    7. Goods or rights, included in the financial statements, that have no actual value or that do not exist.

  2. In the corporate structure or corporate purpose:
    1. Complex or international legal structures with no apparent commercial, legal or tax benefit, or ownership and control of a legal entity with no commercial objective, particularly if located abroad.
    2. Legal entities with structures in which there are national trusts or foreign trusts, or non-profit foundations.
    3. Legal entities with offshore entities or offshore bank accounts structures.
    4. Non-operating companies within the meaning of Law 1955 of 2019 or that by the conduct of business may be considered as shell entities, that is, they reasonably do not fulfill any commercial purpose.
    5. Companies declared as fictitious suppliers by DIAN.
    6. Legal entities where the Final Beneficiary is not identified.

  3. In the analysis of transactions or contracts:
    1. Frequent resort to consultancy contracts, brokerage and joint ventures.
    2. Contracts with Contractors or State entities that appear to be lawful but do not reflect precise, mandatory contractual obligations.
    3. Contracts with Contractors providing services to a single customer.
    4. Unusual gains or losses in contracts with contractors or state entities or significant changes without commercial justification.
    5. Contracts containing variable remuneration that is unreasonable, or that provide for payments in cash, in Virtual Assets or in kind.
    6. Payments to PEPs or people close to PEPs.
    7. Payments to related parties (Associates, Employees, Subordinated Companies, branches, etc.) without apparent justification.
3.10 DISCLOSURE OF COMPLIANCE POLICIES
Awareness-raising and training
Sophos Solutions facilitates awareness raising and appropriate anti-bribery and anti-corruption training for all partners, through various activities.

The training covers the following topics:
  1. The Anti-Bribery and Anti-Corruption Management System, the Transparency and Business Ethics Program, the Anti-Bribery and Other Forms of Corruption Policy, the Gift, Presents, Hospitality and Other Policy, the procedures, and their duty to comply with them
  2. The risks of bribery, corruption and fraud and the harm that may result from bribery, corruption, and fraud to them and to the company
  3. The circumstances in which bribery, corruption and fraud may occur in relation to their functions, and how to recognize these circumstances
  4. How to recognize and respond to requests or offers for bribes
  5. How they can help prevent and avoid bribery, corruption and fraud and recognize risk indicators of bribery, corruption and fraud
  6. Their contribution to the effectiveness of the Anti-Bribery and Anti-Corruption Management System, including the benefits of improved anti-bribery and anti-corruption performance and of reporting any suspected acts of bribery, corruption, and fraud
  7. The implications and potential consequences of non-compliance with the requirements of the Anti-Bribery and Anti-Corruption Management System and policies
  8. How and to whom they should report any concerns
  9. Information on training and available resources

Taking into account the identified risks of fraud and bribery, Sophos implements procedures that provide for anti-bribery awareness and training of business partners acting on behalf of or for the benefit of the company, and establishes a dedicated communications plan for the Anti-Bribery and Anti-Corruption Management System, documented in the Anti-Bribery and Anti-Corruption Management System Communications Plan and in the Annual Internal Communications Plan, which is updated annually.

Communication
Sophos Solutions will make the relevant internal and external communications of the Anti-Bribery and Anti-Corruption Management System, taking into account:
  1. What to communicate
  2. When to communicate
  3. To whom to communicate
  4. How to communicate
  5. Who communicates
  6. In what language to communicate

In addition, Sophos makes available to all staff of the organization and to business partners the Transparency and Business Ethics Program, the Anti-Bribery and Other Forms of Corruption Policy, the Gift, Presents, Hospitalities and Others Policy, and the applicable anti-corruption and anti-bribery laws, which are published through external communication channels such as the website and through the internal communication channel, the Quality Management System, under Strategic Policies.

All information regarding communications will be stipulated in the Anti-Bribery and Anti-Corruption Management System Communications Plan and the Annual Internal Communications Plan.
3.11 DOCUMENTED INFORMATION
The Anti-Bribery and Anti-Corruption Management System includes:
  1. The documented information required by ISO 37001
  2. The documented information required by the current legal regulations (Law, Circular)
  3. Documented information demonstrating that the bribery risk assessment has been carried out, and has been used to design or improve the Anti-Bribery and Anti-Corruption Management System
  4. Documented information on the objectives of the Anti-Bribery and Anti-Corruption Management System.
  5. The documented information that the organization determines is necessary for the effectiveness of the Anti-Bribery and Anti-Corruption Management System

Creating and Updating
When creating and updating documented information, Sophos ensures, through the Quality System, the appropriate:
  1. Identification and description
  2. Format
  3. Review and approval with respect to suitability and adequacy.

The Handbook will be updated whenever changes in the company’s activity occur that alter or may alter the degree of risk of Corruption, Bribery and Transnational Bribery or at least every two (2) years.
Control of documented information
The documented information required by the Anti-Bribery and Anti-Corruption Management System is controlled, in compliance with the Quality Management and Information Security System, to ensure that it:
  1. Is available and suitable for use, where and when needed
  2. Is adequately protected

In addition, the documents and records that evidence compliance with the policies, guidelines, procedures and controls related to the Anti-Bribery and Anti-Corruption Management System are retained and protected for the legally required period, under the standards established by the company.

All transactions shall be recorded in a complete, accurate, approved and detailed manner so that the purpose and amount of the transactions are clear. It is the duty of Sophos and its Collaborators to maintain books, records and accounts reflecting, in a detailed, accurate and correct manner, all transactions. To combat corruption, it is important that transactions are transparent, fully documented and classified into accounts that accurately and fully reflect their nature.

All transactions must be fully recorded, with the correct accounting classification, the respective approval and sufficient detail, so that the purpose and amount of each transaction is clear. It is prohibited to establish hidden or undeclared funds or assets of Sophos for any purpose. False, deceptive, or artificial records should never be entered into the books and records, regardless of the reason for them.
3.12 CONTROL AND MONITORING
As the nature and volume of the international business and transactions that Sophos Solutions performs change, so will its exposure to the risks of Corruption and Bribery. Therefore, the suitability and effectiveness of the Anti-Bribery and Anti-Corruption Management System will be continuously and regularly assessed through different methods, such as internal and compliance audits, due diligence procedures, supervision by the Compliance Officer/Function and management review, taking into account legislative and regulatory changes occurring in the different countries where Sophos currently operates or in which it wishes to venture.

Audit and monitoring
Sophos will periodically conduct reviews to assess compliance with applicable anti-corruption, anti-bribery laws, as well as this handbook and the Policies concerned.

The organization must conduct internal audits at planned intervals to provide information on whether the Anti-Bribery and Anti-Corruption Management System:
  1. Conforms to:
    • The organization’s own requirements.
    • The requirements of ISO 37001.
    • Law 1778 of 2016 and its respective updates.
    • External Circular 100-00003 of 2016 and the regulations it applies.
  2. Is effectively implemented and maintained

Sophos Solutions shall:
  1. Plan, establish, implement and maintain one or more audit programs including frequency, methods, responsibilities, planning requirements and reporting, which should take into account the importance of the processes involved, and the results of previous audits.
  2. Define audit criteria and scope for each audit.
  3. Select the competent auditors and carry out audits to ensure the objectivity and impartiality of the audit process.
  4. Ensure that audit results are reported to the relevant management, relevant management levels, the Anti-Bribery and Anti-Corruption Compliance Function, senior management and, where appropriate, the governing body.
  5. Retain documented information as evidence of the implementation of the audit program and audit results.

Such audits should be reasonable, proportionate, and risk based. These audits should consist of internal audit processes or other procedures that review procedures, controls, and systems to detect:
  1. Bribery, Corruption, Fraud or suspected Bribery
  2. Violation of the requirements of the Anti-Bribery and Other Forms of Corruption Policy or the Anti-Bribery and Anti-Corruption Management System
  3. Failure of business partners to comply with the applicable anti-bribery requirements of the organization
  4. Weaknesses or opportunities for improvement in the Anti-Bribery and Anti-Corruption Management System

To ensure the objectivity and impartiality of these audit programs, the organization should ensure that these audits are carried out by:
  1. An independent function or by personnel established or designated for this process
  2. The Anti-Bribery and Anti-Corruption Compliance Officer/Function (unless the scope of the audit includes an assessment of the Anti-Bribery and Anti-Corruption Management System itself, or similar work for which the Officer/Anti-Bribery and Anti-Corruption Compliance Function is responsible)
  3. An appropriate person in a department or function other than the one being audited.
  4. An appropriate third party.

The organization must ensure that no auditor is auditing its own area of work and, furthermore, that the control and audit system, as determined by Article 207 of the Commercial Code and the applicable accounting rules, allows the statutory auditor to verify the fidelity of the accounts and to ensure that in transfers of money or other property occurring between Sophos and its subsidiaries, no direct or indirect payments related to bribes or other corrupt conduct are hidden.
3.13 PENALTIES
Sophos Solutions considers as SERIOUS MISCONDUCT the non-compliance with the Anti-Bribery and Anti-Corruption Management System, the Transparency and Business Ethics Program, the Anti-Bribery and Other Forms of Corruption Policy, the Gift, Presents, Hospitalities and Others Policy, the failure or non-compliance with the Code of Ethics, the Internal Labor Regulations, the Employment Contract and any of the controls, information handling or other guidelines defined here for the prevention, detection and control of activities that would be contrary to the fight against Bribery and Corruption, without prejudice to the applicable legal sanctions. As a result, such conduct constitutes a serious infringement and non-fulfilment of the employee’s duties towards the Company, for which the Company will take disciplinary and/or legal action as the case may be.

In the case of Sophos collaborators, the penalty procedure to be followed is that determined in the section “SCALE OF DISCIPLINARY MISDEMEANORS AND PENALTIES” of the Internal Labor Regulations, without prejudice to the applicable legal sanctions. For those linked to the company, the penalties set out in the contracts and/or in the law as appropriate will be taken into consideration.

Legal sanctions against bribery and corruption are serious and may involve fines, administrative or criminal penalties, such as imprisonment for the persons involved, as stipulated by international laws that provide for prison sentences of 7 to 10 years and/or unlimited fines.

In addition, Sophos Solutions could face serious fines or other criminal penalties for bribery and corrupt activities by third parties. In any event, Sophos will investigate any activity that violates this Program and, where appropriate, inform the competent authorities of any event of fraud, corruption or bribery, undertake and accompany the appropriate legal actions, and take appropriate disciplinary measures and penalties, which may include termination of employment, contract or business relationship.

Lack of awareness or inadequate understanding of this policy does not empower its recipients to breach it.

“Sophos Solutions S.A.S. reserves the right to modify this document according to the changes that arise within the company or the legal provisions that so determine; it is the duty of employees, administrators and other linked persons to know the different updates and changes that are made.”