CPCA Polices and Requirements v1.2 July 6 2022

Uploaded by

Arthur Dantas

Cisco Partner Compliance Assessment

(CPCA)

Policies & Requirements


Version 1.2

July 6th, 2022

© 2022 Cisco and/or its affiliates. All rights reserved. This document is Cisco Confidential. For Channel Partner use only. Not for distribution
CISCO CONFIDENTIAL

Table of Contents

1 The Cisco Partner Compliance Assessment
2 Scope of the Cisco Partner Compliance Assessment
3 Cisco CPCA Process
3.1 Cisco Notification
3.2 CPCA Readiness Review
3.3 CPCA Audit
3.4 Decision
4 Process Activities and Estimated Timeline
5 Three-Year Renewal Cycle
6 Exceptions for ISO 37001 certified Partners
7 Regional / Multi-National Partners
8 Role of Audit Participants During Audit
8.1 Partner
8.2 NSF Auditor
8.3 Cisco Representative
9 Fees
9.1 First Cycle
9.2 Reschedule and Cancellation Fee
10 CPCA Consulting
11 Complaints, Appeals & Disputes
12 Cisco Partner Compliance Assessment Requirements
13 Revision History


1 The Cisco Partner Compliance Assessment


As part of Cisco's commitment to compliant channel management, we continuously evaluate processes
to ensure our business relationships are well managed and honored contractually by both Cisco and
our partners. To ensure our continued success is founded on ethical business conduct and compliance
with the applicable contractual, legal, and regulatory requirements, Cisco has launched the Cisco
Partner Compliance Assessment (CPCA).

2 Scope of the Cisco Partner Compliance Assessment


Cisco expects and requires that all its suppliers, subcontractors, resellers or channel partners,
consultants, agents, and other parties with whom Cisco does business (Business Partners) act at all
times in a professional and ethical manner in conducting their services and contractual obligations with
Cisco, or on Cisco's behalf to a Cisco customer or other third party.

Bribery is a common form of corruption. Cisco defines a bribe as "anything of value" such as gift cards,
home repairs, tickets to a theater or sporting event, guest passes to a private club, a no-bid contract, a
summer job for a teenage family member, free limo/courtesy car service rides, and more, when given to
obtain an improper advantage. Just offering a bribe is a violation, even if the transfer of the item of value
does not occur or the purpose of the bribe is not fulfilled.

Besides bribery, this document applies to other forms of corrupt practice such as fraud, anti-trust,
anti-competition, money-laundering, misrepresentation for the purpose of cheating others, material
omission/failure to disclose where a duty of loyalty exists, unethical and dishonest behaviors, etc. This
also includes improperly gaining from or taking advantage of, or helping others to gain from, Cisco
programs, discounts, rebates, incentives, and rewards for anything other than their intended purposes.


3 Cisco CPCA Process

[Figure: CPCA process flow]
1. Cisco: Notify Partner of PCA
2. Cisco: Provide Partner's contact details and sample orders to NSF
3. NSF: Contact Partner to arrange Readiness Review
4. NSF: Schedule and conduct the Readiness Review
5. NSF: Contact Partner to arrange Audit
6. NSF: Conduct the Audit
7. NSF: Provide summary to Partner and final report to Cisco
8. Cisco: Notify Partner of CPCA result

3.1 Cisco Notification

Cisco identifies Partner for the Cisco CPCA and notifies the Partner. Partner's contact information will
be handed to NSF (Cisco appointed third-party auditing company).

3.2 CPCA Readiness Review

NSF will arrange with the Partner for a Readiness Review.

The Readiness Review is a consultative exercise designed to help Partner evaluate their level of
compliance and readiness with the Cisco CPCA requirements. An NSF consultant evaluates the
Partner's system against each CPCA requirement, identifies gaps, provides feedback and guidance to
close these gaps, and recommends opportunities for improvement. Partner receives a CPCA Readiness
Review report identifying the gaps compared to the CPCA requirements, with recommendations on
closing these gaps, if any exist.

The Readiness Review is a 6-8 hour session conducted remotely.

3.3 CPCA Audit

The Audit must be conducted no later than 6 months from the Readiness Review. NSF will contact
Partner to arrange a mutually agreed date for the audit. Once the date is confirmed, NSF will send the
Audit Confirmation to the Partner.


NSF Auditor will conduct the audit remotely via Cisco Webex remote conferencing tool provided by NSF.
The duration of the audit is 6-8 hours.

The audit will seek objective evidence of compliance with Cisco CPCA requirements. Partner must
provide evidence that may include, but is not limited to:

▪ Processes and procedures
▪ Documentation
▪ Demonstration

All information or documentation provided to the NSF auditor is considered "confidential information,"
as defined in a nondisclosure agreement (NDA) signed by Cisco's third-party auditors and will be treated
accordingly by Cisco and the NSF auditors.

At the end of the audit, the Auditor will provide a verbal summary of findings. A written Audit Summary
Report will be provided to the Partner within 24 hours. The Audit Summary will include the following,
among other things:

▪ Partner's Strengths
▪ Opportunities for Improvement
▪ Action Items, if any

If there are any open action items, the Partner will be given an opportunity to provide written evidence
of closure to the Auditor within five business days after completion of the audit. The Auditor will submit
the Audit Final Report to Cisco Partner Compliance Team within five business days of receiving the
Partner's response.

3.4 Decision

Cisco Partner Compliance Team will make the decision on qualification after reviewing the Audit Final
Report. The decision will be communicated to the Partner. There are two possible outcomes:

▪ Pass – Partner met the intent of the Partner Compliance Audit requirements.

▪ Declined & Revisit – Partner did not meet the intent of the Partner Compliance Audit and
therefore did not pass. Due to the non-fulfillment of the assessment requirements, Partner will
be put on a "Get Well" plan to close action items, revisit the recommendations from the
Readiness Review and improve their anti-corruption management system accordingly. The "Get
Well" plan must be completed within 90 days, after which NSF will re-audit the Partner.

Re-audit means a remote revisit conducted by an NSF Auditor to ensure the action item(s) is
satisfactorily closed out. The revisit may be partial or in full, and Cisco Partner Compliance
Team will decide the scope and extent of the revisit.

During the "Get Well" period, any partner rebates will be placed on hold until all PCA
requirements have been successfully met.


Cisco's decision is final. Should Partner wish to appeal against the decision, they may do so
within ten (10) business days of receiving the decision from Cisco. Please refer to the
Complaints, Appeals, and Disputes section for more details.

4 Process Activities and Estimated Timeline

Phase | Activity | Responsible | Timeline (business day)
Readiness Review | 1st contact to Partner for Readiness Review date after receiving Partner's contact information from Cisco | NSF | 2
Readiness Review | Schedule and confirm Readiness Review date (Note – the Readiness Review must be conducted within 20 days) | NSF | 5-20
Readiness Review | Conduct Readiness Review remotely | NSF | 1
Readiness Review | Provide Readiness Review report to the Partner | NSF | 2
Audit | Schedule and confirm audit date | NSF | 5-20
Audit | Conduct audit remotely (Note – the Audit must be conducted no later than 6 months from the Readiness Review) | NSF | 1
Audit | Provide Audit Summary Report to Partner | NSF | 1
Audit | Provide open Action Item responses to Auditor if any | Partner | 5
Audit | Provide Audit Final Report to Cisco | NSF | 5
Decision | Review report and decide on results. | Cisco | 20


5 Three-Year Renewal Cycle


Partners will be contacted by NSF for an initial audit and for the renewal upon the third-anniversary date.
Partners are required to go through the full audit every three years. If the Partner does not respond to
the request from NSF, including all required documentation before the 30th day past their third-
anniversary date (third-anniversary date +30 days), they will be removed from the assessment.

To maintain status, the renewal audit must be conducted no later than 60 days after the Partner's first
CPCA anniversary date (third-anniversary date+60).

6 Exceptions for ISO 37001 certified Partners


For Partners who hold a valid ISO 37001 certification by an independent registrar/certification body, the
following CPCA requirements will be waived:

Section | Requirement | Description
2 Anti-Corruption Policy and Objectives | 2.1 | Anti-Corruption Policy
2 Anti-Corruption Policy and Objectives | 2.2 | Anti-Corruption Objectives
3 Anti-Corruption Governing Body, Compliance Function and Roles, and Responsibilities | 3.1 | Anti-Corruption Governance Body
3 Anti-Corruption Governing Body, Compliance Function and Roles, and Responsibilities | 3.2 | Anti-Corruption Compliance Function
3 Anti-Corruption Governing Body, Compliance Function and Roles, and Responsibilities | 3.3 | Roles and Responsibilities
5 Anti-Corruption Code of Conduct and Controls | 5.1 | Anti-Corruption Code of Conduct
5 Anti-Corruption Code of Conduct and Controls | 5.3 | Financial Controls
5 Anti-Corruption Code of Conduct and Controls | 5.4 | Non-financial Controls
6 Communication, Awareness, and Training | 6.1 | New staff onboarding Anti-Corruption Awareness and Training
6 Communication, Awareness, and Training | 6.2 | Ongoing Anti-Corruption Communication, Awareness and Training
7 Employment Process | 7.1 | Employment Condition
7 Employment Process | 7.2 | Employee Protection
7 Employment Process | 7.3 | Due Diligence on Personnel
8 Reporting, Investigating and Dealing with Corruption | 8.1 | Corruption Reporting System (Whistleblowing)
8 Reporting, Investigating and Dealing with Corruption | 8.2 | Investigation and Dealing with Corruption
9 Monitoring and Review | 9.1 | Anti-Corruption Governance Body Review

Partner must provide the ISO 37001 certificate during the audit. The certificate must be issued to the
Partner (same name and location); or if it is a group certification, must include the Partner (specific name
and location).

Partner must still go through the CPCA process described in section 3, including the Readiness Review
and Audit.

7 Global / Regional / Multi-Countries Partners


Global/Regional/Multi-Countries Partners may opt for the Regional/Multi-National assessment model.
The following conditions apply:

▪ The Parent (headquarter) and affiliated country must adopt a common and unified corporate
anti-corruption practice.
▪ The Parent country must undergo a full CPCA audit (exceptions for ISO 37001 certification
apply, refer to conditions in section 6).
▪ The affiliated country must undergo a partial CPCA audit as outlined below (exceptions for ISO
37001 certification apply, refer to conditions in section 6) and must be conducted within 90 days
of the last full CPCA audit of the Parent country. Otherwise, the affiliated country will be audited
as a separate and independent entity. For affiliated country undergoing a partial CPCA audit,
evidence of implementation and output of processes will be assessed.

Section | Requirement | Description | Audit: Parent | Audit: Affiliated
1 Partner Overview & Practice | 1.1 | Partner Overview | ● | ●
2 Anti-Corruption Policy and Objectives | 2.1 | Anti-Corruption Policy | ● |
2 Anti-Corruption Policy and Objectives | 2.2 | Anti-Corruption Objectives | ● | ●
2 Anti-Corruption Policy and Objectives | 2.3 | Cisco Global Anti-Corruption Policy | ● | ●
3 Anti-Corruption Governing Body, Compliance Function and Roles, and Responsibilities | 3.1 | Anti-Corruption Governance Body | ● |
3 Anti-Corruption Governing Body, Compliance Function and Roles, and Responsibilities | 3.2 | Anti-Corruption Compliance Function | ● |
3 Anti-Corruption Governing Body, Compliance Function and Roles, and Responsibilities | 3.3 | Roles and Responsibilities | ● |
4 Corruption Risk Assessment | 4.1 | Corruption Risk Assessment of Business Associates | ● | ●
4 Corruption Risk Assessment | 4.2 | Corruption Risk Assessment of Partner's Personnel | ● | ●
4 Corruption Risk Assessment | 4.3 | Corruption Risk Assessment for Specific Categories of projects, Commitments and Activities, or Transactions | ● | ●
4 Corruption Risk Assessment | 4.4 | Review of Corruption Risk Assessment, Control and Mitigation Measures and Effectiveness | ● | ●
5 Anti-Corruption Code of Conduct and Controls | 5.1 | Anti-Corruption Code of Conduct | ● |
5 Anti-Corruption Code of Conduct and Controls | 5.2 | Gifts, Entertainment, Donations, Facilitation Payment, and Similar Benefits | ● |
5 Anti-Corruption Code of Conduct and Controls | 5.3 | Financial Controls | ● |
5 Anti-Corruption Code of Conduct and Controls | 5.4 | Non-financial Controls | ● |
5 Anti-Corruption Code of Conduct and Controls | 5.5 | Compliance with Cisco's terms of the contract on discounts, incentives, grants, and rebate | ● | ●
5 Anti-Corruption Code of Conduct and Controls | 5.6 | Compliance with Cisco's Anti-Corruption Controls on Third Party | ● | ●
6 Communication, Awareness, and Training | 6.1 | New staff onboarding Anti-Corruption Awareness and Training | ● | ●
6 Communication, Awareness, and Training | 6.2 | Ongoing Anti-Corruption Communication, Awareness and Training | ● | ●
7 Employment Process | 7.1 | Employment Condition | ● |
7 Employment Process | 7.2 | Employee Protection | ● |
7 Employment Process | 7.3 | Due Diligence on Personnel | ● |
7 Employment Process | 7.4 | Performance, Promotion, Compensation, Bonus, and Incentives | ● |
8 Reporting, Investigating and Dealing with Corruption | 8.1 | Corruption Reporting System (Whistleblowing) | ● |
8 Reporting, Investigating and Dealing with Corruption | 8.2 | Investigation and Dealing with Corruption | ● | ●
9 Monitoring and Review | 9.1 | Anti-Corruption Governance Body Review | ● | ●

8 Role of Audit Participants During Audit

8.1 Partner

Before the audit, the Partner is expected to review all the assessment requirements. On the day of the
audit, the Partner must organize the required resources and be prepared to provide evidence,
documentation, and demonstration as required by this CPCA Policies & Requirements Document.

8.2 NSF Auditor

NSF Auditor manages the audit process. During the audit, the Auditor will verify whether the Partner
complies with the spirit and intent of all assessment requirements and compile an audit report describing
the extent of compliance with each requirement. The Auditor will then submit the report and supporting
documents to the Cisco Partner Compliance Team, who will determine whether or not the Partner meets
the assessment requirements. All information or documentation provided to the Auditor is considered
"confidential information," as defined in a nondisclosure agreement (NDA) signed by NSF's auditors.

8.3 Cisco Representative

The Cisco Representative is optional at the audit. If present, Cisco Representative must be fully engaged
throughout the duration. It is the responsibility of the Cisco Representative to address any business
issues during the audit session.

9 Fees

9.1 First Cycle

For Partners notified of the assessment, Cisco will fund the fee for the first cycle, which includes a
Readiness Review and the audit. Any reschedule and cancellation fees will be paid by the Partner.


9.2 Reschedule and Cancellation Fee

Reschedule and cancellation fees take effect once the readiness review or the audit date is officially
confirmed, and NSF has sent the confirmation email. Partner must submit reschedule or cancellation
request to [email protected]. NSF will reschedule after the Partner has paid the reschedule
fees (see fee chart below).

Reschedule and Cancellation Fee

More than 15 calendar days | 15 to 11 calendar days | Less than 10 calendar days
$750 | $1500 | $3000

10 CPCA Consulting
For Partners that would like more assistance in meeting the Cisco CPCA assessment requirements,
they may engage NSF International for the Cisco CPCA consulting service. The consulting is a multi-
day engagement. Please contact NSF directly at [email protected].

11 Complaints, Appeals & Disputes


Partner may appeal against Cisco's decision or make complaints related to NSF's services. All
complaints and appeals should be made in writing and not later than ten (10) business days after the
event. Partner shall email their complaint or appeal to the following:

▪ Appeals: [email protected]
▪ Complaints related to NSF's services: [email protected]

Complaints or appeals received after ten (10) business days of the event will not be processed.

Appeals and complaints will be reviewed by appropriate members of Cisco or NSF management.


12 Cisco Partner Compliance Assessment Requirements

1 Partner Overview & Practice

1.1 Partner Overview

Partner must deliver a company overview at the start of the review covering the following:

• company history;
• business focus and value proposition;
• office locations;
• country and region served;
• organization structure and staff strength;
• industry focus and customer profile;
• relationship with Cisco;
• its Cisco Business focus; and
• an overview of its anti-corruption practice.

Evidence must be a presentation of not more than 15 minutes.


2 Anti-Corruption Policy and Objectives

2.1 Anti-Corruption Policy

Partner must establish and publish an Anti-Corruption Policy. The policy shall:

• signify the pledge and commitment from the top management for zero-tolerance towards corruption;
• be formally documented;
• be clear and easy to understand;
• be visible, disseminated, and communicated to all levels and functions of the organization, and
• be reviewed at least annually.

Evidence must include a documented Anti-Corruption Policy, a description of how the policy is reviewed
regularly, and evidence of such review. Partner must also demonstrate that the policy is disseminated
to all levels and functions, including evidence such as staff onboarding checklist, briefing notes,
training, or attendance record.

2.2 Anti-Corruption Objectives

Partner must establish anti-corruption objectives. The objectives must be:

• measurable whenever practicable;
• tracked, monitored, and reported, and corrective actions initiated when the objectives are not met; and
• communicated to the relevant functions and levels.

Evidence must include documented anti-corruption objectives and evidence of tracking, monitoring, and
reporting, and any corrective action. These may include data collection sheets, minutes of review
meetings, and records of improvement or corrective action. Evidence of communication of objectives
may include training and attendance record, briefing notes, or minutes of the meeting.

2.3 Cisco Global Anti-Corruption Policy

Partner must subscribe to the "Global Anti-Corruption Policy for all Business Partners of Cisco
Systems, Inc. and its affiliates" available here.

Evidence must include the latest version of Cisco's Global Anti-Corruption Policy disseminated to and
understood by all employees participating in the Cisco business.


3 Anti-Corruption Governing Body, Compliance Function and Roles, and Responsibilities

3.1 Anti-Corruption Governance Body

Partner must establish an anti-corruption governance body whose functions include:

• approving the Anti-Corruption Policy;
• taking ownership and being accountable for the implementation of the anti-corruption management system; and
• reviewing data related to the anti-corruption management system to ensure that it is effective.

Evidence must include a defined anti-corruption governance body, including its members, roles, and
responsibilities, and a description of how the anti-corruption governance body executes the above
functions.

Note: Should Partner not have an anti-corruption governance body, these roles and activities must be
conducted, collectively or individually, by the top management. For example, the board of directors,
the chief executive officer, the chief financial officer, the chief operating officer, or other C-level
executives and must be defined.


3.2 Anti-Corruption Compliance Function

Partner must maintain an anti-corruption compliance function whose key role is to manage the
development and operation of the anti-corruption management system.

The anti-corruption compliance function must consist of a team that:

• are esteemed and have the relevant expertise;
• have the control and influence; and
• maintain independence in performing their duties.

The anti-corruption compliance function must be able to communicate with the anti-corruption
governance body (where applicable) and top management directly.

Evidence must include a description of the anti-corruption compliance function's members, roles and
responsibilities, reporting structure, and how the anti-corruption compliance function executes its duty.

Note: Depending on the size of the organization, complexity, and the risk level, the anti-corruption
compliance function may consist of a single individual, a group, a committee, or a council of the
Partner organization, and members may be part-time or full-time. Some or all of the anti-corruption
compliance function's responsibilities may be outsourced.


3.3 Roles and Responsibilities

Partner must define the anti-corruption roles and responsibilities through all functions and levels.
This must include:

• top management;
• anti-corruption governance body;
• anti-corruption compliance function;
• managers at every level; and
• employees.

Evidence must include documented roles and responsibilities of the above, which may be found in
employees' handbooks, process description documents, job descriptions, code of conduct, etc. This
must include at least all employees participating in the Cisco business.


4 Corruption Risk Assessment

4.1 Corruption Risk Assessment of Business Associates

Partner must evaluate the corruption risk that their current and potential business associates pose.
Considerations for evaluating the corruption risks may include:

• type of business associate (Cisco Business, private, domestic, foreign, public official, etc.);
• size and organization structure of the business associate;
• type of transaction (supplies, services, joint venture partners, etc.);
• value and frequency of transaction;
• duration of the working relationship; or
• mode of payment (direct, indirect, such as through agents or intermediaries, cash, local, foreign, commission-based, etc.).

Evidence must include documented corruption risk assessment process, including the criteria used for
assessing corruption risks, documented output identifying the type of business associate with the
corresponding corruption risks, controls, and mitigation measures.

Note 1: Business associates include clients, customers, joint ventures, partners, outsourcing
providers, contractors, consultants, suppliers, vendors, third parties, advisors, agents, distributors,
representatives, intermediaries, controlled organizations, and investors.

Note 2: Partner is free to select the corruption risk evaluation criteria. Whatever risk evaluation
criteria are selected, risk controls and mitigation measures must be put in place for risk levels
identified as higher than "low" or equivalent.


4.2 Corruption Risk Assessment of Partner's Personnel

Partner must analyze, assess, and prioritize the identified corruption risks of their employees
depending on the position and job scope. Considerations for evaluating the corruption risks may include:

• job role (e.g., sales, purchasing, finance);
• authority accorded with the job role (approval, granting permission, acceptance);
• seniority in the job role (e.g., worker, supervisor, manager, department head, senior executive); or
• the risk level of the business associate he is working with (see section 4.1).

Evidence must include documented corruption risk assessment processes, including the criteria used
for assessing corruption risks, documented output identifying the type of personnel associated with the
corresponding corruption risk, controls, and mitigation measures.

Note: Partner is free to select the corruption risk evaluation criteria. Whatever risk evaluation
criteria are selected, risk controls and mitigation measures must be put in place for risk levels
identified as higher than "low" or equivalent.


4.3 Corruption Risk Assessment for Specific Categories of projects, Commitments and Activities, or Transactions

Other than evaluating corruption risk according to the business associate (4.1) and Partner's
personnel (4.2), Partner must ensure due diligence and risk assessment are performed on specific
projects, commitments, and activities or transactions. This enhanced targeted measure allows
corruption risk to be detected and mitigated.

Partner must implement a corruption risk assessment procedure that includes:

• the criteria for conducting a risk assessment on specific categories of projects, commitments, and activities, or transactions, which may include:
  o the credibility of the client;
  o the connection between parties involved;
  o focus and extent of engagement;
  o terms/agreement in relation to payment and funding matters; or
  o degree of visibility and control
• the method and criteria of the risk assessment; and
• analyze, assess, and prioritize the identified corruption risks, controls, and mitigation measures.

Evidence must include a documented corruption risk assessment process, including the criteria used for
assessing corruption risks; documented output includes risk levels and control and mitigation measures.

Note: Partner is free to select the corruption risk evaluation criteria. Whatever risk evaluation
criteria are selected, risk controls and mitigation measures must be put in place for risk levels
identified as higher than "low" or equivalent.


4.4 Review of Corruption Risk Assessment, Control and Mitigation Measures and Effectiveness

Partner must review its corruption risk assessment in 4.1, 4.2, and 4.3; and the effectiveness of the
controls and mitigation measures systematically and regularly, or at least once a year. The review will
allow changes, new and updated data to be evaluated along with existing controls.

Additionally, the corruption risk assessment must be reviewed if any of the following situations arise:

• there is a significant change to the transactions/activities/structure of the business; or
• corrupt practice detected.

Evidence must include review records or reports, minutes of the review meeting, and changes made to
the risk assessment, if applicable.

5 Anti-Corruption Code of Conduct and Controls

5.1 Anti-Corruption Code of Conduct

Partner must establish a well-defined anti-corruption code of conduct. The code of conduct serves as a
comprehensive, unambiguous guide for all employees on a uniform standard of conduct and ethics in all
areas of business activities where corruption is likely to occur. Key areas to address in the code of
conduct include:

• corruption behavior – what is and what is not;
• guidelines relating to the high-risk areas where corruption can occur; and
• conflicts of interest – both internal and external.

Evidence must include a documented anti-corruption code of conduct. The code of conduct may be
included in the employees' handbook, new employee induction material, or briefing material.


5.2 Gifts, Entertainment, Donations, Facilitation Payment, and Similar Benefits

Partner must identify current and potential in-bound and outbound corrupt activities in relation to
gifts, entertainment, donations, facilitation payment, and similar benefits relevant to its business
operation. These may include:

• gifts and entertainment;
• facilitation and extortion;
• travel and hospitality;
• political or charitable donations;
• loans from clients/customers;
• sponsorship and training;
• community benefits and club membership;
• personal favors; or
• confidential and privileged information.

Evidence may also include documented scenarios of current and potential in-bound and outbound corrupt
activities and guides to dealing with such acts or warnings that such acts are not tolerated.

Partner must ensure that neither it nor its employees pay any expenses for travel, lodging, gifts,
hospitality, entertainment, or charitable contributions for government officials on Cisco's behalf.
'Government official' means:

• any public or elected official or officer, employee (regardless of rank), or person acting on behalf of a Governmental Entity; and
• any party official or candidate for political office or any person acting on behalf of such party official or candidate for political office.

Evidence must include compliance policies, procedures, and any systems including information with
personnel on Cisco business, as well as contracts, agreements, and purchase orders relating to Cisco
orders.


5.3 Financial Controls

Partner must establish and implement good financial controls to eliminate and detect a corrupt activity and facilitate investigation in the event of the occurrence of corrupt activity. These controls may include:

• clear and accurate recording of transactions;

• verifying completion of work;

• availability of supporting documents;

• separation of duties;

• multi-tier system for payment approval;

• regulating the usage of cash and effective cash control methods;

• rotation of Auditor; or

• independent financial audits.

Evidence must include documented information on the above, where appropriate.

5.4 Non-financial Controls

Partner must establish and implement additional non-financial controls to further enhance its anti-corruption management system. These may include:

• separation of duties;

• defining the criteria for the evaluation and approval process;

• using approved suppliers, contractors, consultants, etc.;

• evaluation of the legitimacy and essentiality of services performed;

• assessing that the work is carried out in accordance with guidelines;

• awarding contracts after proper, fair, and transparent evaluation;

• ensuring senior management is aware of, and has an oversight of, potentially high corruption risk transactions; or

• restricting access to sensitive or privileged information.

Evidence must include documented information on the above.


5.5 Compliance with Cisco's terms of the contract on discounts, incentives, grants, and rebate

Cisco offers discounts, incentives, grants, and rebates as part of the business dealings with its Partners. The intent and conditions of such discounts, incentives, grants, and rebates are defined and documented in Cisco's terms of the contract.

Partner must establish and implement controls to ensure that such discounts, incentives, grants, and rebates are applied, obtained, and used in accordance with the terms of the contract. The controls must ensure adherence to the intent and use of these discounts, incentives, grants, and rebates and be able to prevent, detect and mitigate the corrupt practices in them. These may include:

• product diversion;

• securing higher discounts through unlawful/unethical means.

Evidence must include documented scenarios of the above actual or potential corrupt activities and the action to prevent, detect, and mitigate them. Action must also include regular review of the application and use of the discounts, incentives, grants, and rebates, with the review results documented, such as review reports or minutes of the meeting.


5.6 Compliance with Cisco's Anti-Corruption Controls on Third Party

Partner must comply with the following for third parties associated with Cisco deals:

Disclosure

Partner must disclose, upon request, to Cisco or its authorized agent the third parties associated with selected deals. Partner must provide to Cisco or its authorized agent the requested information.

Due Diligence

Partner must conduct due diligence on third parties associated with all Cisco deals. Evidence of due diligence must be provided. The evidence of due diligence must be consistent with the risks and risk assessment consistent with the Partner's anti-corruption practice (refer to sections 4.1 and 4.3).

Additional Due Diligence Check

Cisco may require Partner to provide additional evidence of due diligence on specific third parties associated with Cisco deals. The identified third parties and the required evidence will be communicated to the Partner.

Anti-Corruption Requirements in Contractual Documents

Anti-corruption requirements must be built into the contractual requirements with third parties associated with Cisco deals. Such requirements must be sufficient to ensure third parties' adherence to policies no less comprehensive than Cisco's Global Anti-Corruption Policy for Partners. Evidence may include contracts, agreements, purchase orders, and anti-corruption policies and procedures, and how anti-corruption requirements and monitoring are built into such documents.


6 Communication, Awareness, and Training

Requirement Description

6.1 New staff onboarding Anti-Corruption Awareness and Training

Partner must provide adequate and appropriate anti-corruption awareness and training to new joiners within a suitable timeframe. Awareness and training must include:

• anti-corruption policy (2.1);

• anti-corruption objectives (2.2);

• Cisco's Global Anti-Corruption Policy (2.3);

• roles and responsibilities (3.3);

• anti-corruption code of conduct (5.1);

• gifts, entertainment, donations, facilitation payment, and similar benefits (5.2); and

• corruption reporting system (whistleblowing) (8.1)

Evidence must include training records, attendance records, acknowledgment records, etc., for all personnel on Cisco business.

6.2 Ongoing Anti-Corruption Communication, Awareness and Training

Partner must provide ongoing awareness and training to refresh and enhance employees' understanding of:

• anti-corruption policy and procedures;

• their duties to comply;

• the corruption risks and damages to them and the organization;

• recognizing and responding to solicitations or offers of corruption; and

• how and to whom they can report any concerns.

Evidence must include training records, attendance records, acknowledgment records, etc., for all personnel on Cisco business.


7 Employment Process

Requirement Description

7.1 Employment Condition

Partner must have employment conditions indicating that:

▪ the employee must abide by the anti-corruption policy and procedures; and

▪ non-compliant employee to face disciplinary action set out by the organization.

Evidence must include the above as part of the employment contract, employees' handbook, or other binding documents between the employee and the Partner.

7.2 Employee Protection

Partner must establish and implement processes and procedures to protect the employees from discrimination, reprisal, or disciplinary action for:

• not participating in an activity that was assessed to be of a significant risk that the Partner has not mitigated; and

• any concerns and reporting made in good faith, of attempted, actual, or suspected corruption.

Evidence must include documented processes and procedures that protect the employees from the above.

Note: discrimination or disciplinary action may include threats, isolation, demotion, preventing advancement, transfer, dismissal, bullying, victimization, or other forms of harassment.


7.3 Due Diligence on Personnel

Partner must establish and implement due diligence processes and procedures when employing personnel or job roles with a risk level of higher than "low" in the risk assessment (section 4.2). The controls may include taking reasonable steps to:

• verify prospective employee's qualifications and information furnished are accurate;

• obtain references from prospective employee's past workplaces;

• assess if the prospective employee had been involved in corruption;

• identify the prospective employee's links to public officials; or

• verify that the successful recruitment of employee is by no means:

    o intended to secure an improper advantage for the organization; and

    o in return for having benefitted the organization in their previous employment.

Evidence must include due diligence check records such as prospective employee's employment history, interview record, internal meeting minutes, and external supporting documents of the above.

7.4 Performance, Promotion, Compensation, Bonus, and Incentives

Employee evaluation is commonly used to assess work performance and may lead to promotion, compensation, bonus, and incentive payment – this may inadvertently induce outbound corruption or non-action to a corrupt activity in order to secure better performance.

The employee must be informed of the consequence that failing to comply with the anti-corruption policy in an attempt to achieve better work performance will not be tolerated and will face disciplinary action as set out by the organization.

Evidence must include regular review of criteria used to evaluate employee performance for employees identified as having a corruption risk of higher than "low" in section 4.2.


8 Reporting, Investigating and Dealing with Corruption

Requirement Description

8.1 Corruption Reporting System (Whistleblowing)

Partner must establish a robust reporting or whistleblowing system. The reporting system must:

• allow for anonymous reporting;

• ensure the confidentiality of the whistleblower (if known) and protect the whistleblower from fear of reprisal and reprimand if the disclosure is made in good faith;

• encourage whistleblower to make a report with the information specified by the Partner (e.g., the identity and roles of parties involved) where possible;

• provide convenient and accessible reporting channels (such as designated phone number, email address, or drop-box in a discreet location); and

• provide diligent follow-up with the informant (if known) on the outcome of the investigation.

Evidence must include a documented description of how whistleblowers can make a report and evidence of the investigation.

Partner must report to Cisco should there be any confirmed case of corruption related to Cisco deals:

• Online: Ethics WebForm for anonymous reporting.

• Phone: The multilingual EthicsLine is available 24 hours a day, seven days a week, worldwide, with country-based, toll-free phone numbers. To call from any phone, visit the EthicsLine page. The EthicsLine is staffed by a leading, third-party reporting service.

Cisco supports a speak-up culture when it comes to ethics. Any attempts to retaliate against a party who reports ethics concerns will be subject to discipline, up to and including termination of the Cisco relationship.


8.2 Investigation and Dealing with Corruption

Partner must implement a procedure for assessment, investigation, and reporting of corruption event, which is reported, detected, or reasonably suspected. The procedure must require:

• all reported, detected, or suspected corruption event be assessed, and where appropriate, investigated;

• assessment and investigation be conducted by person(s) not involved in the issue;

• the investigation be carried out in confidence and with confidentiality, where the output of the investigation is kept confidential;

• the status and results of the investigation are reported to the anti-corruption compliance function, the anti-corruption governance body, and the top management as appropriate; and *

• corruption risk assessment (section 4) be re-evaluated for adequacy and effectiveness after the detection of a corrupt practice (refer to 4.4).

Evidence must include documented assessment and investigation procedures, assessment, and investigation reports.

*Cisco requests that any corruption pertaining to Cisco business/orders be reported to Cisco


9 Monitoring and Review

Requirement Description

9.1 Anti-Corruption Governance Body Review

The anti-corruption governance body must conduct regular reviews of the effectiveness of the anti-corruption management system. The review must be conducted at least annually and include the following:

• anti-corruption objectives (2.2);

• changes to the corruption risk assessment;

• feedback from the anti-corruption compliance function;

• corruption events and outcome of the investigation;

• effectiveness of communication, training, and awareness; and

• effectiveness of the employment process in support of the anti-corruption system.

Evidence must include review reports or minutes of the review meetings.

The review must be conducted at least annually.


13 Revision History

Version 1.0, Publication Date: June 17 2021
Summary of Changes:

• Initial Release.

Version 1.1, Publication Date: April 19 2022
Summary of Changes:

• 3.4 - clarified Cisco communicating the assessment outcome to the partner.

• Added the consequences for the failure outcome and re-audit period and definition.

• 11 - updated Cisco alias for appeals [email protected]

Version 1.2, Publication Date: July 6 2022
Summary of Changes:

• Added Cisco logo and standard confidentiality statement.

• 3 - Changed the format and complemented the process flow specifying the step about NSF providing the summary report to the partner and audit report to Cisco.

• Clarified the duration for the get-well plan and Cisco withholding rebates during this period.

• Added exceptions for ISO 37001 certified partners.

• Added regional / multi-national partners.

• Added Cisco Ethics Line information and non-retaliation paragraph in control 8.1.

• Added note about Cisco requesting any corruption pertaining to Cisco business/orders be reported to Cisco in control 8.2
