CPCA Policies and Requirements v2.0 May 2023

Cisco Partner Compliance Assessment

(CPCA)

Policies & Requirements


Version 2.0

May 1, 2023

© 2022 Cisco and/or its affiliates. All rights reserved. This document is Cisco Confidential. For Channel Partner use only. Not for distribution
CISCO CONFIDENTIAL

Table of Contents

1 The Cisco Partner Compliance Assessment
2 Scope of the Cisco Partner Compliance Assessment
3 Cisco CPCA Process
3.1 Cisco Notification
3.2 CPCA Readiness Review
3.3 CPCA Audit
3.4 Decision
4 Process Activities and Estimated Timeline
5 Three-Year Renewal Cycle
6 Exemptions for ISO 37001 certified Partners
7 Global / Regional / Multi-Countries Partners
8 Role of Audit Participants
8.1 Partner
8.2 NSF Auditor
8.3 Cisco Representative
9 Fees
9.1 First Cycle
9.2 Reschedule and Cancellation Fee
10 CPCA Consulting
11 Complaints, Appeals & Disputes
12 Cisco Partner Compliance Assessment Requirements
13 Revision History

1 The Cisco Partner Compliance Assessment


As part of Cisco's commitment to compliant channel management, we continuously evaluate processes
to ensure our business relationships are well managed and honored contractually by both Cisco and
our partners. To ensure our continued success is founded on ethical business conduct and compliance
with the applicable contractual, legal, and regulatory requirements, Cisco has launched the Cisco
Partner Compliance Assessment (CPCA).

2 Scope of the Cisco Partner Compliance Assessment


Cisco expects and requires that all its suppliers, subcontractors, resellers or channel partners,
consultants, agents, and other parties with whom Cisco does business (Business Partners) act at all
times in a professional and ethical manner in conducting their services and contractual obligations with
Cisco, or on Cisco's behalf to a Cisco customer or other third party.

Bribery is a common form of corruption. Cisco defines a bribe as "anything of value" such as gift cards,
home repairs, tickets to a theater or sporting event, guest passes to a private club, a no-bid contract, a
summer job for a teenage family member, free limo/courtesy car service rides, and more, when given to
obtain an improper advantage. Just offering a bribe is a violation, even if the transfer of the item of value
does not occur or the purpose of the bribe is not fulfilled.

Other than bribery, this document applies to other forms of corrupt practices such as fraud, anti-trust,
anti-competition, money laundering, misrepresentation for the purpose of cheating others, material
omission/failure to disclose where a duty of loyalty exists, unethical and dishonest behaviors, etc. This
also includes improper gains from or taking advantage of, or helping others to gain from, Cisco
programs, discounts, rebates, incentives, and rewards other than the intended purposes of these
programs, discounts, rebates, incentives, and rewards.

3 Cisco CPCA Process

[Figure: CPCA process flow. Steps shown:
▪ Cisco: Notify Partner of PCA
▪ Cisco: Provide Partner's contact details and sample orders to NSF
▪ NSF: Contact Partner to arrange Readiness Review
▪ NSF: Schedules and conduct the Readiness Review
▪ NSF: Contact Partner to arrange Audit
▪ NSF: Conduct the Audit
▪ NSF: Provide summary to Partner and final report to Cisco
▪ Cisco: Notify Partner of CPCA result]

3.1 Cisco Notification

Cisco identifies Partner for the Cisco CPCA and notifies the Partner. Partner's contact information will
be handed to NSF (Cisco appointed third-party auditing company).

3.2 CPCA Readiness Review

NSF will arrange with the Partner for a Readiness Review.

The Readiness Review is a consultative exercise designed to help Partner evaluate their level of
compliance and readiness with the Cisco CPCA requirements. An NSF consultant evaluates the
Partner's system against each CPCA requirement, identifies gaps, provides feedback and guidance to
close these gaps, and recommends opportunities for improvement. Partner receives a CPCA Readiness
Review report identifying the gaps compared to the CPCA requirements, with recommendations on
closing these gaps, if any exist.

The readiness review is a 6-8 hour session conducted remotely.

3.3 CPCA Audit

The audit must be conducted no later than 6 months from the Readiness Review. NSF will contact
Partner to arrange a mutually agreed date for the audit. Once the date is confirmed, NSF will send the
Audit Confirmation to the Partner.

NSF Auditor will conduct the audit remotely via Cisco Webex remote conferencing tool provided by NSF.
The duration of the audit is 6-8 hours.

The audit will seek objective evidence of compliance with Cisco CPCA requirements. Partner must
provide evidence that may include, but is not limited to:

▪ Processes and procedures
▪ Documentation
▪ Demonstration of process usage and testing

All information or documentation provided to the NSF auditor is considered "confidential information,"
as defined in a nondisclosure agreement (NDA) signed by Cisco's third-party auditors and will be treated
accordingly by Cisco and the NSF auditors.

At the end of the audit, the Auditor will provide a verbal summary of findings. A written Audit Summary
Report will be provided to the Partner within 24 hours. The Audit Summary will include the following,
among other things:

▪ Partner's Strengths
▪ Opportunities for Improvement
▪ Action Items, if any

If there are any open action items, the Partner will be given an opportunity to provide written evidence
of closure to the Auditor within five business days after the completion of the audit. The Auditor will
submit the Audit Final Report to Cisco Partner Compliance Team within five business days of receiving
the Partner's response.

3.4 Decision

Cisco Partner Compliance Team will make the decision on qualification after reviewing the Audit Final
Report. The decision will be communicated to the Partner. There are two possible outcomes:

▪ Pass – Partner met the intent of the Partner Compliance Audit requirements.

▪ Declined & Revisit – Partner did not meet the intent of the Partner Compliance Audit and
therefore did not pass. Due to the non-fulfillment of the assessment requirements, Partner will
be put on a "Get Well" plan to close action items, review the recommendations from the audit
and improve their anti-corruption management system accordingly. The "Get Well" plan must
be completed within 90 days, after which NSF will conduct a revisit.

Revisit means a remote audit conducted by an NSF Auditor to ensure that all the action item(s)
identified in the Audit Summary Report are satisfactorily closed out.

During the "Get Well" period, payment of Partner rebates will be placed on hold until all PCA
requirements have been successfully met. If the revisit is not completed within 90 days from the
date of the failure notification or failure of the revisit, Cisco may review Partner's participation
as a Cisco Authorized Channel.

Cisco's decision is final. Should Partner wish to appeal against the decision, they may do so
within ten (10) business days of receiving the decision from Cisco. Please refer to the
Complaints, Appeals, and Disputes section for more details.

4 Process Activities and Estimated Timeline

| Phase | Activity | Responsible | Timeline (business day) |
| --- | --- | --- | --- |
| Readiness Review | 1st contact to Partner for Readiness Review date after receiving Partner's contact information from Cisco | NSF | 2 |
| Readiness Review | Schedule and confirm Readiness Review date (Note – the Readiness Review must be conducted within 20 days) | NSF | 5-20 |
| Readiness Review | Conduct Readiness Review remotely | NSF | 1 |
| Readiness Review | Provide Readiness Review report to the Partner | NSF | 2 |
| Audit | Schedule and confirm audit date | NSF | 5-20 |
| Audit | Conduct audit remotely (Note – the audit must be conducted no later than 6 months from the Readiness Review) | NSF | 1 |
| Audit | Provide Audit Summary Report to Partner | NSF | 1 |
| Audit | Provide open Action Item responses to Auditor if any | Partner | 5 |
| Audit | Provide Audit Final Report to Cisco | NSF | 5 |
| Decision | Review report and decide on the qualification. | Cisco | 20 |

5 Three-Year Renewal Cycle


Partners will be contacted by NSF for an initial audit and for the renewal upon the third-anniversary date.
Partners are required to go through the full audit every three years. If the Partner does not respond to
the request from NSF, including all required documentation before the 30th day past their third-
anniversary date (third-anniversary date +30 days), they will be removed from the assessment.

To maintain status, the renewal audit must be conducted no later than 60 days after the Partner's first
CPCA anniversary date (third-anniversary date+60).

6 Exemptions for ISO 37001 certified Partners


For Partners who hold a valid ISO 37001 certification by an independent registrar/certification body, the
following CPCA requirements will be waived:

| Section | Exemption | Description |
| --- | --- | --- |
| 2 Anti-Corruption Policy and Objectives | 2.1 | Anti-Corruption Policy |
| | 2.2 | Anti-Corruption Objectives |
| 3 Anti-Corruption Governing Body, Compliance Function and Roles, and Responsibilities | 3.1 | Anti-Corruption Governance Body |
| | 3.2 | Anti-Corruption Compliance Function |
| | 3.3 | Roles and Responsibilities |
| 5 Anti-Corruption Code of Conduct and Controls | 5.1 | Anti-Corruption Code of Conduct |
| | 5.3 | Financial Controls |
| | 5.4 | Non-financial Controls |
| 6 Communication, Awareness, and Training | 6.1 | New staff onboarding Anti-Corruption Awareness and Training |
| | 6.2 | Ongoing Anti-Corruption Communication, Awareness and Training |
| 7 Employment Process | 7.1 | Employment Condition |
| | 7.2 | Employee Protection |
| | 7.3 | Due Diligence on Personnel |
| 8 Reporting, Investigating and Dealing with Corruption | 8.1 | Corruption Reporting System (Whistleblowing) |
| | 8.2 | Investigation and Dealing with Corruption |
| 9 Monitoring and Review | 9.1 | Anti-Corruption Governance Body Review |

Partner must provide the ISO 37001 certificate during the audit. The certificate must be issued to the
Partner (same name and location), or if it is a group certification, it must include the Partner (specific
name and location).

Partner must still go through the CPCA process described in section 3, including the Readiness Review
and Audit.

7 Global / Regional / Multi-Countries Partners


Global/Regional/Multi-Countries Partners may opt for the Regional/Multi-Countries assessment model.
The following conditions apply:

▪ The Parent (headquarter) and affiliated country must adopt a common and unified corporate
anti-corruption practice.
▪ The Parent country must undergo a full CPCA audit (exemptions for ISO 37001 certification
apply, refer to conditions in section 6).
▪ The affiliated country must undergo a partial CPCA audit as outlined below (exemptions for ISO
37001 certification apply, refer to conditions in section 6) and must be conducted within 90 days
of the last full CPCA audit of the Parent country. Otherwise, the affiliated country will be audited
as a separate and independent entity. For affiliated country undergoing a partial CPCA audit,
evidence of implementation and output of processes will be assessed.

| Section | Requirement | Description | Audit: Parent | Audit: Affiliated |
| --- | --- | --- | --- | --- |
| 1 Partner Overview & Practice | 1.1 | Partner Overview | ● | ● |
| 2 Anti-Corruption Policy and Objectives | 2.1 | Anti-Corruption Policy | ● | |
| | 2.2 | Anti-Corruption Objectives | ● | ● |
| | 2.3 | Cisco Global Anti-Corruption Policy | ● | ● |
| 3 Anti-Corruption Governing Body, Compliance Function and Roles, and Responsibilities | 3.1 | Anti-Corruption Governance Body | ● | |
| | 3.2 | Anti-Corruption Compliance Function | ● | |
| | 3.3 | Roles and Responsibilities | ● | |
| 4 Corruption Risk Assessment | 4.1 | Corruption Risk Assessment of Business Associates | ● | ● |
| | 4.2 | Corruption Risk Assessment of Partner's Personnel | ● | ● |
| | 4.3 | Review of Corruption Risk Assessment, Control and Mitigation Measures and Effectiveness | ● | ● |
| 5 Anti-Corruption Code of Conduct and Controls | 5.1 | Anti-Corruption Code of Conduct | ● | |
| | 5.2 | Gifts, Entertainment, Hospitality and Similar Benefits | ● | |
| | 5.3 | Financial Controls | ● | |
| | 5.4 | Non-financial Controls | ● | |
| | 5.5 | Compliance with Cisco's Anti-Corruption Controls on Third Party | ● | ● |
| 6 Communication, Awareness, and Training | 6.1 | New staff onboarding Anti-Corruption Awareness and Training | ● | ● |
| | 6.2 | Ongoing Anti-Corruption Communication, Awareness and Training | ● | ● |
| 7 Employment Process | 7.1 | Employment Condition | ● | |
| | 7.2 | Employee Protection | ● | |
| | 7.3 | Due Diligence on Personnel | ● | |
| | 7.4 | Review of Criteria Used for Employee Performance, Promotion, Compensation, Bonus, and Incentives | ● | |
| 8 Reporting, Investigating and Dealing with Corruption | 8.1 | Corruption Reporting System (Whistleblowing) | ● | |
| | 8.2 | Investigation and Dealing with Corruption | ● | ● |
| 9 Monitoring and Review | 9.1 | Anti-Corruption Governance Body Review | ● | ● |

8 Role of Audit Participants

8.1 Partner

Before the audit, the Partner is expected to review all the assessment requirements. On the day of the
audit, the Partner must organize the required resources and be prepared to provide evidence,
documentation, and demonstration as required by this CPCA Policies & Requirements Document.

8.2 NSF Auditor

NSF Auditor manages the audit process. During the audit, the Auditor will verify whether the Partner
complies with the spirit and intent of all assessment requirements and compile an audit report describing
the extent of compliance with each requirement. The Auditor will then submit the report and supporting
documents to the Cisco Partner Compliance Team, who will determine whether or not the Partner meets
the assessment requirements. All information or documentation provided to the Auditor is considered
"confidential information," as defined in a nondisclosure agreement (NDA) signed by NSF's auditors.

8.3 Cisco Representative

Cisco Representative is optional at the readiness review and audit. Cisco Representative must obtain
prior approval and meeting details from the Partner directly for attending these sessions. Cisco
Representative can observe the readiness review and audit but cannot participate in the discussion.
The Cisco Representative is responsible for addressing any business issues during the session.

9 Fees

9.1 First Cycle

For Partners notified of the assessment, Cisco will fund the fee for the first cycle, which includes a
Readiness Review and the audit. Any reschedule and cancellation fees will be paid by the Partner.

9.2 Reschedule and Cancellation Fee

Reschedule and cancellation fees take effect once the readiness review or the audit date is officially
confirmed, and NSF has sent the confirmation email. Partner must submit reschedule or cancellation
request to CPCASupportTeam@nsf.org. NSF will reschedule after the Partner has paid the reschedule
fees (see fee chart below).

Reschedule and Cancellation Fee

| More than 15 calendar days | 15 to 11 calendar days | Less than 10 calendar days |
| --- | --- | --- |
| $750 | $1500 | $3000 |

10 CPCA Consulting

Partners that would like more assistance in meeting the CPCA requirements may engage any
qualified company for such consultation services, or NSF International for the consulting services. This
is an independent engagement where the Partner can contact NSF directly at
CPCASupportTeam@nsf.org.

The use of any consulting company to help design and implement Partner's anti-bribery, anti-corruption
process and practice has no bearing on the outcome of the audit.

11 Complaints, Appeals & Disputes


Partner may appeal against Cisco's decision or make complaints related to NSF's services. All
complaints and appeals should be made in writing and not later than ten (10) business days after the
event. Partner must email their complaint or appeal to the following:

▪ Appeals: CPCAsupport@cisco.com
▪ Complaints related to NSF's services: CPCASupportTeam@nsf.org

Complaints or appeals received after ten (10) business days of the event will not be processed.

Appeals and complaints will be reviewed by appropriate members of Cisco or NSF management.

12 Cisco Partner Compliance Assessment Requirements

1 Partner Overview & Practice

1.1 Partner Overview

Partner must deliver a company overview at the start of the review covering the following:

• company history;
• business focus and value proposition;
• office locations;
• country and region served;
• organization structure and staff strength;
• industry focus and customer profile;
• relationship with Cisco;
• its Cisco Business focus; and
• an overview of its anti-corruption practice.

Evidence must be a presentation of not more than 15 minutes.

2 Anti-Corruption Policy and Objectives

2.1 Anti-Corruption Policy

Partner must establish and publish an Anti-Corruption Policy. The policy must:

• signify the pledge and commitment from the top management for zero-tolerance towards
corruption;
• be formally documented;
• be clear and easy to understand;
• be visible, disseminated, and communicated to all levels and functions of the organization, and
• be reviewed at least annually.

Evidence must include a documented Anti-Corruption Policy, a description of how the policy is
reviewed regularly, and evidence of such review. Partner must also demonstrate that the policy is
disseminated to all levels and functions, including evidence such as staff onboarding checklist,
briefing notes, training, or attendance record.

2.2 Anti-Corruption Objectives

Partner must establish anti-corruption objectives. The objectives must be:

• measurable whenever practicable;
• tracked, monitored, and reported, and corrective actions initiated when the objectives are not
met; and
• communicated to the relevant functions and levels.

Evidence must include documented anti-corruption objectives and evidence of tracking, monitoring,
and reporting, and any corrective action. These may include data collection sheets, minutes of
review meetings, and records of improvement or corrective action. Evidence of communication of
objectives may include training and attendance record, briefing notes, or minutes of the meeting.

2.3 Cisco Global Anti-Corruption Policy

Partner must comply with the "Global Anti-Corruption Policy for all Business Partners of Cisco
Systems, Inc. and its affiliates (Cisco)" which is available here.

Evidence must include the latest version of Cisco's Global Anti-Corruption Policy disseminated to
all employees participating in the Cisco business.

3 Anti-Corruption Governing Body, Compliance Function and Roles, and Responsibilities

3.1 Anti-Corruption Governance Body

Partner must establish an anti-corruption governance body whose functions include:

• approving the Anti-Corruption Policy;
• taking ownership and being accountable for the implementation of the anti-corruption
management system; and
• reviewing data related to the anti-corruption management system to ensure effectiveness.

Evidence must include a documented anti-corruption governance body, including its members, roles,
and responsibilities, and a description of how the anti-corruption governance body executes the
above functions.

Note: Should Partner not have an anti-corruption governance body, these roles and activities must
be conducted, collectively or individually, by the top management (for example, the board of
directors, the chief executive officer, the chief financial officer, the chief operating officer, or
other C-level executives) and must be defined.

3.2 Anti-Corruption Compliance Function

Partner must maintain an anti-corruption compliance function whose key role is to manage the
development and operation of the anti-corruption management system.

The anti-corruption compliance function must consist of a team that:

• are esteemed and have the relevant expertise;
• have the control and influence; and
• maintain independence in performing their duties.

The anti-corruption compliance function must be able to communicate with the anti-corruption
governance body (where applicable) and top management directly.

Evidence must include a documented anti-corruption compliance function, including its members,
roles and responsibilities, reporting structure, and how the anti-corruption compliance function
executes its duty.

Note: Depending on the size of the organization, complexity, and risk level, the anti-corruption
compliance function may consist of a single individual, a group, a committee, or a council of the
Partner organization, and members may be part-time or full-time. Some or all of the
anti-corruption compliance function's responsibilities may be outsourced.

3.3 Roles and Responsibilities

Partner must define the roles and responsibilities of the anti-corruption through all levels of
functions and levels. This must include:

• top management;
• anti-corruption governance body;
• anti-corruption compliance function;
• managers at every level; and
• employees.

Evidence must include documented roles and responsibilities of the above, which may be found in
employees' handbooks, process description documents, job descriptions, code of conduct, etc. This
must include at least all employees participating in the Cisco business.

4 Corruption Risk Assessment

4.1 Corruption Risk Assessment of Business Associates

Partner must evaluate the corruption risk that their current and potential business associates
pose. Considerations for evaluating the corruption risks may include:

• type of business associate (Cisco Business, private, domestic, foreign, public official, etc.);
• size and organization structure of the business associate;
• type of transaction (supplies, services, joint venture partners, etc.);
• value and frequency of transaction;
• duration of the working relationship; or
• mode of payment (direct, indirect, such as through agents or intermediaries, cash, local,
foreign, commission-based, etc.).

Evidence must include documented corruption risk assessment process, including the criteria used
for assessing corruption risks, documented output identifying the type of business associate with
the corresponding corruption risks, controls, and mitigation measures.

Note 1: Business associates include clients, customers, joint ventures, partners, outsourcing
providers, contractors, consultants, suppliers, vendors, third parties, advisors, agents,
distributors, representatives, intermediaries, controlled organizations, and investors.

Note 2: Partner is free to select the corruption risk evaluation criteria. Whatever risk
evaluation criteria are selected, risk controls and mitigation measures must be put in place for
risk levels identified as higher than "low" or equivalent.

4.2 Corruption Risk Assessment of Partner's Personnel

Partner must analyze, assess, and prioritize the identified corruption risks of their employees
depending on the position and job scope. Considerations for evaluating the corruption risks may
include:

• job role (e.g., sales, purchasing, finance);
• authority accorded with the job role (approval, granting permission, acceptance);
• seniority in the job role (e.g., worker, supervisor, manager, department head, senior
executive); or
• the risk level of the business associate he is working with (see section 4.1).

Evidence must include documented corruption risk assessment processes, including the criteria used
for assessing corruption risks, documented output identifying the type of personnel associated with
the corresponding corruption risk, controls, and mitigation measures.

Note: Partner is free to select the corruption risk evaluation criteria. Whatever risk evaluation
criteria are selected, risk controls and mitigation measures must be put in place for risk levels
identified as higher than "low" or equivalent.

4.3 Review of Corruption Risk Assessment, Control and Mitigation Measures and Effectiveness

Partner must review its corruption risk assessment in 4.1 and 4.2, and the effectiveness of the
controls and mitigation measures, systematically and regularly, or at least once a year. The review
will allow changes, new and updated data to be evaluated along with existing controls.

Additionally, the corruption risk assessment must be reviewed if any of the following situations
arise:

• there is a significant change to the transactions/activities/structure of the business; or
• corrupt practice is detected.

Evidence must include review records or reports, minutes of the review meeting, and changes made
to the risk assessment, if applicable.

5 Anti-Corruption Code of Conduct and Controls

5.1 Anti-Corruption Code of Conduct

Partner must establish a well-defined anti-corruption code of conduct. The code of conduct serves
as a comprehensive, unambiguous guide for all employees on a uniform standard of conduct and ethics
in all areas of business activities where corruption is likely to occur. Key areas to address in
the code of conduct include:

• corruption behavior – what is and what is not;
• guidelines relating to the high-risk areas where corruption can occur; and
• conflicts of interest – both internal and external.

Evidence must include a documented anti-corruption code of conduct. The code of conduct may be
included in the employees' handbook, new employee induction material, or briefing material.

5.2 Gifts, Entertainment, Hospitality and Similar Benefits

Partner must document the policies and procedures for common inbound (acceptance) and outbound
(offering or provision) activities that could be perceived as corruption. These activities must
include:

• gifts;
• entertainment;
• hospitality;
• travel; and
• personal favors.

The policies and procedures may be a total prohibition or permitting with conditions and/or
controls. The Partner should consider the legislation and regulations, customs and culture, and
risks in defining these controls to suit its business needs.

Partner must also identify other current and potential inbound and outbound corrupt activities and
establish appropriate policies and procedures to deal with such activities, where appropriate.
These may include:

• donations;
• expenses;
• loans;
• facilitation payment;
• sponsorship and training;
• community benefits and club membership; or
• confidential and privileged information.

Evidence must include documented scenarios of current and potential inbound and outbound corrupt
activities, policies and procedures in dealing with such acts or warnings that such acts are not
tolerated.

Partner must ensure that neither the company nor its employees pay any expenses for travel,
lodging, gifts, hospitality, entertainment, or charitable contributions for government officials on
Cisco's behalf. 'Government official' means:

• any public or elected official or officer, employee (regardless of rank), or person acting on
behalf of a Governmental Entity; and
• any party official or candidate for political office or any person acting on behalf of such party
official or candidate for political office.

Evidence must include documented compliance policies or procedures such as the code of conduct,
employees' handbook, briefing materials or guides disseminated to personnel on Cisco business.

5.3 Financial Controls

Partner must establish and implement good financial controls to eliminate
and detect corrupt activity and facilitate investigation in the event of the
occurrence or suspicion of corrupt activity. These controls may include:

• clear and accurate recording of transactions;

• verifying completion of work;

• availability of supporting documents;

• separation of duties;

• multi-tier system for payment approval;

• regulating the usage of cash and effective cash control methods;

• rotation of Auditor; or

• independent financial audits.

Evidence must include documented information on the above, where
appropriate.

5.4 Non-financial Controls

Partner must establish and implement additional non-financial controls to
further enhance its anti-corruption management system. These may
include:

• separation of duties;

• defining the criteria for the evaluation and approval process;

• using approved suppliers, contractors, consultants, etc.;

• evaluation of the legitimacy and essentiality of services performed;

• assessing that the work is carried out in accordance with
guidelines;

• awarding contracts after proper, fair, and transparent evaluation;

• ensuring senior management is aware of, and has an oversight of,
potentially high corruption risk transactions; or

• restricting access to sensitive or privileged information.

Evidence must include documented information on the above.


5.5 Compliance with Cisco's Anti-Corruption Controls on Third Party

Partner must comply with the following for third parties associated with
Cisco deals:

Disclosure
Partner must disclose, upon request, to Cisco or its authorized agent the
third parties associated with selected deals. Partner must provide Cisco or
its authorized agent with the requested information.

Due Diligence
Partner must conduct due diligence on third parties associated with all
Cisco deals. Evidence of due diligence must be provided. Third party due
diligence checks must include criteria related to corruption.

Anti-Corruption Requirements in Contractual Documents
Partner's anti-corruption requirements must be built into the contractual
requirements with third parties associated with Cisco deals. Evidence may
include contracts, agreements, purchase orders, and anti-corruption
policies and procedures.

Note: A third-party vendor is a company or entity subcontracted by the
Partner to provide products or services to your customers on your
organization's behalf. Third-party vendors contribute to the development,
delivery, and implementation of a Cisco solution. It can be any external
company working on (but not limited to) consultation, design,
transportation, installation, cabling, wiring, electrical configuration, etc.,
during the execution of a project containing Cisco products and services.


6 Communication, Awareness, and Training

Requirement Description

6.1 New staff onboarding Anti-Corruption Awareness and Training

Partner must provide adequate and appropriate anti-corruption awareness
and training to new joiners within a suitable timeframe. Awareness and
training must include:

• anti-corruption policy (2.1);

• anti-corruption objectives (2.2);

• Cisco's Global Anti-Corruption Policy (2.3);

• roles and responsibilities (3.3);

• anti-corruption code of conduct (5.1);

• gifts, entertainment, donations, facilitation payment, and similar
benefits (5.2); and

• corruption reporting system (whistleblowing) (8.1).

Evidence must include training records, attendance records,
acknowledgment records, etc., for all personnel on Cisco business.

6.2 Ongoing Anti-Corruption Communication, Awareness and Training

Partner must provide ongoing awareness and training to refresh and
enhance employees' understanding of:

• anti-corruption policy and procedures;

• their duties to comply;

• the corruption risks and damages to them and the organization;

• recognizing and responding to solicitations or offers of corruption;
and

• how and to whom they can report any concerns.

Evidence must include training records, attendance records,
acknowledgment records, etc., for all personnel on Cisco business.


7 Employment Process

Requirement Description

7.1 Employment Condition

Partner must have employment conditions indicating that:

▪ the employee must abide by the anti-corruption policy and
procedures; and
▪ a non-compliant employee will face disciplinary action set out by the
organization.

Evidence must include the above as part of the employment contract,
employees' handbook, or other binding documents between the employee
and the Partner.

7.2 Employee Protection

Partner must establish and implement processes and procedures to
protect the employees from discrimination, reprisal, or disciplinary action
for:

• not participating in an activity that was assessed to be of a
significant risk that the Partner has not mitigated; and

• any concerns and reporting made in good faith, of attempted,
actual, or suspected corruption.

Evidence must include documented processes and procedures that
protect the employees from the above.

Note: Discrimination or disciplinary action may include threats, isolation,
demotion, preventing advancement, transfer, dismissal, bullying,
victimization, or other forms of harassment.


7.3 Due Diligence on Personnel

Partner must establish and implement due diligence processes and
procedures when employing personnel or job roles with a risk level higher
than "low" in the risk assessment (section 4.2). The controls may include
taking reasonable steps to:

• verify prospective employee's qualifications and information
furnished are accurate;

• obtain references from prospective employee's past workplaces;

• assess if the prospective employee had been involved in
corruption;

• identify the prospective employee's links to public officials; or

• verify that the successful recruitment of employee is by no means:

    o intended to secure an improper advantage for the
      organization; and
    o in return for having benefitted the organization in their
      previous employment.

Evidence must include due diligence checks records such as prospective
employees' employment history, interview records, internal meeting
minutes, and external supporting documents of the above.

7.4 Review of Criteria Used for Employee Performance, Promotion, Compensation, Bonus, and Incentives

Partner must review the criteria used for employee performance,
promotion, compensation, bonus, and incentives to ensure that they do
not inadvertently induce outbound corruption or non-action to a corrupt
activity in order to secure better performance.

Evidence must include regular review of criteria used, such as the meeting
minutes, HR report, management report, etc.


8 Reporting, Investigating and Dealing with Corruption

Requirement Description

8.1 Corruption Reporting System (Whistleblowing)

Partner must establish a robust reporting or whistleblowing system. The
reporting system must:

• allow for anonymous reporting;

• ensure the confidentiality of the whistleblower (if known) and
protect the whistleblower from fear of reprisal and reprimand if the
disclosure is made in good faith;

• encourage whistleblower to make a report with the information
specified by the Partner (e.g., the identity and roles of parties
involved) where possible;

• provide convenient and accessible reporting channels (such as
designated phone number, email address, or drop-box in a
discreet location); and

• provide diligent follow-up with the informant (if known) on the
outcome of the investigation.

Evidence must include a documented description of how whistleblowers
can make a report and evidence of the investigation.


8.2 Investigation and Dealing with Corruption

Partner must implement a procedure for assessment, investigation, and
reporting of any corruption event that is reported, detected, or reasonably
suspected. The procedure must require:

• all reported, detected, or suspected corruption events be
assessed and, where appropriate, investigated;

• assessment and investigation be conducted by person(s) not
involved in the issue;

• the investigation be carried out in confidence and with
confidentiality, where the output of the investigation is kept
confidential;

• the status and results of the investigation are reported to the
anti-corruption compliance function, the anti-corruption governance
body, and the top management as appropriate; and

• corruption risk assessment (section 4) be re-evaluated for
adequacy and effectiveness after the detection of a corrupt
practice (refer to 4.3).

Evidence must include documented assessment and investigation
procedures, assessment, and investigation reports.

Partner must report to Cisco should there be any confirmed case of
corruption related to Cisco deals:

• Online: Ethics WebForm for anonymous reporting.

• Phone: The multilingual EthicsLine is available 24 hours a day,
seven days a week, worldwide, with country-based, toll-free phone
numbers. To call from any phone, visit the EthicsLine page. The
EthicsLine is staffed by a leading third-party reporting service.

Note: Cisco supports a speak-up culture when it comes to ethics. Any
attempts to retaliate against a party who reports ethics concerns will be
subject to discipline, up to and including termination of the Cisco
relationship.


9 Monitoring and Review

Requirement Description

9.1 Anti-Corruption Governance Body Review

The anti-corruption governance body must conduct regular reviews of the
effectiveness of the anti-corruption management system. The review must
be conducted at least annually and include the following:

• anti-corruption objectives (2.2);

• changes to the corruption risk assessment;

• feedback from the anti-corruption compliance function;

• corruption events and outcome of the investigation;

• effectiveness of communication, training, and awareness; and

• effectiveness of the employment process in support of the
anti-corruption system.

Evidence must include review reports or minutes of the review meetings.
The review must be conducted at least annually.


13 Revision History

Version (Publication Date) and Summary of Changes

Version 1.0 (June 17, 2021)

• Initial Release.

Version 1.1 (April 19, 2022)

• 3.4 - clarified Cisco communicating the assessment
outcome to the partner.

• Added the consequences for the failure outcome and
re-audit period and definition.

• 11 - updated Cisco alias for appeals
CPCAsupport@cisco.com

Version 1.2 (July 6, 2022)

• Added Cisco logo and standard confidentiality statement.

• 3 - Changed the format and complemented the process
flow specifying the step about NSF providing the
summary report to the partner and audit report to Cisco.

• Clarified the duration for the get-well plan and Cisco
withholding rebates during this period.

• Added exceptions for ISO 37001 certified partners.

• Added regional / multi-national partners.

• Added Cisco Ethics Line information and non-retaliation
paragraph in control 8.1.

• Added note about Cisco requesting any corruption
pertaining to Cisco business/orders be reported to Cisco
in control 8.2

Version 2.0 (May 1, 2023)

• Editorial changes.

• Added clarification on failure to complete or pass the
revisit within 90 days.

• Removed controls 4.3 and 5.5 and renumbered the
remaining controls.

• Added clarifications to control 5.2.

• Simplified control 5.6.
