Sophos Speak Out FAQs

What is Sophos “Speak Out” and why do we need a system like EthicsPoint?

I am concerned that the information I provide via EthicsPoint will ultimately reveal my identity. How can you assure me that will not happen?

Is the telephone toll-free hot line confidential and anonymous too?

What if I want to be identified with my report?

It is my understanding that any report I send from a company computer generates a server log that shows every web-site that my PC connects with, and won’t this log identify me as a report originator?

Can I access the EthicsPoint portal and make a report from another computer outside of Sophos and still remain anonymous?

May I report using either the Internet or the telephone?

What should this hotline be used for?

If I see such a concern, shouldn't I just report it to my manager, Security, or Human Resources and let them deal with it?

Why should I report what I know?

Does management really want me to report?

Where do these reports go? Who can access them?

Will anyone else be involved in my report?

What if my boss or other managers are involved in a violation? Will they get a copy of this report?

I am not sure if what I have observed or heard is a violation of company policy, or involves unethical conduct, but it just does not look right to me. What should I do?

What if I do not know the country where the violation occurred, which country do I choose from the dropdown list?

What if I remember something important about the incident after I file the report? Or what if the company has further questions for me concerning my report?

What is Sophos “Speak Out” and why do we need a system like EthicsPoint?

“Speak Out” is Sophos’s third-party reporting system hosted by Navex Global via its EthicsPoint portal and is one of the tools used by Sophos to build on our culture of integrity and ethical decision-making.

Sophos’s value of Authenticity includes a focus on transparency. By creating open channels of communication, Sophos can help to foster a positive work environment for its employees and promote responsible business practices.

I am concerned that the information I provide via EthicsPoint will ultimately reveal my identity. How can you assure me that will not happen?

The EthicsPoint system is designed to protect your anonymity. However, if you wish to remain anonymous, you - as a reporting party - need to ensure that the body of the report does not reveal your identity by accident. For example, “From my cube next to Jan Smith…” or “In my 33 years…”.

Is the telephone toll-free hot line confidential and anonymous too?

Yes. You will be asked to provide the same information that you would provide in an Internet-based report and an interviewer will type your responses into the EthicsPoint portal. These reports have the same security and confidentiality measures.

What if I want to be identified with my report?

The report includes a section to identify yourself, if you choose.

It is my understanding that any report I send from a company computer generates a server log that shows every web-site that my PC connects with, and won’t this log identify me as a report originator?

EthicsPoint does not generate or maintain any internal connection logs with IP addresses, so no information linking your PC to EthicsPoint is available. EthicsPoint is contractually obligated to Sophos not to pursue a reporter’s identity.

Can I access the EthicsPoint portal and make a report from another computer outside of Sophos and still remain anonymous?

Yes. The EthicsPoint portal is available from external networks as well. A report from any computer (home, a neighbor’s computer, or any Internet portal) and any follow-ups via the portal will remain secure and anonymous. Your report key allows you to access your report via the EthicsPoint portal from any network at any time. The EthicsPoint system strips away Internet addresses so that anonymity is maintained.

May I report using either the Internet or the telephone?

Yes. With EthicsPoint, you have the ability to file a confidential, anonymous report via either the telephone or the Internet. The EthicsPoint toll-free hotline is available 24 hours a day, 365 days a year.

What should this hotline be used for?

The “Speak Out” hotline should only be used for reporting any concerns that you have related to the following areas:

  • Bribery (including in relation to a customer or partner of Sophos, insofar as it affects Sophos).
  • Actions by Sophos or Sophos employees which fail to meet professional or ethical standards.
  • Matters that fall within the scope of the UK Public Interest Disclosure Act.
  • Accounting and Auditing Matters.
  • Conflict of Interest.
  • Embezzlement Environmental Protection, Health or Safety Law.
  • Illegal or Fraudulent Conduct.
  • Falsification of Contracts, Reports or Records.
  • Import/Export- Failure to comply with import, export or tax laws.
  • Improper Giving or Receiving of Gifts or Entertainment
  • .
  • Misconduct or Inappropriate Behaviour.
  • Intellectual Property Infringement.
  • Misleading Sales, Marketing & Advertisement.
  • Procurement and Purchasing Practices- Refers to any violation of Corporate Policy governing procurement and purchasing practices.
  • Product Quality.
  • Sabotage or Vandalism.
  • Securities Violations.
  • Side Letters.
  • Theft.
  • Unsafe Working Conditions.
  • Use of Company Property or Resources.
  • Violation of Policy.
  • Violence or threat any other concerns that you feel are appropriate to report via “Speak Out.”

If I see such a concern, shouldn't I just report it to my manager, Security, or Human Resources and let them deal with it?

When you observe behavior that you believe is a concern, Sophos expects you to report it. Your concerns may be brought forward to your direct manager, or other member of our management team, or HR. However, there may be circumstances when you may not be comfortable reporting a concern in this manner. It is for such circumstances that we have partnered with EthicsPoint. We would rather you report anonymously than keep the information to yourself.

Why should I report what I know?

It can be difficult to report, but we believe a report adds value because by working together, we can continue to build a healthy and productive environment for everyone, including you. By reporting concerns, you ensure Sophos has the opportunity to improve and address problems that have been seen, protect you, and protect the Company. We cannot take these steps without your report.

Does management really want me to report?

Yes. And you are highly encouraged to report concerns you have noticed. You know what is going on in the company - both good and bad. You may have firsthand knowledge of an activity that may be cause for concern. Your reporting can minimize the potential negative impact on the Company and on your colleagues. Also, offering positive input may help identify issues that can improve corporate culture and performance.

Where do these reports go? Who can access them?

Reports are entered directly on the EthicsPoint secure server to ensure the information is maintained in a secure and confidential manner. The Sophos Chief Legal Officer and Non-Executive Director are responsible for reviewing reports in line with their ethical obligations. The EthicsPoint system alerts these people when a report has been received.

Will anyone else be involved in my report?

If required as part of the investigation, yes. After reviewing your report other people may need to be involved to gather evidence and further information to support an investigation into the matter raised in your report. It is essential that we gather facts that provide full detail to your report and place your report in context, particularly if follow-up steps are considered and taken.

What if my boss or other managers are involved in a violation? Will they get a copy of this report?

No. The EthicsPoint system and report distribution are designed so that other parties referenced in your report are not notified or granted access to your report.

I am not sure if what I have observed or heard is a violation of company policy, or involves unethical conduct, but it just does not look right to me. What should I do?

File a report. EthicsPoint can help you prepare and file your report, so it can be properly understood. We would rather you report a situation that turns out to be harmless than let possible unethical behavior go unchecked because you unsure whether about the situation was properly within the parameters of the “Speak Out” reporting structure.

What if I do not know the country where the violation occurred, which country do I choose from the dropdown list?

Should this be the case, choose the country where you are located. The country selection is located in the drop-down menu. Be sure to note in your description of the event that this information is missing. If further information is required during the investigation, you will receive a request via the EthicsPoint system to provide additional details.

What if I remember something important about the incident after I file the report? Or what if the company has further questions for me concerning my report?

When you file a report through the EthicsPoint system, you receive a unique report key and are asked to choose a password. You can return to the EthicsPoint system again either by Internet or telephone and access the original report to add more detail or answer questions and add further information that will help resolve open issues.

To ensure confidentiality is maintained, the EthicsPoint system does not communicate back to you at your email or telephone number. You must use your report key and log back in to access your report to see if additional information is required and to view the response to your report.