Monday, March 2, 2026

6 supplier code of conduct red flags you can spot and fix fast

Written by Iratxe Gurpegui

Most supplier codes of conduct fail in the same place: they exist as a document, but they do not operate as a control. Then an AFA-style review, an ISO audit, a customer due diligence request, or an internal incident forces the same question: “show me evidence suppliers understood, accepted, and actually followed it.”

If you are reviewing a code of conduct for suppliers this quarter, you can spot the gaps quickly, fix the highest-risk ones fast, and build an evidence trail that stands up to scrutiny.

What “good” looks like (what auditors actually test)

A supplier code of conduct is not only a set of expectations. In practice, it is a package of controls across the third-party lifecycle: onboarding, contracting, training, monitoring, incident handling, and remediation.

This is why supplier codes are frequently reviewed alongside:

  • Third-party due diligence expectations under France’s Loi Sapin II (in particular, the third-party assessment measures under Article 17 for in-scope entities) and AFA recommendations (which emphasize risk-based, documented evaluation and monitoring of third parties).
  • “Business associate” controls under ISO 37001, which explicitly expects organizations to address bribery risks in relationships with business associates (including suppliers) through due diligence and anti-bribery controls.
  • Operational effectiveness expectations embedded in UNE 19601 (criminal compliance), which, like ISO 37001, rewards programs that can show traceability, ownership, and evidence of functioning controls.

A 30-minute red flag scan (before you rewrite anything)

Use this quick scan to decide whether you are dealing with a minor refresh or a structural rebuild.

  • Scope check: Does it clearly define which third parties are in scope (suppliers, subcontractors, intermediaries, logistics, consultants, temporary labor, etc.)?
  • Risk link: Is it obviously connected to your risk map (anti-bribery, conflicts of interest, competition, fraud, data access, public tender exposure)?
  • Flow-down: Does it require suppliers to apply equivalent standards to their own subcontractors when relevant?
  • Operational hooks: Does it reference concrete processes (gifts approvals, conflicts disclosures, speak-up channel, audit rights, recordkeeping)?
  • Enforcement: Are breaches, investigations, and remediation steps described in a realistic way?
  • Evidence: Could you show who received it, who accepted it, and how exceptions are handled?

If you cannot answer “yes” to at least four items, the document is probably not functioning as a control.

The 6 supplier code of conduct red flags (and how to fix them fast)

Red flag 1: It is copied, generic, or disconnected from your risk map

What you see: broad values (“integrity,” “respect”), a long list of topics, and no prioritization. It reads like a web page, not an operational standard.

Why it matters: generic language is hard to test. Under ISO-style audits, you will be asked how the document reflects your specific bribery risk determination (ISO 37001) or compliance risk assessment (UNE frameworks). Under Sapin II logic, third-party measures should be risk-based, not uniform.

Fast fix: add a one-page “risk focus” annex that lists your top supplier-related risks and the related expectations.

Evidence to keep: the mapping between the annex and your risk assessment (workshop notes, scoring rationale, approval record).

Red flag 2: The scope is unclear (who must comply, and when)

What you see: the code says “suppliers” but does not define them, or it excludes common high-risk categories (agents, distributors, subcontractors, consultants, JV partners).

Why it matters: unclear scope leads to inconsistent onboarding, especially cross-border. Teams in France may apply stricter rules because of Sapin II exposure, while teams in Spain apply a different perimeter driven by UNE certifications or customer requirements.

Fast fix: add a scope box at the top:

  • Covered entities (legal entities and business units)
  • Covered third parties (categories)
  • Trigger events (new onboarding, renewal, tender participation, change of scope, subcontracting)

Evidence to keep: your third-party inventory (or at minimum, the list of categories in scope) and a short rationale for what is excluded.

Red flag 3: Acceptance is “signature-only” (no proof of understanding)

What you see: procurement collects signatures, saves PDFs, and considers the job done.

Why it matters: signature-only is weak evidence of adoption. Auditors and reviewers often look for signals of implementation: communication, practical guidance, targeted training for high-risk roles, and a functioning escalation path.

Fast fix: add a short, role-specific acknowledgement flow.

  • For low-risk suppliers: e-sign acceptance + a 3-question knowledge check (or a short FAQ they must confirm reading).
  • For higher-risk suppliers: acceptance + a short briefing call, or a targeted micro-training (15 minutes) focused on your top scenarios.

Evidence to keep: Acceptance logs, completion records, and the content used (version-controlled).

Red flag 4: It has no operational owner (and procurement is left alone)

What you see: the code exists, but nobody owns exceptions, waivers, or follow-up. Procurement becomes the de facto compliance team.

Why it matters: operational ownership is a recurring weakness in third-party controls. Without it, you cannot show effectiveness, and you cannot reliably remediate.

Fast fix: publish a simple RACI for supplier conduct governance.

| Activity | Responsible | Accountable | Consulted | Informed |
|---|---|---|---|---|
| Supplier code content updates | Compliance | Legal | Procurement, business | Leadership |
| Supplier onboarding acceptance control | Procurement | Procurement lead | Compliance | Business owner |
| High-risk supplier due diligence decision | Compliance | Compliance head | Legal, procurement | Business owner |
| Breach intake and triage | Compliance | Compliance head | Legal, HR, procurement | Leadership |

Evidence to keep: the RACI, approval record, and at least one example of an exception handled using the model.

Red flag 5: It is not integrated into onboarding and contracting

What you see: the supplier accepts the code, but the contract does not reflect it, or key clauses are missing (audit rights, termination for cause, flow-down, recordkeeping, cooperation).

Why it matters: a code without contractual hooks is hard to enforce. ISO 37001 expects controls proportionate to the bribery risk posed by business associates. In practice, that often means contract terms and the ability to verify.

Fast fix: create a “minimum clause pack” aligned to your risk tiers.

  • A baseline clause set for all suppliers (compliance with the code, cooperation, speak-up and non-retaliation, recordkeeping).
  • Enhanced clauses for higher-risk suppliers (audit rights, subcontractor flow-down, training obligations, certifications, approval for use of intermediaries).

Evidence to keep: a clause library (version-controlled) and sample signed contracts showing the clauses are actually used.

Red flag 6: It lacks monitoring and a credible breach process

What you see: the code lists prohibited conduct, but it does not explain how issues are detected, reported, investigated, and remediated.

Why it matters: “paper compliance” is a known failure mode. Reviewers increasingly expect a loop: detection, triage, investigation, corrective action, and lessons learned. This aligns with the control effectiveness mindset across Sapin II practices, ISO standards, and UNE frameworks.

Fast fix (same month): add two operational sections.

  • How to raise a concern (supplier-facing): channel, language availability, confidentiality, what happens next, expected response times.
  • How breaches are handled (internal-facing): triage criteria, escalation thresholds, remediation actions, and when termination is considered.

Evidence to keep: a breach register (even if small), triage records, remediation actions, and proof of closure.

A simple decision tree for applying the code proportionately

A supplier code becomes defensible when it drives differentiated actions (not one uniform process).

Use this lightweight decision model to align scope, diligence, and monitoring.

| Supplier risk indicators (examples) | Suggested tier | Minimum actions |
|---|---|---|
| Low spend, no public sector touchpoints, no access to sensitive data | Low | Accept code, basic screening, renewal check |
| Handles personal data, interacts with customers, operates in higher-risk markets | Medium | Accept code, enhanced questionnaire, periodic review |
| Uses intermediaries, interacts with public officials, involved in tenders, high commissions | High | Accept code, deep due diligence, contractual enhancements, monitoring plan |

[Figure: a simple decision tree diagram for supplier tiering with four boxes: inputs (risk indicators), tier assignment (low/medium/high), required actions, and evidence to retain.]

What to store as audit-ready evidence (the “supplier code evidence pack”)

If you want to prove effectiveness, aim to retrieve the following within 30 minutes during an audit or internal review.

  • Current version of the supplier code (and previous versions) with approval dates
  • Scope definition and tiering criteria
  • Distribution and acceptance logs (by supplier, date, entity)
  • Contractual clause evidence (samples per tier)
  • Training or briefing records for high-risk suppliers (where used)
  • Monitoring evidence (screening results, review reports, audit reports, follow-up actions)
  • Breach handling records (intake, triage, remediation, closure)
  • Metrics showing coverage and follow-through (see below)

Metrics that show effectiveness (not just activity)

Supplier conduct metrics should answer two leadership questions: are we covering the right perimeter, and are issues detected and resolved fast enough?

| Metric | What it tells you | Typical evidence source |
|---|---|---|
| Coverage rate by tier | Whether high-risk suppliers are actually in the process | Supplier master data + tiering field |
| Acceptance freshness | Whether acceptance is current (new and renewals) | E-sign logs |
| Due diligence cycle time (medium/high) | Whether the process is operationally viable | Case tracker |
| Remediation velocity | Whether findings lead to closure, not stagnation | Action plan register |
| Breach triage time | Whether the channel is trusted and responsive | Speak-up or incident log |
| Repeat findings rate | Whether fixes stick (control effectiveness signal) | Monitoring reports |

If you report only “number of suppliers signed,” you are reporting activity, not effectiveness.

How Naltilia can help

If your main pain point is turning the supplier code into an operational, auditable system, Naltilia can support the workflow behind it: maintaining a living risk map that drives supplier tiering, automating evidence collection (acceptance logs, attestations, document requests), tracking remediation actions with owners and deadlines, and producing board-ready KPIs. This is particularly useful when you need consistency across entities while still keeping controls proportionate by supplier risk.

If you want to discuss your compliance setup and what an audit-ready workflow could look like, you can contact Naltilia.

Frequently asked questions

Is a supplier code of conduct required under Sapin II? Sapin II (Article 17) requires an internal code of conduct for in-scope entities, and it also requires third-party assessment measures. A supplier code is a common and practical way to support third-party expectations, but it should be part of a broader, risk-based third-party control framework.

How often should we update our supplier code of conduct? Typically when your risk assessment changes, when regulations or standards you follow evolve, or when incidents reveal gaps. Many organizations also set a regular review cycle (for example, annually) with an off-cycle update trigger.

Do we need suppliers to complete training, or is acceptance enough? Acceptance may be sufficient for low-risk suppliers. For higher-risk suppliers, training or briefings are often a stronger control because they support understanding and create better evidence of implementation.

What is the fastest way to make the supplier code audit-ready? Focus on traceability: clear scope, tiering, acceptance logs, contract clause linkage, and a basic monitoring and breach-handling loop. Those elements typically create the quickest improvement in defensibility.

How do we avoid antitrust risk when writing supplier conduct requirements? Avoid language that asks or encourages suppliers to share competitively sensitive information about your competitors (pricing intentions, competitor terms, market allocation). Keep expectations focused on lawful behavior, escalation, and records.

This article is general information, not legal advice.

About the Author

Iratxe Gurpegui

I've spent 20 years as a compliance and competition lawyer across Europe and Latin America, and throughout my career, I've seen firsthand how complex and costly regulations can hold companies back. But I've also learned that compliance doesn't have to be a burden; it can be a strategic advantage. My mission is to help companies harness the power of AI, transforming compliance into something faster, simpler, and most importantly, a real driver of growth for businesses.