Sarbanes-Oxley Act – Section 301
Public Company Audit Committees shall establish procedures for
- the receipt, retention, and treatment of complaints received by the issuer regarding accounting, internal accounting controls, or auditing matters
- the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters.
Activity
- Establish procedures for a “Whistleblower” process, adapted to the company
- React to anonymous complaints from employees
- Keep track of the history of all complaints and reactions
Whistle Blower – Functionality
Sending Anonymous Complaints
- Employee accesses the SAP Portal or calls a URL in the intranet
- His/her user will be mapped to a dummy user
- Customer-definable HTML layouts for entering the complaints
- Complaint # for possible follow-up by the sender
- Automatic derivation of receiver and creation of workflow item
- Complaint will be stored anonymously
Analysis of Anonymous Complaints
- Receiver can see all complaints sent to him/her in the SAP Portal
- Receiver might have been notified by additional anonymous e-mail
- Reporting and analysis functions on the complaints
Complaints can also be submitted with the user’s name.
Both types of complaints can be used in parallel.
Whistle Blower – User Interface
You can integrate the Whistle Blower Complaints into your intranet and make it available to your employees via URL call. Optionally, the functionality can be used within the mySAP Enterprise Portal, as ITS-based iView, integrated in any portal role.
Whistle Blower – Protection of the Issuer
The complaint number is the only documentary evidence of the anonymous complaint. The complaint number should be written down and kept in a secure place. It might be used to follow up on the matter or to raise a claim for whistle blower protection in case of retaliation (SOA Whistle Blower Protection Right). For future releases, it is planned to provide an additional unique identification number to the sender of the complaint.
Whistle Blower – Example Form
SAP delivers an example form with
- a read-only text field with instructions from the accounting department
- a selection field with a drop-down list that helps the user to select the affected company
- a description field in which the issuer can insert the complaint.
The customer
- may adjust the form
- has to decide whether to use it anonymously or with the user’s name
- has to copy the form if both scenarios shall be supported
- has to implement the workflow
- Internet Service Requests (ISR) for defining web forms, see http://service.sap.com/isr for more detail
- Workflow Functionality
- QM Notifications for storing the complaints
System Requirements
- R/3 4.6C SP 46 or R/3 Enterprise SP 17
- ITS (Internet Transaction Server)
- Optional: mySAP Enterprise Portal 5.0 or higher
Whistle Blower – Essentials for Anonymization
The Issue
If properly set up, SAP does not store the sender of the complaint. However, there is the issue of logging on several technical levels.
Recommendation
- Enforce access through an application level anonymization proxy which does not write any access or forwarding log.
- Proxy should also enforce access to at least one non-sensitive, common-use scenario (e.g. internal news).
- Proxy access must be provided via HTTPS.
- It is recommended to also use Open Software anonymization software to avoid any logging.
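One way to express this recommendation as a reverse-proxy configuration, shown for nginx as an added example (it is not part of the SAP material, which names no proxy product). Host names, paths, ports and certificate locations are assumptions.

```nginx
# Added example. All host names, paths, ports and file locations are assumed.
# Place inside the http { } context of nginx.conf.

# For contrast, the usual default that must NOT be used here: it records the
# client IP, timestamp and URL of every request.
#   access_log /var/log/nginx/access.log combined;

server {
    listen 443 ssl;                        # proxy is reachable via HTTPS only
    server_name anon-proxy.example.internal;

    ssl_certificate     /etc/nginx/tls/anon-proxy.crt;
    ssl_certificate_key /etc/nginx/tls/anon-proxy.key;

    access_log off;                        # write no access log
    error_log  /dev/null crit;             # error_log cannot be disabled; discard it

    # Forward nothing to the backends that identifies the calling workstation.
    # An empty value means the header is not passed upstream at all.
    proxy_set_header X-Forwarded-For "";
    proxy_set_header X-Real-IP       "";
    proxy_set_header Forwarded       "";
    proxy_set_header Via             "";
    proxy_set_header Referer         "";
    proxy_set_header User-Agent      "anon-proxy";

    # Non-sensitive, common-use scenario served through the same proxy, so that
    # a connection to the proxy does not by itself indicate a complaint.
    location /news/ {
        proxy_pass http://intranet-news.example.internal;
    }

    # Whistle Blower complaint form (ITS service behind the proxy).
    location /complaints/ {
        proxy_pass http://its.example.internal:8080;
    }
}
```

Logs written at other technical levels (load balancers, firewalls, the ITS and the R/3 system) are outside this file and need the same review.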
Whistle Blower – Roadmap
R/3 4.6C
Delivery via Support Package 46, December 12, 2003
R/3 Enterprise
Delivery via Support Package 17, December 16, 2003
Functionality Sending Anonymous Complaints
- Employee accesses the SAP Portal
- His/her user will be mapped to a dummy user
- Customer-definable HTML layouts for entering the complaints
- Complaint # for possible follow-up by the sender
- Automatic derivation of receiver, option for workflow
- Complaint will be stored anonymously
Analysis of Anonymous Complaints
- Receiver can see all complaints sent to him/her in the SAP Portal
- Receiver might have been notified by additional anonymous e-mail
- Reporting and analysis functions on the complaints
Copyright 2003 SAP AG. All Rights Reserved