Responsibility
Transparency and Governance
Corporate Governance
CODE OF BUSINESS CONDUCT
The Code of Business Conduct for employees and the Executive Board expresses the high standards that we require from our employees and Executive Board members and how we deal with customers, business partners, and shareholders. SAP sees its Code of Business Conduct as the standard applicable to all dealings involving customers, business partners, vendors, shareholders, and competitors. By implementing the Code of Business Conduct, SAP safeguards against misleading these parties and against unfair competitive practices and corruption.
RISK MANAGEMENT AT SAP
In German stock corporation and commercial law, there are special requirements for internal risk management that apply to SAP. Our global risk management system therefore supports risk planning, identification, analysis, handling, and resolution. We also create standard documentation of all our internal control mechanisms and continually evaluate their effectiveness.
Furthermore, the provisions of the Sarbanes-Oxley Act apply to SAP as a company listed on the U.S. stock exchange. In 2006, we successfully completed the first assessment of our internal control system for financial reporting on the basis of the complex requirements in the Sarbanes-Oxley Act, section 404.
As the auditor for the SAP Group, KPMG Deutsche Treuhand-Gesellschaft Aktiengesellschaft Wirtschaftsprüfungsgesellschaft (KPMG) audited the Executive Board’s evaluation of the functioning of the internal control system for financial reporting and this system’s effectiveness on December 31, 2006, and issued an unqualified audit opinion.
The management of SAP’s subsidiaries uses our internal certification system to confirm, among other things, the accuracy of its financial reporting. In particular, it confirms that, in all key areas, the financial data appropriately reflects the assets, finances, income, and cash flows of the units in the reports. SAP must also confirm that the management of each unit has verified its own disclosure controls and procedures and found that they were working at the end of the reporting period in question. This confirmation – in addition to the confirmation of adequate procedures from Executive Board members and regional management – forms the basis for the certifications that, according to the Sarbanes-Oxley Act, the CEO and CFO must sign and submit to the U.S. Securities and Exchange Commission (SEC) along with the Form 20-F annual report. In the certifications, SAP’s CEO and CFO confirm that the details in Form 20-F are correct and that SAP’s financial statements appropriately reflect the assets, finances, and income in all key areas. They also confirm that the functioning of the disclosure controls and procedures was evaluated and that Form 20-F reports on the outcome of this evaluation and on any significant changes to it. These processes are supported by a standard software product that SAP developed for the purpose: the management of internal controls (MIC) tool. Another control mechanism at SAP besides the processes described above is standardized reporting across the Group. The internal audit service, the disclosure committee, and the Supervisory Board are also closely involved in risk management.
