Why Your Documentation Decides Your Audit Outcome
SAP's audit team arrives with one objective: to establish the largest defensible compliance gap possible. They do this by running USMM (User and System Measurement) and LAW (License Administration Workbench) against your landscape, then comparing the output to your current licence entitlements. The gap between those two numbers becomes SAP's opening claim.
What most enterprises fail to understand is that this claim is not final. It is a starting position. Every piece of documentation you can deploy — contract records, historical usage evidence, user classification justifications, system decommission confirmations — is ammunition to challenge, reduce, or eliminate items from SAP's initial finding. Enterprises with strong documentation routinely reduce audit claims by 40–70%. Those without it typically pay close to what SAP asks.
The average SAP audit claim is 3–5× what the customer actually owes after independent challenge. The difference is almost always documentation quality — not the underlying facts of the licence position.
Our SAP audit defence service has resolved over $200M in compliance exposure. In virtually every engagement, the single most valuable action a client can take before audit arrives is assembling a structured documentation set. This guide tells you exactly what that set should contain.
Category 1: Contractual Entitlement Records
These are the foundation of your defence. SAP can only claim non-compliance against what your contract says you are licensed for. If your contract records are incomplete, SAP will use its own versions — which may not reflect negotiated terms, side letters, or amendments you received years ago.
Master Agreement
The governing contract between your organisation and SAP SE. Contains audit rights language, dispute resolution clauses, and licence grant conditions.
Order Forms & BoMs
Every Order Form and Bill of Materials documenting specific product names, user types, quantities, and metric definitions purchased.
Amendments & Side Letters
Any supplemental agreements, addenda, or side letters that modified original licence terms. These are frequently missed during audit preparation.
Support & Maintenance Schedule
The schedule governing annual maintenance and support fees — and critically, any negotiated caps or waivers on true-up obligations.
Critical action: Print and file every document with the exact version that existed at the time of purchase. SAP contracts are periodically revised and different clauses apply to different vintage agreements. A Master Agreement from 2018 may treat indirect access very differently from one signed in 2022.
Category 2: User Classification Evidence
User type misclassification is the single most common source of SAP audit exposure. SAP's USMM tool assigns users to licence categories based on transaction usage patterns — but this automated classification routinely over-assigns. A warehouse operative who occasionally runs a report gets classified as a Professional user. A contractor who logged in once appears in your named-user count permanently.
You need documentation that justifies every user's assigned licence type. This means:
- Job role descriptions — formal HR records or IT governance documents defining what each user category is authorised to do in SAP
- Transaction usage logs — exported from USMM showing actual transaction codes used, not just the system's suggested classification
- Historical reclassification records — any previous exercises where users were downgraded from Professional to Limited Professional or Employee
- Inactive and dormant user reports — evidence of users who should be removed from the measurement count entirely
- Test and developer user justifications — documentation that certain users are correctly classified as Developer licence types
SAP's USMM measures all users with any SAP access, including service accounts, batch users, and interfaces. Without documentation proving these are not human named users, SAP will count them as full Professional licences in your measurement output.
If you need to challenge user classifications with evidence, our SAP licence optimisation team can run a pre-audit reclassification exercise to establish a defensible user count before SAP's measurement team arrives.
Category 3: System Landscape Documentation
SAP's audit scope typically covers your entire SAP landscape — every system registered in your Solution Manager installation. Systems you believed were decommissioned, test environments you thought were excluded, and development landscapes you assumed were out of scope all carry potential licence obligations if they appear in your landscape documentation.
Maintain complete, current records of:
- System IDs (SIDs) and system types — production, quality, development, sandbox, for every SAP system in the landscape
- Decommission confirmations — written records, ideally in SAP's system deregistration format, for any system you have turned off
- Cloud vs on-premise classifications — systems hosted in public cloud versus SAP BTP versus on-premise data centre; cloud-hosted systems may have different measurement rules
- Third-party integration maps — documentation of non-SAP systems that connect to SAP, with the nature of the connection and access type
- Hardware and infrastructure certificates — for engine-based licences (HANA, databases), capacity and configuration records
Uncertain About Your System Landscape Exposure?
Our pre-audit landscape review identifies measurement risks before SAP arrives — including forgotten systems, misconfigured integrations, and interface patterns that create indirect access exposure.
Category 4: Digital Access and Indirect Access Records
Since SAP's 2018 introduction of Digital Access as the mechanism for licensing third-party system interactions with SAP, indirect access has become the fastest-growing area of audit exposure. Understanding and documenting your Digital Access position is now non-negotiable.
Digital Access is priced on document volumes — Orders, Deliveries, Invoices, and Material movements created in SAP by non-SAP systems. Without documentation, SAP will estimate volumes based on system transaction counts, which almost always overstates actual exposure.
Documents to maintain in this category:
- Integration architecture maps — every system that reads from or writes to SAP, the middleware involved (MuleSoft, Dell Boomi, SAP Integration Suite), and the document types generated
- Document volume reports — monthly or quarterly exports from SAP showing the actual count of Digital Access document types by integration scenario
- Converted licence records — any agreements where you have migrated legacy indirect access arrangements to Digital Access terms
- Custom development documentation — specifications for any Z-transactions or custom code that interacts with SAP via interfaces, establishing whether they create licensable document events
For a comprehensive treatment of this topic, read our guide to SAP indirect access and how Digital Access pricing works in practice.
Category 5: Previous Audit and Measurement Records
If your organisation has been audited before, those records are among your most valuable assets in a new audit. They establish a documented baseline, constrain SAP's ability to retroactively claim exposure for periods already settled, and demonstrate a pattern of compliance good faith.
Preserve permanently:
- Previous USMM and LAW outputs — the actual measurement files from every annual system measurement and formal audit
- Settlement agreements — signed documents showing what was agreed, paid, or waived at the conclusion of any prior audit
- STAR (SAP True-Up Resolution) or SLAW (SAP License Audit Workbench) reports — any self-declaration documents you have submitted to SAP
- Correspondence records — all written communication with SAP's audit and commercial teams, including emails, meeting notes, and formal letters
- Independent expert reports — any analysis produced by external SAP licensing advisors in connection with prior audits
Settlement agreements from prior audits often contain "release and waiver" clauses that specifically bar SAP from claiming exposure for defined periods or product categories. These clauses are frequently overlooked by both parties — and very valuable when invoked.
How to Organise Your SAP Audit Documentation
Documentation that exists but cannot be quickly located is nearly as useless as documentation that doesn't exist. SAP's audit timeline is deliberately compressed. When SAP requests a document, you typically have days — not weeks — to respond. An organised documentation repository lets you respond decisively and selectively.
We recommend a four-folder structure:
| Folder | Contents | Access Level |
|---|---|---|
| 01 — Contracts | Master Agreement, all Order Forms, BoMs, amendments, side letters, T&Cs | Legal + Licensing team only |
| 02 — User Data | USMM exports, user classification justifications, reclassification records, dormant user reports | Licensing team + Basis team |
| 03 — Landscape | System registry, decommission records, integration maps, HANA sizing certificates | Basis team + Architecture |
| 04 — Audit History | Prior USMM outputs, settlement agreements, STAR/SLAW submissions, SAP correspondence | Legal + Licensing team only |
Store this repository off SAP systems — ideally in a document management platform with full version history and access logging. Never store audit documentation only in SAP itself.
What Not to Share With SAP During an Audit
Documentation management cuts both ways. Producing evidence that helps your position is important. Equally important is knowing what SAP has no right to request — and declining to provide it.
You are not obligated to share:
- Internal commercial analysis — any internal documents assessing your licence position, compliance risk scoring, or pricing benchmarks
- Third-party vendor contracts — agreements with non-SAP vendors, cloud providers, or systems integrators that SAP has no contractual right to inspect
- Future plans and roadmaps — technology roadmaps, migration timelines, or investment plans that SAP could use to construct future upsell strategies
- Legal privilege documents — any communication between your organisation and legal counsel regarding SAP licence risk or audit strategy
- Raw system access — SAP has the right to run specific measurement tools under supervised conditions. They do not have the right to browse your system landscape unsupervised.
For detailed guidance on the data sharing question, read our article on SAP STAR and SLAW self-declaration — which explains what SAP's self-measurement tools actually capture and how to manage your disclosure obligations.
Building an Ongoing Documentation Programme
SAP customers who treat documentation as an audit-time exercise are always behind. SAP's commercial team reviews your measurement data on an ongoing basis. When they identify a pattern that suggests compliance exposure, an audit letter follows. The enterprises that handle audits most effectively are those that maintain a continuous documentation discipline — treating their licence position as a managed asset, not an annual headache.
A sustainable programme includes:
- Quarterly user classification reviews with business unit sign-off on any changes
- Annual contract inventory — confirming every Order Form and amendment is held in your repository
- System landscape reconciliation every six months, deregistering decommissioned systems promptly
- Integration change control that captures any new third-party connections to SAP at point of deployment
- Designated licence management ownership — a named individual in your organisation accountable for SAP licence documentation
If you are building or strengthening an internal licence management programme, our SAP licence compliance advisory service provides the governance frameworks, templates, and ongoing support enterprises need to stay audit-ready.
Don't Build Your Documentation Strategy Alone
Our SAP audit defence specialists work with enterprise teams to build documentation programmes that make audits manageable — and challenges winnable. We know what SAP looks for because we used to conduct these audits.
Next Steps
If you have an audit in progress or recently received an audit notification letter, the priority is documentation triage — identifying what you have, what you are missing, and what you should produce first. Time spent on this in the first 48 hours typically pays back ten-to-one in reduced compliance exposure.
Read our full guide on how to respond to an SAP audit letter in the first 48 hours, and download our comprehensive SAP Audit Guide for the complete enterprise defence framework.
To discuss your specific situation with an independent SAP licensing expert, book a free consultation. We do not charge for initial assessments, and we are not affiliated with SAP SE.
Received an SAP Audit Letter?
Our team treats audit enquiries as priority — we respond within 4 business hours and can engage within 48 hours of instruction. The first 72 hours of an SAP audit define the outcome.
Independent SAP Audit Defence
We have resolved over $200M in SAP audit exposure. If you are facing an active audit, a compliance claim, or want to understand your exposure before SAP comes calling, our SAP audit defence service is the fastest path to a defensible position.