Key Takeaways
- Do not respond immediately. The 48-hour window is for preparation, not for sending SAP an acceptance of their proposed process.
- The audit letter invokes a contractual right — read the specific clause before doing anything else. Your obligations are precisely what the contract specifies, no more.
- Your SAP account manager is not your ally in this process. Do not let them manage the response on your behalf.
- Engage independent advisors within 24 hours. The first formal response to SAP should be reviewed by experts before it is sent.
- Document everything from the first moment. Every communication, every verbal commitment, every meeting becomes relevant when you are challenging SAP's ELP 6 months later.
The Moment the SAP Audit Letter Arrives
The SAP audit letter typically arrives by email from a named contact in SAP's Global Licence Auditing & Compliance (GLAC) team. It may simultaneously be cc'd to your SAP account manager. It will cite a specific clause in your licence agreement (usually the audit rights or inspection rights provision) and propose a process for measurement, typically beginning with a kick-off call within 2–3 weeks.
The letter is designed to create urgency. SAP wants you to respond quickly, agree to the proposed scope and timeline, and move into the measurement phase before you have time to prepare a structured challenge. Speed is SAP's ally. Deliberate, structured preparation is yours.
This article is part of our SAP audit process overview series. For context on what triggers audits in the first place, see our guide on what triggers an SAP audit.
The 10-Step First 48 Hours Action Plan
1. Read the Letter Carefully — And Nothing Else
Read the letter in full. Note the specific contract clause cited, the proposed scope, the proposed timeline, and any specific requests or demands. Do not respond yet. Do not forward the letter broadly within your organisation yet. Do not call your SAP account manager. Read the letter, understand what it is and is not, and move to step 2.
2. Locate and Read Your SAP Licence Agreement
Retrieve your SAP licence agreement and turn to the audit rights clause cited in the letter. Read the precise language. What does it permit SAP to measure? What notice period does it require? Does it specify a maximum frequency of audits? Does it specify systems or entities that are in or out of scope? Your obligations are exactly — and only — what the contract specifies.
3. Engage Independent SAP Audit Advisors
Within 24 hours of receiving the letter, contact independent SAP licensing advisors. Not your SAP account manager. Not your SAP implementation partner (who has a commercial relationship with SAP). Independent advisors with no SAP commercial affiliation whose sole interest is reducing your audit liability. This is the single most important action in the 48-hour window. Our SAP audit defence team is available for rapid response engagements.
4. Assemble Your Internal Response Team
Identify and brief the key internal stakeholders who need to be part of the audit response: Legal or Procurement (to own the contractual engagement with SAP), IT Architecture or Basis (to provide technical evidence and manage system access), Finance (to model financial scenarios), and executive sponsorship at CFO or CIO level. Brief them on what has arrived, that you are assembling a structured response, and that no one should communicate with SAP unilaterally.
5. Establish a Communication Protocol
All communications with SAP should go through a single designated point of contact — ideally Legal or Procurement, with your independent advisor copied on all significant communications. No verbal commitments to SAP about scope, timing, or data access should be made outside of this channel. This includes your SAP account manager calling informally to "help smooth the process."
6. Conduct a Preliminary Scope Assessment
Working with your IT architecture team and independent advisors, conduct a preliminary assessment of what the proposed audit scope would actually cover. Which entities are included? Which systems? Does the scope include recently acquired entities that may have M&A grace period protection? Does it include sandbox and training systems that should be excluded? Identify your scope challenges before you respond.
7. Send an Acknowledgement — Not an Acceptance
Within 2–3 business days of receiving the letter, send a formal acknowledgement. This should be short, professional, and non-committal. It confirms receipt, notes you are reviewing the request against your contractual obligations, and advises that you will respond formally within 10–14 business days. Do not confirm scope. Do not agree to a kick-off call date. Do not provide any data.
8. Conduct a User Master Record Inventory
Instruct your IT team to produce a current inventory of your SAP user master records: total active named users, users with zero login in the past 12 months, system interface accounts, test and training accounts, locked accounts, and accounts with validity end dates in the past. This inventory is the foundation of your technical challenge and should be compiled before USMM runs.
9. Pull Your Complete Licence Entitlement Record
Retrieve all SAP licence purchase records: the original licence agreement, all subsequent amendments, ELA schedules, additional licence purchases, and any decommission or reduction agreements. Your independent advisors need a complete picture of what you are legitimately entitled to in order to identify where SAP's claim exceeds your actual obligations. Missing a past licence purchase can make an apparent shortfall disappear entirely.
10. Prepare Your Formal Response
Working with your independent advisors, prepare a formal written response to SAP's audit notification. This response should: acknowledge the audit right in principle, raise your specific scope objections with supporting contractual references, propose a revised scope and timeline that reflects your reasonable position, and establish the governance framework (single point of contact, all communications in writing) for the process going forward.
The Acknowledgement Email Template
Your initial acknowledgement email should be brief, professional, and completely non-committal. Here is a template:
Dear [SAP GLAC Contact Name],
Thank you for your letter dated [date] notifying us of SAP's intent to conduct a licence compliance review under Article [X] of our licence agreement.
We acknowledge receipt of this notification and are reviewing the request in the context of our contractual obligations. We will respond formally within 10–14 business days to address the proposed scope and process.
Until our formal response is submitted, please direct all audit-related communications to [your single point of contact name and email].
We look forward to engaging constructively on this matter.
Regards,
[Your Name and Title]
⚠ What Not to Say
Never use language in the acknowledgement that implies acceptance of SAP's proposed scope, timeline, or process. Phrases like "we look forward to the measurement exercise next month" or "we'll arrange system access as requested" can be cited by SAP as acceptance of their proposed terms. The acknowledgement should be cordial but legally neutral.
What Happens After the First 48 Hours
The 10 steps above establish the foundation for an effective audit defence. After the first 48 hours, the process moves into scope negotiation — which is the most critical phase of the entire audit and must be completed before any USMM measurement runs. For the detailed scope negotiation framework, see the SAP audit timeline and the challenge methodology guide.
The complete defence framework — from first letter through final settlement — is covered in our SAP audit defence guide. If you have received an audit letter and need immediate advice, our team is available for rapid response consultations.
Timing Reality Check
Enterprises that follow the 10-step first-response framework and engage independent advisors within 24 hours of the audit letter arriving consistently achieve better outcomes than those that begin structured preparation after the first kick-off call with SAP has already taken place. The difference in outcome quality between "before first call" and "after first call" advisor engagement is typically 15–25% of the final settlement value.