How to Respond to an SAP Audit Letter: First 48 Hours Action Plan

The SAP audit letter arrives on a Tuesday morning. Your team panics. Someone replies immediately, someone else starts running USMM. Within 48 hours, you've already made decisions that will cost — or save — millions. This is the exact action plan used by enterprise ITAM, procurement, and legal teams to protect their SAP licence position from the moment the letter lands.

⚠ The biggest mistake you can make right now

Do not run USMM and submit results before conducting your own independent licence position review. The first data point you give SAP becomes the anchor for your compliance gap calculation. Submitting an unreviewed measurement is handing SAP the evidence they need to build a seven-figure claim against you.

First: Understand What SAP's Audit Letter Actually Says

Not all SAP audit letters are equal. Before taking any action, your team needs to determine what type of audit SAP is requesting, what contractual basis they're citing, and what timeframe they're imposing. These three factors define your response window and the scope of your obligations.

SAP typically has the right to conduct one measurement per year under your Enterprise Agreement or Master Agreement. However, the specific scope of that right — what systems they can access, what tools they can use, what notice period they must give — varies by contract. Pull your Master Agreement and the relevant Order Forms before you respond to SAP. Understand what you've actually agreed to.

Look specifically for: the measurement frequency provisions, the notice period required, whether SAP is entitled to conduct a basic (self-declaratory) or enhanced (on-site) audit, and what systems and entities are in scope. Many enterprises discover that SAP's audit request goes beyond their contractual entitlement — a position you can challenge before the audit begins if you identify it early. For the full scope differences, read our analysis of SAP basic vs. enhanced audit types.


The 48-Hour Action Plan: Step by Step

1. Hour 0–2: Contain the Communication

Immediately designate a single point of contact for all SAP communications. This should be your most senior procurement or legal representative — not a technical contact and not someone who will respond informally. Every word exchanged with SAP from this moment is potentially evidence. Ad hoc responses from different team members create inconsistencies that SAP's commercial team will exploit in settlement negotiations. Send an acknowledgement to SAP confirming receipt and stating that your team is reviewing the request — nothing more.

2. Hour 2–6: Assemble Your Internal Task Force

An SAP audit response requires cross-functional coordination. The following stakeholders must be briefed immediately: ITAM / SAM (Software Asset Management) lead, SAP Basis administrator, Procurement / Commercial lead, Legal counsel or General Counsel, CFO or Finance representative (given the potential financial exposure), and your CIO or IT Director. Each has a distinct role — technical analysis, contract review, commercial negotiation, and financial provisioning. Brief them simultaneously, not sequentially, to compress the preparation timeline.

3. Hour 6–12: Pull and Review Your Contract

Retrieve your SAP Master Agreement, all active Order Forms, and the Support Maintenance Schedule. Your legal team needs to confirm three things: (1) SAP's contractual right to conduct this audit — including frequency, notice period, and scope; (2) which legal entities and systems are in scope — M&A activity often creates ambiguity about which entities fall under the original Master Agreement; and (3) any provisions around your right to conduct your own measurement first. Many Master Agreements include a self-measurement option that allows you to run and submit USMM results on your own timeline — which is significantly preferable to SAP conducting the measurement directly.

4. Hour 12–24: Run an Internal Licence Position Review

Before any data goes to SAP, your SAP Basis team must run USMM internally and conduct an active reclassification exercise. The goal is to understand your current raw licence position — and then actively correct inflated user classifications before the formal submission. Specifically: review all active users and cross-reference assigned transaction codes against actual usage data in your system; identify and remove or reclassify users with Professional-level authorisations who only perform Limited Professional tasks; review technical users, service accounts, and background processing accounts — these are frequently over-counted in USMM; and assess indirect access exposure using LAW (License Administration Workbench) to identify third-party integrations creating document-based licence obligations.

5. Hour 24–36: Engage Independent Expertise

If you don't have in-house SAP licensing expertise — and most enterprises don't — this is the moment to engage external support. SAP's audit team has conducted hundreds of these exercises. They know exactly which measurement parameters produce the largest compliance gaps, and they know that most customers submit unreviewed USMM output without challenge. An independent SAP audit defence advisor brings counterbalancing expertise: knowledge of SAP's methodology, experience challenging their measurement tools, and familiarity with the settlement structures that are achievable. Engaging now — before you submit anything — is the highest-return investment in your audit outcome.

6. Hour 36–48: Formulate Your Formal Response

Your formal response to SAP should be drafted by Legal, reviewed by your commercial lead, and sent from a single point of contact. It should confirm engagement with the audit process, state that you are conducting your own internal measurement review in accordance with your contractual rights, and request a formal kick-off meeting with SAP's measurement team — not an ad hoc call — within the next 10–14 business days. Do not offer system access, do not commit to a USMM submission date, and do not disclose any preliminary findings from your internal review at this stage.

What You Must Not Do in the First 48 Hours

The mistakes made in the first 48 hours are often harder to recover from than the underlying licence exposure. These are the actions that consistently produce the worst audit outcomes:

Do not do any of the following:

  • Run USMM and submit the results to SAP before conducting your own reclassification exercise — this is the single most expensive mistake in SAP audit management
  • Grant SAP's measurement team direct access to your production systems before reviewing your contractual obligations — you may be granting access beyond your legal commitment
  • Have informal verbal or email conversations with your SAP account manager about the audit — their commercial agenda is not aligned with your best interest during an audit
  • Assume the audit is routine or that you're compliant — SAP audits are commercially motivated and their initial measurement will almost always show a compliance gap
  • Disclose the results of your internal licence review to SAP before your legal and commercial teams have assessed the implications
  • Accept SAP's initial compliance gap figure as accurate — it is a commercial opening position, not a final liability
  • Agree to any licence purchases or software commitments during the audit response phase — these should only be agreed as part of a formal settlement with all terms documented in your Order Form


What Happens After the First 48 Hours

The 48-hour window establishes your position and your process. What comes next — the formal measurement phase, SAP's ELP output, and the negotiation of any compliance gap — is a structured process that can run over weeks or months. Here's what to expect:

The Measurement Phase (Weeks 2–6)

Your own internal USMM review continues in parallel with SAP's formal process. The goal is to produce a detailed Effective License Position document — a line-by-line analysis of your licence entitlement versus your actual usage, with supporting evidence for every classification decision. This document is what allows you to challenge SAP's measurement output with specificity rather than generality.

During this phase, engage your SAP Basis team to review USMM configuration settings, particularly the handling of background users and system administration accounts. USMM has documented over-counting behaviour in certain configurations — evidence of this is a valid technical challenge to SAP's findings. For a deep technical guide to USMM, see our comprehensive SAP license audit guide.

SAP's ELP Output and the Compliance Gap Claim

SAP will produce their own ELP document — the formal output of their measurement process — showing what they believe you hold versus what they believe you're using. This document will include a compliance gap figure: the additional licence liability they're claiming. In our experience across dozens of enterprise audits, SAP's initial compliance gap figure is typically 3–5× what the customer actually owes after a structured challenge process.

The gap figure is calculated using SAP's measurement methodology, SAP's interpretation of user classifications, and SAP's assumptions about indirect access. All of these are challengeable. Your ELP document, produced independently, is your primary negotiating instrument.

Settlement Negotiation

The settlement is typically structured around one of three outcomes: a cash payment for back-licences and support, a software purchase (SAP's preferred outcome — it creates new revenue and ongoing support obligations), or a licence amendment that adjusts your forward-looking entitlement. Before agreeing to any settlement, ensure it includes a formally documented clean ELP baseline in your Order Form, clear language releasing you from claims for the measurement period, and no forward-looking commitments that weren't explicitly negotiated. Our SAP audit defence advisory service manages the full settlement negotiation on behalf of enterprise customers, achieving 40–60% reductions on initial exposure figures. See our SAP licensing case studies for specific examples.

Key Takeaways: SAP Audit Letter — First 48 Hours

  • Designate a single communication point of contact immediately — no informal responses to SAP
  • Pull your Master Agreement and Order Forms before responding — understand your contractual obligations first
  • Do not run and submit USMM before completing your own reclassification exercise
  • Do not grant system access beyond your contractual obligations
  • Assemble your cross-functional task force: ITAM, Legal, Procurement, Basis, Finance
  • Engage independent SAP audit defence expertise before formal communications begin
  • Your formal response should acknowledge, request a structured kick-off, and commit nothing

SAP Licensing Experts Team

Former SAP auditors and contract managers with 25+ years of combined experience — now working exclusively for enterprise buyers. We've been on SAP's side of the table.
