An SAP audit isn't something that happens to you—it's something you prepare for, months in advance. Enterprises that proactively run through this 50-step preparation checklist before SAP's auditors even arrive routinely reduce their audit exposure by 40-70%, uncover unintended licensing gaps, and gain the negotiating leverage that makes the difference between a $2M settlement and a $50K true-up.
But most organizations don't. They wait for the audit letter, panic, and then make reactive decisions that cost millions. SAP knows this. They count on it. Your job is to break that pattern by running this entire process—governance, system analysis, user classification, scope control, and settlement negotiation—on your own terms, before SAP has any visibility into your environment.
This is the definitive roadmap.
Key Takeaways
- Appoint an audit response lead and assemble a cross-functional team before any SAP contact
- Run USMM simulation and landscape analysis independently—never let SAP be your first measurement
- Reclassify users aggressively and document every decision; SAP often over-classifies to inflate exposure
- Control audit scope with a written scope letter; data you don't volunteer can't be used against you
- Model your own financial exposure and BATNA before SAP presents their preliminary findings
- Engage SAP licensing counsel early—the cost of preparation is a fraction of the cost of a bad settlement
Category 1: Governance & Team Setup (Steps 1–8)
The foundation of audit resilience is an empowered, privileged-protected team. These eight steps establish governance and position your organization to respond quickly and confidently to any SAP communication.
1. Appoint an internal Audit Response Lead with C-suite authority. This person controls all SAP communications, escalations, and decisions. No emails to SAP from Finance or IT without approval. No self-declarations without legal review. This person should report directly to General Counsel or the CFO.
2. Engage independent SAP licensing counsel immediately, before any SAP contact. You need legal privilege on all analysis, advice, and communications. Once SAP sends an audit letter, you're in a legal proceeding. Counsel should be in place before that moment arrives.
3. Establish a cross-functional audit response team. Legal, IT, Finance, and Procurement must all be at the table. IT owns the system landscape and user data. Finance owns budget and settlement authority. Procurement owns contract relationships. Legal owns privilege and strategy.
4. Set up secure, privilege-protected communication channels. All audit discussions should flow through counsel. Create a shared, encrypted workspace accessible only to the response team. Email to SAP should never happen outside this channel. Documentation is evidence.
5. Brief senior stakeholders on audit confidentiality protocols. Everyone in the organization needs to understand that an SAP inquiry is a legal matter. Employees should not respond directly to SAP communications. All inquiries go to Legal. This prevents accidental admissions.
6. Review your SAP contract and identify all audit-relevant clauses. Find the audit scope definition. Identify any limits on frequency, notice period, or data access. Document any amendments that favor your position. These clauses are your negotiating foundation.
7. Locate and review the most recent SAP licence schedule. This document defines what you paid for. If your schedule is ambiguous (and they often are), document your interpretation in writing before the audit starts. SAP will argue their interpretation; you need yours on record first.
8. Identify all SAP systems in scope (ERP, BI, BTP, indirect interfaces). Create an inventory: system name, version, purpose, number of users, licensing model. This is your baseline. If SAP asks for systems you haven't documented, you challenge the scope.
Category 2: Contract & Documentation Review (Steps 9–16)
Your contracts are the governing law for this audit. Everything SAP claims must be defensible by your agreement. These steps ensure you control the interpretation.
9. Pull every Order Form, Supplement, and Pricing Schedule. Start a master contract repository. Include all amendments, waivers, and email confirmations of terms. These documents define your entitlement. If you can't produce them, SAP wins the argument by default.
10. Document your contracted licence metric definitions precisely. How is a Professional User defined in your contract? Is it "unique named user" or "concurrent"? Does Employee User include contractors? Does the contract reference an SAP definition or your own? Write this down with evidence.
11. Identify any special licensing terms you negotiated: SEAL agreements, Enterprise Agreements with volume discounts, custom metrics. Any special terms reduce your exposure because they're contractually protected.
12. Review the most recent maintenance renewal for scope changes. Every renewal is an opportunity for SAP to add products or change licensing terms. Was a new product bundled in? Did your user metric change? This is where many hidden exposures originate.
13. Check for any system landscape changes since the last measurement. If you decommissioned SAP instances, added new ones, or migrated to cloud, document the dates. These changes affect your audit scope. If you disabled systems before the audit letter, that's defensible. If you disable them after, it looks like evidence destruction.
14. Gather all correspondence with SAP from the last 3 years. Account team emails, maintenance renewal negotiations, licensing questions, all of it. These emails often contain admissions, clarifications, or promises from SAP that help your position.
15. Locate previous audit results and agreed settlements. If SAP audited you before, get the settlement agreement. What exposure did they claim? What did you settle for? This is your historical leverage. SAP won't want to re-litigate old battles.
16. Document all historical true-up payments and what they covered. Every time you settled an audit finding, that payment established a precedent. If you paid $500K for 200 Professional User licences in 2021, SAP will struggle to argue a radically higher per-licence value for the same user type in 2026.
Category 3: System Landscape & Technical Preparation (Steps 17–26)
This is where most enterprises fail. They let SAP run their measurement tools (USMM, LAW) without independent analysis first. You must own the data before SAP sees it.
17. Run USMM (the User and System Measurement transaction) locally, without sending results to SAP. USMM is built into every ABAP system; nothing is transmitted until you consolidate the results and submit them. Run it on each system and review what it reports about your users, licence types, and engines. Do this months before any SAP contact. This is your independent baseline.
18. Review all active and inactive user accounts across all systems. Start a user inventory. Who has accounts? When were they created? When were they last used? Inactive accounts should be disabled. Every disabled account reduces your exposure. Document the disablement dates.
19. Identify users with multiple roles that span licence categories. A named user is measured at the highest category any of their roles requires, so a user with both Finance and HR capabilities is typically measured as a Professional User even if they only use one. If you can reduce roles to match actual job function, you reduce exposure. This is negotiable territory.
20. Review all interface users and service accounts. These often slip under the radar and get classified as Professional Users when they should be Technical Users or included in a flat service account fee. Audit the interfaces independently.
21. Analyse indirect access connections, meaning all third-party systems touching SAP. Every system that reads from or writes to SAP creates licensing exposure if it falls under the indirect access terms of your contract. Map every interface, every data feed, every integration. This is where auditors hunt for hidden exposure.
22. Review digital access document volumes. If you're on a digital access licensing model, document how many chargeable documents (sales orders, invoices and the other document types your contract lists) were created in SAP by external systems in the last 12 months. This is your baseline for comparison against SAP's claims.
23. Check BTP usage against entitlement. How many BTP applications are you running? Are they all licensed? Do they trigger Professional User licensing? BTP adoption often outpaces licensing planning. Audit this independently before SAP does.
24. Review SuccessFactors, Ariba, Concur, Fieldglass (cloud licences). These SAP cloud applications have separate licensing. Are you fully licensed? Are users double-licensed (once in ERP, once in cloud)? This is another hidden exposure zone.
25. Document all SAP systems including development, QA, and sandbox. You probably don't need to license dev/QA/sandbox systems at full production levels, but SAP will argue you do. Find your contract language that justifies non-production discounts or exemptions.
26. Run LAW (Licence Administration Workbench) analysis across the landscape. LAW consolidates the USMM results from each system and attempts to match the same person across systems so that they count once, at the highest licence type. Run it independently. Cross-reference the consolidated totals against the per-system USMM results: if user IDs or email addresses don't match between systems, the same person is counted twice. You need to understand these discrepancies before SAP uses them against you.
Category 4: User Classification Review (Steps 27–35)
User classification is where 60% of audit disputes happen. SAP classifies aggressively. You must challenge every classification before the audit starts, not during it.
27. Conduct independent user reclassification before any SAP measurement. Don't accept SAP's default classifications. Go user-by-user. Based on actual job function, what licence type should they have? Document every decision. This becomes your audit position.
28. Challenge every Professional User licence: can it be downgraded? Professional User is the most expensive licence type. Every user you downgrade to Limited Professional, Employee User, or Service User saves money. Be aggressive here. SAP can challenge you, but your documentation is defensible.
29. Review Employee User assignments. Are they receiving full professional capabilities? If an Employee User has access to advanced modules they don't use, remove that access. Employee User is intended for self-service style functions (for example time, expenses and personal data); operational access to full modules requires a Professional User licence.
30. Document all users with infrequent access (less than once per month). Seasonal users, ad-hoc access, emergency accounts: these might not require licences or could be covered under lower-cost licensing models. Log every login. This is your evidence of actual usage.
31. Identify and document all batch/technical users. These should be classified as Technical Users or included in a systems management licence, not Professional User. SAP often tries to classify them as Professional to inflate exposure. Have your documentation ready to counter this.
32. Review and lock down authorisation profiles to match actual job function. Authorizations should be minimalist. If someone has access they don't need, remove it. This does three things: improves security, reduces licensing exposure, and shows SAP you're disciplined about licence control.
33. Remove or disable all users who have left the organisation. Every employee who departed but still has an active account inflates your user count. Disable them now, not during the audit. Document the departure dates. This is low-hanging fruit.
34. Validate that Fiori usage is not creating unexpected licence upgrades. Fiori itself is only an interface, but the apps assigned through Fiori catalogs and groups expose functionality, and that functionality determines the licence type. Review which apps each user can actually launch, and restrict them to the users who need them. This reduces Fiori-related exposure.
35. Document any contractual user classification definitions you can rely on. Your contract might define "Professional User" differently than SAP's current position. If your definition is favorable, document it with evidence. This is contractual leverage.
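Steps 18, 30, 31 and 33 above (inactive accounts, never-used accounts, technical users licensed as Professional, leavers) and step 26 (consolidating the same person across systems, as LAW does) can all be run as one review over a user export. The following Python script is an added example and is not code from the original page or any SAP tool. It works on a constructed CSV export with assumed column names; the user_type codes follow the USR02 USTYP convention (A dialog, B system, C communication, S service), and the 90-day inactivity threshold, the licence type names, and the use of email address as the cross-system matching key are all assumptions you would replace with your own contract definitions and identity data.

```python
"""Review an SAP user export for licence-relevant cleanup and consolidate users across systems."""
import csv
import io
from collections import Counter
from dataclasses import dataclass, replace
from datetime import date, datetime
from typing import Optional

# Constructed sample export (not real data). One row per user per system.
# Assumed columns: system, user, user_type (USR02 USTYP style: A dialog, B system,
# C communication, S service), last_logon (YYYYMMDD or empty), locked (0/1),
# license_type as currently assigned, email used to match one person across systems.
SAMPLE_EXPORT = """system,user,user_type,last_logon,locked,license_type,email
PRD,JSMITH,A,20250912,0,Professional,j.smith@example.com
BW1,J.SMITH,A,20250801,0,Professional,j.smith@example.com
PRD,MLEE,A,20250110,0,Professional,m.lee@example.com
PRD,RFC_MES,B,20250930,0,Professional,
PRD,BATCH_FI,S,20250930,0,Professional,
PRD,TEMP01,A,,0,Employee,temp01@example.com
PRD,OLDUSER,A,20230301,0,Professional,old@example.com
PRD,LOCKED1,A,20250901,1,Professional,locked@example.com
"""

MEASUREMENT_DATE = date(2025, 10, 1)   # assumed measurement date for the review
INACTIVE_DAYS = 90                     # assumed inactivity threshold
TECHNICAL_TYPES = {"B", "C", "S"}      # non-dialog user types that should never be Professional
# Assumed ranking used when one person holds different licence types on different systems.
LICENSE_RANK = {"Professional": 3, "Limited Professional": 2, "Employee": 1, "Technical": 0}


@dataclass(frozen=True)
class UserRecord:
    system: str
    user: str
    user_type: str
    last_logon: Optional[date]
    locked: bool
    license_type: str
    email: str


def parse_export(text: str) -> list[UserRecord]:
    """Parse the CSV export into records, converting dates and flags."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        raw = row["last_logon"].strip()
        last = datetime.strptime(raw, "%Y%m%d").date() if raw else None
        records.append(UserRecord(
            system=row["system"], user=row["user"], user_type=row["user_type"],
            last_logon=last, locked=row["locked"].strip() == "1",
            license_type=row["license_type"], email=row["email"].strip().lower()))
    return records


def review_users(records, as_of=MEASUREMENT_DATE, inactive_days=INACTIVE_DAYS):
    """Return (findings, active).

    findings: (system, user, issue, proposed action) for every account that needs a
    documented decision. active: the records that remain countable, with technical
    user types forced to the Technical licence type.
    """
    findings, active = [], []
    for r in records:
        if r.locked:
            findings.append((r.system, r.user, "locked", "exclude from count; keep lock date on file"))
            continue
        if r.user_type in TECHNICAL_TYPES:
            if r.license_type != "Technical":
                findings.append((r.system, r.user,
                                 f"{r.user_type}-type user licensed as {r.license_type}",
                                 "reclassify as Technical"))
            active.append(replace(r, license_type="Technical"))
            continue
        if r.last_logon is None:
            findings.append((r.system, r.user, "never logged on", "disable and document date"))
            continue
        idle = (as_of - r.last_logon).days
        if idle > inactive_days:
            findings.append((r.system, r.user, f"inactive {idle} days", "disable and document date"))
            continue
        active.append(r)
    return findings, active


def consolidate(active) -> Counter:
    """Count each person once across systems at the highest licence type they hold.

    Email is the assumed matching key; a record without one cannot be matched and is
    counted once per system, which is exactly how double counting arises in LAW.
    """
    best = {}
    for r in active:
        key = r.email or f"{r.system}:{r.user}"
        if key not in best or LICENSE_RANK[r.license_type] > LICENSE_RANK[best[key]]:
            best[key] = r.license_type
    return Counter(best.values())


if __name__ == "__main__":
    found, remaining = review_users(parse_export(SAMPLE_EXPORT))
    for system, user, issue, action in found:
        print(f"{system:<4} {user:<10} {issue:<40} -> {action}")
    print("consolidated named users:", dict(consolidate(remaining)))
```

Run against a real export, the findings list is the decision log you keep for step 27 (one documented decision per account, with the date), and the consolidated counter is the number you compare against SAP's LAW totals to spot double-counted people.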
Category 5: Scope Control & Communication Strategy (Steps 36–44)
Once SAP arrives, every word you say becomes evidence. Control the narrative by controlling the scope. Data you don't volunteer can't be used against you.
36. Do not volunteer data beyond the contractual audit scope. If SAP asks for system landscape data, provide it. If they ask for user lists, provide them. But don't offer additional information unprompted. Volunteering data is the #1 way enterprises expand their audit exposure.
37. Prepare a written scope confirmation letter before any SAP access. Define exactly which systems, data, and time periods are in scope. Have your response team and counsel sign off. Send this to SAP. This limits what they can claim is in scope later.
38. Negotiate what USMM data SAP can extract, and document the agreement. USMM will pull user data. Establish rules: What data fields? Which systems? What time period? Get this in writing. This prevents SAP from running USMM on systems or user populations you haven't authorized.
39. Agree on a single point of contact for all SAP communications. All emails, calls, and meetings go through one person (your Audit Response Lead). This prevents inconsistencies, admissions from different team members, and SAP playing divide-and-conquer tactics.
40. Never allow SAP auditors to interview staff without legal present. SAP will try to interview your IT team or procurement staff directly. Stop this immediately. All conversations happen with counsel present. This protects your team and prevents accidental admissions.
41. Do not submit a self-declaration (STAR or the SLAW/LAW consolidation you send to SAP) without independent review. SAP's self-assessment tools are built around SAP's assumptions, not yours. Have counsel and your advisers review every answer before you submit. Better yet, negotiate a modified process.
42. Prepare your own position paper on licence usage before SAP's analysis. Write up your version of the facts: how you understand your licensing, why your user classifications are correct, which systems are in scope and why. When SAP presents their preliminary findings, you counter with your documented position.
43. Identify all contractual ambiguities in your favour. Where is your contract unclear? Where is SAP's interpretation debatable? Document these ambiguities now. During settlement negotiations, these become your leverage points. Contract language is king.
44. Engage the SAP account team separately from the audit team; they have different incentives. Your SAP account manager wants to retain the relationship. The audit team wants to maximize recovery. Play these interests against each other. Use your relationship with the account team to push back on aggressive audit positions.
Category 6: Negotiation & Settlement Preparation (Steps 45–50)
Settlement happens on the numbers. The side with the better financial model wins. Build yours first.
45. Run your own financial exposure model before SAP presents theirs. Calculate what you think you owe based on your interpretation of the contract and your user classifications. Build a sensitivity analysis: best case, likely case, worst case. Know your numbers cold.
46. Identify all offsetting credits, overpayments, and maintenance excess. Did you pay for licences you didn't use? Did you overpay for maintenance? Are there volume discounts you're entitled to? Every credit reduces your settlement. Document them all.
47. Research current SAP list prices for all potentially under-licensed products. SAP will use current list prices. But if you can argue that historical pricing applies, or that your negotiated rates apply, you reduce the settlement. Know what everything costs.
48. Prepare a BATNA (best alternative to a negotiated agreement). If settlement talks stall, what's your alternative? Litigation? Continuing the audit? Walking away? Knowing your BATNA gives you confidence in negotiations. A strong BATNA often accelerates settlement.
49. Understand SAP's internal approval thresholds for settlement authority. SAP has limits on what their auditors can settle. If the exposure is above a certain threshold, it goes to management. Know these limits if you can. It affects your negotiating strategy.
50. Engage your SAP licensing adviser to validate and pressure-test your position. Your internal team is too close to the numbers. Bring in external experts to review your model, challenge your assumptions, and pressure-test your position. This gives you confidence and often identifies blind spots you missed.
When to Start Preparing—Even Without an Audit Letter
You don't need to wait for an audit letter to run this process. Smart enterprises run this checklist annually, whether or not they expect an audit. Here's why:
SAP follows patterns. They audit the largest customers first. They audit customers with high user counts or complex landscapes. They audit when they suspect under-licensing. If any of these apply to you, your audit clock is ticking. The time to prepare is now.
Beyond timing, running this process annually is defensive hygiene. You discover licensing gaps before SAP does. You can correct them quietly (through negotiated true-ups, not penalties). You maintain compliance. And if an audit does arrive, you're ready.
Common Mistakes That Increase Audit Exposure
These are the errors we see repeatedly. Avoid them:
Letting SAP run USMM unsupervised. You give them credentials, they extract data, they report findings. By then, it's too late to challenge what they saw. Always run USMM independently first and control what SAP can access.
Accepting SAP's preliminary findings without challenge. When SAP presents their draft report, your first instinct might be to accept it. Don't. Challenge every number. Demand evidence. Force them to defend their positions. Preliminary findings are a negotiating document, not gospel.
Classifying all SAP users as Professional Users by default. SAP systems have different user types. Not all users need Professional User licenses. Force yourself to justify each Professional User classification. Many will downgrade to Limited Professional or Employee User, saving money.
Paying maintenance on systems you're not using. If you decommissioned an SAP module or system, stop paying maintenance immediately. SAP counts maintenance payments as evidence you're still using the system. This inflates your exposure.
Not documenting your interpretation of the contract. SAP has one interpretation. You have another. If you don't document yours before the audit, SAP's interpretation wins. Always document your contract interpretation in writing, with evidence.
Volunteering information SAP didn't ask for. Transparency is good; volunteering is not. Every piece of data you offer becomes evidence SAP can use against you. Stick to what they ask for. Let them discover unfavorable facts themselves.