Audit Defence (Part 5)

SAP Audit Questionnaire: What SAP Is Really Asking and How to Respond Strategically

The Audit Questionnaire Is Not Neutral

When SAP sends you an audit questionnaire—often delivered via email or through a formal audit notification letter—it appears innocuous. Just a series of factual questions about your SAP environment. It's not. The questionnaire is a reconnaissance tool designed to systematically map your SAP system landscape, identify integration points, discover indirect access exposures, and uncover user classification discrepancies before SAP deploys measurement tools.

SAP's audit questionnaire serves multiple strategic purposes. First, it identifies all SAP systems in your environment—including test systems, development environments, and legacy systems that SAP might not have visibility into through your Effective License Position (ELP). Second, it flags integration points and third-party connections, which creates openings for indirect access claims. Third, it discovers which affiliate entities, subsidiaries, and partner organisations touch SAP, expanding SAP's potential claiming universe beyond your original licensee scope.

The questionnaire is not a neutral discovery document. It's designed to maximise the scope of SAP's audit claim. Every answer you provide becomes evidence in SAP's audit file—and SAP will use it later to support claims you may not expect. This is why responding strategically is critical.

The 8 Most Dangerous Questions in SAP's Audit Questionnaire

1. "List all SAP systems in your landscape"

Risk: Over-disclosure trap. The question asks for "all" systems, but you should only list systems covered under your specific Effective License Position (ELP).

Strategic response: Limit your answer to systems explicitly covered under your ELP agreement. State: "The following SAP systems are covered under our ELP, valid as of [date]. Other systems exist in our environment but are outside the scope of our licensing agreement." This sets boundaries and prevents SAP from claiming that unlicensed systems mentioned in your response create audit obligations.

2. "Describe all third-party integrations with SAP"

Risk: Indirect access trap. Naming integrations (portals, APIs, middleware) can trigger SAP's indirect access claims. SAP will argue that any system that reads SAP data via integration constitutes "digital access" requiring licensing.

Strategic response: Provide limited information. Only describe integrations that are contractually relevant to your ELP. For any others, respond: "We have third-party integrations with SAP, but these are outside the scope of our current licensing agreement. For detailed integration architecture, SAP will need to execute a technical audit under the audit clause of our Master Agreement, with appropriate scope limitations." This forces SAP to justify why each integration creates a licensing obligation, rather than you justifying why it doesn't.

3. "How many users access SAP via third-party portals or apps?"

Risk: Digital access quantification. By providing user counts, you give SAP the numerator for their indirect access claim. They'll argue these users are "digitally accessing" SAP and require licensing.

Strategic response: Don't estimate; don't speculate. State: "We are unable to provide precise user counts for digital access without a comprehensive system measurement using SAP's USMM tool. We recommend SAP define the scope of 'digital access' relevant to our licensing position before we undertake measurement." This puts the burden on SAP to define what actually constitutes a licensing exposure, rather than you volunteering data they'll weaponise.

4. "Provide access to Solution Manager / Landscape Administration for audit purposes"

Risk: Unrestricted SAP access. Granting full Solution Manager access gives SAP visibility into your entire technical environment, including test systems, abandoned projects, and infrastructure they might leverage for additional claims.

Strategic response: Refuse blanket access. Respond: "We will provide SAP with read-only access to SAP systems covered under our ELP, limited to data relevant to our specific licensing position. We require SAP to specify what technical data is required for compliance verification of our ELP." Control the data flow. Don't let SAP's fishing expeditions into your technical estate determine the scope.

5. "List all subsidiaries and affiliates that access SAP"

Risk: Scope expansion. By naming subsidiaries, you're inviting SAP to claim they're licensees or covered under your agreement, expanding audit exposure across your group.

Strategic response: Distinguish between your licensed entity and related parties. State: "SAP licensing is held under [Company Name] ELP. [Subsidiary/Affiliate names] have separate arrangements with SAP, if any. For any affiliate access to SAP systems, SAP should reference those entities' individual license agreements." This prevents SAP from automatically consolidating your entire group under a single audit.

6. "What modules are in use in your SAP environment?"

Risk: Module usage inflation. If you list modules you have licensing rights to but don't actively use, SAP might claim you're under-utilising your licence, and then treat modules you thought were covered but that aren't actually active as an exposure elsewhere.

Strategic response: Distinguish between licensed modules and deployed modules. State: "Our ELP includes licensing for [specific modules]. Our current active deployment includes [specific modules in active use]. Some licensed modules are not currently deployed." This documentation protects you if SAP tries to claim unused module capacity creates exposure elsewhere.

7. "What is your current user count by user type?"

Risk: Self-reporting trap. Without a prior independent USMM measurement, self-reported user counts are guesses. SAP will use them as baseline data to argue you're under-compliant and extract audit findings.

Strategic response: Don't self-report. State: "Our user counts are based on [prior measurement date]. We recommend SAP conduct an independent USMM measurement to verify current user classification under our licensing model. We are prepared to cooperate with a formal measurement process." This shifts the burden to SAP and prevents you from volunteering data that becomes your official position.

8. "Do any non-SAP employees access SAP?"

Risk: Contractor/partner licensing scope. Naming contractors, consultants, or service partners creates exposure. SAP will argue they're "named users" requiring licensing, or that their access constitutes indirect access exposure.

Strategic response: Limit scope to your employee base. State: "Our licensing is structured for named employees in [specific roles]. Contractors and service providers have access under separate engagement terms. For any third-party access requiring licensing, please specify what licensing provision in our ELP applies." This prevents SAP from automatically expanding your licensing obligation to include all temporary access.


How to Respond Strategically to the Audit Questionnaire

Principle 1: Get Legal Counsel Involved Before Responding

Before your finance or IT team drafts a single response, involve your legal counsel. Audit responses are contractual documents. They can be used against you in a dispute if they contradict your ELP or contain admissions of non-compliance. Your legal team should review all responses for accuracy, contractual consistency, and risk mitigation.

Principle 2: Designate a Single Point of Contact

Do not allow SAP auditors to directly interview your IT team, finance staff, or system administrators. Create a single point of contact—ideally your procurement or legal counsel—who coordinates all audit communication. This prevents SAP from gathering conflicting information from different stakeholders and using discrepancies to support claims.

Principle 3: Respond Only to Contractual Requirements

Your SAP Master Agreement contains an audit clause that defines what information you're obligated to provide. Typically, this is limited to data necessary to verify compliance with your Effective License Position. SAP often requests far more data than your contract requires. Don't provide it. For each question, ask: "Is this information required to verify compliance with our ELP?" If not, decline politely.

Principle 4: Respond in Writing; Avoid Verbal Answers

Verbal responses can be misremembered, misquoted, or misrepresented. Always respond in writing. This creates a record. If SAP later claims you said something you didn't, you have documentation to contradict them.

Principle 5: Request SAP to Specify Contractual Basis for Each Question

For every question in SAP's questionnaire, you can ask SAP: "Which audit clause in our Master Agreement requires us to provide this information?" SAP's audit rights are contractual, not unlimited. If a question isn't contractually grounded, decline to answer.

Principle 6: Provide Only Verified, Confirmed Data

Don't estimate, speculate, or round. If you don't have precise data, say so. State: "We do not have reliable data on this metric without a formal measurement. We recommend SAP use its measurement tools to verify this data point." This puts the burden on SAP to prove non-compliance through measurement, not on you to provide admissions through self-reporting.

What You're Legally Required to Provide vs. What SAP "Requests"

This is the critical distinction. Your SAP Master Agreement audit clause typically grants SAP the right to audit your compliance with your Effective License Position. This is a contractual audit right, not a blank check for unlimited information access.

Contractually required information usually includes: proof that you have not exceeded your named user count, evidence that you have not deployed modules outside your licensed scope, and documentation of your current user classifications. That's it. SAP is entitled to verify the specific terms of your ELP—nothing more.

SAP often requests additional information: detailed system architecture, integration diagrams, user access logs, business process documentation, etc. These "requests" are not contractually required. You can decline them. SAP will sometimes assert these are "necessary to conduct a thorough audit," but "thorough" ≠ "contractually required." Protect your environment. Limit SAP's access to what your contract actually requires.

The STAR/SLAW Self-Declaration Alternative: Hidden Risk

SAP sometimes offers STAR (Self-Declaration Tool) or SLAW (License Administration Workbench) as an alternative to a full audit. These seem attractive: less intrusive, faster, self-declared. But they carry risk.

When you use STAR/SLAW for self-declaration, you're creating a formal baseline record. SAP stores this declaration and uses it in future audits. If your environment changes (new users, new modules, new integrations), future audit findings will be compared against your STAR/SLAW baseline. You've essentially locked in your position. If SAP later discovers you under-reported in STAR, they'll claim the discrepancy is evidence of deliberate non-compliance, even if it was an honest mistake.

Self-declarations are useful only if: (1) you're confident your baseline data is 100% accurate, (2) you don't expect significant environment changes in the next 3-5 years, and (3) you've run independent USMM measurement to verify your position before declaring. Otherwise, avoid them.

Practical Response Framework: Building Your Audit Response Policy

Step 1: Centralise Audit Communication

Create an internal audit response team: procurement, legal, finance, and IT. All SAP audit requests flow through your legal team. No side conversations with SAP. This prevents inconsistency and ensures legal review.

Step 2: Run Independent USMM Before Responding

Before you answer any user count or system deployment questions, run an independent USMM measurement. This gives you verified baseline data. When SAP asks "How many users?", you respond with USMM data, not estimates. This shifts control to verified metrics.

Step 3: Map Questionnaire to Your ELP

For each question, determine: Is this information required to verify compliance with our ELP? If yes, answer with verified data. If no, decline politely with language like: "This information is not required to verify compliance with our ELP under our Master Agreement. We're prepared to provide data specifically related to [your ELP terms]."

Step 4: Draft Formal Written Responses

Don't email loose answers. Draft a formal response document. For each question, state: your response, the source of the information (measurement tool, ELP, etc.), and the date. Create a record that's defensible in a dispute.

Step 5: Request Clarification on SAP's Legal Basis

In your formal response, include a statement: "Please confirm the specific audit clause in our Master Agreement that requires provision of each of the above data points." This forces SAP to justify their requests contractually. If they can't, you have grounds to deny future requests.

Step 6: Engage Independent Advisor if Risk Detected

If SAP's questionnaire reveals potential compliance gaps (e.g., they're asking about integrations that might constitute indirect access), engage an independent SAP licensing advisor before responding. They can help assess risk and formulate defensible responses that don't create audit findings.


Key Takeaways

  • SAP's audit questionnaire is not neutral. It's designed to expand audit scope and identify compliance gaps. Respond strategically, not openly.
  • The most dangerous questions involve system inventories, integrations, user counts, and affiliate access. Each is a trap door for expanded audit claims.
  • Never estimate user counts or system access. Require SAP to conduct independent measurement using USMM. Self-reported data becomes your position and SAP's baseline for future claims.
  • Involve legal counsel before responding. Audit responses are contractual documents and can be used against you in disputes.
  • Centralise all audit communication through your legal team. Prevent SAP from gathering conflicting information from different internal stakeholders.
  • Limit responses to information contractually required under your audit clause. Decline requests for information that exceeds your ELP scope.
  • Run independent USMM before responding to user count questions. Verified measurement data is more defensible than estimates.
  • Self-declarations (STAR/SLAW) lock in your position. Only use them after independent verification and legal review.
  • Request that SAP specify the contractual basis for each question. Many audit requests exceed contractual rights.

SAP Licensing Experts Team

25+ years of SAP audit defence experience. Our team includes former SAP audit professionals who understand SAP's playbook from the inside. We've helped 300+ enterprises respond to audit questionnaires and minimise findings. We work exclusively for buyers.
