Audit Defence
March 2026 ~13 min read

SAP Audit Timeline: From Notification to Resolution — Complete Guide

Understanding the SAP audit timeline process stages is critical to protecting your enterprise. This complete guide walks through all eight phases from initial notification to post-audit remediation, with expert strategies to control the scope and defend your position at every milestone.

Key Takeaways

  • SAP audits span 6–12 months from notification letter to resolution, with critical decision points at each stage
  • The first 48 hours after notification are crucial—how you scope and respond sets the tone for the entire audit
  • Most enterprises miss leverage opportunities during the "preliminary findings" phase (weeks 14–18) when SAP's methodology is still negotiable
  • Understand the GAS (Global Audit Services) team structure and authority limits to know who actually holds negotiating power
  • Post-audit compliance programmes are often overlooked but essential to prevent repeat audits and protect future positions
  • Timeline extensions and delays often indicate SAP is building toward an aggressive settlement—recognise the red flags

The Complete SAP Audit Timeline: 8 Stages

From the moment an SAP audit notification letter lands in your inbox to the final resolution and remediation, the process unfolds across eight distinct stages. Each stage has its own timeline, decision points, and risks. Understanding where you stand in the audit journey—and what to expect next—is your first line of defence.

  1. Audit Notification (Days 1–5): Letter arrives from SAP GAS. Establish response protocol and legal review.
  2. Scoping & Agreement (Days 5–21): Define audit scope, system access, and data extraction parameters. Negotiate boundaries.
  3. Data Extraction (Weeks 3–8): USMM and LAW runs, indirect usage data collection. Control the narrative.
  4. SAP's Internal Analysis (Weeks 8–14): SAP GAS reviews data and calculates licensing position internally. Limited visibility.
  5. Preliminary Findings (Weeks 14–18): Initial results meeting. SAP presents methodology and findings. Prime negotiation window.
  6. Commercial Negotiation (Weeks 18–24): Settlement discussions, authority levels determined, leverage points emerge.
  7. Resolution & Settlement (Weeks 24–36): Final agreement signed. Options: true-up, RISE bundle, contract extension.
  8. Post-Audit Compliance (Ongoing): Implement remediation, establish ongoing compliance programme, prevent repeat audits.

Stage 1: Audit Notification (Days 1–5)

The Letter Arrives—What It Contains and Who Sent It

An SAP audit starts with a formal notification letter, typically arriving via email from an address within SAP's Global Audit Services (GAS) team. This is not a sales negotiation or a routine compliance check—it is a formal legal notice that SAP intends to conduct a detailed audit of your licensing position.

What the Notification Letter Contains

The audit letter will typically include:

  • Legal authority: Citation of the audit rights clause in your contract (usually buried in service description or general terms)
  • Scope definition: Initial description of systems to be audited (often deliberately broad)
  • Timeline request: Deadline for response and proposed audit start date (usually 10–14 days)
  • Access requirements: Request for system access, user data, and licensing information
  • Contact assignment: Name and email of your assigned SAP audit contact and their manager
  • Escalation path: How to escalate or contest the audit scope

Who Sent It: The GAS Team Structure

SAP's Global Audit Services operates a hierarchical structure:

  • GAS Auditor (entry point): The person who drafts the letter and manages day-to-day communication. Typically has limited authority to modify scope but can flag concerns upward.
  • GAS Manager (escalation level 1): Oversees multiple auditors. Can approve scope adjustments and timeline extensions within certain limits. Often more flexible than the auditor.
  • Regional GAS Director (escalation level 2): Covers a geographic region. Authority to approve major scope limitations or withdraw audits. Rarely engaged unless there's legal or reputational risk.
  • SAP Global Sales/Account Executive: Technically separate from GAS but often brought in if settlement negotiations reach a financial threshold. They have authority to approve commercial packages (RISE bundles, contract extensions).

Understanding this structure is critical: if you're negotiating only with the auditor, you're not talking to anyone with real authority. Escalation is your first move.

Your Immediate Actions (Days 1–3)

  1. Do not respond to the auditor directly. Alert your legal team, CFO, and IT leadership immediately.
  2. Preserve all relevant documents: licences, purchase agreements, service descriptions, amendment letters, system documentation.
  3. Engage external SAP audit defence counsel if you lack internal expertise.
  4. Map your systems: identify every SAP system in scope, their versions, modules, and user counts.
  5. Begin a preliminary licensing position assessment. Do you suspect non-compliance? This shapes your strategy.

By day 5, you should be ready to respond with either acceptance of the audit with scope limitations or a formal request for scope negotiation.

Stage 2: Scoping & Agreement (Days 5–21)

What Systems SAP Wants Access To—And What You Can Push Back On

The audit letter will propose a scope, but this is a starting negotiation point, not a final boundary. Your ability to limit scope directly reduces audit risk.

Common Scope Requests and Negotiation Strategy

What SAP typically requests:

  • All ERP systems (S/4HANA, R/3, ECC) across all regions
  • All ancillary systems (CRM, BI, SCM, HR, Analytics Cloud)
  • Custom-built or legacy systems that integrate with SAP
  • All user data from the past 3 years
  • Access to system tables, application logs, and usage reports
  • Indirect access data (reporting tools, third-party integrations)

What you should push back on:

  • Geographic scope: If you have non-critical regional systems, request they be excluded or sampled rather than fully audited.
  • Ancillary systems: Challenge inclusion of CRM, BI, or HR systems unless they truly integrate with your ERP core.
  • Historical window: Propose limiting data extraction to the past 12–18 months rather than 3 years. SAP often accepts 24 months as a compromise.
  • Access method: Request SAP run USMM/LAW reports rather than direct database access. This limits their ability to discover unrelated issues.
  • Custom systems: Push hard to exclude or limit scope of custom-built or non-SAP systems unless they materially affect licence count.

The Scope Limitation Strategy

Every system excluded from scope is a system SAP cannot use to build a shortfall claim. Frame your scope pushback in terms of:

  • Business justification: "This is a non-production test environment. Including it will skew results."
  • Operational burden: "Extracting 3 years of user data will require system downtime. We can provide 18 months."
  • Relevance: "This third-party analytics tool is not integrated with our core ERP and won't affect our licensing position."
  • Contractual limits: "Our service description specifies three specific production modules. The audit scope should match."

If SAP pushes back, escalate the scope disagreement to the GAS Manager. Document your position in writing and reference your contract terms.

The Scoping Addendum

Once scope is agreed, insist on a written addendum that specifies:

  • Exact list of systems in scope with version numbers and module list
  • Data extraction date range (e.g., "1 January 2024 to 31 December 2025")
  • Specific access methods (e.g., "USMM and LAW reports only; no direct database access")
  • Timeline for audit completion
  • Systems explicitly excluded from audit scope

A written agreement prevents scope creep. Once signed, SAP cannot unilaterally expand scope.

Stage 3: Data Extraction (Weeks 3–8)

USMM Runs, LAW Reports, and the Indirect Access Puzzle

This is the "black box" phase where SAP collects your data and begins analysis. You have less visibility here, but your role is to ensure data accuracy and control the narrative around what data means.

What Data SAP Collects

USMM (User Master and Material Master):

The most critical report SAP runs. It extracts:

  • All active and inactive users
  • User type assignments (Full, Limited, Read-Only)
  • Module authorizations
  • Transaction and report access
  • Creation and last-login dates

USMM is used to calculate user-based licence count. If SAP finds more users than your contract specifies, this becomes the basis for a shortfall claim.

LAW (License Analysis Workbench):

A supplementary report that drills deeper into:

  • Module usage patterns
  • Advanced feature usage
  • Named user counts by application
  • Concurrent vs. named user profiles

Indirect Access Data:

This is where audits often go wrong. SAP will investigate:

  • Reporting tools (BI tools, Tableau, Power BI, Crystal Reports) that pull data from SAP
  • Integration platforms and APIs that access SAP data
  • Third-party applications that read SAP databases
  • Web portals and portlets that expose SAP data to users

If SAP finds indirect access, they may argue that users accessing SAP data through these tools need SAP Named User licences. This is where disputes often emerge.

What You Should Do During Data Extraction

  1. Verify data accuracy: SAP will provide you with a preliminary USMM extract. Review it line by line. Flag inactive users, test accounts, and system service accounts that should not count.
  2. Document assumptions: Provide SAP written explanations for high-risk findings before they draw conclusions. For example: "These 50 users are test accounts created for system validation and have never been used productively."
  3. Control the indirect access narrative: For each reporting tool or integration, provide SAP documentation showing:
    • The purpose of the tool
    • Who actually uses it
    • Whether users need SAP credentials to access it
    • Your contractual interpretation of what constitutes "use" under your licence terms
  4. Challenge methodology: If SAP's data extraction method seems overly broad, question it in writing. Request clarification on how they're counting users, measuring modules, etc.
  5. Preserve your own analysis: Run your own USMM and licensing audit in parallel. You'll need this data for the preliminary findings discussion.

The Indirect Access Minefield

Indirect access is SAP's favourite lever for inflating shortfall claims. SAP's own definition is deliberately broad: any access to SAP data via any application that is not a direct SAP client connection may require licensing.

Protect yourself by:

  • Distinguishing between "read-only" and "transactional" access. Read-only access is often not licensable.
  • Quantifying actual usage. If your BI tool has 2,000 registered users but only 50 active monthly users, insist SAP count active users.
  • Reviewing licence terms carefully. Some contracts explicitly state that read-only reporting access does not require Named User licensing.
  • Documenting technical architecture. If your integration uses a service account (not a human user), it may not require Named User licensing at all.
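To make the "quantify actual usage" and read-only versus transactional points above concrete, here is an added example (not from the original article) that tallies a reporting tool's access log: registered versus active human users in a 30-day window, read-only versus transactional users, and service accounts that should be argued separately. The log format, the user names and the `human`/`service` account labels are constructed assumptions; real BI tools export different formats, so the parser is the part to adapt.

```python
"""Quantify indirect-access usage from a reporting tool's access log.

Added example, not from the original article. The log layout is a
constructed assumption: one request per line,
"<ISO timestamp> <user_id> <human|service> <READ|WRITE>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log for a BI tool; 'svc_etl' is a non-human account.
SAMPLE_LOG = """\
2026-02-01T09:12:00 alice human READ
2026-02-03T10:00:00 bob human READ
2026-02-10T11:30:00 alice human READ
2026-02-15T14:45:00 carol human WRITE
2026-02-20T08:00:00 svc_etl service READ
2026-02-21T08:00:00 svc_etl service READ
2025-10-05T12:00:00 dave human READ
"""

# Constructed list of accounts registered in the tool (erin never used it).
REGISTERED_USERS = {"alice", "bob", "carol", "dave", "erin", "svc_etl"}

# Reference date for the sample; a real run would use today's date.
AS_OF = datetime(2026, 2, 28)


def parse_log(text):
    """Turn the constructed log into (timestamp, user, account_type, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, acct, action = line.split()
        events.append((datetime.fromisoformat(ts), user, acct, action.upper()))
    return events


def quantify_usage(events, registered, as_of, window_days=30):
    """Split registered users into active/inactive and read-only/transactional.

    Only human accounts count toward 'active'; service accounts are listed
    separately because they are a different licensing argument.
    """
    cutoff = as_of - timedelta(days=window_days)
    actions_by_user = defaultdict(set)  # human user -> actions seen in window
    service_accounts = set()
    for ts, user, acct, action in events:
        if acct == "service":
            service_accounts.add(user)
        elif ts >= cutoff:
            actions_by_user[user].add(action)
    transactional = {u for u, acts in actions_by_user.items() if "WRITE" in acts}
    read_only = set(actions_by_user) - transactional
    return {
        "registered": len(registered),
        "active_human": len(actions_by_user),
        "read_only": sorted(read_only),
        "transactional": sorted(transactional),
        "service_accounts": sorted(service_accounts),
        "inactive_in_window": sorted(registered - set(actions_by_user) - service_accounts),
    }


def run_sample(window_days=30):
    """Convenience wrapper over the constructed sample data."""
    return quantify_usage(parse_log(SAMPLE_LOG), REGISTERED_USERS, AS_OF, window_days)


if __name__ == "__main__":
    summary = run_sample()
    print(f"registered: {summary['registered']}, active in last 30 days: {summary['active_human']}")
    print(f"read-only: {summary['read_only']}, transactional: {summary['transactional']}")
    print(f"service accounts: {summary['service_accounts']}, inactive: {summary['inactive_in_window']}")
```

The output separates the three figures the text says to argue independently: the registered head count SAP is likely to quote, the smaller set of humans actually active in the window, and within that set the users whose access was read-only. Widen `window_days` to see how a 24-month "active" definition inflates the count.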


Stage 4: SAP's Internal Analysis (Weeks 8–14)

What Happens Inside GAS and Why Their Methodology Is Often Flawed

After data extraction, you enter a black-box phase where SAP internally analyzes your licensing position and calculates any alleged shortfall. This is where SAP's bias toward overreach becomes most apparent.

The SAP GAS Analysis Process

SAP's internal team will:

  1. Extract USMM data from your systems and load it into their analysis platform.
  2. Count active users by module and application type. But here's the catch: SAP's definition of "active" is often artificially broad. A user who logged in once in a 24-month window may be counted as active.
  3. Apply module assumptions: SAP assumes that if a user has access to a transaction, they "use" that module for licensing purposes. They rarely distinguish between read-only access and actual transactional use.
  4. Calculate shortfall: Compare their calculated user count against your licensed user count. Any excess is claimed as a shortfall.
  5. Extend findings: If they find a shortfall in modules you contracted for, they often extrapolate violations to ancillary systems or presume indirect access violations.
  6. Assign remediation options: They present settlement options (usually favoring SAP's commercial interests).

Common Flaws in SAP's Analysis

Over-counting users: SAP counts any user who has ever logged in as "active," regardless of whether they currently use the system. A user who left your organization three years ago but never had their account deleted is still in USMM and counted.

Assumption of module usage: If a user has access to transaction MM01 (material master), SAP assumes they "use" Materials Management. In reality, they may have been granted that access for one-time data entry five years ago and never use it again.

Misclassification of user types: SAP often reclassifies Limited Users as Full Users if they have access to multiple modules, even if those accesses are compartmentalized and not used concurrently.

Indirect access overreach: SAP presumes that any user with access to reporting tools that read SAP data requires a Named User licence. This overstates indirect access violations by 40–60% in most audits.

Failure to apply contract limits: Your service description may limit scope to specific modules, regions, or user types. SAP's analysis often ignores these contractual boundaries and presents findings as if you have unlimited scope.

Your Limited Visibility at This Stage

You will not have access to SAP's internal analysis workings. You won't see their exact methodology or assumptions until the preliminary findings meeting. This is why documentation during data extraction (Stage 3) is so critical. Your written explanations and data clarifications are your only voice during this phase.

If you suspect SAP is building toward an aggressive finding, you can request an interim checkpoint meeting with the GAS Manager (not the auditor) to discuss preliminary indicators. Frame it as a "data quality checkpoint" rather than a challenge. This gives you a chance to correct errors before final findings are crystallized.

Stage 5: Preliminary Findings (Weeks 14–18)

The Initial Results Meeting and Your Prime Negotiation Window

The preliminary findings meeting is where SAP presents their analysis. This is simultaneously the scariest and most important moment of the audit. Scary because you're seeing the alleged shortfall for the first time. Important because this is your best opportunity to challenge SAP's methodology while their position is still somewhat flexible.

What to Expect in the Preliminary Findings Meeting

SAP will present:

  • Their user count by module and user type
  • Their assessment of indirect access violations
  • Calculated shortfall (in user count or module overage)
  • Estimated financial exposure (often presented as a scare tactic)
  • Preliminary settlement options

Important: Do not agree to anything in this meeting. Do not acknowledge the findings as accurate. Do not commit to a settlement approach. Your role is to listen, document, and ask clarifying questions.

Questions You Must Ask

  • On user count: "What is your definition of 'active user'? How are you determining which users are actually in scope under our contract?"
  • On modules: "For the users you count as needing Materials Management licensing, can you show me which transactions they actually accessed? Are you distinguishing between read-only and transactional access?"
  • On indirect access: "Which specific reporting tools or integrations are you claiming require Named User licensing? What is your basis for that claim in our contract?"
  • On contract interpretation: "Our service description specifies modules X, Y, and Z. How are you justifying findings related to module W?"
  • On methodology: "How are you addressing the accounts we flagged as test accounts or system service accounts?"

Request a written summary of their findings and methodology. Insist on receiving their detailed analysis (not just an executive summary) so you can perform a line-by-line review.

Why Most Enterprises Don't Challenge Enough at This Stage

Three reasons:

  1. Shock and deference: Many companies are intimidated by SAP's authority and assume the audit team is objective. They're not. The audit team has a commercial incentive to find shortfalls because SAP's sales teams benefit from licensing true-ups.
  2. Lack of expertise: Many internal teams don't have deep enough licensing knowledge to identify flaws in SAP's analysis. They don't know how to challenge the methodology confidently.
  3. Desire to settle quickly: After months of audit disruption, many companies just want it over. They accept the findings and move to settlement negotiation, conceding leverage they could have retained.

Don't fall into this trap. This is the stage where you must challenge aggressively. Hire external expertise if needed. SAP's findings are not gospel—they are a negotiating position.

Post-Meeting Actions

  1. Within 5 business days, request a follow-up meeting with the GAS Manager (not the auditor) to discuss your findings and concerns.
  2. Prepare a detailed written response to SAP's findings, addressing:
    • User count discrepancies (with evidence for each flagged user)
    • Module misclassifications
    • Indirect access disputes
    • Contract scope limitations they ignored
  3. Propose alternative user counts and module scopes based on your analysis.
  4. Begin to condition SAP toward settlement by introducing potential compromise positions (not your final offer).

Stage 6: Commercial Negotiation (Weeks 18–24)

Settlement Discussions and Authority Levels

After preliminary findings are exchanged and positions are clearer, the conversation shifts from "what is the shortfall?" to "how do we resolve it?" This is the commercial negotiation phase, and it's where the real leverage emerges.

Who Has Authority to Negotiate on SAP's Side

This is critical knowledge. SAP's negotiating authority is hierarchical:

  • GAS Auditor: No authority to negotiate. Can only explain findings.
  • GAS Manager: Can approve modest scope adjustments or user count reductions (up to ~10–15% of claimed shortfall). Cannot approve major commercial concessions.
  • Regional GAS Director: Can approve significant reductions and timeline concessions. May have authority to offer a discount on remediation costs. Rarely engaged without escalation.
  • SAP Sales/Account Executive: Only person with real commercial authority. Can approve RISE migration bundles, contract extensions, discounts, and major restructurings. They answer to revenue targets, not audit process.
  • SAP Sales VP or CFO: Ultimate escalation. Engaged only when deal size or reputational risk is substantial.

If you're negotiating only with the GAS Manager, you're not talking to anyone with real power. Your goal is to escalate to the Account Executive.

Leverage Points in Negotiation

You have more leverage than you think. Consider:

  • Contract ambiguity: If your contract is silent on indirect access or has conflicting definitions of "user," SAP's position is weaker than they project.
  • Flawed methodology: If you can demonstrate that SAP over-counted users or misapplied their own definitions, this weakens their position materially.
  • Relationship value: How much does your organization spend with SAP annually on software, support, and professional services? A $10M annual SAP customer is worth far more to SAP than a $500K customer.
  • RISE migration threat: If SAP claims a massive shortfall, you can threaten to migrate to a cloud-based ERP (Oracle, Workday, Infor). SAP would rather accept a smaller settlement than lose you to a competitor.
  • Reputational risk: If your industry or region has experienced public SAP audit disputes, SAP may be cautious about aggressive tactics that could trigger media scrutiny.
  • Contractual limits: If your contract explicitly limits scope or defines user types narrowly, you can reference this in negotiation.

Settlement Options SAP Will Propose

True-Up: You pay for the shortfall at standard or discounted per-user/per-module rates. For example, if SAP claims you owe 100 additional Named User licences at $4,000 per user, the true-up bill is $400,000.

RISE with SAP Bundle: SAP offers to migrate your infrastructure to their cloud platform and "resets" the audit by converting your legacy licensing to cloud entitlements. This often appears cheaper upfront but locks you into SAP's cloud for 5+ years at higher total cost of ownership.

Contract Extension: Rather than paying a one-time true-up, you agree to extend your existing contract by 1–2 years at a negotiated price. SAP gets extended revenue; you defer the cash impact.

Hybrid: A combination of the above (e.g., 50% true-up, 50% contract extension).

How to Negotiate Effectively

  1. Never accept the first offer. SAP's initial settlement proposal is always anchored high, leaving room for "concessions."
  2. Anchor to a lower position. Before SAP makes their first offer, propose your own settlement based on your analysis. This sets the negotiating midpoint lower.
  3. Use data to justify lower positions. Every counter-offer should be backed by your USMM analysis, contract excerpts, or methodology challenges.
  4. Introduce non-monetary leverage. If the financial gap is large, propose concessions SAP values: extended support periods, ancillary module purchases, or RISE migration commitments (if it benefits your organization).
  5. Escalate selectively. If the GAS Manager won't budge, request involvement of the Account Executive. Frame it as needing "commercial" discussion rather than technical dispute.
  6. Create urgency on your timeline. Let SAP know you have budget constraints or acquisition/merger deadlines. Pressure on timing can shift their settlement offer.

Stage 7: Resolution & Settlement (Weeks 24–36)

What a Good Settlement Looks Like

Once both parties agree on terms, the settlement is documented in an amendment to your licence agreement (or a standalone settlement agreement). The quality of this document determines whether the audit truly ends or whether it seeds a future dispute.

Settlement Options Explained

True-Up (Straight Payment):

You pay SAP for the alleged shortfall. Advantages: clears the issue definitively; no future lock-in. Disadvantages: immediate cash impact (often $100K–$2M+); you concede SAP's methodology.

If you choose a true-up, negotiate hard on price. A "standard" per-user rate is not standard—it's inflatable. Ask for equivalent discounts to what you negotiated in your original deal.

RISE with SAP Cloud Migration:

SAP forgives the shortfall (or reduces it significantly) in exchange for you migrating to RISE with SAP (their cloud ERP offering). They reset your licensing model to cloud entitlements, which often appear cheaper initially but lock you in for 5 years.

Advantages: Defers or eliminates the true-up payment; modernizes infrastructure; includes SAP's managed services.

Disadvantages: Long-term contract lock-in; RISE per-user pricing compounds over 5 years; you lose control of your ERP infrastructure; migration costs ($500K–$5M depending on scale).

Contract Extension with Reset:

Rather than paying a lump-sum true-up, you extend your existing contract for 1–3 years at a negotiated price, and SAP resets the licence count to match your actual usage. You spread payments over time; SAP gets extended revenue.

Advantages: Spreads cash impact; maintains your current ERP environment; often includes discounts on support.

Disadvantages: Extends your vendor lock-in; per-year costs may exceed a one-time true-up in total; you're committing to SAP longer.

Red Flags in Settlement Agreements

Before signing any settlement amendment, watch for:

  • "Deemed acceptance" language: Some agreements state that if you don't object to a particular audit finding within 30 days, it becomes binding. Reject this. Every finding should remain subject to dispute if needed.
  • Broad future audit language: Watch for amendments that expand SAP's audit rights beyond your original contract. Push back to restore original terms.
  • Indemnification clauses: Some settlements include language where you indemnify SAP for any past misuse. This is unfair. Limit indemnification to knowingly false statements, not inadvertent compliance gaps.
  • Future indirect access assumptions: If the settlement includes assumptions about how you'll handle future indirect access (e.g., "all reporting tool users require licensing"), make sure these align with your contract, not SAP's interpretation.
  • Vague scope resets: If the settlement resets your licence scope, ensure it's documented with extreme specificity. "Adjusted to actual usage as determined by audit" is not specific enough. List exact modules, user types, and counts.

Negotiating the Fine Print

  1. Require that the settlement amendment explicitly resets all disputed findings and closes the audit with no further retroactive claims.
  2. Include language limiting future audit scope to changes made after the settlement date.
  3. Restrict SAP's ability to re-audit the same systems for 3–5 years (statute of limitations language).
  4. Require that any future audits follow the same scoping and methodology you negotiated in this settlement.
  5. If settling on a RISE migration, include specific service levels, migration timeline, and cost containment commitments in the agreement.

Stage 8: Post-Audit Compliance (Ongoing)

Implementing Remediation and Building a Compliance Programme

The audit ends when the settlement is signed, but your work is not finished. In fact, this is when many companies make their biggest mistake: they implement the immediate remediation but fail to build a long-term compliance programme. This leaves them vulnerable to a repeat audit in 2–3 years.

Post-Audit Remediation Tasks

  • User account cleanup: Delete inactive user accounts identified in the audit. Set up policies to deactivate accounts 60–90 days after departure.
  • User type re-classification: Reclassify any users incorrectly assigned as Full Users when they should be Limited Users. Implement role-based access control to enforce proper user types.
  • Module access audit: Remove module authorizations from users who don't actively use them. Document the business reason for each authorization retained.
  • Indirect access documentation: For each reporting tool or integration that accesses SAP, document:
    • The list of actual users with access
    • The frequency of use
    • Whether those users require SAP licensing under your contract
  • System decommissioning: If you shut down systems identified in the audit, document the decommissioning date and confirm SAP releases those licences.

Building an Ongoing Compliance Programme

To avoid another audit, implement quarterly compliance reviews:

  • Quarterly USMM extracts: Run USMM reports quarterly to identify user growth, module drift, or account proliferation before it becomes an audit issue.
  • Annual indirect access assessment: Every 12 months, audit your reporting tools and integrations to confirm user counts haven't inflated and access controls are intact.
  • User access attestation: Have system owners and business unit leads certify quarterly that user access is still appropriate and actively used. This creates a compliance trail.
  • Configuration management: Document all module activations, user type assignments, and access policies in your IT governance system. When SAP audits again, you can show methodical compliance.
  • Licence reconciliation: Maintain a licensed vs. actual user count spreadsheet. Update it quarterly. When SAP comes back, you can demonstrate you're monitoring compliance.

The goal: make it visually obvious to SAP that you're running a compliant environment. This deters future aggressive audits.
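The line-by-line review of the USMM extract in Stage 3, the "over-counting users" flaw in Stage 4, and the quarterly licence reconciliation described above all come down to the same computation: decide which accounts in a user export should count, under a defensible definition of "active", and compare the result with what you are licensed for. The following added example (not from the original article, and not SAP's USMM or LAW code) does that over a constructed CSV export. The column names loosely follow the SAP user tables (USR02 user type, lock flag and last logon; USR06 licence type), but the export layout, the licence type labels (taken from the article's Full/Limited/Read-Only wording), the `TEST_` naming rule and all sample accounts are assumptions; map the columns to whatever your actual extract contains.

```python
"""Classify a USMM-style user export and reconcile it against licensed counts.

Added example, not from the article. CSV layout is a constructed assumption:
user,user_type,license_type,last_logon,locked,valid_to
user_type follows the USR02 USTYP convention (A=dialog, B=system, S=service);
locked is the lock flag (0 = unlocked); empty last_logon = never logged on.
"""
import csv
import io
import re
from datetime import date, timedelta

# Constructed sample export covering each exclusion case.
SAMPLE_EXPORT = """\
user,user_type,license_type,last_logon,locked,valid_to
ALICE,A,FULL,2026-02-20,0,9999-12-31
BOB,A,LIMITED,2025-12-01,0,9999-12-31
CAROL,A,FULL,2025-03-10,0,9999-12-31
DAVE,A,FULL,2026-01-15,32,9999-12-31
TEST_MM01,A,FULL,2025-11-30,0,9999-12-31
ERIN,A,READ_ONLY,2026-02-01,0,9999-12-31
FRANK,A,FULL,2025-06-30,0,2025-06-30
SVC_ETL,S,FULL,2026-02-27,0,9999-12-31
RFC_BATCH,B,FULL,2026-02-27,0,9999-12-31
GRACE,A,LIMITED,,0,9999-12-31
"""

LICENSED = {"FULL": 3, "LIMITED": 2, "READ_ONLY": 5}  # constructed entitlement
TEST_ACCOUNT_RE = re.compile(r"^(TEST|TST)_", re.IGNORECASE)  # assumed naming rule
AS_OF = date(2026, 2, 28)  # reference date for the sample


def parse_export(text):
    """Read the constructed CSV into dicts with typed dates and lock flag."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["last_logon"] = date.fromisoformat(r["last_logon"]) if r["last_logon"] else None
        r["valid_to"] = date.fromisoformat(r["valid_to"])
        r["locked"] = r["locked"] != "0"
        rows.append(r)
    return rows


def classify(row, as_of, inactivity_days):
    """Return 'active' or the reason this account should not count."""
    if row["user_type"] != "A":
        return "non-dialog (system/service)"
    if row["locked"]:
        return "locked"
    if row["valid_to"] < as_of:
        return "expired"
    if TEST_ACCOUNT_RE.match(row["user"]):
        return "test account"
    if row["last_logon"] is None:
        return "never logged on"
    if row["last_logon"] < as_of - timedelta(days=inactivity_days):
        return "inactive"
    return "active"


def reconcile(rows, licensed, as_of, inactivity_days=90):
    """Count active users per licence type and compare with entitlement.

    delta > 0 means more active users than licences (a shortfall);
    delta < 0 means headroom. Excluded accounts are returned with reasons so
    each one can be documented for SAP in writing.
    """
    counts = {lt: 0 for lt in licensed}
    flagged = {}
    for row in rows:
        verdict = classify(row, as_of, inactivity_days)
        if verdict == "active":
            counts[row["license_type"]] = counts.get(row["license_type"], 0) + 1
        else:
            flagged[row["user"]] = verdict
    delta = {lt: counts.get(lt, 0) - licensed.get(lt, 0) for lt in set(counts) | set(licensed)}
    return {"active": counts, "flagged": flagged, "delta": delta}


def run_sample(inactivity_days=90):
    """Convenience wrapper over the constructed export and entitlement."""
    return reconcile(parse_export(SAMPLE_EXPORT), LICENSED, AS_OF, inactivity_days)


if __name__ == "__main__":
    result = run_sample()
    for lt in sorted(result["delta"]):
        print(f"{lt}: active {result['active'][lt]}, licensed {LICENSED[lt]}, delta {result['delta'][lt]:+d}")
    for user, reason in result["flagged"].items():
        print(f"excluded {user}: {reason}")
```

Running it with the default 90-day inactivity window gives one active user per licence type; re-running with `inactivity_days=730` (a 24-month "active" definition of the kind Stage 4 warns about) pulls CAROL back into the Full count, which is exactly the gap to surface with evidence in the preliminary findings meeting. Kept quarterly, the `flagged` output doubles as the documentation trail for the account cleanup tasks above.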

Preventing Repeat Audits

SAP will not audit you again for 3–5 years if:

  1. Your account is managed by a high-touch Account Executive (not a transactional team). Relationship matters.
  2. You're a model compliance customer—SAP's internal systems flag you as "low risk."
  3. Your spend and growth trajectory are positive. SAP prioritizes auditing stagnant or declining customers (they assume they're gaming the system).
  4. You've implemented visible compliance controls. When SAP's risk algorithms analyze you, they see structured governance.

Consider scheduling a post-audit business review with your Account Executive 6 months after settlement. Walk them through your compliance programme. Position it as partnership—you're committed to responsible licensing. This conversation, more than any audit, determines future audit risk.

How Long Does an SAP Audit Really Take?

The timeline above (6–9 months) is ideal. In reality, most audits extend to 12–18 months. Why?

Factors That Extend Timelines

  • Scope disputes: If you push back hard on scope, expect an extra 4–8 weeks of negotiation.
  • Data extraction complexity: Systems with poor data quality, missing logs, or unusual architectures take longer to analyze. A "clean" extraction might take 4 weeks; a messy one takes 12 weeks.
  • Indirect access disputes: If SAP suspects complex indirect access scenarios, they'll spend extra weeks investigating. Each new tool or integration they discover adds 2–3 weeks.
  • Internal SAP delays: GAS teams have multiple audits running simultaneously. Your audit may be queued behind higher-revenue customers. It's not malicious—it's resource allocation.
  • Settlement negotiation friction: If you and SAP are far apart on findings or settlement options, expect an extra 8–12 weeks of back-and-forth discussion.
  • Your internal approval delays: If your organization is slow to respond to data requests or schedule meetings, the audit slows proportionally. This is why executive sponsorship is critical.

SAP's Commercial Incentive to Extend

Be aware: SAP has a subtle incentive to extend audits. The longer an audit runs, the more leverage SAP has. Your organization gets tired, budgets shift, executives lose patience. At month 10 of an audit, you're often willing to accept a settlement you would have fought in month 3. Delays serve SAP's negotiating position.

Counteract this by:

  • Setting a hard deadline (internally) for the audit to conclude (e.g., "we must resolve by month 8"). Communicate this to SAP as a business constraint, not a threat.
  • Escalating slowly but steadily. If you haven't moved from preliminary findings to settlement within 4 weeks, escalate to the GAS Manager. If no progress in 8 weeks, involve the Account Executive.
  • Documenting delays in writing. If SAP misses a data request deadline or postpones meetings repeatedly, note it. These delays weaken their position if you challenge findings later.

Critical Milestones You Must Not Miss

SAP audits have hard deadlines and response windows. Missing one can result in forfeiting your rights to challenge findings.

Statute of Limitations

SAP can only audit your compliance for a defined period (typically the past 3 years from the audit start date, as specified in your contract). Do not waive this. If SAP requests access to data older than your contractual limit, refuse unless you have strategic reason to provide it.

After the settlement is signed, ensure the amendment explicitly states that SAP's audit rights for this review period are exhausted. This prevents them from revisiting the same timeframe.

Response Deadlines

  • Audit notification: Respond within 10–14 days (as stated in the letter). Silence is sometimes construed as acceptance of proposed scope.
  • Data request: Provide data extracts within the timeframe requested (usually 2–4 weeks). Delays give SAP reason to extend the audit.
  • Preliminary findings response: Provide your written response within 2–4 weeks of the preliminary findings meeting. Beyond 4 weeks, SAP assumes you concede their position.
  • Settlement agreement review: Review and return the draft amendment within 2 weeks. Legal teams often sit on this; don't let that happen.

When Silence Is Deemed Acceptance

Read your audit agreement carefully. Some agreements include language such as:

"If the Customer does not respond to preliminary findings within 30 days, the findings are deemed accepted."

This is unacceptable. If you see this language, request it be removed or modified to state: "If the Customer does not respond within 30 days, the audit timeline will be extended; however, Customer's right to challenge findings is not waived."

Even if you can't change the language, respond within the deadline (even if just to say "we acknowledge receipt; detailed response to follow"). This preserves your challenge rights.

Red Flags at Each Stage

Certain patterns signal that SAP is building toward an aggressive settlement. Watch for these:

Scoping Phase Red Flags

  • Scope creep: SAP includes systems not mentioned in the initial letter. (Red flag: they're fishing for additional shortfall sources.)
  • Refusal to limit scope: SAP rejects all your pushback on geographical or module limitations. (Red flag: they believe they'll find violations and want maximum access.)
  • Demand for unlimited historical data: SAP insists on 4+ years of user data instead of the standard 3-year look-back. (Red flag: they're building a case for systemic non-compliance.)

Data Extraction Red Flags

  • Repeated data requests: SAP requests the same data twice, asking for clarifications, then requests it a third time. (Red flag: they're stress-testing your consistency or hunting for contradictions.)
  • Escalation of auditor communication: The GAS Manager or Director suddenly joins calls, asking "difficult" questions. (Red flag: initial analysis has surfaced significant findings and they're escalating internally.)
  • Focus shift to indirect access: After weeks of quiet, SAP suddenly focuses heavily on your reporting tools, integrations, and third-party access. (Red flag: they may have found user count issues in core systems and are pivoting to indirect access to inflate the shortfall.)

Preliminary Findings Red Flags

  • Methodology not explained: SAP presents findings but is vague about how they calculated user counts or applied licensing rules. (Red flag: when you ask specifics, their logic falls apart.)
  • Extrapolated findings: SAP finds a violation in one system and assumes it across all similar systems without evidence. (Red flag: lazy audit; their position is weak.)
  • Indirect access overreach: SAP claims that any user with access to any reporting tool requires SAP Named User licensing. (Red flag: they're inflating the shortfall beyond defensible positions.)
  • Unexpected large shortfall: The claimed shortfall is dramatically larger than your contract would suggest (e.g., claiming you need 500 additional Named Users when your contract specifies 200 total). (Red flag: either your contract is catastrophically under-licensed, or SAP's analysis is flawed.)

Negotiation Red Flags

  • No movement on first settlement offer: SAP presents a settlement (e.g., $2M true-up) and doesn't adjust it after your counter-offer. (Red flag: they believe they have you over a barrel and are testing your resolve.)
  • Sudden pressure to settle quickly: After months of slow pace, SAP suddenly insists on settlement within 2 weeks. (Red flag: either their fiscal year is ending and they need to close the deal for revenue, or they sense you're about to escalate and want to lock in before you do.)
  • Refusal to escalate to the Account Executive: When you ask for a commercial discussion, SAP insists only GAS can negotiate. (Red flag: the Account Executive has told GAS not to concede, signalling that SAP believes it has leverage.)
  • Threats of legal action: SAP mentions willful infringement, liquidated damages, or other legal consequences if you don't settle. (Red flag: this is a pressure tactic; SAP rarely sues enterprise customers over licensing disputes because litigation is risky and expensive.)

What to Do When You See Red Flags

  1. Document immediately. Create a log of red flags with dates and specifics. You'll need this for escalation or future dispute.
  2. Escalate aggressively. Don't wait for the issue to resolve itself. Move up the chain: GAS Manager → Regional Director → Account Executive → SAP General Counsel (if necessary).
  3. Bring in external expertise. If you lack confidence in your internal team's ability to challenge SAP, hire SAP licensing counsel. An external voice often shifts SAP's negotiating posture.
  4. Prepare alternative scenarios. What's your walk-away position? At what settlement amount would you accept, versus refusing and preparing for a post-settlement dispute?
