The Two Types of SAP Audit: An Overview
SAP's Master Agreements typically provide for periodic licence reviews β the right to verify that customers are using only the software they've licensed, at the licence types they've purchased. In practice, SAP has refined this into two distinct audit modes, each with a different mechanism, different resource investment from SAP's side, and β critically β different commercial intent.
The basic audit is self-declaratory. SAP requests that you run USMM (User System Measurement) and submit the output via SAP for Me or directly to SAP's Global License Audit & Compliance (GLAC) team. SAP reviews your submission and generates an Effective License Position (ELP) from that data. You control the measurement β which means, if prepared, you control the outcome.
The enhanced audit brings SAP's team into your environment. They run their own measurements β typically via Solution Manager's licence management module or via direct system access β and they conduct a broader review that can surface issues that a self-declaration would not. You have less control over the data SAP collects, and the scope of their review is significantly wider. For the full SAP audit defence context, read our complete overview.
| Factor | Basic Audit | Enhanced Audit |
|---|---|---|
| Who runs the measurement? | Customer (self-declaratory via USMM) | SAP's GLAC team (direct system access) |
| Primary tool | USMM β User System Measurement | USMM + LAW + Solution Manager + custom scripts |
| SAP's access to your systems? | No direct system access required | Yes β read access to production systems |
| Indirect access reviewed? | Limited β customer-reported only | Yes β LAW analysis of all integrations |
| Typical duration | 2β6 weeks from notification to ELP | 6β16 weeks from notification to ELP |
| Risk profile | LOWER (if properly prepared) | HIGH |
| Average initial compliance gap | Β£0.5MβΒ£3M (enterprise average) | Β£2MβΒ£15M+ (enterprise average) |
| Customer's ability to challenge | High β you controlled the data | Medium β SAP controlled the data collection |
| Commercial intent | Routine compliance / pre-renewal baseline | Targeted claim / strategic commercial pressure |
What Triggers Each Type of Audit
SAP does not select audit types randomly. The type of audit you receive signals SAP's commercial hypothesis about your situation and the level of exposure they believe exists. Understanding that signal is the first step in shaping your response.
Routine & Renewal-Driven
- Annual contractual measurement period
- 12β18 months before Enterprise Agreement renewal
- Following a significant user count increase in SAP's telemetry
- Post-upgrade or system change notification
- Customer-initiated clean-up before a proactive optimisation exercise
Targeted & High-Stakes
- M&A activity β acquisition of a company with its own SAP landscape
- Significant discrepancy in a prior basic audit submission
- S/4HANA migration or RISE with SAP conversation underway
- Known or suspected third-party integration creating indirect access liability
- A prior basic audit settlement that SAP believes under-declared usage
- Strategic commercial pressure ahead of a major contract renegotiation
The trigger matters because it tells you what SAP already knows β or believes. If you receive an enhanced audit notification after an M&A event, SAP's team likely has detailed intelligence about your new consolidated landscape and is targeting specific gaps in the combined licence position. If you receive it shortly after submitting a basic audit, SAP may believe your self-declaration under-counted users or misclassified indirect access. Knowing the trigger allows you to anticipate their argument before they make it.
Unsure which audit type you're facing?
Our SAP audit defence team will review your audit notification, your Master Agreement, and the commercial context of your SAP relationship β and tell you exactly what SAP's team is likely targeting. Book a free consultation within 24 hours of receiving your audit letter.
Book Free Audit Assessment βPreparing for a Basic (Self-Declaratory) Audit
The basic audit is the most common audit type, and it's the one where enterprise customers have the most control over the outcome β but only if they prepare properly. The central risk is submitting an unreviewed USMM output and creating an inflated Effective License Position that SAP then uses as the basis for a compliance gap claim or a renewal anchor.
Step 1: User Reclassification Before USMM
Before running USMM, conduct a full user access and usage review. Cross-reference each active user's assigned transaction codes against their actual transaction usage data from the SAP usage log. Users with Professional-level authorisations who only perform Limited Professional tasks should be reclassified downward. The Professional licence costs 3β5Γ more than a Limited Professional β every user you correctly reclassify reduces your declared liability and your future renewal baseline.
Pay particular attention to: users with Administrator roles who never use administrative transactions; users on leave or secondment who should be locked rather than active; consultants and contractors with temporary access that was never removed; and system integration accounts that may be incorrectly classified as named users. Our SAP licence compliance team conducts these reviews systematically before any audit submission.
Step 2: USMM Configuration Review
USMM's default configuration settings can over-count background users, technical system users, and service accounts. Before running USMM for submission, your SAP Basis team should review the USMM configuration to ensure that: technical RFC users are correctly excluded from the named user count; background processing accounts are classified appropriately; system administration accounts are handled correctly; and the measurement scope covers only the entities in scope under your Order Form β not additional systems or legal entities that SAP hasn't licensed separately.
Step 3: Produce Your Own ELP Before Submitting
Never submit USMM results to SAP without first producing your own Effective License Position document. This means a line-by-line comparison of your licence entitlement (from your Order Form and licence schedule) against your USMM output, with specific notes on any classifications that differ from SAP's default interpretation. This document is your primary challenge instrument if SAP disputes your submission or produces a different ELP from the same data. For the complete USMM methodology, see our SAP license audit guide for 2026.
Preparing for an Enhanced Audit
An enhanced audit is a materially different exercise. SAP's GLAC team is not reviewing your self-declaration β they are conducting their own measurement, using their own tools, with direct access to your systems. The risk is higher, the timeline is longer, and the potential for unexpected findings is significantly greater.
Scope the Access SAP Is Entitled to Request
Your Master Agreement defines what systems and entities SAP is entitled to audit. Enhanced audit requests frequently go further than the contractual entitlement β particularly in complex group structures where SAP wants to extend the scope to subsidiaries, joint ventures, or recently acquired entities that may not be covered by the original Master Agreement. Before granting any access, have Legal review the request against your contract in detail. You may have legitimate grounds to limit the scope or challenge specific elements of the access request.
Prepare Your Indirect Access and LAW Analysis
Enhanced audits routinely surface indirect access liability through SAP's LAW (License Administration Workbench) analysis. LAW maps your entire system landscape β every integration, every interface, every third-party application that touches SAP β and identifies which connections generate document-type digital access obligations (Orders, Deliveries, Invoices, Materials). Most enterprises have significant undisclosed indirect access exposure because LAW surfaces integration patterns that USMM doesn't capture.
Before an enhanced audit, commission your own independent LAW analysis. Our SAP indirect access advisory team conducts this routinely for enterprise clients β identifying and quantifying exposure before SAP surfaces it, so you can negotiate from a prepared position rather than reacting to SAP's finding with no counter-evidence.
Brief Your Technical Team on What Not to Volunteer
During an enhanced audit, SAP's team will interact directly with your SAP Basis and technical administrators. Well-intentioned technical staff frequently volunteer information β system architecture details, integration documentation, planned upgrades β that extends SAP's audit scope beyond its contractual basis. Before SAP's team arrives, brief your technical team on the exact scope of the audit, who the single point of contact is, and what types of information should be referred to your project lead before being disclosed.
Facing an enhanced audit? This is not a process to manage alone.
Enhanced audits are structured commercial exercises with experienced SAP auditors on the other side. Our SAP audit defence service places our team alongside yours throughout the entire enhanced audit process β from access scoping to measurement challenge to settlement negotiation. Book a consultation now β we can be mobilised within 24 hours.
Start Your Audit Defence βCan a Basic Audit Escalate to an Enhanced Audit?
Yes β and this is one of the most important dynamics to understand. A basic audit is often SAP's first move, not its last. If SAP's review of your USMM submission identifies discrepancies, anomalies, or a pattern of under-declaration relative to what their commercial team believes your actual usage to be, they can escalate to an enhanced audit under their standard audit rights.
This escalation dynamic is precisely why submitting an accurate, properly prepared USMM output β rather than an inflated default output β is so critical. A submission that SAP believes has been deliberately minimised triggers exactly the escalation you want to avoid. A submission that is rigorously documented, defensible, and consistent with your actual usage gives SAP limited grounds to challenge and reduces the probability of escalation.
It's also why our advice is consistent: before you submit any measurement to SAP, have it reviewed by independent experts who understand SAP's methodology and know what SAP's team will look for. Read our guide on how to respond to an SAP audit letter in the first 48 hours for the immediate action steps that determine your trajectory.
How Settlement Differs Between Basic and Enhanced Audits
The settlement dynamics are materially different depending on which audit type you're in. For basic audits, your ELP is based on your own USMM submission, which gives you a stronger technical foundation for challenging SAP's interpretation. The gap between SAP's ELP and your ELP reflects a difference in interpretation, not a difference in measurement β and interpretive disputes are negotiable.
For enhanced audits, SAP has produced the measurement data themselves. This shifts the technical burden β you need to challenge their methodology, their tool configuration, and their interpretation of specific findings rather than simply presenting an alternative calculation. It's harder, but it's still achievable. SAP's measurement tools have documented limitations and known over-counting behaviours. Our audit defence team challenges these on a technical basis, supported by independent system evidence.
In both cases, the settlement process follows the same structure: challenge the ELP, produce counter-evidence, negotiate the gap, and document the agreed position in an Order Form amendment with a formal clean ELP baseline. Don't settle without the clean baseline. Without it, SAP's commercial team retains the ability to re-raise the same underlying data at your next renewal or audit window. Visit our SAP licensing case studies to see the settlement results we've achieved across both audit types.
Key Takeaways: SAP Basic vs Enhanced Audit
- Basic audits are self-declaratory via USMM β you control the data, which means you can control the outcome if prepared
- Enhanced audits involve SAP's GLAC team with direct system access β scope, tools, and risk are significantly higher
- The trigger for an enhanced audit signals SAP's commercial hypothesis β understanding it shapes your response strategy
- Basic audits can escalate to enhanced audits if SAP identifies discrepancies or believes your submission was inflated
- Indirect access (LAW analysis) is rarely fully surfaced in a basic audit β enhanced audits routinely uncover significant additional exposure
- Settlement dynamics differ: basic audits give you stronger technical ground to challenge SAP's ELP interpretation
- Both audit types require a formally documented clean ELP baseline in your Order Form as part of the settlement
Received an SAP Audit Letter?
Our team treats audit enquiries as priority β we respond within 4 business hours and can engage within 48 hours of instruction. The first 72 hours of an SAP audit define the outcome.
Get Emergency Triage β Download the Free SAP Audit Guide βIndependent SAP Audit Defence
We have resolved over $200M in SAP audit exposure. If you are facing an active audit, a compliance claim, or want to understand your exposure before SAP comes calling, our SAP audit defence service is the fastest path to a defensible position.
Book a Free Audit Triage Call β