Why Clean Core Creates Audit Risk
SAP Clean Core is often discussed exclusively as a technical and architectural topic. But for enterprises with active SAP environments, the transition to Clean Core — and any period of incomplete transition — creates compliance risks that SAP's Global License Audit and Compliance (GLAC) team is increasingly equipped to identify and pursue. Understanding these risks before an audit letter arrives is the only position that gives enterprise buyers any control over the outcome.
The Clean Core audit risk landscape has three dimensions. First, legacy ABAP compliance: what are the licence implications of custom ABAP code that remains in the SAP system while a Clean Core migration is in progress? Second, indirect access through extensions: do BTP side-by-side extensions interact with SAP data in ways that trigger indirect access or Digital Access charges? Third, API boundary violations: do any extensions use SAP APIs that are not part of the officially released API catalogue, and what are the licence consequences if they do? Each of these dimensions creates real exposure, and each requires a different defensive strategy.
SAP's audit teams are becoming increasingly sophisticated in detecting Clean Core non-compliance. SAP's System Measurement tools collect data on custom ABAP usage patterns, API calls, and integration flows. Organisations that assume SAP cannot detect indirect access through BTP extensions are mistaken — SAP's measurement capabilities in cloud and hybrid environments have materially improved since 2023.
The Four Clean Core Audit Risk Scenarios
Legacy ABAP in S/4HANA Cloud Private Edition
S/4HANA Cloud Private Edition (formerly RISE Premium, now Cloud ERP Private) has contractual restrictions on certain types of classical ABAP modification. Customers running legacy customisations that violate these restrictions — even during a planned migration to Clean Core — may face audit claims based on the specific terms of their RISE contract. The key risk is that the contract defines what is "permitted use" in the context of S/4HANA Cloud, and legacy ABAP patterns may fall outside that definition even if they were compliant under the previous ECC or on-premise S/4HANA licence terms.
Indirect Access Through BTP Extensions
BTP side-by-side extensions that read or write SAP data through integration flows may trigger SAP indirect access or Digital Access charges depending on what data is accessed, how frequently, and by whom. SAP's official position is that extensions using released APIs and BTP services are covered, but this guidance does not extend to all integration architectures — particularly where third-party systems or unlicensed users access SAP data through extension intermediaries.
Unreleased API Usage in ABAP Cloud Extensions
Some ABAP Cloud extensions developed by less experienced teams inadvertently use SAP internal APIs that are not part of the released API catalogue — often because the required functionality is not yet available through a released API. This is a Clean Core compliance violation and, depending on the specific APIs used, may also constitute a breach of the SAP licence agreement. SAP's ATC tool flags these violations, but not all organisations run ATC continuously in their production environments.
Digital Access Document Volume Overruns
BTP extensions that create, update, or trigger SAP documents — such as sales orders, purchase orders, or financial postings — may contribute to Digital Access document counts. If an extension is processing document volumes that significantly exceed the Digital Access allowances in the licence, the resulting overrun creates audit exposure. This is particularly relevant for extensions that process high-volume automated transactions, such as EDI integrations or automated order processing workflows running on BTP.
Legacy ABAP During the Clean Core Transition: Your Compliance Position
One of the most common questions we receive from organisations in the middle of a Clean Core migration is: "Are we compliant during the transition period?" The answer depends entirely on the specific terms of your SAP licence agreement — not on SAP's general marketing materials about Clean Core.
For on-premise S/4HANA customers, the compliance position is generally more straightforward: the on-premise licence agreement is based on named users and application licences, and classical ABAP development is typically within the scope of those licences. The Clean Core mandate is a recommendation, not a contractual requirement, in most on-premise agreements.
For RISE and S/4HANA Cloud Private Edition customers, the position is more complex. The cloud subscription agreement may contain provisions that restrict certain types of customer modification to the managed cloud environment. These restrictions vary by contract version — agreements signed before 2023 have different terms than those signed in 2025. Organisations must review their specific contract language, not rely on general guidance.
Our SAP audit defence team reviews SAP licence agreements specifically for Clean Core compliance provisions as part of our pre-migration advisory engagement. This review takes one to two days and can prevent a compliance exposure that costs multiples of the advisory fee to resolve.
RISE agreements post-2023 often include provisions that SAP can use to audit your use of the managed RISE environment against the clean core principles in the contract. These clauses are not always clearly labelled as audit provisions — they appear in operational clauses and in the usage rights definitions. Have your legal team or an independent SAP licensing adviser review these sections before you assume your transitional architecture is compliant.
Indirect Access Risk in BTP Extensions: The Technical Boundary
SAP's indirect access risk in the context of BTP extensions is concentrated in three technical patterns that enterprise architects need to understand and document.
- Fan-out scenarios: A BTP extension that receives data from one licensed SAP user and transforms or routes it to multiple downstream users or systems — particularly unlicensed ones — can create indirect access exposure for the downstream touchpoints. Fan-out is a common pattern in integration-heavy architectures and must be reviewed against your specific Digital Access model.
- Data extraction patterns: Extensions that extract SAP data (master data, transactional data, configuration) at scale and store it in non-SAP systems for use by unlicensed users or processes may trigger indirect access claims. The Digital Access model covers document creation and update events, but does not cover all data extraction scenarios, and SAP's contract language around "use" of SAP software is broader than many customers appreciate.
- API call volume monitoring: High-volume API calls from BTP extensions to SAP systems — particularly in automated, non-human-initiated scenarios — can trigger scrutiny in SAP audits. SAP's measurement tools log API call volumes, and patterns inconsistent with the licensed user count can prompt further investigation.
For a comprehensive guide to the indirect access risk in BTP contexts, see our detailed guides on SAP indirect access and SAP Digital Access licensing. Our indirect access advisory service specifically covers BTP extension architectures as part of the compliance review.
Building a Clean Core Compliance Defence
Proactive compliance management is the most cost-effective response to Clean Core audit risk. The following framework defines the key activities that should be part of any enterprise's ongoing SAP compliance programme once a Clean Core migration is underway.
- Maintain a live inventory of all custom extensions. Every BTP extension and every remaining classical ABAP customisation should be documented with its API usage profile, integration touchpoints, and the business process it supports. This inventory is your first line of defence in an audit — demonstrating that you know exactly what your custom code landscape looks like.
- Run ATC checks continuously, not just at project milestones. SAP's ABAP Test Cockpit should be configured to run continuously on all ABAP Cloud development, with alerts for any new usage of non-released APIs. Catching violations at development time is orders of magnitude cheaper than discovering them during a GLAC audit.
- Monitor Digital Access document counts for extension-generated documents. Implement monitoring for SAP Digital Access document counts specifically attributable to BTP extension activity. If extension-generated documents are approaching your contracted Digital Access allowances, address this commercially before it becomes an audit finding.
- Get a legal review of your RISE contract's Clean Core provisions. Engage your legal team or an independent adviser to identify exactly what your current RISE or S/4HANA Cloud contract says about permitted custom modifications and Clean Core compliance. This review should be refreshed at every contract renewal.
- Document your Clean Core migration roadmap. If you have legacy ABAP that is not yet compliant, maintain a documented migration roadmap with target dates and progress milestones. SAP's audit teams take a more accommodating position toward customers who can demonstrate active, good-faith migration progress than toward those with no documentation of remediation intent.
The most powerful defensive tool in a Clean Core audit is a documented, active migration programme with evidence of progress. SAP's GLAC team is more likely to reach a reasonable settlement with a customer who can demonstrate they identified the issue, created a plan, and are executing against it — compared with a customer who has no documentation and appears to have been unaware of the compliance problem.
What Happens When SAP Finds a Clean Core Violation
If SAP's audit team identifies what they classify as a Clean Core compliance violation during an audit, the typical outcome follows the same pattern as other SAP audit defence scenarios: SAP issues a preliminary finding, quantifies a back-licence claim, and presents a commercial resolution offer that typically includes licence uplift and additional maintenance fees.
The good news is that Clean Core audit claims are technically complex and therefore highly disputable. The boundary between permitted API usage and non-permitted internal API usage is often unclear in practice, and the contractual language defining "permitted use" in the context of Clean Core is open to interpretation. Organisations with well-documented extension architectures and a clear legal analysis of their contract terms are well-positioned to challenge SAP's audit findings — particularly if the alleged violations are in grey-area API usage rather than clear-cut licence exceedances.
Our guide to challenging SAP audit findings covers the technical and legal framework for disputing audit claims. If you have received an audit finding that references Clean Core violations, contact our audit defence team immediately — the position you establish in the first 48 hours of an audit significantly affects your eventual settlement outcome. See our guide on how to respond to an SAP audit letter for immediate action steps.
Related Topics
Clean Core audit risk sits at the intersection of several important SAP licensing and compliance topics. Our broader guides on SAP Clean Core licensing, BTP side-by-side extension licensing, and the SAP audit guide provide additional context. For the audit process itself, our guides on SAP audit timelines and SAP audit settlement negotiation will be essential if you are already in an active audit.