SAP enhanced audits are the company's most aggressive compliance tool. Unlike basic audits — which ask passive questions and rely on self-reported data — enhanced audits grant SAP direct access to your systems. They deploy sophisticated measurement tools like STAR (System Trace and Analysis Results) and LAW (License Administration Workbench) to extract usage data, measure named users, identify indirect access, and construct claims that are often significantly larger and harder to defend than basic audit findings.
Key Takeaways
- Enhanced audits escalate when SAP suspects high-value compliance gaps, you have RISE with SAP, or you've resisted previous audit findings
- SAP's STAR tool can detect named users, measure system activity, and identify custom code usage — giving SAP forensic visibility into your environment
- Enhanced audits grant SAP deep system access, but you retain the right to audit-managed access (time-boxed, documented, monitored)
- The average enhanced audit takes 8-12 weeks and results in claims 2-3x larger than basic audits for the same environment
- Your technical defence depends on pre-audit documentation, system configuration evidence, and forensic counter-measurement using third-party tools
What Is an SAP Enhanced Audit?
An enhanced audit is an invasive, system-level measurement of your SAP environment. SAP gains direct access to your production systems and deploys measurement tools that can:
- Extract named user lists and trace activity logs
- Measure indirect access (API calls, web services, third-party tool integrations)
- Identify custom code and Z-table usage
- Build transaction frequency maps
- Analyze system landscape complexity
This is categorically different from a basic audit, where SAP sends questionnaires and you provide evidence under your control. In an enhanced audit, SAP controls the measurement methodology.
The 3 Triggers That Escalate to Enhanced Status
Trigger 1: High-Value Compliance Gaps
SAP escalates to enhanced audits when they suspect significant underpayment. This typically means:
- Your last contract renewal was 5+ years ago (SAP assumes pricing has lagged)
- You have significant indirect access exposure through custom integrations
- Your system landscape shows potential for name-user undercount
SAP's commercial team flags high-value targets based on contract history, system complexity, and industry benchmarking.
Trigger 2: RISE with SAP Customers
If you're a RISE with SAP customer, enhanced audits are more common. SAP uses them to lock customers into higher cloud consumption by discovering "additional" indirect access, then negotiating that into your RISE contract renewal.
Trigger 3: Previous Audit Resistance
If you disputed findings in a prior basic audit or refused to negotiate, SAP often escalates to enhanced audit to establish their methodology as unchallengeable. "We'll let the tools speak for themselves" is their implicit message.
SAP's Enhanced Audit Toolkit
STAR (System Trace and Analysis Results)
STAR is SAP's primary measurement tool. It runs continuous tracing on your production systems and extracts:
- Named user data: Every user who logged in, with session duration and transaction history
- Transaction activity: System modules accessed, with frequency metrics
- Custom code execution: Z-programs, enhancements, and modifications
- Indirect access patterns: API calls, web service invocations, third-party integrations
STAR generates enormous data sets. A typical STAR trace on a 1,000-user environment produces millions of records. SAP uses statistical analysis to reduce this into audit claims.
LAW (License Administration Workbench)
LAW is a reporting layer that processes STAR data into licensing metrics. LAW can measure:
- User classification (named user vs. resource user)
- Indirect access volume (transactions per day/month)
- System complexity scoring
- Module usage distribution
LAW output is typically presented as gospel truth in audit findings. Your opportunity to challenge is in the measurement assumptions, not the data.
Custom STAR Scripts
SAP auditors sometimes run custom scripts beyond standard STAR output. These custom scripts can target:
- Specific Z-tables or custom developments
- Particular third-party integrations
- User segments (e.g., contractors, part-timers classified as full named users)
Custom scripts are often where auditors stretch claims. The output lacks standardization, making defensibility harder.
Your Rights During an Enhanced Audit
Despite SAP's invasive access rights, you retain key protections:
- Audit-managed access: You can require SAP auditors to operate under time-boxed, monitored access. You can observe measurements and document the process.
- Confidentiality protection: You can exclude sensitive data from STAR tracing (payroll, HR systems, financial data). SAP must honor these carve-outs.
- Right to challenge methodology: You can dispute STAR assumptions and custom scripts before they're finalized into claims.
- Third-party measurement: You can run parallel measurements using independent tools (e.g., License Optimizer, SPA tools) to challenge STAR findings.
Most enterprises don't use these rights aggressively. If you do, you significantly reduce the claim.
The Enhanced Audit Timeline
Week 1-2: Notification & Preparation — SAP sends audit letter. You engage counsel, identify system contacts, document baseline data.
Week 3-4: Initial Data Gathering — SAP requests user lists, contracts, system configuration. You provide documentation under audit privilege (through counsel).
Week 5-8: System Access & Measurement — SAP auditors (often third-party firms) deploy STAR and LAW on your systems. You log all access, monitor measurements.
Week 9-10: Preliminary Findings — SAP sends draft audit claim. This is your window to challenge specific findings.
Week 11-12: Final Claim & Settlement Discussion — SAP issues final claim and opens negotiation.
Total timeline: 8-12 weeks minimum. High-complexity environments run longer.
Building Your Defence Before SAP Runs Their Scripts
Documentation Baseline
Create a contemporaneous record of:
- Current named user count with job titles and active dates
- System landscape architecture (production, test, development)
- User segregation policies (who accesses what modules)
- Indirect access points (list of integrations, API consumers, third-party tools)
- Custom code inventory (Z-programs, enhancements, BADI implementations)
This documentation becomes your "effective licence position" (ELP) baseline. If STAR claims exceed your documented ELP, you have grounds to challenge.
System Configuration Hardening
Before the audit:
- Deactivate unused named users (reduce the count STAR will discover)
- Document user role assignments (prove users are assigned to correct modules)
- Catalogue indirect access, with business justification for each integration
- Review custom code for licensing implications (Z-code that extends licensed modules)
SAP can only claim what STAR finds. Lower your findable footprint proactively.
Third-Party Measurement Tools
Hire a forensic SAP licensing firm to run parallel STAR measurements using independent tools. Vendors like Synoptis, SoftwareOne, or Redress can run License Optimizer or equivalent tools simultaneously with SAP's audit.
This generates a counter-measurement that shows where SAP's methodology diverges from independent tools. It's powerful evidence in settlement negotiations.
Data Protection & Confidentiality in Enhanced Audits
You have the right to protect sensitive data from SAP's measurement:
- Payroll/HR data: You can request STAR exclude the HR module entirely
- Financial/GL data: You can carve out the General Ledger and Accounts Payable modules
- Executive/board access: You can anonymize or exclude C-suite users from STAR tracing
SAP may resist, but this is a legitimate negotiation point. Insist on confidentiality protections in the audit agreement before access is granted.
The Negotiation After Enhanced Audit Findings
Once SAP issues preliminary findings (week 9-10), you enter settlement discussion. Your leverage points:
- Third-party measurement data: "Our independent measurement tool shows STAR over-counted indirect access by 40%"
- System configuration evidence: "Your audit found 500 named users, but our role assignment documentation proves only 300 have actual access"
- Custom code carve-outs: "These Z-programs fall outside the licensed modules — they don't generate licence demand"
- Timing disputes: "STAR measured users in May, but we deactivated 60 users in April — your measurement is outdated"
Negotiated settlements on enhanced audits typically achieve 30-50% reductions from the initial claim. If you have strong third-party measurement data, you can push toward 50-70% reductions.
Preventing Future Enhanced Audits
After settlement, protect yourself:
- Audit carve-outs: Negotiate into your settlement agreement specific configurations or user populations that SAP won't audit for 3-5 years
- Measurement agreement: Require SAP to update their tools if they discover your systems differ from their assumptions
- Contract documentation: Explicitly document your licence position in your contract renewal to establish precedent
Facing an Enhanced Audit?
Our forensic SAP licensing experts have defended hundreds of enterprises through enhanced audits. We deploy counter-measurement tools, build technical defences, and negotiate settlements that preserve your budget.
Explore Enhanced Audit DefenceRelated Topics in This Cluster
For deeper dives into specific enhanced audit challenges, see:
- SAP Enhanced Audit vs Basic Audit: What's Different — Side-by-side comparison of scope, tools, timelines, and response strategies
- How to Challenge SAP Audit Findings — Forensic techniques for disputing STAR data and LAW calculations
- SAP Audit Negotiation and Settlement Guide — Complete settlement strategy and negotiation playbook
- SAP USMM Measurement Guide — Understanding SAP's named user and indirect access metrics
- SAP Audit Defence Guide — Full enterprise audit playbook