When SAP launches an audit, the most critical question is not whether you're compliant — it's what type of audit are you facing? Basic audits and enhanced audits are fundamentally different animals. They have different scopes, different tools, different timelines, and entirely different defensive strategies. Confusing the two can cost you hundreds of thousands in unnecessary spend.
Key Takeaways
- Basic audits are passive, questionnaire-driven, and rely on your documentation. Enhanced audits grant SAP direct system access with automated measurement tools like STAR and LAW
- Basic audit claims average $100-300K; enhanced audit claims average $300-800K or more. Enhanced audits produce 2-3x larger findings on the same environment
- Basic audits take 6-10 weeks; enhanced audits take 8-12 weeks minimum. Basic audits rely on self-reported data; enhanced audits use forensic measurement
- Your defensive strategy changes completely: basic audits require documentation and interpretive arguments; enhanced audits require technical counter-measurement and system evidence
- If you're facing a basic audit, you control the narrative. If you're facing an enhanced audit, you must control SAP's access and monitor their measurement methodology
Side-by-Side Comparison: Basic vs Enhanced
| Dimension | Basic Audit | Enhanced Audit |
|---|---|---|
| Access Type | Passive questionnaire + document request | Direct system access with measurement tools |
| Tools Used | None (relies on self-reported data) | STAR, LAW, custom scripts |
| Typical Timeline | 6-10 weeks | 8-12+ weeks |
| Average Claim Size | $100-300K | $300-800K+ |
| Data Control | You control what you submit | SAP controls what they measure |
| Your Defence | Documentation + interpretation | Technical counter-measurement |
| Negotiation Leverage | High (you control narrative) | Lower (SAP controls measurement) |
How to Identify Which Type You're Facing
SAP's audit letter should explicitly state whether it's a basic or enhanced audit. Look for these phrases:
- Basic audit language: "We request you complete the attached questionnaire..." or "Please provide documentation of..."
- Enhanced audit language: "We require direct access to your systems..." or "Our audit team will deploy measurement tools on your environment..."
If the letter is ambiguous, ask SAP directly: "Will this audit include direct system access and automated measurement tools?" The answer determines your entire response strategy.
Basic Audit Strategy: Passive Response, Active Documentation
The Basic Audit Process
SAP sends a questionnaire asking about:
- Current user populations (named users, service users, batch users)
- System landscape (production, test, dev)
- Custom code and extensions
- Indirect access integrations
- Contract history
You respond with documentation you control. SAP compares your responses against their assumptions about licensing. If gaps emerge, they quantify the claim.
Your Defensive Advantage in Basic Audits
You control the narrative. You answer the questionnaire. Your documentation is your evidence. If your documentation is thorough and defensible, you limit SAP's claim significantly.
Strategy: For each questionnaire response, provide contemporaneous evidence (system reports, user configuration screenshots, integration documentation). Make it impossible for SAP to dispute your answers without forensic contradictory evidence (which they don't have in a basic audit).
Common Basic Audit Traps
- Over-responsive answers: Answering beyond what was asked opens discovery. Answer the question asked, support with documentation, stop.
- Inconsistent documentation: If your Q4 2025 user report shows 200 named users but your Q1 2026 report shows 150, SAP will challenge both. Reconcile inconsistencies before submitting.
- Self-incriminating admissions: "We've been uncertain about how to license this feature..." is an invitation for SAP to challenge. Provide definitive positions backed by evidence.
Enhanced Audit Strategy: Active Monitoring, Technical Counters
The Enhanced Audit Process
SAP deploys auditors (often third-party firms) to your site. They:
- Run STAR and LAW tools on your production systems
- Extract system data and measure named users, indirect access, custom code
- Generate preliminary findings based on automated measurement
- Present findings and open settlement negotiation
You are not in control of the measurement. SAP controls both the tool and the methodology.
Your Defensive Advantage in Enhanced Audits
You control system access and measurement observation. You can:
- Require audit-managed access (monitored, time-boxed, logged)
- Document all measurement activities and challenge assumptions
- Run parallel measurements using independent tools to generate counter-evidence
- Exclude sensitive data carve-outs (payroll, financial, executive)
Strategy: Before SAP begins measurement, engage forensic counsel and third-party measurement tools. Document your system baseline. As SAP measures, log their activities and challenge methodology in real-time. Use third-party measurements to generate counter-claims before the final audit findings.
Enhanced Audit Preparation Steps
Week 1 (immediately upon audit notification):
- Engage forensic SAP licensing counsel
- Engage third-party measurement vendor (License Optimizer, Synoptis, etc.)
- Run baseline user and system reports before SAP accesses systems
- Identify sensitive data to carve out from measurement
- Document current licence position as audit baseline
Week 2-3 (during initial access setup):
- Grant SAP system access with audit-managed controls (monitoring, logging, time-box)
- Deploy third-party measurement tools simultaneously with STAR
- Log all SAP access activities
- Identify any discrepancies between SAP's STAR output and your baseline
Week 4-8 (during measurement):
- Monitor STAR/LAW output daily
- Challenge methodology assumptions in real-time
- Gather third-party counter-measurement data
- Prepare technical rebuttals to preliminary findings
Week 9+ (preliminary findings & negotiation):
- Compare SAP findings against your baseline and third-party measurements
- Quantify discrepancies and build technical defence
- Negotiate from position of counter-measurement evidence
Decision Tree: Is This Audit Defendable?
Are you facing a BASIC audit?
- Is your documentation comprehensive and up-to-date? → YES: Respond with full documentation. NO: Fill gaps before responding.
- Does your documentation contradict SAP's assumptions about licensing? → YES: Prepare interpretive defences. NO: Expect a claim based on SAP's assumptions.
Are you facing an ENHANCED audit?
- Can you afford third-party measurement tools ($30-75K)? → YES: Deploy immediately. NO: Consider basic settlement.
- Is your system documentation solid? → YES: Prepare technical defences. NO: Reduce scope and settle quickly.
- Do you have IT bandwidth to monitor SAP's access? → YES: Monitor aggressively. NO: Negotiate time-boxed access to manage burden.
Unsure Which Type of Audit You're Facing?
Our audit advisors can review your SAP notification letter and immediately identify the audit type, timeline, and optimal defence strategy.
Get Audit Type AssessmentThe Bottom Line: Response Strategy Depends on Audit Type
Basic audits are beatable through documentation and clear, defensible answers. Your advantage is information control.
Enhanced audits are more invasive but also more challengeable through third-party measurement and technical counter-evidence. Your advantage is measurement transparency and parallel validation.
Know which type you're facing before you respond. The defensive playbook is completely different.
Related Reading
- SAP Enhanced Audit Tactics: Complete Guide — Deep dive on STAR, LAW, and forensic defence
- How to Challenge SAP Audit Findings — Technical techniques for both audit types
- SAP Audit Negotiation and Settlement — Settlement strategy for both audit types
- SAP Audit Defence Guide — Full playbook