SAP LAW Report: What Auditors Look For

Key Takeaways

LAW is a consolidation tool, not a neutral aggregator. Deduplication quality is the critical variable, and poor deduplication amplifies the ELP rather than reducing it.
User ID mismatches are the most common source of LAW inflation. Any user who appears under different IDs across systems will be counted multiple times unless matched correctly.
System scope in LAW is a contractual question, not a technical one. Auditors will include as many systems as possible; the contract determines what should be included.
Cross-system licence type upgrades are embedded in LAW logic. A user's highest licence type across all systems becomes their consolidated classification.
Enterprise acquisitions create LAW complexity that SAP exploits. Acquired entity systems may not be in scope under the original licence agreement.

If USMM is the instrument that measures individual SAP systems, then LAW — the Licence Administration Workbench — is the instrument that assembles those individual measurements into the consolidated picture SAP presents as your total licence liability. The SAP LAW report audit process is where multi-system enterprises face their greatest exposure, because it is here that every counting error, deduplication failure, and scope dispute becomes amplified across the full enterprise landscape.

Most enterprise SAP environments run multiple systems: an ERP production system, perhaps an HR system, a CRM system, a procurement system, various legacy platforms, and increasingly S/4HANA components alongside ECC. Each of these systems produces a USMM measurement. LAW's job is to consolidate these measurements into a single enterprise count that avoids counting users who legitimately have access to multiple systems more than once. When it works correctly, LAW provides a net position that reflects actual licence consumption. When it fails — through poor deduplication, incorrect scope, or configuration errors — it produces an inflated number that SAP's audit team uses to construct an inflated ELP.

1. How LAW Works: The Consolidation Architecture

LAW runs as an ABAP application within a designated SAP system. The enterprise — or SAP's audit team — imports the USMM measurement files from all systems in scope into the LAW consolidation system. LAW then processes these files through its deduplication engine to produce a single, consolidated user count.

The deduplication engine operates on the following logic: for each user that appears in the measurement files, LAW attempts to determine whether that user appears in multiple systems. If a user is found in multiple systems, LAW retains the highest licence type assigned to that user across all systems and counts the user only once at that highest level.

This architecture creates two structural risks for enterprises. First, deduplication failure means that users who genuinely appear in multiple systems are counted multiple times rather than once — directly inflating the total. Second, cross-system licence type maximisation means that a user who is a Limited Professional in their primary system but has a single Professional transaction in a secondary system will be elevated to Professional User across the entire consolidation.

2. The Four Types of LAW Deduplication Failure

Deduplication failure is the central challenge in LAW analysis. There are four distinct types of failure, each with a different cause and a different remediation approach.

Type 1: User ID Format Mismatches

LAW's primary deduplication key is the User ID — the account identifier used to log into each SAP system. If a user has different User IDs across different systems (which is common in enterprise environments that have grown through acquisition, IT consolidation, or organic expansion), LAW cannot automatically identify them as the same person.

Common User ID format variations that cause deduplication failure include: different naming conventions across systems (e.g., "JSMITH" vs "J.SMITH" vs "JOHNSMITH"), system-specific prefixes or suffixes (e.g., "ERP_JSMITH" vs "HR_JSMITH"), and completely different identifier schemes in acquired entity systems.

Type 2: Missing Email-Based Deduplication

More recent versions of LAW support deduplication on email address as an alternative or supplement to User ID matching. Email addresses are generally more consistent across enterprise systems than User IDs because they are typically managed centrally through the email directory. However, email-based deduplication is not always enabled in LAW configurations, and auditors will not always activate it when running the consolidation — particularly when doing so would reduce the apparent licence gap.

Type 3: System Scope Over-Inclusion

Auditors include every system they can access in the LAW consolidation, unless the enterprise explicitly challenges the scope. Systems that should not be in scope — test environments, development systems, pre-production copies, recently divested entities, and systems acquired after the licence effective date — are routinely included in LAW consolidations unless the enterprise actively argues for their exclusion.

Scope is a Contractual Determination

The question of which systems are in scope for a LAW consolidation is not determined by which systems exist or which systems SAP can access. It is determined by the language of the licence agreement — specifically the system landscape definitions, the permitted use clauses, and any schedules that explicitly identify the systems covered by the licence. Most enterprises do not review these provisions before allowing SAP to include systems in the LAW scope. This is a systematic disadvantage that well-prepared enterprises can eliminate.

Type 4: Acquired Entity System Inclusion

Enterprise acquisitions create a specific and frequently exploited LAW scope problem. When an enterprise acquires another company, the acquired entity typically has its own SAP systems with its own user population. These users are not covered by the acquiring entity's SAP licence agreement — they require either their own licence entitlement or a contractual expansion that brings them within the acquiring entity's licence.

SAP's audit team will often include acquired entity systems in the LAW consolidation without distinguishing them from systems covered by the original licence. The effect is to add the acquired entity's user population to the ELP shortfall, even though those users may be covered by the acquired entity's own licence agreements, may be in the process of being migrated, or may be subject to specific contractual arrangements that SAP's audit team is not accounting for.

3. What SAP Auditors Actually Examine in the LAW Report

When SAP's audit team reviews a LAW report, they are looking for three things: the consolidated user count by licence type, the size of the gap between that count and the contracted entitlement, and any inconsistencies or anomalies in the consolidation that might affect the ELP figure.

Importantly, SAP's auditors are not typically reviewing the LAW report in order to find reductions. They are reviewing it to support the highest defensible ELP number. Enterprise teams that understand this dynamic approach the LAW review with appropriate scepticism and perform their own independent analysis before engaging with SAP's conclusions.

The Cross-System Upgrade Problem

One specific aspect of LAW logic that auditors rely on — and that enterprise teams often miss — is the cross-system licence type upgrade. As noted above, LAW applies the highest licence type found for each user across all consolidated systems. This means that a user who is adequately licenced in their primary system (where they are correctly classified as, for example, a Limited Professional) may be upgraded to Professional User if any secondary system they have access to contains a Professional-level role assignment.

In complex landscapes, many users have access to secondary systems for historical or technical reasons that do not reflect their actual work. An HR system that was imported into the LAW consolidation may assign Professional-level roles to a population of users because that is the system's default configuration — regardless of whether those users are genuinely Professional Users in their primary work context.

The Highest Licence Across All Systems

LAW's cross-system upgrade logic can turn an accurate per-system USMM into a significantly inflated consolidated position. An enterprise where 70% of users are correctly classified as Limited Professional at the individual system level may find that 40% of those users are upgraded to Professional User in the LAW consolidation because of role assignments in secondary systems that do not reflect their actual use patterns. This is a specific, documented, and challengeable source of ELP inflation.

4. Running Your Own LAW Consolidation Before the Audit

The most effective approach to managing LAW risk is to run the consolidation independently before SAP's audit team does. This allows the enterprise to identify deduplication failures, scope disputes, and cross-system upgrade issues in advance and address them before the audit measurement becomes the basis for a commercial claim.

An independent LAW run requires access to all systems in scope, a LAW consolidation environment, and the technical expertise to configure the deduplication parameters appropriately. For most enterprises, this work benefits from specialist support — both because the technical configuration is complex and because the contractual scope analysis requires expertise in SAP licence agreement interpretation that is not typically held by IT teams.

This is described in detail in our guide on preparing your systems before SAP runs USMM. The broader audit defence context is available in our comprehensive SAP audit guide. Our SAP audit defence advisory service includes independent LAW analysis as a standard component of audit preparation engagements.

5. How to Contest the LAW Report: Practical Approach

When SAP presents a LAW-based ELP, contesting it effectively requires a systematic approach:

Scope challenge first — before challenging any deduplication or classification detail, establish which systems are legitimately in scope under the contract. If out-of-scope systems are included, their removal may dramatically reduce the ELP before any other work is needed.
User ID mapping review — produce an independent mapping of all User IDs across all systems and identify where the same individual appears under multiple IDs. Present this mapping with corroborating HR data to demonstrate correct deduplication.
Cross-system upgrade analysis — identify users who have been upgraded in the LAW consolidation due to secondary system role assignments that do not reflect their primary work. Prepare evidence that the upgraded classification does not reflect actual usage.
Acquired entity separation — if acquired entity systems are included, clearly identify the contractual basis (or lack thereof) for their inclusion and prepare a separation analysis showing the acquired entity user population as distinct from the in-scope population.
Parallel consolidation — present SAP with an independent LAW consolidation that reflects the corrected deduplication and scope. SAP's audit team is more likely to negotiate when confronted with a structured counter-analysis than with a verbal challenge to their numbers.

The full strategic context for challenging SAP's Effective Licence Position — including how LAW challenges fit into the broader audit negotiation — is covered in the series pillar: SAP USMM & LAW Tools: The Complete Enterprise Guide for 2026. Our team provides hands-on support for enterprises managing active SAP audit disputes through our SAP audit defence service.

Our Services