At a Glance

Sector: European universal bank, cross-border ops
Engagement Length: 11 months from audit letter to signed settlement
Initial SAP Claim: Approximately $200M back-licence and back-maintenance
Final Outcome: Settled in the $10M to $20M range, structured over 36 months
SAP Mechanic: Enhanced audit after M&A. USMM overcounting of Limited Professional users
Framing: Composite framing applied. Banking sector confidentiality

The Situation

The bank had completed the acquisition of a mid-sized regional competitor 18 months before the audit letter arrived. SAP's account team had monitored the integration closely. When the combined ECC estate stabilised, SAP escalated from a basic audit to an enhanced audit. The cited rationale was material change in the licensed user population and a likely deviation between contracted entitlements and observed usage. The enhanced audit gave SAP the right to send its own measurement team on-site and to demand SLAW output for both legacy entities.

SAP's measurement team ran USMM and LAW across the combined estate, treating every active SAP_ALL or SAP_NEW dialog user as a Professional licence consumer. The methodology counted every user who had logged in at least once in the past 12 months. It made no allowance for service accounts, dormant test users, contract staff whose access had expired but whose user IDs remained active, or shared functional accounts. SAP's claim broke down roughly as follows: $130M to $150M in back-licence for newly counted Professional users, $30M to $40M in retroactive support and maintenance, and the balance in indirect access exposure tied to the acquired entity's third-party data warehouse.

The bank's internal SAP team had submitted USMM results to SAP without independent validation, expecting a routine compliance discussion. Within six weeks of that submission, the audit had moved to enhanced, the claim had been quantified, and SAP's commercial team had opened a discussion about a remediation package that included an early move to RISE with SAP. We were retained by the General Counsel's office at that point, ahead of any further response to SAP.

What We Did

  1. Stopped further data flow and isolated what had already gone. We instructed internal SAP teams to suspend new submissions until we had reviewed exactly what SAP had received. The bank had shared SLAW output for both legacy entities together, presenting a unified population. We argued that the acquired entity's pre-integration position should be assessed against its own pre-M&A contract, not against the surviving entity's Master Agreement.
  2. Forensic review of the user population. Our team ran a 6-week parallel analysis of every counted user. We classified each user by job function, transaction profile from STAR, login frequency, and contractual eligibility for each licence type. The exercise identified that approximately 40 percent of the SAP-counted Professional users met the contractual definition of Limited Professional, around 12 percent were service or batch accounts that should never have been counted as Named Users, and a further 8 percent were users whose access had been provisioned but whose engagement had ended.
  3. Challenged the Limited Professional eligibility test. SAP's measurement applies a narrow test that triggers Professional classification on the presence of certain transaction codes. We argued from the contract that Limited Professional eligibility is defined by the role's primary purpose, not by the transaction code list. We submitted role definitions, business process documentation, and HR job descriptions to support the reclassification of 4,800 users to Limited Professional. SAP eventually accepted the reclassification for the substantial majority of the population.
  4. Argued M&A continuity under the acquired entity's contract. The acquired bank had a separate, older Master Agreement with a more favourable user count clause and a price hold that had not yet expired. We argued that the M&A transaction transferred contractual rights to the surviving entity for the duration of the acquired contract. SAP initially resisted. After two months and the production of legal opinions on both sides, SAP accepted a hybrid position where the acquired population was assessed under the older contract through its remaining term.
  5. Restructured indirect access into a forward subscription. The data warehouse exposure was real but smaller than SAP had quantified. We applied the Digital Access price list rules precisely, eliminated double-counted Material Documents, and converted the residual exposure into a 36-month forward subscription rather than a one-shot back-licence.
  6. Negotiated a structured settlement with audit closure. The final settlement was structured as a true-up payment plus a forward 36-month commitment, with explicit contractual language closing the audit, releasing all claims for the audited period, and capping the next measurement scope. Total cash impact landed in the $10M to $20M range, depending on how the deferred annual elements are amortised.

The Outcome

SAP's initial claim of approximately $200M settled in the $10M to $20M range, structured over a 36-month period with no further back-licence exposure for the audited period. The two-thirds of the bank's user population reclassified to Limited Professional generated an ongoing annual licence cost reduction in the $4M to $6M range, independent of the audit settlement itself. The M&A continuity argument preserved $40M to $50M of contractual value that would otherwise have been lost on integration.

The settlement included three structural protections beyond the headline number. First, an audit standstill clause prevented SAP from initiating another enhanced audit for 36 months absent a material change event. Second, the scope of future measurement was contractually defined, limiting SAP's ability to expand discovery in a future cycle. Third, the contractual definition of Limited Professional was updated in the new Order Form to reflect the role-based test the bank had argued, rather than the transaction-code test SAP had applied.

What Other Enterprises Can Take From This

Enhanced audits are not random. They follow a pattern: M&A activity, a major upgrade or migration, a public restructure, or a contract renewal cycle that SAP wants to pre-position. If your organisation is in any of those windows, the audit conversation is not a hypothetical risk. Banks face the additional complication that prudential regulators expect contractual certainty over IT cost. An open audit claim of $200M sitting on the books for 18 months is itself a regulatory issue. SAP's commercial team knows this, and the pressure that knowledge creates is part of the playbook.

The single most expensive mistake is submitting unmodified USMM and SLAW output before independent review. The tools count what SAP designed them to count. They do not test contractual eligibility, they do not apply role-based licensing tests, and they do not adjust for inactive or dormant accounts. Every figure those tools produce is challengeable from the contract. The defence requires evidence: HR records, role definitions, transaction analytics, login history, and the contractual definitions that determine licence type. None of that evidence is in the SAP-produced output.

The M&A continuity argument is also under-used. Acquired entities frequently sit on older, more favourable SAP contracts. When the surviving entity integrates, SAP's default position is to apply the surviving contract to the entire combined population, which usually costs the buyer money. The transfer of contractual rights through M&A is a legal question with substantial commercial impact. For the underlying mechanics of how SAP runs enhanced audits and what to expect from the process, our SAP audit defence guide walks through the USMM and LAW behaviour, the enhanced audit triggers, and the contractual definitions that drive these claims.