Avoiding Common SAP Audit Pitfalls

SAP software audits often catch enterprises off guard, revealing compliance gaps that lead to unbudgeted license fees.

This advisory highlights common SAP audit pitfalls – from indirect usage to misclassified licenses – and explains how to avoid them. By understanding SAP’s rules and proactively managing licenses in both ECC and S/4HANA environments, organizations can prevent costly surprises.

Indirect Access and Third-Party Usage

Many SAP customers overlook indirect access when third-party systems or external users interact with SAP data without a direct login.

Classic examples include customer portals, e-commerce sites, or integrations (like CRM or IoT systems) that create or retrieve data from SAP in the background.

SAP requires a license for any indirect use of its software, a fact that has led to headline-grabbing disputes.

For instance, one company was ordered to pay over £50 million due to unlicensed Salesforce-to-SAP connections, and another faced a $600 million claim for widespread indirect access via third-party platforms. These cases highlight the severity of this pitfall.

SAP’s newer “Digital Access” licensing model (for S/4HANA) offers a way to handle indirect use by licensing documents (e.g., sales orders, invoices) instead of named users. This can be more cost-effective when thousands of external users or devices are involved.

Pitfall: Many organizations haven’t assessed their indirect usage at all, assuming that if a person isn’t directly logged into SAP, it’s not licensable – a dangerous misconception. An audit can reveal that interfaces have been creating SAP transactions for years without proper licenses.

Solution: Inventory all third-party systems and interfaces connected to SAP. Decide on a strategy – either acquire named-user licenses for those external users or adopt SAP’s Digital Access licenses to cover document transactions.

Estimate the volume of documents or external transactions regularly (SAP provides tools for this) to ensure you’re licensed for the actual usage. Addressing indirect access proactively is far cheaper than a surprise audit penalty.

Misclassified User License Types

Another common audit pitfall is misclassification of user licenses. SAP offers different user license types (e.g. Professional, Limited, Employee Self-Service, Developer), each with specific usage rights and costs.

A common mistake is assigning users a license type that does not match their activities. For example, if a power user performing broad transactions is given a “Limited” license to save money, an audit will flag them as under-licensed – you should have assigned a Professional license.

Conversely, failing to assign a license type at all means SAP’s audit tools default that user to the highest category (Professional), which can inflate compliance gaps.

This misclassification has a direct financial impact. A Professional user license might cost several thousand dollars (plus ~22% annual support), whereas a Limited or Employee license is only a fraction of that.

Multiply that gap across dozens of users, and the true-up cost in an audit can be huge. Below is a simplified comparison of common on-premises SAP user licenses and their scope:

| User License Type | Typical Cost (One-Time + Annual Support) | Intended Usage | Risk if Misused |
| --- | --- | --- | --- |
| Professional User | ~$3,000–$4,000 (+ 22%/yr) | Full access to all SAP modules/functions | If a heavy user is misclassified as a lower type, you’ll be short on licenses (audit will require costly upgrades). |
| Limited Professional | ~$1,500–$2,000 (+ 22%/yr) | Restricted scope (specific modules or tasks) | If the user performs tasks beyond this scope, they actually need a Professional license – creating a compliance gap. |
| Employee Self-Service (ESS) | ~$500–$1,000 (+ 22%/yr) | Self-service only (e.g. HR self-updates, time entry) | Using ESS users for operational tasks violates license terms; they must be upgraded to a higher category. |
| Developer User | ~$1,000+ (+ 22%/yr) | For configuration and programming in non-production systems | If a developer executes regular business transactions in production, a Professional user license is also required for that person. |

Pitfall: Companies sometimes assign everyone a lower-tier license to cut costs, or neglect to update a user’s license when their role expands. This “license drift” results in many users being out of compliance.

Solution: Diligently map each user’s role to the correct license type from the start.

For instance, a finance clerk might be a Limited Professional, while a department manager who only approves leave requests could be an ESS. Review these assignments at least once a year (roles change over time).

Additionally, utilize SAP’s user measurement reports to identify anomalies – for example, an ESS user executing purchase orders is a notable red flag. By ensuring users are properly classified and no one is left as “unclassified” (which defaults to the priciest category), you can avoid a significant audit hit.

Inactive and Duplicate User Accounts

SAP’s licensing is based on named users, meaning every unique login ID that is active may count as a license.

A huge audit pitfall is failing to clean up old or duplicate accounts. It’s not uncommon to find that 10–15% of SAP user IDs in a system belong to former employees or contractors who left, or are duplicate accounts for the same person in different systems.

If these accounts remain active (even if unused), SAP’s audit tools will count them as needing a license. The result? You appear to be using more licenses than you need, and SAP may demand you purchase additional licenses to cover these “ghost users.”

Pitfall: Poor user management can lead to paying maintenance on licenses for individuals who are no longer with the company, or purchasing extra licenses when, in reality, you already have sufficient licenses that have simply not been reassigned.

It’s essentially throwing money away, and an audit will not distinguish if an account is just dormant – if it’s active in the system, it counts.

Solution: Implement a strict joiner-mover-leaver process integrated with HR. When employees leave, make sure their SAP accounts are promptly locked or deleted. Schedule regular (e.g., quarterly) reviews to purge or deactivate any user IDs that haven’t been used in, say, 90 days.

Use SAP’s License Administration Workbench (LAW) to consolidate duplicate users (so the same person with two accounts is counted once). By keeping the user list clean and up-to-date, you’ll reduce compliance risk and avoid unnecessary license costs.

Engine License Overuse and Package Metrics

Not all SAP licenses are user-based; SAP also sells package or “engine” licenses for specific functionalities, measured by metrics such as the number of employees, revenue, orders, or system capacity.

Examples include SAP Payroll (licensed by employee headcount), SAP Warehouse Management (licensed by the number of storage bins), or SAP ERP modules licensed by annual sales volume. A common pitfall is ignoring these metric-based licenses after the initial purchase.

If your usage exceeds what you purchased (e.g., your HR system now has 1,100 employees active but you only licensed up to 1,000), you are technically under-licensed. An audit will flag this overuse of the engine or package.

Pitfall: Companies may deploy an SAP component and then grow past the licensed metric limits without realizing it. Since these engines often tie to business growth (which is good news for you), it’s easy to inadvertently outgrow your license entitlements.

The bad news is that in an audit, SAP will require you to purchase the excess usage, often at list price, potentially with back maintenance fees for the period you were over.

For example, exceeding a licensed limit by 100 employees or 100,000 orders could result in a significant true-up cost, plus retroactive support fees.

Solution: Continuously monitor the usage metrics of any SAP package licenses you own. Assign internal owners for each metric (e.g., HR monitors employee count for Payroll licenses, finance monitors revenue for financial metrics) and track those numbers against your contract entitlements.

If you see you’re nearing a licensed threshold, you have two choices: optimize usage (if possible) or proactively negotiate an expansion of the license before SAP audits you.

By planning true-ups, you can often get better commercial terms rather than scrambling under audit pressure. The key is to stay ahead of usage growth – make it a routine to review engine metrics on an annual or even quarterly basis.

Misuse of Development/Test Licenses in Production

SAP provides lower-cost licenses for non-production purposes – for example, developer licenses for configuring and coding in development systems, or temporary test system licenses.

These come with strict restrictions: they’re not meant for day-to-day business operations. A notable audit pitfall is when companies misuse development or trial licenses in production environments.

For instance, a user with only a Developer license might log into the production system to execute transactions or fix data, effectively acting as a normal business user without a proper license.

Alternatively, an organization might use a “test” SAP system (licensed only for sandbox or training use) to run a live workload, thereby avoiding the need to purchase additional production licenses.

These scenarios violate SAP’s terms and will be flagged in an audit if detected (SAP auditors do check if any users classified as “Test” or “Developer” have activity in production logs).

Pitfall: It’s tempting to save money by letting a technical user or a training system handle some extra tasks, but in SAP’s eyes, all use of the software in any environment must be appropriately licensed. Using a cut-rate license for real work is considered unlicensed use.

Solution: Maintain a clear separation between development/test and production environments.

If developers or contractors occasionally need to work in production, ensure they are assigned a proper Professional user license in addition to their developer credentials. Never run production business processes on a system labeled or licensed for test/trial.

Periodically review user activity logs – if a user with a supposed non-production license shows production activity, address it immediately (either stop that practice or provide them with the correct license). It’s better to spend a bit more on the right licenses than to face penalties for unlicensed use in an audit.

Contract Ambiguities and Organizational Changes

Sometimes the biggest audit surprises come not from technical usage, but from the fine print in your SAP contracts. SAP’s license agreements and pricing conditions are complex, and older contracts may contain vague clauses that create pitfalls.

One example is the definition of “use” in many contracts: it often includes any indirect access by third-party systems.

If you weren’t aware of this, you might unknowingly violate the contract (this was the crux of the famous Diageo case – their contract language allowed SAP to charge for any Salesforce system accessing SAP data).

Similarly, contracts typically forbid “multiplexing” – using a technical intermediary to funnel multiple users through one account – without proper licensing. If your architecture does this (perhaps unintentionally), you could be in breach.

Another contract area to watch is geographical or affiliate restrictions. Your license may be limited to certain entities or regions.

If your company undergoes a merger or acquisition, or if you start allowing a new subsidiary or partner to use your SAP system, those users might not be covered under your current contract. For example, if you acquire a smaller company and allow them to use SAP, you may need to formally add those users or the entity to your license scope.

Conversely, if you divest a part of the business, the departing group may lose the rights to use the SAP system unless this is addressed in the contract. Many customers forget to update their contracts when there are business changes, leading to compliance issues later.

Pitfall: Assuming that your contract automatically covers new usage scenarios can land you in hot water.

Unclear terms or old agreements might not reflect your current SAP landscape, especially if you’re transitioning from SAP ECC to S/4HANA. In the move to S/4HANA, SAP often requires reclassifying or converting your licenses (for instance, older user licenses might need to be mapped to new S/4HANA user categories, and some legacy engines might be retired or converted to new metrics).

If these conversions aren’t handled correctly, you could inadvertently be under-licensed in the new system even if you were compliant in the old one.

Solution: Familiarize yourself with your contracts thoroughly. Have your software asset management team and legal counsel review the SAP license agreement and any SAP Software Use Rights documents for clauses related to indirect use, virtualization, affiliate use, and other relevant provisions. If something is ambiguous, obtain written clarification from SAP or negotiate an amendment.

Also, proactively reach out to SAP before major organizational changes or a migration project. It’s often possible to get contract addendums to cover new subsidiaries or to agree on license conversion terms for S/4HANA upfront.

By aligning your contract with your current and future usage, you prevent the scenario of an audit revealing that “you’re not allowed to do that” with your SAP system. In short: don’t assume – verify and update your SAP agreements as your business evolves.

Shelfware and Over-Licensing Risks

Not all pitfalls are about under-licensing – some companies overreact to audits by over-purchasing licenses, resulting in shelfware (licenses you paid for but don’t use).

Shelfware itself won’t cause an audit penalty (SAP won’t mind you owning more than you use), but it is a budget pitfall.

You’re paying annual maintenance (typically ~20% of license cost) on software that isn’t delivering value. This often happens when organizations, out of fear of compliance issues, buy a cushion of extra licenses “just in case,” or fail to re-harvest licenses after downsizing or efficiency improvements.

Pitfall: Shelfware represents tied-up capital and ongoing expense. For example, if you bought 500 extra licenses as a safety margin and each cost $1,000, that’s $500,000 sitting on the shelf, plus $110,000/year in support fees for nothing. Over time, this erodes ROI on your SAP investment.

And if the licenses are tied to old products or users (such as legacy SAP ERP seats) and you migrate to S/4HANA or cloud solutions, those unused licenses may not transfer easily, potentially resulting in wasted money.

Solution: Regularly optimize your license portfolio. Identify unused licenses and see if they can be terminated or repurposed. Unfortunately, SAP’s policies usually don’t allow you to simply return licenses for a refund or drop maintenance on a subset of licenses without penalty.

However, you can leverage shelfware in negotiations. For instance, if you plan a major upgrade or an S/4HANA migration, consider discussing with SAP the conversion of unused on-premise licenses into credits toward new licenses or cloud subscriptions.

SAP has been known to offer trade-in programs or flexibility as part of large contract renewals. In the meantime, ensure you’re utilizing the licenses you have – e.g., if you own 100 Professional user licenses but only 80 are in use, new hires should utilize those remaining 20 rather than purchasing more.

The goal is to minimize waste: stay compliant but avoid overspending “just to be safe” without a clear strategy. Effective license management strikes a balance between having too few and too many licenses.

Recommendations

To avoid SAP audit nightmares, enterprises should adopt a proactive and disciplined approach to license management.

Key recommendations include:

  • Conduct regular internal license audits: Don’t wait for SAP’s audit. Use SAP’s tools (USMM, LAW) or third-party software to simulate audits at least annually. Clean up inactive users, correct license assignments, and address any shortfalls internally first.
  • Monitor indirect usage and interfaces: Keep an up-to-date log of all third-party systems and apps interfacing with SAP. If new integrations are added (e.g., a new e-commerce site), evaluate their licensing impact. Consider adopting SAP’s Digital Access document licensing if it aligns with your usage pattern, and regularly quantify indirect usage to stay ahead of it.
  • Track engine metrics against entitlements: Assign clear ownership for each SAP package/engine metric (HR owns employee count, sales owns order volume, etc.). Review these metrics quarterly to compare them with what you’ve licensed. If you’re nearing a limit, plan a true-up or negotiate an extension before an audit forces your hand.
  • Educate stakeholders and enforce processes: Make licensing compliance everyone’s concern – project managers, IT architects, and admins should all understand the basics of SAP licensing. Implement checkpoints in change processes (like new system rollouts or user onboarding) to ensure compliance considerations are addressed before changes go live.
  • Review and update contracts after changes: Whenever your business undergoes a significant change (such as a merger, acquisition, divestiture, or migration to S/4HANA), review your SAP contract. Negotiate amendments to cover new entities or altered usage, and clarify any vague terms. It’s far better to resolve contract ambiguities with SAP upfront than under the scrutiny of an audit.
  • Leverage expert tools or advisors for complex environments: In large SAP landscapes, consider dedicated license management solutions (from vendors like Snow, Flexera, or VOQUZ) to continuously analyze usage. Engage independent SAP licensing experts or consultants, especially before big audits or negotiations – their experience can help identify hidden risks and save costs.
  • Plan for audits as an ongoing discipline: Have an internal SAP audit response team ready (IT, finance, procurement, legal). Define a playbook for how to collect data and engage with SAP’s auditors. Being prepared and organized sends a message to SAP that you take compliance seriously, which can sometimes lead to a more favorable audit experience or even less frequent audits.

By following these best practices, you can greatly reduce the risk of unpleasant surprises from SAP audits. The goal is to make compliance a routine part of SAP management, so when the official auditors do come knocking, everything is under control.

FAQ

Q1: How often does SAP audit customers, and what triggers an audit?
A: Most SAP contracts allow for an annual audit, but in practice, many enterprises are audited every 2-3 years. Various factors can trigger audits. Significant changes in your SAP usage (such as a big increase in users or a new system integration) can raise flags. Mergers and acquisitions often prompt SAP to check compliance, and approaching the end of a license agreement or a large contract renewal can also invite an audit. Sometimes, it’s simply a matter of random selection or a routine schedule. The key is to always be prepared, since you may not get much warning beyond the contractual notice period.

Q2: What exactly is “indirect access,” and how do we license it properly?
A: Indirect access refers to any scenario where a person or system uses SAP’s data or functions without directly logging into SAP. For example, if a customer places an order on a website and that goes into SAP, or your Salesforce CRM pulls data from SAP – that’s indirect usage. To license it, you have two main options:

  • Named user licenses for each external user or system (which can be impractical if hundreds or thousands of users or devices are involved).
  • SAP Digital Access (Document Licensing): a model where you purchase a certain number of document transactions (e.g., sales orders, invoices, etc.) that cover those indirect interactions.

Many companies evaluate the volumes of documents created indirectly to decide which model is more cost-effective. In some cases, a mix of both is used. It’s important to discuss this with SAP and include clear terms in your contract. SAP also provides an estimation tool to help customers quantify indirect document usage. The bottom line: Identify where indirect access is occurring in your landscape and ensure it’s appropriately licensed via one of these methods.

Q3: Are SAP S/4HANA license compliance issues different from those in SAP ECC?
A: The core compliance principles remain the same, but there are some differences. S/4HANA (SAP’s newer ERP) still utilizes named user licenses and package licenses, so issues such as indirect access, user misclassification, and engine overuse persist. However, S/4HANA introduced some new license categories and metrics. For example, S/4HANA has a concept called Full Usage Equivalents (FUE) to allow mixing license types, and there are new user types (like “functional” users) with different privileges. Also, the Digital Access model was pushed alongside S/4HANA for indirect use. A significant consideration is the migration from ECC to S/4HANA, as you need to convert your existing licenses to S/4HANA equivalents. If that conversion isn’t done correctly, you might end up with some users or components not properly licensed in S/4HANA. In summary, S/4HANA doesn’t remove compliance concerns. You should study the S/4HANA licensing guide, ensure all old licenses are mapped to new ones, and remain just as vigilant with user counts and usage metrics. The good news is that SAP has updated some of its audit tools for S/4HANA, which can provide better insight into compliance if used properly.

Q4: How can we tell if our users are correctly classified in the right license type?
A: Start by reviewing each user’s role and what they do in SAP. Compare that against SAP’s definitions of license types (usually found in the SAP Software Use Rights document or your contract). For example, if an “Employee Self-Service” user is entering sales orders, that’s clearly outside the allowed scope. SAP’s system measurement tools can help: when you run a user measurement, any users shown as “Professional (Unclassified)” are ones that weren’t assigned a specific license type in some systems – those will default to Professional in an audit count, which might indicate misclassification or simply an oversight in classification. It’s useful to run transaction reports (SAP has usage reports and audit logs) to see the highest level of activity each user performs. If someone is performing high-level transactions, ensure they have a high-level license. There are also third-party tools that analyze user behavior and suggest optimal license types. A practical step is to conduct an internal license audit or engage an SAP licensing expert for a health check – they can often identify users who are out of category. Regularly recertify licenses as part of user access reviews to identify any discrepancies before an official audit is conducted.

Q5: What can we do about unused SAP licenses (shelfware) – can they be optimized or returned?
A: Unused licenses (also known as shelfware) are a common issue. While you generally cannot return licenses for a refund or stop paying maintenance on them unilaterally (SAP’s maintenance agreements often treat licenses as an all-or-nothing block per product), there are strategies to get value from them. First, ensure you’re utilizing all the licenses you have before purchasing more – reallocate existing licenses to new users wherever possible. When it comes to excess licenses you truly don’t need, the best approach is to address them during contract negotiation or renewal. SAP may allow you to trade in or convert shelfware toward new investments – for example, you could convert older on-premise licenses into cloud subscription credits, or into a different product that you do need, as part of a deal. Additionally, if you’re planning a move to S/4HANA or a big purchasing cycle, bring up your shelfware then; SAP sales teams are often more flexible at that time to keep you as a customer. Outside of negotiations, you should also audit why the shelfware exists – was it over-purchased initially, or did usage drop? Learning the cause can help you avoid over-licensing in the future. While you can’t simply get your money back for unused licenses, treating them as a negotiable asset in future dealings with SAP is the next best thing to reduce the waste.

Author
  • Fredrik Filipsson

    Fredrik Filipsson is a seasoned IT leader and recognized expert in enterprise software licensing and negotiation. With over 15 years of experience in SAP licensing, he has held senior roles at IBM, Oracle, and SAP. Fredrik brings deep expertise in optimizing complex licensing agreements, cost reduction, and vendor negotiations for global enterprises navigating digital transformation.
