The SAP Audit Process
SAP has the contractual right to audit customers’ software usage, typically on an annual basis. In practice, not every customer is audited every year, but most will undergo a first audit within 1-2 years of signing their SAP agreement, and then periodic audits thereafter.
SAP’s Global License Auditing and Compliance (GLAC) team conducts these audits independently of SAP’s sales department.
The primary goal is to verify that your actual usage aligns with your purchased licenses. If usage exceeds entitlements (or if unlicensed use is found), you’ll be expected to address the shortfall, usually by purchasing additional licenses or adjusting usage.
License Measurement (USMM & LAW):
A cornerstone of the audit is SAP’s measurement tools. SAP systems include a transaction called USMM (User and Software Measurement Management), which you run in each ERP instance (ECC or S/4HANA) to gather data on user counts and used SAP modules.
For customers with multiple systems, the results from each USMM run are consolidated using the License Administration Workbench (LAW). LAW deduplicates users across systems, ensuring that the same individual is not counted twice, and compiles a unified compliance report.
The LAW report shows the number of users of each license type in use and usage metrics for SAP packages or engines (such as HR employees and finance documents). This LAW output is what you ultimately submit to SAP during an audit.
Audit Timeline:
Audits follow a tight timeline. Once SAP decides to audit you, an audit notification email is sent to your organization’s SAP license contact (the letter will outline the scope, systems to include, and deadline).
From that notification, small or mid-sized companies may get about 3 weeks to complete the measurement. In comparison, large enterprises are typically given 4 weeks to collect data and return the LAW reports.
These deadlines are short – intentionally so – leaving little time to analyze or correct issues once the audit clock starts. After you submit the LAW data, SAP’s auditors analyze it and often follow up with clarifying questions or requests for additional information.
The entire process from initial notice to final compliance report and resolution can span several weeks to a few months. It’s critical to manage time wisely during an audit and, if necessary, request extensions from SAP if your environment is especially complex. SAP will sometimes grant extensions for valid reasons, preferring that to receiving bad data.
Data Requests and Scope:
In a basic audit, SAP primarily requests the LAW measurement results and some self-reported information. Self-declaration means you might need to manually provide metrics for certain products that SAP’s automated tools can’t measure.
For example, you could be asked to report SAP engine metrics such as total employees (for HR modules), revenue (for SAP Sales & Distribution if licensed by revenue), number of orders processed, or database size for HANA, depending on what you’ve licensed.
SAP usually supplies detailed instructions or templates on how to gather these figures. In an enhanced audit (a more in-depth type of audit, discussed below), the scope can be widened. SAP auditors may request additional evidence, such as user role reports or logon data, or even hold remote or onsite sessions to observe how you use the system.
It’s important to understand the declared audit scope upfront. Typically, the notification letter will list which SAP systems and products are in scope. Ensure this matches your landscape – if you have retired systems or modules, communicate that so you don’t waste effort measuring decommissioned installations.
You should also check if any third-party systems interfacing with SAP (indirect use) are explicitly in scope or likely to be scrutinized (more on indirect use later). Being clear on the scope helps avoid surprises and limits the audit to relevant areas.
Standard User Licensing vs. Indirect Access Audits
SAP’s licensing falls into two broad categories: direct (named user) access and indirect (third-party) access.
An SAP audit will evaluate both.
- Direct (Named-User) Licensing: This covers the users who log in to SAP systems using an SAP GUI, web portal, Fiori app, etc., with an individual account. Each such user needs an appropriate named user license assigned (e.g., Professional, Limited Professional, Employee, Employee Self-Service, Developer, etc., as per your contract). In an audit, SAP will examine how many users of each type you have and compare it to what you’ve purchased. They will also check whether users are correctly classified: for example, if some users perform advanced activities but only have a basic license, SAP may flag them. Common issues include license type misclassification (e.g., a user performing extensive transactions but assigned a “Limited” license instead of the more expensive “Professional” license) and duplicate or inactive users, which can artificially inflate counts. We’ll discuss later how to prepare for these, but note that SAP’s measurement tools automatically classify any user without a license as a full Professional User by default, so proper classification is crucial.
- Indirect Access (Digital Access): Indirect access refers to using SAP’s functionality without a human directly logging into SAP, typically via another system or interface. Classic examples include a customer web portal that creates orders in SAP, a third-party CRM (such as Salesforce) that reads or writes data to SAP, or IoT devices inputting data into SAP in the background. Historically, SAP required any indirect usage to be covered by named user licenses as well, which was confusing and led to high-profile disputes.
Recent policy changes: In 2018, SAP introduced a new model called Digital Access to better handle indirect usage. Under Digital Access, instead of requiring a named user license for each indirect user, SAP licenses the documents that are created or processed indirectly in the SAP system. SAP identified nine key document types, such as Sales Order documents, Purchase Orders, Invoices, and Deliveries, that incur a license fee when created through third-party access. This was a significant shift from the old “every person needs a license” approach.
Along with this, SAP clarified an important exception: “Indirect static read” access – where a third-party application queries SAP data in a read-only, non-real-time manner (for example, an occasional data export or report) – does not require additional licenses under the traditional model. This means that not all indirect interactions are chargeable; only those that trigger SAP’s business processes, such as creating or modifying transactions, typically require a license.
Digital Access Audits: If you have not formally adopted the Digital Access license model, SAP will still assess indirect usage during an audit. Auditors often look for technical users or interfaces with high transaction counts or data throughput, as these indicate a non-SAP system is using SAP in the background.
It’s common for SAP to run a Digital Access evaluation tool (or ask you to apply specific SAP notes that count document usage) to estimate how many of those billable documents your system is processing due to indirect use. This can be eye-opening – for instance, a single interface that automatically creates thousands of sales orders could yield a huge document count. SAP might then present a finding like: “Third-party System X is creating 5 million Sales Order documents in SAP annually, which is not licensed under your current agreement.” They will then propose that you license this by either purchasing enough traditional named users to cover all external users or, more likely, by purchasing the Digital Access documents. SAP’s current policy heavily encourages the Digital Access model as the preferred solution for indirect use. SAP once offered a Digital Access Adoption Program with steep discounts (up to 90% off the list price for document licenses) and forgiveness of past indirect use charges if customers proactively switched to Digital Access. The upshot for IT leaders is that indirect usage is a major focus area – it’s often called the “silent killer” of SAP audits because it’s easy to overlook. Modern integrations, APIs, and extensions can inadvertently put you out of compliance. Being aware of how SAP views indirect access and the existence of the Digital Access licensing option helps you prepare.
Common Triggers for Audits:
While SAP can audit routinely, certain situations raise the likelihood of an audit or a deeper audit:
- Organizational changes, such as mergers, acquisitions, or divestitures, often trigger the need for an audit. Combining companies or splitting off divisions that use SAP will change license usage, so SAP will want to reassess compliance after the change.
- System Expansion or Upgrades: Adding new SAP modules, moving to S/4HANA, or significantly increasing the number of users or transactions can prompt an audit. A sudden spike in users or a major project going live is a red flag that usage might outgrow the licenses.
- Contract Renewal or Negotiation: When you’re up for renewing your SAP support contract or considering a major purchase, SAP may conduct an audit to establish a baseline. They want to ensure that any new agreement accounts for actual usage and covers any shortfall before finalizing a new deal.
- Indirect Access Indicators: As mentioned, if SAP detects (through support interactions or system data) that you have significant third-party integrations, they may initiate an audit focused on indirect usage. This became especially true after notable legal cases, such as the Diageo case, where a customer was found liable for approximately $54 million due to unlicensed Salesforce-to-SAP connections. Any hint, such as an SAP system report showing lots of IDoc transactions from a non-SAP source, can trigger SAP to investigate indirect use.
- Previous Audit Findings: If your last audit was painful or uncovered compliance issues that needed remediation, you might be classified as “high risk.” SAP tends to follow up with such customers more frequently through audits to ensure that issues are resolved. Conversely, if you’ve been compliant and stable, they might skip a year – but you should never count on being skipped.
Understanding these triggers can help you anticipate audits more effectively. For example, if you know you’ll be merging with another SAP customer, it’s wise to self-check your license position beforehand because SAP likely will.
Similarly, if you’ve held off on buying extra licenses despite business growth, be prepared for an audit letter. Being proactive can turn a potential surprise audit into a managed event on your terms.
Audit Phases: From Notification to Reconciliation
Navigating an SAP audit is much easier when you know what to expect at each stage. Below is a breakdown of typical audit phases and how to handle them:
1. Audit Notification and Kickoff
The process begins with an official audit notification from SAP GLAC. This usually comes via email to your organization’s nominated license contact or SAP administrator.
The notification will introduce the audit, list the systems in scope, and set a deadline for submitting the data. For a standard audit, it’s often a simple notice with instructions to run the measurement tools.
If it’s an enhanced audit, the notice may also request a kickoff meeting or a conference call with the auditors.
In that meeting, SAP will outline the audit scope in detail and may request items such as remote system access or on-site visits.
As an IT leader, your immediate steps upon notification are:
- Acknowledge and Organize: Confirm receipt of the audit notice to SAP. Internally, mobilize your audit response team – typically a combination of IT (business administrators, SAP functional leads), software asset management or procurement, and legal counsel, if needed. Assign a single point of contact to coordinate communications with SAP’s auditors.
- Review Scope: Scrutinize the audit scope. Ensure you understand which installations (production, development, test) are included. SAP typically focuses on production and sometimes QA systems for user counts, but they may list all systems. Clarify any uncertainties now. If you see a system on the list that has been retired or replaced, inform the auditors so they can potentially exclude it or at least avoid misinterpreting the lack of data.
- Plan the Timeline: Calculate the due date and create a mini project plan to gather data. The window is short, so schedule time immediately to run USMM on each system, consolidate in LAW, and validate the results. If you foresee needing more time (perhaps you have dozens of systems or limited staff availability), politely request an extension early. It’s better to ask upfront than to scramble on day 28 – SAP might be lenient if the reasons are valid.
- Secure Expert Help (if needed): If you’ve never been through an SAP audit or are unsure of your license position, consider engaging an SAP licensing expert or third-party advisor right at kickoff. An experienced eye can spot pitfalls, such as misclassified users, before you send data to SAP. Some companies even involve their SAP account manager at this stage to keep informed – though remember, the account manager is on the sales side, not the audit side, so involve them cautiously.
By treating the notification as a formal project kickoff, you set a controlled tone for the audit rather than a reactive scramble. Communicate internally that this is a high-priority project with a hard deadline, to ensure everyone gives timely input.
2. Data Gathering and LAW Measurement
This phase is where the heavy lifting happens for your team. The goal is to collect all required usage data and compile the LAW report for SAP.
Key activities include:
- Run System Measurements (USMM): For each SAP production system (and any other in-scope system), execute transaction USMM. This generates raw data about named users and engine metrics in that system. Before running it, ensure that your classification of each user in the system is up to date (each user ID should be assigned a license type according to your contract). If you haven’t maintained this, do it now – unclassified users default to the highest cost category. Also, USMM allows the exclusion of certain user types (e.g., SAP*, EarlyWatch) and consolidation rules. Double-check these settings according to SAP’s measurement guidelines provided in the audit notice.
- Consolidate in LAW: Transfer all USMM results to the central LAW tool. Typically, LAW can be run on Solution Manager or any central system. LAW will combine the user lists and identify duplicates across systems based on criteria such as username or personnel number. Ensure the deduplication criteria in LAW are correctly configured and consistent, so that the same person is not counted as two users because, for example, their username differs slightly between systems. LAW will output the consolidated counts of each license type needed. Review this output carefully against your entitlements. If LAW says you have, for example, 1,200 Professional Users but you only own 1,000, you have a 200-user gap – now is the time to figure out why, before SAP does. Perhaps many of those users are the same people or some accounts can be archived – resolve what you can prior to submission.
- Gather Engine and Package Metrics: Alongside LAW, compile the metrics for any modular or engine licenses. SAP’s audit instructions often include spreadsheets for you to fill in, or you may need to run specific reports (for instance, an ABAP report to count the number of HR employee records if HR is licensed by employee count, or use transaction ST03N to get peak dialog users if some component is user-count based). Assign responsible application owners to gather each needed figure. Double-check these numbers and retain evidence, such as screenshots and reports, in case SAP questions them.
- Indirect Use Information: If SAP’s audit scope indicates a review of indirect access or “Digital Access”, you might be asked to run the Digital Access Evaluation Service program (SAP note tool), which counts those nine document types. Even if not explicitly asked, if you suspect indirect use is significant, you might run it internally to know your exposure. Also, list out any third-party systems that connect to SAP and what interfaces (RFCs, APIs) they use – SAP’s auditors often send a questionnaire about external interfaces. Be transparent but precise in your responses here; don’t volunteer integrations that aren’t in use, but don’t hide active ones either (they can often tell from system logs).
- Quality Check the Data: Before sending anything to SAP, perform an internal review. Look for anomalies such as users being counted twice, obviously obsolete accounts showing as active, test users exceeding the allowed limit, or any user classified at a higher level than necessary. Clean up the data if possible (for example, if 50 contractor accounts were left active but those people left last year, lock and expire them, then rerun USMM). Check that all engine metrics make sense (e.g., if your sales order count increased by 50% from last year, be prepared to explain the change or verify if the counting method was updated). It’s often useful to compare the new LAW results with the last audit or last year’s measurement (if you have those records) to spot big changes.
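The consolidation and quality checks described in the steps above, as an added example that is not SAP’s USMM or LAW tooling and not code from the original page: it takes per-system user export rows, matches one person across systems by personnel number (falling back to a normalized user ID), counts each person once at the highest license type seen, excludes locked accounts, separates test users, measures unclassified users as Professional (the default the text notes), and compares the result with what is owned. The system IDs, user names, the 90-day inactivity window and the 10% test-user threshold are constructed assumptions for the demonstration, not contract terms.

```python
# Added example (not SAP's LAW tool): a minimal consolidation of per-system
# user measurements, applying the checks the section lists before submission.
from collections import Counter
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class UserRecord:
    system: str                    # SAP system ID the USMM export came from
    user_id: str
    personnel_no: Optional[str]    # HR personnel number, used to match one person across systems
    license_type: Optional[str]    # None means the user was never classified
    locked: bool
    last_logon: Optional[date]


# Unclassified users are measured as Professional (the highest-cost type), as the section notes.
DEFAULT_TYPE = "Professional"
TEST_USER_TYPE = "Test"
# Assumed tier ordering for resolving one person holding different types in different systems.
RANK = {"Professional": 3, "Limited Professional": 2, "Employee": 1, "Employee Self-Service": 0}


@dataclass
class Consolidation:
    counts: Dict[str, int] = field(default_factory=dict)   # productive users per license type
    test_users: int = 0
    findings: List[str] = field(default_factory=list)      # items to resolve before submitting


def consolidate(records, *, today, inactive_days=90, max_test_ratio=0.10):
    """Deduplicate users across systems and flag the anomalies the audit checklist names.
    inactive_days and max_test_ratio are assumed review thresholds, not SAP contract terms."""
    best = {}           # person key -> highest license type seen for that person
    test_users = set()
    result = Consolidation()
    for r in records:
        key = r.personnel_no or r.user_id.upper()   # fall back to a normalized user ID
        if r.locked:
            result.findings.append(f"{r.system}/{r.user_id}: locked, excluded from count")
            continue
        if r.license_type == TEST_USER_TYPE:
            test_users.add(key)
            continue
        lt = r.license_type or DEFAULT_TYPE
        if r.license_type is None:
            result.findings.append(f"{r.system}/{r.user_id}: unclassified, measured as {DEFAULT_TYPE}")
        if r.last_logon is None or (today - r.last_logon).days > inactive_days:
            result.findings.append(f"{r.system}/{r.user_id}: no logon in {inactive_days} days, review before submission")
        if key in best and best[key] != lt:
            result.findings.append(f"{r.system}/{r.user_id}: same person as key {key} elsewhere, counted once at the higher type")
        if RANK.get(lt, 0) > RANK.get(best.get(key), -1):
            best[key] = lt
    result.counts = dict(Counter(best.values()))
    result.test_users = len(test_users)
    total = sum(result.counts.values()) + result.test_users
    if total and result.test_users > max_test_ratio * total:
        result.findings.append(f"test users are {result.test_users}/{total} of accounts, above the {max_test_ratio:.0%} threshold")
    return result


def compare_to_entitlements(counts, entitlements):
    """License types where measured use exceeds what is owned: the gap to explain or fix."""
    return {lt: n - entitlements.get(lt, 0) for lt, n in counts.items() if n > entitlements.get(lt, 0)}


# Constructed sample export rows (hypothetical systems PRD and HRP, fictional users).
SAMPLE = [
    UserRecord("PRD", "JSMITH", "1001", "Professional", False, date(2025, 5, 20)),
    UserRecord("HRP", "J.SMITH", "1001", "Employee", False, date(2025, 5, 18)),       # same person as JSMITH
    UserRecord("PRD", "AKHAN", "1002", None, False, date(2025, 5, 30)),               # never classified
    UserRecord("PRD", "MLEE", "1003", "Limited Professional", False, date(2024, 11, 1)),  # stale account
    UserRecord("PRD", "CONTRACTOR7", None, "Professional", True, date(2024, 1, 1)),   # locked leaver
    UserRecord("PRD", "TEST01", None, "Test", False, date(2025, 5, 1)),
    UserRecord("PRD", "TEST02", None, "Test", False, date(2025, 5, 1)),
    UserRecord("PRD", "RGARCIA", "1004", "Employee Self-Service", False, date(2025, 5, 29)),
]
# Constructed entitlements: what the customer owns per license type.
ENTITLEMENTS = {"Professional": 1, "Limited Professional": 1, "Employee": 5, "Employee Self-Service": 10}


def run_sample():
    result = consolidate(SAMPLE, today=date(2025, 6, 1))
    return result, compare_to_entitlements(result.counts, ENTITLEMENTS)


if __name__ == "__main__":
    result, gap = run_sample()
    print("Consolidated counts:", result.counts, "test users:", result.test_users)
    print("Shortfall vs entitlements:", gap)
    for finding in result.findings:
        print(" -", finding)
```

On the sample, the two JSMITH accounts collapse to one Professional user, the unclassified AKHAN account is measured as a second Professional (creating a one-user shortfall against the single Professional license owned), the locked contractor drops out, and the stale and test-heavy accounts are listed as findings to resolve before anything is sent to SAP.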
Once you are satisfied, package the LAW result file and any supplemental data according to SAP’s instructions (typically uploading it to SAP’s support portal or emailing it to the auditor).
This phase is labor-intensive, but careful effort here can drastically reduce pain later. Submitting clean, well-documented data is your best defense against unwarranted findings.
3. Auditor Analysis and Follow-Up
After submission, the ball is in SAP’s court to analyze the information. Here’s what happens and how you should engage:
- Initial Analysis by SAP: The SAP auditors will load your LAW results into their systems and compare against your license entitlements on record. They’ll identify any areas where usage exceeds entitlement (these are potential compliance gaps). They also cross-check self-declared metrics and may verify them against what they know. For example, if you declare “500 employees in the HR system” but SAP’s support records show you have 700 SAP user accounts, they might flag that discrepancy.
- Follow-Up Questions: It’s common to get a list of follow-up questions or requests from the auditors. They might ask for clarification on user classifications (e.g., “what activities do users with license type X perform?”), or they might request logs or additional evidence to validate metric reports. If something looks fishy (say you suddenly locked 300 users right before the measurement), expect them to inquire about it. Treat these questions seriously and respond with factual, documented answers. If you need more time to gather info, communicate that. Keep all correspondence professional and in writing. This helps avoid miscommunication and creates a record of what was explained.
- Onsite or Remote Audits (for Enhanced Audits): If you are under an enhanced audit, this phase may include interactive sessions. Auditors could request a remote login to your SAP system to run their checks or to observe how you assign licenses. They may also conduct interviews with administrators or business owners to understand processes, such as discussing how user provisioning is managed or how a third-party system updates SAP. Always accompany any auditor during system access (or, better yet, perform actions for them under supervision) to ensure they only see what is agreed upon in scope. Auditors in enhanced audits are looking deeper for any compliance issues that a simple LAW report might not reveal (such as indirect use, misassigned roles, etc.), so be prepared to explain your system setup.
- Preliminary Findings: Once SAP has enough data, it will compile its findings. In many cases, they’ll share a draft compliance report or at least communicate the headline results to you. This might say, for example: “You are compliant in most areas but show a shortfall of 50 Professional User licenses and need to license indirect access for System X.” Do not accept or sign off on any findings immediately. At this stage, you should carefully review SAP’s calculations. Ask for the detailed breakdown behind any shortfall: which users are they counting as needing Professional, that you might have counted differently? Which documents or interface usage led to the conclusion of their indirect access? You have the right to understand how each figure was calculated. Often, this is where discrepancies are resolved: you might discover SAP mistakenly counted some test IDs as real users, or you might realize you provided a metric in the wrong units. Work collaboratively (but firmly) with the auditors to correct any inaccuracies. This back-and-forth can take several iterations until the findings are final. It’s in your interest to ensure the final audit report is based on correct data and interpretations before moving to the next phase.
Throughout this analysis phase, maintain a courteous but meticulous approach. Remember that audit outcomes are negotiable to an extent – if you demonstrate an error or a valid alternate interpretation of license terms, SAP can adjust the findings.
Once you and the auditors reach a point of mutual understanding on the numbers, the process moves to closure and negotiation.
4. Negotiation and Final Reconciliation
The last phase is addressing any compliance gap that the audit identified. By now, you should have an official audit report or compliance statement from SAP indicating where they believe you are under-licensed.
Key aspects of this stage:
- Review and Verify the Audit Report: Ensure the final report aligns with the discussion. It should list your entitlements, your measured usage, and any gap or surplus. Double-check that any concessions or corrections you negotiated (e.g., removing duplicate users, excluding a system, reclassifying some users) are reflected. If anything is still wrong, now is the time to contest it in writing with evidence. Do not proceed to purchase based on an incorrect report.
- Engage in Commercial Negotiation: Once the compliance position is agreed upon, SAP’s sales team typically takes over to resolve it. (The auditors hand off to sales at this point.) If the audit finds that you need additional licenses, SAP will present a proposal – essentially a quote to purchase the required licenses (often with retroactive maintenance fees for the period during which the software was used without those licenses). This can be a sensitive negotiation. Use whatever leverage you have: If you were already planning an upgrade or new SAP investment, you could negotiate a deal that includes the compliance purchase, potentially with better discounts. SAP sometimes offers to waive penalties or back-maintenance if you commit to a larger future purchase or a migration to one of their strategic products (for example, moving to S/4HANA or a cloud subscription). This bundling can turn a painful audit bill into a more palatable long-term investment – but only if it aligns with your IT strategy. Be cautious about buying shelfware just to satisfy an audit; try to ensure any spend brings value.
- Escalation and Legal Considerations: If the audit results are unreasonable or if SAP is claiming an exorbitant fee that you firmly dispute, you may need to escalate. This could mean higher-level talks between your executives and SAP’s management. In rare cases where there’s a deep disagreement (e.g., you believe your contract covers certain indirect use and SAP disagrees), it could become a legal standoff. SAP’s contracts usually give them the right to terminate licenses or support if compliance is not achieved, but SAP is generally reluctant to litigate, except in extreme cases. Nonetheless, the specter of cases like Diageo looms, so both sides are aware of the stakes. It’s usually in everyone’s interest to reach a settlement or purchase agreement rather than go to court. In an escalation scenario, involve your legal counsel and ensure all communications with SAP are documented.
- Final True-Up and Close: Once you negotiate the remedy (e.g., you agree to purchase 200 licenses, or you convert to a digital access license model, etc.), ensure the paperwork clearly states that this purchase resolves all identified compliance issues up to the audit date. You don’t want ambiguity that leaves you exposed. Sign the necessary orders, and SAP will consider the audit closed. They should provide a formal confirmation of closure. Keep all audit documentation on file for future reference (especially useful when the next audit rolls around – you can avoid re-hashing old resolved issues if you have proof of how they were settled).
The negotiation phase is where an IT leader may need to work closely with procurement and the CIO or CFO. It’s as much about financial and relationship management as it is about licensing facts.
Aim for a resolution that satisfies SAP’s compliance requirements without derailing your IT budget. This might mean phasing purchases (buying some licenses now and others later) or opting for a different licensing model if it makes more sense.
For example, some companies facing massive indirect access charges chose to adopt SAP’s digital access model with a negotiated document allowance, rather than buying thousands of named user licenses, trading one type of cost for a potentially lower one. Consider all options.
In summary, by the end of this phase, you either true up (buy what’s needed to become compliant) or convince SAP that nothing is needed (in the best-case scenario, where you have proven you were compliant after all).
With the audit officially closed, make a note of any lessons learned to feed into your future license management practices.
The best outcome of an SAP audit is not just surviving it, but using it to improve how you manage SAP licenses in the future.
Preparation and Internal License Optimization
The best way to handle an SAP audit is to never be caught off guard in the first place. Preparation isn’t a one-time task when an audit hits, but an ongoing discipline.
Here are key preparation and optimization steps to minimize audit risk:
- Know Your Entitlements: Maintain a clear inventory of your SAP contracts, license types, and quantities. Understand the definitions in your contract – what constitutes a Professional user vs a Limited user, which products are metric-based, and how those metrics are defined. Many contracts have special clauses (for example, some may explicitly allow a certain indirect use scenario or restrict usage to a specific affiliate). Keep these documents handy and ensure your team understands them. If your SAP agreement has undergone many amendments, consolidate a summary of all the entitlements. Being crystal clear on what you own is the baseline for compliance.
- Maintain an Accurate System Landscape Record: In SAP’s Support Portal, customers list all installations and system IDs. Ensure this is up to date. Mark systems as decommissioned if they are no longer used, and add new systems if you have installed additional instances. SAP’s auditors rely on this list when selecting systems for audit. If you forget to update it, you might be asked to measure a system that was shut down years ago (and scrambling to explain that is not fun during an audit). Regularly review the OSS/System data in the portal and sync it with your current architecture. This also includes deleting any old test systems or clients that were temporary – if they are still marked as active, SAP may count them.
- Implement Ongoing User Management: User licenses are the biggest area of exposure, but also the easiest to control proactively. Establish processes to manage SAP user accounts: when an employee leaves or no longer needs SAP, lock or delete their account promptly. Periodically (at least quarterly) review all SAP user IDs: identify duplicates (the same person with two accounts – consolidate them if possible or at least only count one), and ensure each user has the correct license type assigned according to their role. If someone’s job has changed and they now use more functionality, update their license assignment in the system, and consider if you need to purchase an upgrade for them. Also, leverage SAP’s built-in rules: for example, SAP allows you to designate certain users as “test users” in production for up to 5-10% of total users – ensure you flag those appropriately so they aren’t counted as productive users in USMM. Similarly, lock and expire any generic or service accounts that aren’t actively in use; if they must remain for technical reasons, see if they can be classified as a special type (some service accounts might not need a full license if used solely for background processing). By keeping user data tidy, your LAW reports will more accurately reflect actual human usage and not overcount ghost users.
- Clean Up Inactive Usage and Data: Aside from user accounts, look at engines and modules. Uninstall or turn off any SAP modules that you are not licensed for and are not actively using. It’s not uncommon to find that years ago, someone tested an add-on component in your system that was never licensed. If it remains installed and active, the audit might flag it. Similarly, keep an eye on exceeding usage metrics: if your HR module is licensed for 1,000 employees and your company grows to 1,200, you should anticipate the need to true-up that license before SAP forces it. Monitor those metrics (users, employees, orders, system power, etc.) regularly as part of capacity planning. If something approaches a licensed limit, either curtail usage or budget for an expansion license. It’s far better to address predictable growth via a planned purchase (where you can negotiate price) than to be hit with it in an audit (where you have little negotiating power).
- Use Simulation and Analysis Tools: Don’t wait for SAP to tell you your license position – you can measure it yourself. At least once a year, if not more often, run an internal license audit. Execute USMM in all systems and consolidate with LAW, just as you would for SAP. Analyze the results internally to see if you’re under- or over-licensed. There are also license management tools available. SAP provides some, such as the License Compliance Dashboard in Solution Manager, or newer tools like SAP’s License Management Workbench. Additionally, there are third-party Software Asset Management tools (e.g., Snow Optimizer for SAP, USU, Flexera for SAP) that can automate usage tracking. These tools can often simulate different scenarios, like “if we reclassified these 100 users as Limited, would their actual usage still fit that license type?” Use these to preemptively find issues. For indirect access, run SAP’s Digital Access estimator periodically if you have a large number of interfaces – this helps determine if adopting the document model is sensible or if your indirect use is minimal.
- License Optimization and Recycling: Treat SAP licenses as assets that can be reallocated and reused. For instance, if you find you have 200 unused Professional user licenses but a shortage of 50 Limited user licenses, see if some Professional licenses can be downgraded or swapped (SAP often allows some level of converting higher-tier licenses to lower-tier, though you might need to negotiate this). Remove any unnecessary licenses from your support and maintenance as well. If you decommission a system or a division is sold off, work with SAP to terminate the corresponding licenses so you’re not paying maintenance on them indefinitely. Keeping your license count aligned with actual needs not only saves money but also presents a clean compliance state.
- Documentation and Record-Keeping: Keep a log of all changes related to licensing. Maintain a “license journal” that notes when you added X users or started using Y module, and why that was within your entitlement. Document any special permissions from SAP in writing. When it’s time to audit, this documentation can be a lifesaver in resolving disputes. For example, if an auditor says “you’re using Module A without a license”, you can produce an email or contract clause showing you do have the rights (or at least that SAP sales had approved a trial, etc.). Also, archive past LAW reports and compliance certificates. If last year, SAP agreed you were compliant with 300 Professional and 500 Limited users, and your usage hasn’t changed, you have a strong case if an auditor now tries to re-interpret something.
In essence, treat SAP license compliance as a continual process, not a one-time scramble.
By weaving these practices into your IT operations, audits will become much more routine. You’ll be able to approach an audit with confidence, having already done your homework.
Real-World Audit Exposures and Dispute Examples
It’s helpful to learn from real cases where SAP audits uncovered issues, so you can avoid the same traps.
Here are a few anonymized (but based on real events) examples of audit exposure and disputes:
- Indirect Access Shock (Manufacturing Co.): A global manufacturing company had integrated its SAP ERP with a third-party order management system used by distributors. Only a couple of technical accounts were set up in SAP for the interface, so the company assumed their SAP named user licenses covered it. During an audit, SAP found that thousands of sales orders were being created in SAP through this interface every week. They calculated that each distributor interacting indirectly would require a license, leading to an astonishing compliance claim of several million dollars. SAP offered an alternative: switch to Digital Access licensing for those documents. This sparked a dispute because the customer felt that the existing licenses (and the nature of the integration, which mostly involved transmitting orders) should be sufficient. After negotiations (and considering the precedent of the Diageo case, where the customer lost on similar arguments), the company agreed to purchase a digital access package at a steep discount. The lesson: indirect use is often the costliest surprise – if you have any non-SAP systems reading or writing SAP data, assume SAP will consider it licensable unless explicitly exempt, and plan accordingly.
- User License Type Dispute (Energy Co.): In another case, an energy company was audited, and SAP’s report showed 800 Professional users in use. In contrast, the company had only licensed 500, and the rest were Limited Professionals. SAP had reclassified many “Limited” users as “Professional” in the audit because those users had occasionally executed transactions beyond the strict usage scope of a Limited user (for instance, running an advanced report or updating a configuration which SAP’s rules said only a Professional should do). The customer argued that those activities were rare exceptions and didn’t warrant a full Professional license for each user. This became a negotiation point: SAP was technically correct according to the contract definitions, but the customer felt it was overly punitive. In the end, SAP agreed to let the customer purchase a smaller number of Professional licenses to cover the excess, and the customer pledged to further lock down user permissions to prevent out-of-scope activities. This illustrates how ambiguities in user roles vs license definitions can lead to disputes. Clear internal policies on what activities each license type can perform (and monitoring to enforce it) might have prevented SAP from “upselling” those users during the audit.
- Inactive Users and Back-Maintenance (Retail Co.): A retail company discovered during an audit that it had hundreds of inactive SAP user accounts (employees who left, etc.) that were never properly removed. These accounts were locked but not deleted or set to expire. SAP’s measurement still counted them as active named users. The count exceeded the license entitlement by 15%. SAP not only requested the company to buy additional licenses for these “extra” users, but also tried to levy backdated maintenance fees, arguing that those users had technically been using SAP (even if they hadn’t logged in recently). The company disputed paying back maintenance, citing that the users provided no value and it was an oversight. After the discussion, SAP waived the back maintenance, conditional on the company immediately right-sizing their user count with a license purchase and committing to better user management practices. The moral: SAP will count every account that isn’t properly retired and can charge retroactively for the period of unlicensed use. It’s crucial to purge or correctly mark inactive users before the audit to avoid paying for “shelfware” users.
- Engine License Overuse (Automotive Co.): An automotive firm had an SAP license for a specific engine – let’s say an SAP CRM module licensed for up to 1 million business partner records. Over the years, the number of customer records in the system grew to 1.5 million. This went unnoticed internally. During the audit, SAP requested the number of business partner records and found that the company was 50% over the licensed limit. This was a black-and-white compliance gap: the contract said 1M was the limit. The company had to purchase an extension for the additional 500k records, plus maintenance from the time the limit was exceeded. The company tried to negotiate by arguing that not all those records were active customers, but SAP held firm that the metric was the metric. Engine metrics (user counts, records, orders, CPUs, etc.) are typically strictly enforced, and unlike user licenses, there’s little wiggle room if you exceed them. The only defense is to keep track of those quantities and possibly negotiate a cushion into your contract before you exceed it, or purge old data if the metric allows (for instance, archiving old records to get below the limit – but that often isn’t practical).
These examples highlight a few themes: indirect access can lead to huge exposures, SAP tends to interpret any grey area in its favor (e.g., user activities needing higher licenses), and even innocuous things like old accounts or data can bite you if not managed.
In many cases, customers have successfully negotiated outcomes, but it’s always easier to prevent an issue than to deal with it after the fact.
Real-world disputes have also prompted SAP to soften some policies (for instance, the introduction of Digital Access and the static read exemption were, in part, responses to customer pushback after cases like Diageo and others).
Still, you should assume SAP will enforce the letter of the contract in an audit, and use that assumption to drive vigilant compliance internally.
SAP’s Enforcement Posture and Negotiation Levers
SAP’s Approach to Auditing:
Over the last several years, SAP has tried to present a friendlier image around audits, but make no mistake – the audit team’s mandate is to ensure compliance and capture revenue for unlicensed use.
The GLAC auditors operate separately from sales, and SAP has stated that audits are initiated based on objective criteria (time since last audit, signs of overuse, etc.) rather than as sales retaliation. In practice, however, the outcome of an audit is very much a sales opportunity for SAP.
Once the auditors identify a compliance gap, they hand it over to the sales or account team to sell you what’s needed to resolve it. SAP views this as just compensation for the software’s use.
They generally do not waive license fees if a genuine shortfall is found, except in cases where part of a larger sales deal is involved, as described below. It’s rare for SAP to immediately take a hardline, punitive stance (like legal action) without first giving the customer a chance to purchase the necessary licenses.
Enforcement and Escalation:
If a customer flat-out refuses to cooperate with an audit or won’t address a known compliance issue, SAP can escalate the matter. Extreme measures (which are seldom used) include: threatening to suspend support agreements, charging penalties/interest as per the contract, or ultimately legal action for breach of contract.
The notorious lawsuits, such as SAP vs. Diageo and SAP vs. AB InBev, were the result of long-standing disputes where customers did not agree to remediate massive indirect usage gaps. SAP prefers not to go to court – it’s costly and can be publicly damaging – so legal action is truly a last resort.
Nonetheless, as an IT leader, you should be aware that if an audit identifies significant unlicensed usage and you don’t engage constructively to resolve it, the issue will be escalated within SAP.
Often, the SAP regional compliance manager or executives will get involved in discussions if millions of dollars are at stake. Your executives, such as the CIO and CFO, will likely need to engage at that point as well.
This is why, even if you dispute the findings, it’s important to keep channels open and work toward a solution.
Negotiation Levers:
The audit outcome is negotiable to a degree. Here are some levers and tactics commonly seen:
- Data Clarification and Challenges: Your first lever is always to ensure SAP’s findings are accurate. This isn’t “negotiation” in a traditional sense, but by reducing the scope of the compliance gap through accurate data, you effectively reduce what needs to be purchased. For example, proving that 100 of the “Professional users” SAP counted are inactive can eliminate the need to buy those 100 licenses. SAP will usually accept well-supported corrections. Always exhaust these options before talking money.
- Discounts and Waivers: SAP audits, by default, will price compliance at the list price plus back maintenance. But in negotiation, everything can be discounted. SAP sales can offer discount percentages on the licenses you need to buy, just like any other deal. They might also waive some or all back maintenance fees as a goodwill gesture, especially if you agree to purchase the needed licenses promptly. If the audit revealed indirect access issues, SAP might offer the Digital Access conversion with a special discount or a bundle of free documents. Always remember that the initial number SAP presents (“we think you owe $X”) is often an opening bid; the final deal could be significantly less once discounts are applied. Use your knowledge of typical discount levels (if you have a benchmark from previous purchases or peers) to gauge what’s reasonable.
- Future Commitments/Bundling: Perhaps the most common lever is turning the audit true-up into part of a larger sale. SAP account executives love to tie compliance resolution to new sales because it achieves compliance while also helping them meet their sales quota. You can use this to your advantage if you have a need or desire for SAP products. For instance, if you were considering an S/4HANA migration or buying additional SAP cloud services (SuccessFactors, Ariba, etc.), you could negotiate a package where those purchases are made and the audit shortfall is forgiven or heavily discounted. Example: “We’ll sign a new three-year agreement for S/4HANA worth $5M, and in exchange, SAP will drop the $1M audit finding or include those needed licenses at no extra cost.” SAP will evaluate the trade-off economically – often, they’re willing to concede on the one-time audit revenue if it means locking in a larger long-term deal. Be cautious, though, about being pushed into buying something you don’t truly want because of an audit. Sometimes, SAP might propose a product you haven’t budgeted for (“Why not move to our cloud edition, and we can forget about this compliance issue?”). Evaluate such offers strategically – it might be a good opportunity or just sales opportunism. Don’t let the pressure decide for you.
- Timing and Fiscal Leverage: The end of SAP’s quarter or year can be a moment of leverage. SAP sales might be more generous with discounts or concessions if they are trying to book the deal in the current quarter. While you shouldn’t artificially delay addressing a compliance issue for this reason, being aware of SAP’s sales calendar can be helpful. If an audit finishes in Q1 but you know SAP’s year-end is Q4, they might push to close the compliance purchase sooner; you could hold off (as long as you’re making progress) to negotiate better terms closer to year-end. However, don’t abuse this – dragging out an audit too long can frustrate SAP and lead to negative consequences.
Relationship and Goodwill:
One somewhat intangible factor is your overall relationship with SAP. If you are a cooperative customer who engages transparently, SAP’s auditors and sales team are more likely to work with you on solutions. If you’ve historically been combative or extremely resistant, they may take a tougher line.
It often helps to involve your SAP account manager as an advocate; while they aren’t in control of the audit, they do have an interest in keeping you as a happy customer.
They can sometimes help facilitate compromises or get approvals for special discounting. Just remember, their loyalty is ultimately to SAP, but a good account manager knows that a disastrous audit outcome can sour the account for good.
Escalation Risks:
If negotiations truly break down, the risks escalate. SAP could issue a formal notice of breach of contract, which is serious – it might give you a short window to cure (pay for licenses) or face termination of the software license (meaning you’d have to stop using SAP, an almost unthinkable scenario for most large enterprises without a long runway). It rarely gets this far; usually, cooler heads prevail and a deal is struck.
But from an IT leadership perspective, you should brief your executive team about this risk if you’re considering taking a principled stand. Sometimes companies decide to make a point and not pay what they deem extortionate, perhaps hoping SAP will back off or they will settle in court.
This is high-risk and typically only undertaken if the audit claim is truly outrageous and negotiation attempts have failed. A more prudent approach is to negotiate a settlement and then, if you’re unhappy with SAP’s models, plan in the long term to reduce dependency on SAP or lobby SAP through user groups for contract changes.
In summary, SAP’s enforcement in audits is firm but usually pragmatic. They want compliance revenue, but they also want to keep you as a customer.
By understanding their tactics (tight timelines, high initial demands, and leveraging audits for upselling) and using your levers (data correctness, smart buying, and strategic bundling), you can navigate audit enforcement in a way that protects your organization’s interests.
Always aim for a resolution that both achieves compliance and aligns with your IT roadmap (if you have to spend money, try to spend it on something that moves you forward, not just a penalty fee).
And importantly, once the dust settles, carry those hard-earned lessons into better license management to avoid repeat showdowns.
Strategies to Minimize Audit Risk and Respond Effectively
Minimizing audit risk is about being proactive, and responding effectively is about being prepared.
Here are actionable strategies for IT leaders:
- Conduct Regular Internal Audits: Don’t wait for SAP’s official audit. Conduct your own license audits at least annually, if not quarterly. This means running the SAP measurement tools internally and reviewing results. If you find variances, address them proactively (cleanup or purchase additional licenses as needed). Regular self-audits ensure there are no nasty surprises and demonstrate a good-faith effort to SAP should an official audit occur.
- Utilize Tools and Automation: Take advantage of tools like SAP’s LAW and License Management Cockpit or third-party SAP license management solutions. These can automate monitoring of user counts, identify dormant users, track engine metrics continuously, and even alert you when you’re near a license threshold. For instance, some tools can flag if a user’s activity pattern would qualify them for a higher license type, allowing you to adjust before an audit does it for you. Automation reduces the manual effort and error involved in tracking compliance in real time.
- Optimize License Allocations Continuously: Embed license compliance into your user provisioning and IT change processes. For example, when a new employee who will use SAP is onboarded, decide upfront what license type they should have based on their job role, and only give them permissions suitable for that license. If they need more access, have a governance step to review if a license upgrade is required. Likewise, when someone leaves, immediate de-provisioning from SAP prevents license creep. Periodically review heavy users – do they all need the top-tier license, or can some be adjusted to a lower tier with some role restrictions? Right-size licenses to actual usage patterns. Some organizations set up a cross-functional License Compliance Committee to review such changes on a quarterly basis.
- Keep Integration Inventory and Controls: Maintain an inventory of all non-SAP systems that interface with SAP, including what data is exchanged and how often. This is crucial to manage indirect access. Where possible, technically limit what external systems can do in SAP. For example, if an external system only needs to retrieve data, ensure it uses a read-only interface and consider caching data outside SAP (to fall under “static read” scenarios that don’t incur licensing). If external systems create transactions in SAP, consider middleware that queues and batches them – maybe you can reduce the document count or at least have clear logs to count them. Essentially, design integrations with license impact in mind. Also, ensure any vendors or partners whose systems connect to your SAP are aware of indirect usage implications – you don’t want a surprise that some team deployed a new tool that quietly hooks into SAP without proper assessment. A governance step for new integrations should include a review of the SAP license impact.
- Educate and Train Your Teams: SAP licensing is notoriously complex. Invest in training for your SAP basis team, user administration team, and procurement/licensing managers so they understand the rules. Make sure they know the consequences of things like leaving a user unclassified or plugging an unapproved tool into SAP. Sometimes, well-meaning IT staff might temporarily enable a component in SAP for testing – if they know the license implications, they’ll follow proper channels instead. Educate business users as well; for instance, department heads should know that adding 50 contractors to use an SAP-based tool might require additional licenses. When people at all levels are aware of compliance as a shared responsibility, you catch issues earlier.
- Engage SAP Proactively: Build a partnership with SAP when possible. If you foresee a change that might affect licensing (e.g., a big increase in users due to a new project, or plans to interface a new e-commerce platform with SAP), talk to SAP in advance. They might provide guidance or specific license options to accommodate it, potentially at a better price if done proactively. Sometimes SAP even has audit avoidance programs – for example, if you sign up for certain enterprise agreements or cloud subscriptions, they might suspend some audits. While you should never rely solely on verbal assurances, having an open dialogue can make audits less adversarial. If something is unclear in your contract, ask SAP to clarify in writing. It’s better to clarify grey areas now than to argue about them during an audit.
- Strong Internal Audit Response Plan: Have an internal audit response playbook. This playbook, similar to this document, should outline the roles and steps to follow when an SAP audit notice arrives. Identify who will gather data from which system, who will interface with SAP, who will validate results, etc. Essentially, treat it like a disaster recovery drill – everyone should know their part. That way, if an audit is announced, your team isn’t panicking; they’re executing a rehearsed plan. Also, pre-assign someone to coordinate with legal and someone to handle communications, so that queries are routed properly. A unified, calm response can set a better tone with SAP’s auditors.
- During the Audit: Stay Organized and Factual: If you’re in an audit, some best practices in responding include: keep all correspondence with SAP documented (emails, minutes of meetings), respond within agreed deadlines (or request extensions in advance with reason), and never guess or provide unverified data. If unsure, it’s okay to say, “We are looking into that and will get back to you.” All data you give should be checked. Also, funnel communications through a single voice (or a small core team) to avoid contradictory answers. If SAP’s auditors speak to multiple people in your organization, ensure those people have the same story. Inconsistent information can raise red flags. Always be truthful – providing false or misleading data can severely damage trust and escalate the situation, and may even be considered a breach in itself. If there’s a compliance issue you’re aware of, it’s often better to acknowledge it and show a plan to address it rather than to hide it; SAP will likely find it anyway.
- Negotiate Smartly, Not Defiantly: When it comes to negotiation, do your homework. Know the list prices and typical discounts for the licenses in question so you can recognize a fair offer. Have a clear view of what you’re willing to accept (e.g., we’ll pay up to $X, beyond that we’d rather fight or consider alternatives). If SAP’s proposal is too high, diplomatically explain the impact and why you need better terms, perhaps citing your long relationship or future potential business with SAP. Bring in your executive sponsors for high-level talks if needed – a CIO-to-SAP-VP conversation can sometimes break a deadlock that regular negotiations couldn’t. Throughout, remain professional; emotional or hostile behavior can erode SAP’s willingness to compromise. Show that you’re committed to compliance, but expect reasonable treatment as a customer.
- Learn and Improve: After an audit (or even after your internal drills), do a retrospective. Identify what led to any compliance gaps and plug those process holes. If, say, a bunch of contractor accounts were left active, implement a stricter offboarding process. If indirect usage surprised you, set up better monitoring on interfaces. Also, take note of any areas SAP focused on – it gives insight into what they care about, which likely means you should care too. Feed this back into your continuous license management program. Essentially, use the audit as a free (well, maybe not free…) consultation on where your license controls could be better.
The overarching strategy is proactive governance of SAP licenses and measured, informed action during audits. Companies that approach SAP license management as a continuous discipline tend to have smoother audits and far fewer financial surprises.
Yes, it requires effort – but given the high cost of non-compliance, that effort pays for itself many times over.
Recommendations for IT Leaders
In navigating SAP license audits, certain best practices consistently emerge as game-changers.
Below is a summary of key recommendations for IT leaders to put into action:
- Establish Year-Round License Governance: Don’t treat compliance as an annual fire drill. Set up a dedicated team or process to continuously monitor SAP license usage. Regularly review user lists, license allocations, and usage metrics to catch issues early.
- Keep Contract Knowledge Current: Maintain a clear understanding of your SAP contracts to ensure accuracy and compliance. Know exactly what you’re entitled to and under what conditions. Update this knowledge when you purchase new licenses or SAP updates its policies, such as changes in indirect access rules. This ensures you always negotiate and comply from a position of clarity.
- Proactively Audit Yourself: Schedule internal SAP license audits before SAP does. Ideally, run a full measurement and compliance check before your annual renewal or SAP’s expected audit cycle. This internal review lets you fix missteps (or budget for shortfalls) on your terms, without the time pressure of an official audit.
- Optimize and Clean House Regularly: Implement automated checks to flag dormant users and unused licenses. Reclaim and recycle licenses when employees leave or projects come to an end. Periodically, require business units to certify whether their SAP users still need access. Small, routine cleanup tasks prevent massive cleanup costs later.
- Manage Indirect Access Deliberately: Inventory all third-party integrations to SAP and assess their license impact. Where possible, design integrations to minimize the creation of licensable events (e.g., use data caching and aggregate transactions). Consider adopting SAP’s Digital Access model if analysis shows it could be more cost-effective for your usage patterns – but negotiate the terms to avoid unwarranted expense. Make indirect access a focal point of architecture reviews.
- Prepare an Audit Response Plan: Have a documented playbook for what to do when an SAP audit notice arrives. Assign roles (who coordinates, who gathers data from which system, who liaises with SAP), define timelines, and list tools/resources needed. Essentially, treat it like an incident response plan. Practice it, if possible, with a mock audit so that your team is comfortable and ready.
- Engage with SAP Constructively: Build a rapport with your SAP account manager and involve them in discussions about your license usage and future needs. While they’re separate from audits, their guidance can be valuable, and they can advocate for you internally. If you anticipate a growth or change that will affect licenses, inform SAP and see if you can pre-empt audit pain with a negotiated adjustment. It shows goodwill and can earn leniency.
- During Audits: Be Transparent but Vigilant: When under audit, provide SAP with the requested data promptly and cooperate, but also verify everything. Keep communications factual and don’t volunteer more than asked, but don’t hide things they’ll inevitably find. Monitor the auditors’ activities and findings closely; correct any mistakes in their understanding early. Essentially, manage the audit actively – don’t just hope for the best passively.
- Thoroughly Vet Audit Findings: Never accept SAP’s audit conclusions at face value without your analysis. Reconcile their numbers with your data. If something looks off (e.g., user counts seem inflated), raise questions. Bring in external licensing experts if needed to challenge questionable findings. A polite challenge can save you from unjustified costs – SAP does make mistakes or may default to assumptions that you can disprove.
- Negotiate Strategically, Not Fearfully: If an audit shows you need to buy licenses, approach the negotiation as you would any significant purchase. Leverage timing, consider bundling with planned investments, and negotiate for discounts or concessions, such as waiving back fees. Remember, you have leverage too – SAP wants to maintain your business and avoid public disputes. Aim for a settlement that addresses compliance while also aligning with your tech roadmap or budget constraints.
- Document Everything: Throughout the audit process (and in everyday operations), maintain thorough documentation. Record what data was provided, how figures were calculated, and any agreements made. After the audit, compile an audit report file including SAP’s final letter. This documentation will serve as your reference in case of future audits or if questions arise later. It also helps train your team by learning from this experience.
- Foster a Compliance Culture: Finally, instill in both IT and business stakeholders the importance of software license compliance. Make it part of the organizational culture that using software responsibly (and legally) is everyone’s job. When teams plan projects that involve SAP, they should automatically consider the impact on licenses. When managers request new SAP access for an employee, they understand that there is a cost and a process attached. A culture that respects licensing reduces risky behaviors that lead to audits.
By following these recommendations, IT leaders can significantly reduce the risk of an SAP audit turning into a costly crisis. Instead, you’ll approach audits as routine checkpoints, confident in your compliance posture and prepared to address any gaps in a controlled, strategic manner.
In the realm of SAP, knowledge and preparation are truly powerful – wield them, and you’ll navigate even the toughest audits with poise.