SAP License Compliance 101 – Indirect Use, Audits, and How to Stay Protected
Introduction – Why SAP Compliance Matters
SAP license compliance issues can lead to unbudgeted multi-million-euro penalties.
In recent years, disputes over “indirect use” (when third-party systems access SAP without proper licenses) have resulted in huge bills and even lawsuits.
Clearly, SAP compliance is not just a technical detail – it’s a serious business risk that can hit the bottom line unexpectedly.
Beyond avoiding penalties, compliance is about cost control and risk management. SAP is known for conducting frequent license audits and strictly enforcing its contracts, sometimes as a means to drive revenue.
CIOs, CFOs, and IT leaders must be proactive in treating SAP license compliance as an ongoing discipline. That means staying ahead of audits, understanding your entitlements, and ensuring that actual usage stays within licensed bounds.
Indirect Access vs Digital Access
A major licensing risk with SAP is indirect access. This refers to the use of SAP software via third-party applications or external users.
Historically, if non-SAP systems or external people interacted with SAP data (even without logging in directly), SAP required a user license for that indirect use.
Many customers ended up with substantial penalties when audits uncovered these unlicensed interfaces into SAP.
To address this pain point, SAP introduced Digital Access – a licensing model that charges based on documents rather than users.
Under Digital Access, certain document types (sales orders, invoices, purchase orders, etc.) are counted whenever they are created in the SAP system, regardless of whether the creation is triggered by an internal user or an external application.
Customers buy a quota of these documents, and each creation uses up one count. SAP encourages this model through the Digital Access Adoption Program (DAAP), offering incentives to switch to the document-based approach.
Digital Access brings clarity, but it doesn’t eliminate risk – it just changes it.
Now, companies must watch document counts to avoid overages, while those staying on the old model must vigilantly manage integrations.
In short, whether you license external use via users or via documents, you need strong oversight. The table below compares the two models:
Access Type | How It Works | Risks | Mitigation Strategy |
---|---|---|---|
Indirect Access (legacy model) | External systems or users indirectly use SAP data or functions. Requires a named user license for any person or system that triggers SAP activity. | Hard to track; hidden usage can lead to surprise audit findings and hefty fees. Ambiguity in scope has led to disputes over what counts as indirect use. | Inventory all SAP integrations and ensure each is licensed or explicitly exempt. Negotiate contract clauses that clearly define indirect use to prevent surprises. Consider moving to Digital Access if indirect usage is significant or hard to monitor. |
Digital Access (document model) | Licensing based on counting specific document types (e.g. orders, invoices) created in SAP, instead of counting users. You purchase a document quota, and usage is metered against it. | Requires diligent tracking of document creation. Spikes in transactions can exhaust your quota and incur unplanned cost. Some ambiguity in what qualifies as a countable “document” in complex scenarios. | Use SAP’s tools or studies to estimate document volumes before switching. Monitor document usage continuously. Negotiate a buffer or flexibility for excess documents in your contract to avoid financial surprises. |
SAP License Audits – What to Expect
Regular audits are a fact of life for SAP customers. Typically, each year, SAP asks you to run their measurement programs (like USMM for user counts and LAW for consolidated usage) and submit the results.
This is the basic audit process, and it verifies your usage against what you’ve purchased. If everything matches up, you’re in the clear. If it doesn’t (for example, you have more active users than licenses, or an SAP component is overused), SAP will point that out and usually ask you to purchase the necessary licenses to cover the difference.
Sometimes, SAP will initiate an enhanced audit, which is a more in-depth review. This might be triggered if SAP suspects major compliance gaps (say, signs of unlicensed indirect use or a lot of user misuse).
In an enhanced audit, SAP auditors dig into details: they may request detailed user lists, usage logs, and even conduct interviews or remote sessions to see how you’re using the software.
They’ll look for things like users with the wrong license type, or interfaces that weren’t disclosed. Enhanced audits are less common, but they do happen, especially with large customers or complex environments.
Note that SAP audits are also a revenue opportunity for SAP. It’s common for them to present an initial audit finding with a hefty price tag. Always remember that the first number is not set in stone. You have the chance to clarify and negotiate.
Often, you can resolve issues by adjusting data (for example, removing duplicate or inactive users from the count) or by reaching a deal (perhaps converting to a newer licensing model) instead of paying a straight penalty.
Treat an audit as the start of a dialogue. Provide accurate information, push back on questionable findings, and work toward a settlement that addresses compliance without breaking your budget.
Key Compliance Challenges
Keep an eye on these common SAP compliance risk areas (an internal checklist for your team):
- Indirect or third-party usage: Review all external systems that interface with SAP to ensure any indirect access is properly licensed.
- User license classification: Verify each SAP user is assigned the correct license type for their role. Avoid under-licensing (too low) or over-licensing (too high) users.
- Package/engine consumption: Track usage of SAP modules that have specific metrics (users, orders, revenue, employees, etc.) and ensure you’re within your licensed limits.
- Shelfware (unused licenses): Identify SAP licenses or subscriptions you’re paying for but not using. These could potentially be reduced or reallocated to save costs.
- Internal audit process: Don’t wait for SAP – run periodic internal license audits yourself to catch and fix issues early.
Modern Developments in Compliance
SAP’s push into cloud and subscription models (e.g., RISE with SAP and other SaaS offerings) is changing compliance dynamics. In the cloud, you might not get formally “audited” with scripts; instead, SAP monitors your consumption as part of the service.
If you exceed your subscription limits (like the number of users or volume of transactions you paid for), you’ll be required to adjust (usually by purchasing more). Compliance in the cloud is more about staying within contracted usage levels.
SAP’s licensing complexity is evolving, not disappearing. Digital Access is one example of the shift toward measuring actual system activity. Cloud bundles also introduce new metrics and rules.
On the plus side, a cloud subscription can reduce some traditional worries (for instance, user counts are pre-agreed in your contract), but it introduces new ones, like ensuring you don’t exceed what’s in your subscription.
The modern approach to SAP compliance is continuous monitoring – whether on-premise or cloud, keep a close watch on how your usage compares to your entitlements at all times.
How to Stay Protected (Preview)
To safeguard your organization from SAP compliance issues, consider these strategies:
- Run your own SAP license audits: Regularly use SAP’s license measurement tools internally to check usage vs. entitlements and catch issues early.
- Utilize SAP tools and notes: Make sure you’re using SAP’s latest measurement tools (USMM, LAW, etc.) correctly and applying any SAP notes that improve counting accuracy.
- Evaluate DAAP for indirect use: If indirect access is a major concern, see if SAP’s Digital Access Adoption Program can offer a cost-effective conversion to document licensing.
- Negotiate before paying: Never accept an audit finding at face value – always discuss and negotiate with SAP. Initial demands can often be reduced through clarification or deal-making.
- Contractual protections: When renewing or signing SAP agreements, include clear definitions and limits (for indirect use, audit frequency, etc.) to prevent future disputes.
(Each of these points is explored further in our dedicated guides on SAP audit defense and license management.)
FAQs
What triggers an SAP audit?
Usually it’s routine – expect a license audit every year or two. Significant events like a major increase in usage or a merger can also prompt one. In short, periodic audits are normal if you use SAP.
How does Digital Access licensing work?
Digital Access is SAP’s document-based licensing model. Instead of licensing each user for indirect access, you license a certain number of documents (e.g. orders, invoices). Whenever one of those documents is created in SAP – whether by a person or an external system – it counts against your purchased quantity. If you reach your limit, you need to buy more documents.
Can SAP force me to adopt Digital Access?
No. SAP cannot force existing customers onto Digital Access. They may strongly encourage it (with incentives like DAAP or during contract talks), but it’s your choice. You can stay on the old model if you prefer, as long as you remain compliant under those rules.
What’s the risk with third-party integrations?
Third-party systems connecting to SAP can inadvertently create licensing liabilities. If an external system pushes or pulls data in SAP, that activity might require an SAP license (or consume Digital Access documents). Often this is overlooked until an audit finds it. The best practice is to document all integrations and ensure a suitable SAP license covers each.
Do SAP audits apply in the cloud (RISE)?
In SAP’s cloud offerings like RISE, the traditional audit process is different. SAP already measures your usage in the cloud, so you won’t run USMM yourself. However, if you exceed the limits in your cloud subscription (for example, more users or transactions than agreed), SAP will require you to correct it (usually by purchasing additional capacity). Compliance still matters in the cloud, but it’s managed via the subscription terms rather than on-premise audit tools.
Five Expert Recommendations
- Treat SAP audits as a commercial negotiation. An audit result is often an opening offer – you can engage and push back to seek a more reasonable outcome.
- Map all SAP integrations. Keep an updated list/diagram of every system interfacing with SAP to spot indirect use and ensure it’s properly licensed.
- Right-size user licenses regularly. Periodically review and adjust user license assignments so you’re not over-paying for unused permissions or leaving any heavy users under-licensed.
- Lock in clear terms with SAP. In your contracts, get precise definitions for license use and audit procedures, so there’s less grey area that could be used against you later.
- Do internal compliance checkups. Don’t wait for SAP’s audit – run your own mini-audits and license checks to find and fix issues on your terms.