Automotive — Michigan, USA · SAP Indirect Usage / Digital Access · 22,000 Employees
01 The Challenge: SAP Indirect Usage Audit Claim
The Michigan automotive supplier is a Tier 1 manufacturer supplying major global OEMs with precision-engineered components and sub-assemblies. The company received an unexpected SAP licence audit notification focused specifically on indirect usage, also known as digital access.
SAP's audit team alleged that several internal systems and third-party platforms were accessing SAP data and executing transactions without appropriate licensing. They issued a preliminary non-compliance claim totalling millions of dollars in back-dated licence fees plus ongoing annual costs.
The claim represented a material financial exposure that threatened the company's IT budget allocations and raised fundamental questions about whether the existing enterprise integration architecture would need to be redesigned or relicensed at enormous cost.
What SAP's Audit Targeted
The audit claim was based on automated data flows between the company's SAP ERP system and multiple external applications.
Manufacturing Execution Systems (MES)
MES platforms reported production quantities and quality data back to SAP. SAP classified each of these interactions as unlicensed digital access requiring either named user licences or digital access document licences.
Logistics and Warehouse Management
Logistics platforms triggered goods movements and shipping confirmations within SAP. The audit counted every goods movement document created through these interfaces as a separately licensable event.
Customer Ordering Portals
Customer portals created sales orders and delivery requests in SAP. SAP's methodology treated every sales order generated through the portal as an indirect access instance requiring licensing.
Supplier Collaboration Platforms
Supplier platforms processed purchase orders and invoice reconciliations. Each document created in SAP through these platforms was counted as a licensable digital access event.
SAP's audit methodology did not distinguish between documents created by automated machine processes and those initiated by human users. It did not account for licensing provisions already included in the company's existing SAP agreements. And it did not reflect SAP's own published guidance on how digital access scenarios should be evaluated.
02 The Client's Position: Belief in Existing Compliance
The company's IT leadership, including the CIO and Director of Enterprise Applications, believed strongly that their integration architecture complied with SAP's licensing terms under existing agreements.
The interfaces between SAP and external systems had been designed deliberately and methodically, with specific attention to how data flows would operate, what SAP transactions would be invoked, and what licensing implications each integration pattern carried.
Importantly, the architecture had been discussed with SAP during previous licensing conversations. Both during the original SAP implementation and during subsequent contract renewals, the company believed SAP had been fully informed of the integration patterns and had understood how digital interfaces would be handled within the existing licensing framework.
However, the documentation supporting this compliance position was not consolidated in a single, audit-ready format. Historical communications, architectural approval records, licensing discussion notes, contract amendments, and internal design documents were distributed across multiple departments, email archives spanning several years, and shared drives. Key individuals who had participated in the original licensing discussions had moved to other roles or left the organisation.
03 Redress Compliance Engagement: Approach and Methodology
The company engaged Redress Compliance to independently assess the audit findings, evaluate the validity and accuracy of SAP's claims, identify specific weaknesses and factual errors in SAP's audit methodology, and build a comprehensive fact-based defence.
The engagement followed Redress Compliance's structured SAP audit defence methodology, designed specifically to challenge vendor audit claims through rigorous technical analysis, detailed contractual interpretation, and systematic evidence assembly. For methodology details, see: SAP Licence Audit Defence Service.
Interface Mapping and Transaction Review
Every non-SAP system connected to the ERP environment was identified and mapped. This included specific integration protocols (RFC, BAPI, IDoc, web service, flat file), the direction and frequency of data flows, the SAP transaction codes and function modules invoked, and the volume and type of SAP documents created by each interface. This mapping provided a complete picture of how external systems interacted with SAP.
Usage Categorisation
The analysis separated automated system actions (machine-triggered status updates, material postings from MES systems, batch-processed logistics confirmations) from human-driven processes where an identifiable user initiated an action that ultimately created or modified SAP data. This distinction was critical because many transactions SAP flagged as indirect access were automated system-to-system integrations with no human user involved.
Historical Documentation Assembly
Historical communications between the company and SAP, including emails, meeting minutes, architectural diagrams shared during licensing discussions, and contract amendment records, were gathered, organised, and analysed. This documentation demonstrated that SAP had been informed of the integration architecture during previous licensing negotiations.
Licensing Rule Application
SAP's audit methodology had counted entire user populations and complete transaction sets as indirect usage, even when access was batch-processed through middleware, executed by system service accounts rather than human users, or subject to authentication outside SAP. Redress applied SAP's own published guidance and the specific contract terms to demonstrate why SAP's counting methodology was factually incorrect and contractually unsupported.
04 The Formal Rebuttal: Evidence-Based Challenge
Redress Compliance prepared a detailed formal rebuttal document, supported by usage logs, architectural diagrams, transaction analysis, historical correspondence, and legal licence interpretations, that systematically challenged each element of SAP's audit claim.
The rebuttal was structured to address SAP's specific audit findings point by point, providing evidence for why each claimed non-compliance instance was either already covered under existing licences, misclassified as indirect access when it did not meet the contractual definition, or counted using a methodology inconsistent with SAP's own published guidance on digital access licensing.
Redress Compliance facilitated direct discussions between the company's leadership team and SAP's audit and legal representatives. These discussions were structured to present the technical evidence clearly and allow SAP's team to evaluate the rebuttal on its factual merits, rather than drifting toward commercial negotiation or settlement discussions before the factual basis of the claim had been properly examined.
05 Key Defence Arguments: Why the Claim Was Invalid
Automated System-to-System Transactions Are Not Indirect Access
A significant portion of the flagged transactions were machine-generated: MES systems posting production confirmations, logistics platforms triggering goods movements, and batch processes executing material postings. These were automated system integrations with no human user initiating the SAP interaction. The company's agreement did not require licensing for fully automated system-to-system data flows.
Prior SAP Awareness of Integration Architecture
Historical documentation demonstrated that SAP had been informed of the company's integration patterns during previous licensing discussions. The interfaces were not hidden or undisclosed. They had been part of the architectural landscape that SAP was aware of when the current licensing agreements were negotiated and renewed.
Over-Counting Through Flawed Methodology
SAP's audit team had applied a methodology that counted every transaction created by an external system as an indirect access instance, including duplicate entries, batch-processing repetitions, and system test transactions. The actual volume of licensable indirect access was a fraction of what SAP had claimed.
Existing Licensing Already Covered Legitimate Indirect Access
For the limited number of transactions that did involve human-initiated indirect access, the company's existing SAP licensing entitlements already included provisions that covered this usage. The audit claim had not properly accounted for the company's full licence entitlement.
SAP's Own Guidance Contradicted the Audit Position
SAP's published digital access licensing guidance, including FAQs and programme documentation, contained provisions and examples that supported the company's interpretation. Redress cited these materials to demonstrate that SAP's audit team had applied a more restrictive interpretation than SAP's own published guidance supported.
06 The Results: Full Claim Withdrawal
The outcome was decisive and unambiguous. After reviewing the formal rebuttal, the supporting technical evidence, the historical documentation, and the points raised during direct discussions, SAP withdrew the indirect access compliance claim in its entirety.
The original multi-million dollar non-compliance finding was retracted completely. SAP acknowledged that the supplier's digital integrations were covered under existing agreements and that proper licensing interpretations supported the company's position.
No additional licensing was required: not a single additional named user licence, not a single digital access document licence, and no retroactive fees.
| Metric | Before Engagement | After Engagement |
|---|---|---|
| SAP audit claim | Multi-million dollar non-compliance finding | Fully withdrawn. $0 compliance payment |
| Additional licences required | SAP demanded extensive new licensing | None. Existing entitlements confirmed sufficient |
| Architecture impact | Integration strategy under threat | Architecture validated and protected |
| Audit documentation | Distributed and unorganised | Centralised compliance framework established |
07 Post-Audit Governance: Preventing Future Exposure
Beyond defeating the immediate audit claim, the engagement established a permanent compliance governance framework that would protect the company against future SAP audit exposure.
Interface Documentation Process
A formal documentation process for all system interface reviews, requiring that every new connection between an external system and SAP is evaluated for indirect access licensing implications before the integration is deployed to production.
Ongoing Audit-Ready Records
Comprehensive audit logs and licence-use mapping procedures to maintain a continuously updated, audit-ready record of how all indirect and digital access is managed, including transaction volumes, integration types, and the licensing provisions covering each scenario.
Quarterly Interface Reviews
Quarterly reviews of all SAP-connected interfaces to verify that no new integrations have been deployed without licensing assessment and approval, plus annual reconciliation of indirect access transaction volumes against current licensing entitlements.
Designated Audit Response Team
A designated SAP audit response team with clearly defined roles, documented escalation procedures, and immediate access to the centralised compliance documentation repository, plus a formal change management process requiring licensing impact assessment for any SAP-connected infrastructure changes.
For SAP digital access advisory guidance, see: SAP Digital Access Advisory Service.
08 Client Perspective
"This was a wake-up call. We were confident in our design, but without Redress's help in organising the evidence and pushing back on SAP's assumptions, we could have paid millions unnecessarily. The difference was having someone who understood both the technical architecture and SAP's licensing rules, and who could present our position in a way that SAP's audit team had to take seriously."
"This isn't just about the money we saved. It's about defending our architecture and protecting how we run our business. The integration patterns SAP was challenging are fundamental to how we operate our manufacturing and logistics. If we had accepted the claim, we would have been forced to either pay millions for licences we didn't believe we needed or redesign our systems. Neither option was acceptable, and Redress helped us prove that neither was necessary."
09 Lessons for Organisations Facing SAP Indirect Usage Audits
Do Not Accept Claims at Face Value
SAP's audit methodology for indirect access can be aggressive and commercially motivated, counting entire transaction sets without properly accounting for automated processes, duplicate entries, test transactions, existing entitlements, or the specific contractual terms of the customer's agreement. The gap between SAP's initial claim and the actual compliance position can be enormous.
Document Integration Architecture Proactively
The most valuable defence asset in this case was historical documentation showing that SAP had been informed of the integration architecture during previous licensing discussions. Organisations should maintain comprehensive, centralised records of all SAP-related architectural discussions, licensing conversations, and contract negotiations.
Separate Automated from Human-Driven Access
The distinction between fully automated system-to-system transactions and human-initiated indirect access is central to most digital access audit disputes and is frequently the largest single factor in determining whether an audit claim is valid or overstated. Organisations should proactively categorise all SAP interfaces and maintain detailed transaction logs.
Frequently Asked Questions
SAP indirect usage (also called digital access) occurs when users or external systems access SAP data or create SAP documents through a non-SAP interface rather than logging directly into the SAP GUI. Common examples include customer portals that create sales orders in SAP, manufacturing execution systems that post production data, and third-party applications that read or write SAP data through APIs or middleware.
Yes. SAP audit claims, including indirect usage claims, can and should be challenged when the facts support the customer's compliance position. SAP's audit methodology can overcount licensable access by including automated system transactions, duplicate entries, test data, and transactions already covered by existing licensing. Independent expert analysis consistently reveals significant gaps between SAP's initial claims and actual licensing obligations.
Through a structured four-phase approach: comprehensive interface mapping of all SAP-connected systems, categorisation of automated versus human-driven transactions, assembly of historical documentation proving SAP's prior awareness of the integration architecture, and application of SAP's own licensing rules to demonstrate the audit methodology was flawed. The evidence-based rebuttal led to full claim withdrawal.
This is frequently disputed. SAP's audit teams sometimes count all external transactions regardless of whether a human user is involved. However, many SAP customer agreements and SAP's own published guidance distinguish between fully automated machine-to-machine data flows and human-initiated indirect access. The contractual terms of each individual agreement are the determining factor.
Proactive preparation includes: maintaining a current inventory of all SAP-connected interfaces with documentation of integration types and transaction volumes, categorising each interface as automated or human-driven, preserving all historical licensing correspondence and architectural discussions with SAP, conducting regular reconciliation of indirect access transactions against current entitlements, and engaging independent advisory support before responding to audit claims.