
How to Prepare for a SAP License Audit
An SAP audit notice has arrived. What now? Preparation is crucial to successfully navigating an SAP license audit. Ideally, preparation for an audit starts well before any official notice, since SAP typically only gives a few weeks to respond.
This article provides a practical roadmap for SAP customers, from months before the audit, to the moment you receive the audit letter, and through the audit execution. The goal is to make the audit a smooth and controlled exercise, rather than a panicked scramble.
Start Early: Ongoing Preparations
Even if you have no audit notice, assume one is coming in the next year, as annual audits are the norm for most on-premise SAP customers.
Here's how to continuously stay prepared:
- Maintain an Updated License Inventory: Know exactly what SAP licenses your organization owns, including how many of each user type, and what engines or packages (and their metrics) you're entitled to. Also, track any changes, such as additional purchases or terminated licenses. This inventory serves as your baseline during an audit, allowing you to compare it against actual usage.
- Ensure System Landscape Accuracy: Regularly update your SAP Support Portal and internal records with the status of all your SAP systems, including production, development, test, and decommissioned systems. SAP will use the Support Portal's system list when planning the audit scope. If a system is listed as active there, you may be asked to audit it. For example, if you quietly retired an old ERP instance but didn't inform SAP, auditors might insist it be measured, causing confusion and possibly counting phantom users. Keeping this accurate avoids unnecessary work and false compliance issues (such as old test systems reporting usage).
- Implement Periodic Self-Audits: As described in the defense strategy, schedule internal license audits on a quarterly or semiannual basis. Each time, simulate the audit process: run USMM on every production system (and any relevant non-production systems), then run LAW to consolidate the results. Review the results carefully to identify any compliance gaps. This way, you catch problems early. Make it a routine IT task, not an ad-hoc fire drill.
- Clean House Continuously: Develop a habit of monthly or quarterly user and license housekeeping. For example, HR should inform IT of employee departures so their SAP accounts can be locked or deleted promptly. IT should regularly check for inactive users, duplicate user IDs, and correct classification issues. It's much easier to clean 10 users per month than 500 right before an audit. Many companies find that up to 10-15% of named users can be safely removed or demoted (e.g., test users, service accounts no longer in use, or former employees), a significant risk reduction.
- Stay Informed About SAP Policies: Keep an eye on SAP announcements or user group forums for any updates to audit policies or tools. For instance, SAP might release a new Note to measure a particular engine differently, or introduce a new "SAP for Me" dashboard feature for license usage. Being aware means you won't be caught off guard during an audit if SAP asks for data from a new tool or method.
By having these practices in place, when the formal audit comes, about 90% of the work is already done.
When the Audit Notification Arrives
Despite ongoing prep, an official audit letter can still raise anxiety. Here's how to proceed once SAP notifies you of an audit (often giving ~3-4 weeks to submit data):
- Read the Notice Carefully: Audit communications from SAP will list the systems in scope, the timeframe to respond, and any specific instructions (such as applying certain SAP Notes for measurement). Check if it's a standard annual audit or if there's any indication of a special focus (SAP may sometimes mention one, such as indirect usage checks). Share this information with your internal SAP team and stakeholders immediately so everyone is on the same page regarding deadlines and expectations.
- Assemble Your Audit Team: Identify who will be involved in executing the audit. Typically: your SAP Basis administrator or system admin (to run USMM/LAW), your SAM or licensing manager (to compile results and interpret them), perhaps a representative from each functional area (to help classify users or answer usage questions), and procurement/contract managers (to provide entitlements info). Also, line up an external advisor if you plan to use one, so they're aware of the timing.
- Apply Required SAP Notes: SAP often includes a list of Support Notes or patches that must be installed in each system before measurement. These Notes update the measurement programs to the latest version and ensure certain products are measured correctly. For example, SAP might provide a Note to accurately count the usage of a new S/4HANA module. Apply these notes promptly (usually, your Basis admin can do this via SAP Service Marketplace). Pro Tip: Test the Note in a sandbox if possible, to ensure it doesn't disrupt anything. And document which notes were applied where.
- Configure Measurement Tools: In the USMM transaction, verify the measurement settings. Ensure that all relevant client systems are set to be measured, and irrelevant ones are excluded (for example, you typically exclude pure test clients or training clients if allowed). In LAW, load the measurement plan (SAP's audit notice often includes a scope file listing systems to import into LAW). This ensures LAW expects data from the right systems. Proper configuration prevents omissions or duplicate counts.
- Run the Measurement (USMM -> LAW): Schedule the measurements during a period of minimal system activity if possible (to avoid performance impact). Run USMM on each in-scope system. Collect the resulting measurement files. Import them into LAW and perform consolidation. Review the LAW output carefully:
- Check the total number of named users per license type against your entitlements.
- LAW will flag if a user has accounts on multiple systems. Ensure that duplicates are properly identified (LAW identifies them by user alias or matching criteria; verify that this works as expected to prevent double counting of the same person).
- Investigate anomalies: If LAW shows 1,200 professional users but you expected 1,000, dig in. Is it counting deactivated users or ones that should be duplicates? LAW has a user list; use it to spot outliers. Perhaps some users weren't set to "inactive" properly, or some have different usernames across systems that LAW didn't link. In this case, you might use LAW's manual matching to combine them. Also, identify any "Unclassified" users; these default to the highest category (Professional), which can inflate counts if not corrected.
- For engines, if any show consumption over 100% of the licensed amount, note those. For instance, maybe SAP ERP Human Capital Management reports 1,100 active employees vs. 1,000 licensed. Mark this for action (might need to true up or see if data cleanup is possible, such as for terminated employees still being counted).
- Save the interim LAW report for internal use.
- User Classification Adjustments: This step is crucial. The USMM measurement classifies users based on how they are set in each system. Now is the time to correct misclassifications before finalizing results. Common checks:
- Expired/Locked Users: Ensure that users who have left or are no longer in use are flagged as expired or locked with a date before the audit measurement, so they are not counted. SAP allows excluding users who haven't logged in within a certain time if properly marked (late logon rules).
- Multiple Logons: Look for users that may represent the same person, especially if not automatically detected by LAW. Adjust so one person = one license.
- Dialog vs. Technical: Make sure system or technical accounts are set as "technical" user type if they aren't meant to count as a named user. Only dialog (interactive) users are usually licensed; background users can often be excluded if properly identified.
- Developer vs. Operational: Check if any developers were misclassified as end users or vice versa. For example, "WORKBENCH" users (developers) should generally have a Developer license, not a Professional, unless they also do operational tasks.
- Default Classifications: Any user without a classification will be counted as Professional on production systems. If you find any, you must classify them to the correct license type they need.
- Validate Engine Measurements: Beyond users, look at the measurement of engines (SAP calls them "objects" in USMM). For any license based on, say, number of orders, product revenue, CPU cores, etc., ensure the measurement makes sense. If something seems off (e.g., an engine count suddenly spiked), investigate why. It might be a misconfiguration or an old test that got counted. If an engine is overused, consider reducing its usage or discussing a definite shortfall with procurement. Also, verify that any engines or modules not in use are reflected as having zero usage. Sometimes, outdated data can report usage for a component that is no longer used, due to a forgotten configuration.
- Compile and Double-Check Data to Submit: Once you're satisfied with the measured results, compile the final LAW consolidation report and any supplementary documents:
- LAW Report: This is usually an aggregate summary of users by license type and engine consumption vs licenses.
- Self-Declaration Forms: SAP may require you to fill out spreadsheets or forms for specific products (e.g., the number of SAP Crystal Reports named users or the number of third-party applications interfacing for indirect use). Fill these out carefully. Get the data from relevant teams if needed. For example, your HR team may need to provide an exact employee headcount if the HR module is licensed per employee.
- Additional Notes: If there were any special circumstances or manual adjustments, you can prepare a short note or explanation to accompany the data. For example, "We excluded 50 users who are on long-term leave (all locked as of last month); see Appendix for list" or "Module X was implemented but not actively used; measured usage reflects test data only." These can preempt questions.
- Submit to SAP and Confirm Receipt: Send the required data through the channel specified by SAP (often their support portal or email). It's a good idea to politely ask the SAP auditor for confirmation that they have received all the necessary items. Keep copies of everything sent. After this point, it's a bit of a waiting game for SAP's analysis. Use this time to prepare for potential outcomes. If you suspect any compliance gaps, begin strategizing how to address them; see the negotiation section for guidance.
Practical Tips and Examples
- Example (User Cleanup): A company preparing for an audit found 300 users who hadn't logged into SAP in over a year. They locked these accounts and set an expiration date before running USMM, which excluded those users from the count. This action brought their named user count below their license count, avoiding a non-compliance finding for inactive users.
- Example (Duplicate Users): In a LAW consolidation, an SAP admin notices that "J. Smith" in ERP and "John Smith" in CRM were not automatically matched, causing the user to be counted twice. They use LAW's manual mapping to link these as one person, thus reducing the total count by one, and accurately representing the license requirement.
- Test User Allowance: SAP generally allows a small percentage of users to be designated as test users on production (commonly up to 5-10%) who don't require a full license, as long as they are marked. Ensure you leverage this if applicable. For example, if you have accounts used only for testing or training, label them properly (SAP Note often provides guidance on how to do this). Auditors will check if you exceeded the allowed number of test IDs.
- Involve the Business: If certain numbers seem odd, talk to business process owners. For example, if engine usage for "SAP Payroll" is higher than expected, HR might explain that a lot of contractors were processed through the system this year, which increased the count. That intel prepares you to explain it to SAP or consider buying extra capacity.
- Dry Run with an Expert: If the budget allows, some companies engage an SAP licensing consultant or use a SAM tool right before submission to do a "sanity check." They might catch things you missed, say, a specific license type definition misinterpreted. As one Software Asset Manager put it, "We treat the internal results almost like an internal audit report, and we had a third-party review it, similar to a financial statements audit, to ensure we weren't misreading anything before it went to SAP."
By the time you hand over data to SAP, you want to be in a position where you more or less know what SAP will find. There should be no dread of the unknown because you've already measured and analyzed your usage.
During the Audit: Communication and Queries
After submission, SAP's auditors may come back with questions or requests for clarification. Some tips:
- Be Responsive and Factual: Reply to SAP's questions within a reasonable time and stick to factual answers. If they ask, "Why did your Professional user count drop from last year?", you might answer, "We conducted a cleanup of unused accounts and optimized license assignments, which reduced the count." This shows you actively manage licenses (a positive impression).
- Don't Volunteer Unasked Data: Provide exactly what is requested, nothing extra. Oversharing can lead to unintended scrutiny. For example, if SAP didn't ask about a specific system, you don't need to highlight an issue there. Stay scope-focused.
- Keep it Professional: Even if you suspect SAP might be gearing up to claim non-compliance, maintain a cordial and cooperative tone. Firmness and defense come later during negotiation, if needed. At the preparation stage, the goal is to demonstrate your competence and good faith.
- Ask for Clarification if Needed: If SAP asks for something unclear, it's okay to ask them to specify. For instance, if the request reads "Please provide user-level details for indirect access," you can reply to seek clarification on exactly what format or data they need. This avoids miscommunication and delays.
Final Check Before Audit Conclusion
If SAP provides a preliminary finding or gives you a chance to review their report draft, use it. Double-check their interpretation of the data. Sometimes auditors make mistakes (e.g., counting a user twice or misidentifying a metric).
You can politely dispute or clarify at this stage, which might correct the record before the final audit report is issued.
By following these steps, you put yourself in the best possible position during an SAP audit: organized, aware of your license position, and ready to address the findings.
This preparation often leads to better outcomes, whether that means a clean compliance report or at least a smaller true-up bill with no surprises.
Recommendations (Preparing for Audit)
- Practice "Continuous Audit Readiness": Treat SAP license compliance as a year-round activity. Regularly run SAP's license measurement tools internally and address issues long before any official audit notice. Being continuously audit-ready means less stress and urgency when the real audit starts.
- Know Your License Entitlements Cold: Keep an updated summary of what you've purchased and any special contract terms. When preparing for the audit, refer to this to ensure you don't exceed entitlements. This helps you focus remediation on real gaps and confidently assert compliance where you meet the terms.
- Thoroughly Clean and Verify Data: Before submitting anything to SAP, do an exhaustive cleanup of user accounts and license assignments. Double-check consolidated results (LAW) for duplicates or anomalies. It's far easier to correct data on your side first than to explain discrepancies to SAP later.
- Involve the Right People: Audit prep isn't just an IT task. Engage HR (for user status), department heads (to validate the needs of critical users), and procurement and legal (for contract insights) early in the preparation process. A coordinated approach ensures that all angles are covered and that there are no surprises (e.g., a branch office setting up a new SAP system without central IT's knowledge; that needs to be in scope!).
- Use Available Tools and Notes: Always apply the latest SAP measurement notes and use tools like LAW properly. They exist to help get accurate data. If you're unsure about tool settings or outputs, seek expert help before submitting your work. It's part of the preparation to ensure you wield the tools correctly for a fair outcome.
- Anticipated Focus Areas: Based on SAP's audit trends, expect indirect usage, user classification, and engine metrics to be the primary areas of focus. Proactively gather information and rationales for these areas during prep. For example, if you know you have a Salesforce integration, prepare an explanation of how those users are licensed (or why they don't need a license under your contract). Being one step ahead in addressing likely questions can shorten the audit and build credibility with the auditors.
Read our SAP Audit Defense Strategy.