SAP Audit Defence · Case Study · Swiss Multinational

SAP Audit Defence for a Multinational Swiss Company: CHF 25 Million Claim Reduced by 94%

A leading Swiss multinational with over 100,000 employees and operations in more than 50 countries faced an aggressive SAP compliance audit alleging significant non-compliance across indirect access, user licensing, and unreported usage. Redress Compliance dismantled the inflated claims, corrected material overestimations, and negotiated a 94% reduction in financial exposure, while implementing governance frameworks to prevent future disputes.

Initial SAP Claim: CHF 25M
Final Settlement: CHF 1.5M
Claim Reduction: 94%
Employees Worldwide: 100K+

This case study is part of our SAP Audit Defence Case Studies series. For broader guidance, see our SAP Licensing Knowledge Hub and the SAP Audit Defence Service.

01. The Challenge: A CHF 25 Million SAP Audit Claim

When SAP's compliance team delivered its audit findings to a leading Swiss multinational, the financial exposure was severe: CHF 25 million in alleged non-compliance. For a company with operations spanning more than 50 countries and SAP systems that underpinned supply chain management, financial consolidation, and human resources for over 100,000 employees, this was not merely a financial shock. It threatened to derail technology budgets, strain the relationship with a critical vendor, and expose the IT leadership team to uncomfortable board-level scrutiny.

The company's SAP estate was extensive and complex. Multiple SAP ERP instances served regional operations across Europe, Asia, and the Americas. SuccessFactors managed global HR processes. SAP BW supported enterprise-wide reporting. Dozens of third-party systems and custom interfaces connected to SAP through various integration points. SAP's audit report identified discrepancies across three principal areas: indirect access (third-party systems accessing SAP data without corresponding named user licences), licensing misalignments (users classified under incorrect licence types), and unreported usage across global operations.

50+ countries. Global operations across Europe, Asia-Pacific, and the Americas, each with regional SAP instances and local system integrations creating complex licence mapping challenges.
100,000+ employees. A workforce spanning manufacturing, logistics, finance, and corporate functions, all interacting with SAP systems through direct access, self-service portals, and integrated third-party applications.
Multiple SAP instances. Regional ERP deployments, a global SuccessFactors implementation, SAP BW for analytics, and dozens of custom interfaces connecting third-party systems to SAP data.

02. Understanding SAP's Audit Methodology and Its Weaknesses

Before constructing a defence strategy, it is essential to understand how SAP builds its audit claims. SAP's compliance programme operates under contractual audit rights embedded in the standard SAP licence agreement. In practice, SAP audits rely on system measurement reports (typically generated by SAP's License Administration Workbench, or LAW), combined with transaction usage data, user master records, and RFC connection logs. However, SAP's audit methodology contains structural weaknesses that experienced advisors can identify and challenge.

Indirect access inflation. SAP historically counted every system or interface that reads or writes SAP data as requiring named user licences for each individual who might trigger such access, even if those individuals never log into SAP directly. This single issue can account for 40-60% of a large audit claim. Since SAP's 2018 introduction of digital access licensing, the rules have evolved, but audits frequently apply the most conservative (and expensive) interpretation to pre-existing indirect access scenarios.

User classification errors. SAP audits frequently reclassify users into more expensive licence types based on transaction log analysis. A user who executed a single SAP Professional-level transaction in a 12-month period may be classified as requiring a Professional licence (approximately EUR 4,500) rather than a Limited Professional licence (approximately EUR 1,500). The audit methodology does not typically account for accidental, one-time, or test-related transaction executions.

Dormant and duplicate accounts. SAP's LAW measurement counts all active user accounts, including those belonging to departed employees, service accounts, and test users. In large global environments with 100,000+ employees, the gap between "active accounts in SAP" and "actual users who need licences" can be substantial.

SAP audits are not neutral assessments. They are commercial events where SAP's compliance team has a financial incentive to interpret ambiguous scenarios conservatively, meaning in SAP's favour. Every finding must be verified independently, because in our experience, 50-70% of initial SAP audit claims contain material inaccuracies that can be successfully challenged.

03. Our Approach: Systematic Audit Deconstruction

Redress Compliance deployed a structured four-phase approach to dismantle SAP's audit claims, validate the company's actual licence position, and negotiate a settlement that reflected genuine usage rather than inflated assumptions.

Phase 1: Comprehensive Audit Review and Analysis (Weeks 1-4). We conducted a line-by-line review of SAP's audit report, cross-referencing every claim against the company's actual contracts, historical purchase records, and system data. This phase identified the specific areas where SAP's findings were overstated, including indirect access claims that applied incorrect licensing metrics to pre-2018 integration scenarios. We also reviewed all historical licence agreements and amendments across 15+ years to identify entitlements that SAP's audit team had failed to account for.
Phase 2: Usage Validation and Optimisation (Weeks 5-10). We performed an independent usage analysis across all SAP instances globally, validating actual user activity against SAP's licence classifications. This involved analysing transaction logs for over 85,000 named user accounts to determine genuine licence requirements versus SAP's assumptions. We identified thousands of dormant accounts, duplicate user records across regional instances, and users who had been incorrectly classified into higher-cost licence tiers.
Phase 3: Strategic Negotiations with SAP (Weeks 11-16). Armed with a corrected usage report that demonstrated material discrepancies in SAP's original findings, we entered structured negotiations with SAP's compliance and commercial teams. Our approach combined technical evidence (corrected user counts, validated indirect access scenarios) with commercial strategy (the company's long-standing SAP partnership, future investment plans, and the reputational risk to SAP of pursuing an indefensible claim).
Phase 4: Governance Implementation (Weeks 16-18). With the settlement agreed, we developed an internal compliance governance framework to prevent future audit exposure. This included automated licence monitoring tools, standardised user provisioning and deprovisioning processes, an indirect access register for all SAP-connected systems, and training programmes for IT and procurement teams across all major regions.

04. Challenge One: Dismantling Indirect Access Claims

Indirect access represented the largest component of SAP's CHF 25 million claim, approximately CHF 14 million. SAP alleged that dozens of third-party systems (CRM platforms, e-commerce portals, supply chain tools, and customer-facing applications) were accessing SAP data without corresponding named user licences.

The CRM integration claim: CHF 6.2 million challenged. SAP claimed that all 8,500 Salesforce CRM users required SAP named user licences because the CRM accessed SAP master data. Our analysis mapped the actual data flows: the integration was read-only for pricing reference data and used a single RFC connection for batch synchronisation. Individual CRM users never initiated SAP transactions. Under SAP's own digital access licensing framework (introduced in 2018), this scenario was appropriately licensed through digital access documents rather than named users. We demonstrated that the CRM integration required digital access licensing for approximately 50,000 order documents per year rather than 8,500 named user licences. The cost differential: approximately CHF 180,000 for digital access versus CHF 6.2 million for named users. SAP accepted our analysis, reducing this single claim by over 97%.

Similar patterns repeated across the company's other integration points. An e-commerce platform that created sales orders in SAP was claimed as requiring named user licences for all website visitors. A supplier portal that allowed vendors to check invoice status through a web interface was claimed as indirect access for all 12,000 registered suppliers. In each case, we mapped the actual technical integration, identified the correct licensing mechanism, and presented SAP with evidence that their claims were overstated by orders of magnitude.

05. Challenge Two: Correcting User Classification Overstatements

SAP's audit reclassified approximately 15,000 users from lower-cost licence types (Limited Professional, Employee Self-Service) to the most expensive Professional licence tier. The basis for this reclassification was transaction log data showing that these users had, at some point during the measurement period, executed at least one transaction that SAP classified as requiring Professional-level access.

One-time or accidental transactions: 4,200 users had executed a Professional-tier transaction exactly once in the 12-month measurement period. In most cases, this was an accidental menu click, a training exercise, or a test during system migration. SAP's methodology did not distinguish between sustained use and a single event.
Service and batch accounts: 1,800 accounts flagged as Professional users were actually system service accounts (used for automated batch processing), test accounts (used during development and QA), or integration accounts. These should not have been counted as named user licences at all.
Departed employees: 3,400 user accounts belonged to employees who had left the company but whose accounts had not been deactivated in SAP. These dormant accounts inflated the user count without representing any actual licence requirement.
Duplicate accounts across regions: 2,100 users had accounts in multiple regional SAP instances. SAP's audit counted each account separately, doubling the licence requirement for these individuals.
Incorrect licence type mapping: 3,500 users who genuinely needed access were classified as Professional when their actual transaction patterns warranted Limited Professional or Employee Self-Service licences.

| Category | SAP's Claim | Our Verified Position | Reduction |
|---|---|---|---|
| Indirect access (named users claimed) | CHF 14.0M | CHF 0.4M (digital access) | 97% |
| User reclassification (Professional tier) | CHF 8.5M | CHF 0.8M (genuine shortfall) | 91% |
| Unreported regional usage | CHF 2.5M | CHF 0.3M (after deduplication) | 88% |
| Total | CHF 25.0M | CHF 1.5M | 94% |

06. Challenge Three: Resolving Unreported Regional Usage

The third component of SAP's claim, CHF 2.5 million for unreported usage, related to SAP deployments in regional offices that had not been captured in the company's central licence register. Over two decades of growth and acquisitions, several business units had deployed SAP modules locally without formal licence procurement through the central IT organisation.

Account deduplication. SAP counted users in regional instances who already held licences under the global enterprise agreement. After deduplication, 60% of the "unreported" users were already legitimately licensed.
Decommissioned systems. Two of the flagged regional instances had been decommissioned during a recent infrastructure consolidation project. SAP's audit data was based on historical system measurement reports that predated the decommissioning.
Correct licence type. The remaining genuine shortfall (approximately 400 users in acquired subsidiaries) required SAP Business One licences at approximately EUR 700 each, not the full ERP Professional licences at EUR 4,500 that SAP had assumed.
CHF 2.5M reduced to CHF 0.3M. After deduplication, decommissioning verification, and correct licence type mapping, the unreported usage component reduced from CHF 2.5M to approximately CHF 300,000.

07. The Negotiation: From CHF 25 Million to CHF 1.5 Million

With our independent analysis complete, we entered structured negotiations with SAP. The negotiation strategy combined technical evidence with commercial positioning.

1. Lead with technical evidence. We presented SAP's compliance team with a 120-page corrected usage report that systematically dismantled every inflated claim. Each finding was supported by data flow diagrams, transaction log extracts, HR records, and contract references. The quality and depth of this evidence made it clear that SAP could not sustain its original position in any formal dispute.
2. Frame the commercial context. We positioned the negotiation within the company's broader SAP investment. The company was evaluating a potential RISE with SAP migration, SuccessFactors expansion, and BTP adoption, representing significant future revenue for SAP. An aggressive audit settlement risked souring a relationship worth far more to SAP than a one-time compliance payment.
3. Offer genuine remediation. Rather than simply rejecting SAP's claims, we acknowledged the genuine compliance shortfalls (approximately 2,200 incorrectly classified users and 400 unreported regional users) and proposed a fair resolution. This credibility, accepting responsibility for legitimate gaps while challenging inflated ones, was essential to reaching a productive settlement.

Final settlement structure. CHF 1.5 million total, comprising approximately CHF 800,000 for user classification corrections, CHF 400,000 for digital access licensing to address indirect access scenarios properly, and CHF 300,000 for regularising the acquired subsidiary deployments. The settlement included a restructured licence agreement with additional licensing flexibility, pre-agreed pricing for the anticipated SuccessFactors expansion, and a commitment from SAP to adopt digital access licensing going forward. Net result: CHF 25 million reduced to CHF 1.5 million, a 94% reduction.

"Redress Compliance's expertise in SAP audit defence was transformative. Their strategic approach reduced our financial exposure and strengthened our internal processes. They were a trusted partner throughout this challenging experience." CIO, Swiss Multinational

08. Governance Implementation: Preventing Future Audit Exposure

Resolving an audit claim is only half the engagement. Without governance improvements, the same conditions that created the original exposure will generate future compliance risks.

Automated licence monitoring. Deployed tools to track SAP user accounts, licence classifications, and transaction activity in real time across all global instances. Alerts trigger when user counts approach contracted thresholds or when new integration points are established.
Indirect access register. Created and documented a comprehensive register of all systems that connect to SAP, including data flow direction, integration method (RFC, API, file transfer), and the applicable licensing mechanism (named user, digital access, or exempt). New integrations require licensing review before deployment.
User lifecycle management. Standardised user provisioning and deprovisioning processes globally. When an employee departs, their SAP accounts are deactivated within 5 business days across all instances. Quarterly reconciliation of SAP user accounts against HR master data identifies orphaned accounts.
Periodic internal audits. Established a semi-annual internal licence review process, conducted by the company's SAM team with Redress Compliance providing annual independent validation. This catches compliance drift before it accumulates into material exposure.
Training and awareness. Delivered training sessions for IT, procurement, and business unit leaders across all major regions, covering SAP licensing models, indirect access rules, and the importance of central licence governance.
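
The quarterly reconciliation of SAP accounts against HR master data described above, sketched as an added example (it is not Redress Compliance's or SAP's tooling). The record layouts, instance labels, and account names are constructed assumptions rather than an SAP export format, and public holidays are ignored when counting business days.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

GRACE_BUSINESS_DAYS = 5  # deactivation window stated in the governance framework

@dataclass(frozen=True)
class Account:               # hypothetical layout for one SAP user master row
    instance: str            # regional instance label (constructed)
    user_id: str
    employee_id: Optional[str]   # None for technical accounts
    kind: str                # "dialog", "service" or "test"
    locked: bool

@dataclass(frozen=True)
class HrRecord:              # hypothetical layout for one HR master row
    employee_id: str
    left_on: Optional[date]  # None while still employed

def business_days_since(start: date, end: date) -> int:
    """Weekdays (Mon-Fri) after `start`, up to and including `end`."""
    days = (end - start).days
    return sum(1 for n in range(1, days + 1)
               if (start + timedelta(days=n)).weekday() < 5)

def reconcile(accounts, hr_records, today, grace_days=GRACE_BUSINESS_DAYS):
    """Split active accounts into the categories the case study describes."""
    hr = {r.employee_id: r for r in hr_records}
    report = {"orphaned": [], "pending": [], "technical": []}
    by_person = defaultdict(list)
    active = [a for a in accounts if not a.locked]
    for acct in active:
        key = (acct.instance, acct.user_id)
        if acct.kind != "dialog":
            report["technical"].append(key)    # service/test: review separately
            continue
        person = hr.get(acct.employee_id)
        if person is None:
            report["orphaned"].append(key)     # no matching HR record at all
        elif person.left_on is None:
            by_person[acct.employee_id].append(key)
        elif business_days_since(person.left_on, today) > grace_days:
            report["orphaned"].append(key)     # leaver, past the grace window
        else:
            report["pending"].append(key)      # leaver, still inside the window
    # One person holding several active accounts is counted once, not per account.
    report["duplicates"] = {e: k for e, k in by_person.items() if len(k) > 1}
    report["raw_active_accounts"] = len(active)
    report["distinct_people"] = len(by_person)
    return report

# Constructed sample data, for illustration only.
SAMPLE_TODAY = date(2024, 3, 29)
SAMPLE_HR = [
    HrRecord("E100", None),
    HrRecord("E200", date(2024, 1, 15)),
    HrRecord("E300", date(2024, 3, 26)),
    HrRecord("E400", None),
]
SAMPLE_ACCOUNTS = [
    Account("EMEA", "JDOE", "E100", "dialog", False),
    Account("APAC", "JDOE2", "E100", "dialog", False),
    Account("EMEA", "ASMITH", "E200", "dialog", False),
    Account("AMER", "ASMITH", "E200", "dialog", True),
    Account("EMEA", "BLEE", "E300", "dialog", False),
    Account("EMEA", "RFC_CRM", None, "service", False),
    Account("AMER", "QA_TEST01", None, "test", False),
    Account("APAC", "GHOST", "E999", "dialog", False),
    Account("AMER", "MKIM", "E400", "dialog", False),
]

if __name__ == "__main__":
    for name, value in reconcile(SAMPLE_ACCOUNTS, SAMPLE_HR, SAMPLE_TODAY).items():
        print(f"{name}: {value}")
```

On the sample data the raw count of active accounts is four times the number of distinct current employees, which is the gap between "active accounts in SAP" and actual users that the case study describes.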

09. Key Lessons: What Every Enterprise Should Learn from This Case

1. Never accept SAP's findings at face value. SAP's initial claim was CHF 25 million. The verified exposure was CHF 1.5 million. A 94% discrepancy is not unusual. In our experience, SAP audit findings are overstated by 50-80% as a matter of course. Independent verification is not optional; it is essential.
2. Indirect access is the highest-value battleground. Indirect access accounted for 56% of SAP's initial claim (CHF 14M of CHF 25M) but only 27% of the final settlement (CHF 0.4M of CHF 1.5M). This is where SAP's most aggressive interpretations produce the most inflated numbers, and where specialist knowledge delivers the greatest savings.
3. User account hygiene is a material financial risk. Dormant accounts, duplicates, and departed employees inflated this company's user count by over 7,000. At Professional licence list prices, that represents approximately CHF 4.7 million in phantom licence requirements. Regular user account reconciliation is one of the simplest and most effective compliance investments.
4. Transaction log analysis requires expert interpretation. SAP's methodology reclassified 15,000 users based on transaction logs. Our analysis reduced the genuine reclassification requirement to 2,200. The difference was understanding the context behind the data: one-time transactions, test activity, service accounts, and classification rules that SAP's audit team applied without nuance.
5. Negotiate from credibility, not denial. We achieved a 94% reduction not by denying everything, but by acknowledging genuine shortfalls while challenging inflated ones. Presenting SAP with a credible corrected position, supported by evidence, created a productive negotiation dynamic that blanket denial would not have achieved.
6. Historical contracts contain hidden entitlements. Reviewing 15+ years of licence agreements revealed entitlements that SAP's audit team had not accounted for, including bundled licences from prior enterprise agreements, successor product rights, and promotional grants. Comprehensive entitlement archaeology is a critical component of audit defence.
7. Governance prevents repeat exposure. The conditions that created CHF 25 million in alleged exposure (dormant accounts, undocumented integrations, and regional deployments outside central oversight) are preventable. The governance framework we implemented costs a fraction of what the company would have paid without it.
8. Global complexity demands global visibility. Operations in 50+ countries meant SAP usage patterns that no single regional team fully understood. Central visibility across all instances, all user accounts, and all system integrations is a prerequisite for both compliance and cost optimisation.

10. Why Independent Advisory Transforms SAP Audit Outcomes

The difference between this company's outcome, CHF 1.5 million, and what it would have paid without independent advisory is stark. Companies that negotiate SAP audit settlements internally, without specialist support, typically resolve at 30-50% of the initial claim. This company resolved at 6%. The difference is expertise, evidence, and negotiation strategy that internal teams rarely possess.

Deep SAP licensing expertise. SAP licensing is a specialised discipline. Indirect access rules, user classification frameworks, digital access pricing, sub-capacity licensing, and contract interpretation require knowledge that is not typically available within enterprise IT or procurement teams. Redress Compliance's consultants have decades of combined experience working directly with SAP licensing, including former SAP employees who understand how SAP builds and pursues audit claims from the inside.
Evidence-based challenge capability. SAP's audit teams are accustomed to customers who lack the technical capability to challenge findings at a granular level. When an independent advisor produces a 120-page corrected usage report with data flow diagrams, transaction log analysis, and contract references, the dynamic changes fundamentally. SAP knows that unsupported claims will not survive scrutiny.
Complete vendor independence. Redress Compliance has no commercial relationship with SAP. No partner status, no resale revenue, no referral commissions. Our audit defence recommendations are exclusively aligned with our client's interests. This is a critical distinction from advisory firms that hold SAP partnerships and may have financial incentives to recommend settlement rather than challenge.

This engagement delivered a return on advisory investment of over 15:1, CHF 23.5 million in avoided costs against a fraction of that in advisory fees. More importantly, the governance framework provides ongoing protection that will prevent the accumulation of compliance drift for years to come.

Frequently Asked Questions

How common is it for SAP audit claims to be significantly overstated?

Very common. In our experience across hundreds of SAP audit engagements globally, initial SAP claims are overstated by 50-80% as a matter of course. The overstatement results from SAP's measurement methodology, which applies conservative assumptions about indirect access, user classification, and account activity. Without independent challenge, companies routinely settle at 3-5 times their actual compliance exposure.

What is indirect access, and why does it drive the largest audit claims?

Indirect access occurs when a third-party system (CRM, e-commerce platform, supplier portal, or any non-SAP application) reads or writes data in SAP. SAP historically required named user licences for every individual who interacted with these third-party systems, even if they never saw or touched SAP directly. Since 2018, SAP has offered digital access licensing (priced per document rather than per user) as an alternative. However, audits frequently apply the most expensive interpretation. Indirect access typically accounts for 40-60% of large SAP audit claims.

Can SAP force a company to pay the full audit claim?

No. SAP's contractual audit rights allow them to measure compliance and identify shortfalls, but the financial resolution is negotiated, not imposed. SAP cannot unilaterally demand payment. If agreement cannot be reached, the matter could theoretically escalate to formal dispute resolution, but SAP almost always prefers negotiation because litigation is expensive, uncertain, and damaging to customer relationships. Companies with strong evidence and independent advisory support consistently achieve dramatically better outcomes.

How long does an SAP audit defence engagement typically take?

Most SAP audit defence engagements take 12-20 weeks from initial engagement to agreed settlement, depending on the complexity of the SAP estate and the scope of the audit claims. The phases are: audit review and analysis (3-4 weeks), independent usage validation (4-6 weeks), negotiation preparation and execution (4-6 weeks), and governance implementation (2-4 weeks).

Should we involve Redress Compliance before or after receiving SAP's audit findings?

Ideally before. If you know SAP is initiating an audit, engaging advisory support immediately allows us to manage the audit process from the outset, controlling what data is provided, ensuring SAP's measurement methodology is appropriate, and identifying issues proactively. However, most clients engage us after receiving SAP's findings, and the results are still excellent. In this case study, the company engaged us after receiving a CHF 25 million claim, and we achieved a 94% reduction.

What does governance implementation involve after an audit is resolved?

Governance implementation creates the systems and processes that prevent future compliance exposure. Key components include: automated licence monitoring tools that track user accounts and classifications in real time, user lifecycle management (linking SAP account provisioning and deprovisioning to HR processes), an indirect access register documenting all SAP-connected systems, periodic internal licence reviews (typically semi-annual), and training for IT and procurement teams.

Does Redress Compliance have any commercial relationship with SAP?

No. Redress Compliance is a 100% independent advisory firm with no commercial relationship with SAP or any other software vendor. We do not resell SAP licences, hold SAP partner status, or earn referral commissions. This complete vendor independence ensures our audit defence strategies and negotiation recommendations are exclusively aligned with our clients' interests.


Fredrik Filipsson

Co-Founder, Redress Compliance

Fredrik Filipsson is the co-founder of Redress Compliance, a leading independent advisory firm specialising in Oracle, Microsoft, SAP, IBM, and Salesforce licensing. With over 20 years of experience in software licensing and contract negotiations, Fredrik has helped hundreds of organisations, including numerous Fortune 500 companies, optimise costs, avoid compliance risks, and secure favourable terms with major software vendors.
