SAP's audit focus is shifting as the company adapts its compliance efforts to new usage models and products. Auditors now scrutinise indirect/digital access via third-party systems, cloud subscription metrics, HANA memory consumption, BTP usage, and how customers manage licences during S/4HANA migrations. This playbook outlines the key audit trends and provides strategic recommendations to help CIOs mitigate compliance risk and approach SAP audit engagements from a position of strength.
SAP's Right to Audit: All SAP licence agreements grant SAP the right to perform audits of customers' software usage. Traditionally, on-premise customers undergo a yearly self-measurement using SAP's tools (LAW/USMM) to report licence consumption, with SAP reserving the right to initiate a deeper audit if discrepancies or risks are suspected. The audits verify that the number of licences purchased aligns with actual usage across named users and engine metrics.
SAP formed a dedicated Global Licence Auditing and Compliance (GLAC) team in 2018 to standardise this process worldwide, underscoring the importance of compliance in SAP's revenue protection strategy. In an audit, if unlicensed use is found, SAP can require customers to purchase additional licences — often at list price with back maintenance — or pursue legal remedies in extreme cases.
SAP's audit posture has hardened and adapted over the past decade. High-profile compliance disputes — such as the 2017 Diageo case over indirect use — signalled to customers that SAP would enforce contract terms even for usage via non-SAP systems. The UK High Court ruling in SAP v Diageo established that SAP could charge named-user licence fees for indirect access by external systems, fundamentally changing the compliance landscape.
In response, SAP introduced initiatives like "Project Trust" around 2018 to modernise licensing and auditing practices. This included clearer definitions for indirect access and the new Digital Access licensing model, which charges by documents created via indirect use — providing an alternative to classic named-user licences for third-party scenarios. For a comprehensive analysis, see our SAP Indirect & Digital Access Licensing Playbook.
During the early 2020s, SAP also shifted its approach to cloud products. Rather than traditional audits, cloud subscriptions (SuccessFactors, Ariba, S/4HANA Cloud) are monitored directly through SAP's cloud platforms. Contract usage limits — users, transactions, storage — are enforced through system controls or periodic usage reviews, especially at renewal time.
In 2025/2026, as many customers transition to S/4HANA and the cloud, SAP's audit strategy strikes a balance between encouraging migration and maintaining a firm stance on compliance. The result: audits are targeting new risk areas — indirect access, cloud metrics, HANA memory — and SAP is less tolerant of grey areas, given the years of warnings and programmes implemented.
Indirect use of SAP systems — when non-SAP applications or external users interact with SAP data via interfaces — remains a top audit focus. SAP auditors are reviewing third-party integrations, APIs, robotic process automation (RPA) bots, and any external portals connected to SAP to identify unlicensed usage.
SAP's 2018 Digital Access model charges for nine specific document types (Sales Orders, Purchase Orders, Invoices, etc.) when triggered indirectly. By 2025/2026, SAP expects customers to have addressed indirect usage either via named users or by adopting Digital Access licences. Audit teams are now verifying whether customers who opted for traditional licensing are inadvertently generating large volumes of documents through external systems without proper licences.
An e-commerce site or CRM system creates sales orders in SAP. SAP will insist these transactions are licensed — either through sufficient Digital Document licences or other contract provisions.
Robotic process automation tools creating purchase orders, invoices, or goods receipts in SAP. Each document created counts toward the Digital Access metric, regardless of whether a human initiated the action.
Salesforce, Microsoft Dynamics, or other systems pulling or pushing data to/from SAP. If these integrations create or modify SAP documents, they require licensing under the Digital Access model.
Self-service portals where external users (customers, vendors) submit orders, confirm deliveries, or approve invoices that flow into SAP. Every document created counts, potentially generating hundreds of thousands of billable events annually.
For complete strategies on managing indirect access exposure, see our dedicated playbooks: SAP Indirect & Digital Access: CIO Playbook and SAP Digital Access: The Complete Guide.
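The four scenarios above all come down to the same question an auditor asks: which in-scope documents were created by something other than a licensed human in SAPGUI or Fiori? The following Python script is an added example, not SAP's Digital Access Estimation Tool or any code from the page's author. It assumes a simple extract of document headers carrying the creating user, that user's SU01 user type, and (where an interface log records it) the calling external system; the records, the user names and the three-type document set are all constructed placeholders, and you would substitute the nine document types named in your contract.

```python
"""Estimate Digital Access exposure from a document-creation extract.

Added example (not SAP tooling). Inputs are a constructed extract of SAP
document headers; field meanings are assumptions stated in the comments.
"""
from collections import Counter
from dataclasses import dataclass

# Placeholder: the page names three of the nine counted document types.
# Replace with the full list from your Digital Access contract.
COUNTED_DOC_TYPES = {"SALES_ORDER", "PURCHASE_ORDER", "INVOICE"}

# SU01 user types that mark a technical/interface user rather than a person.
TECHNICAL_USER_TYPES = {"SYSTEM", "COMMUNICATION", "SERVICE"}


@dataclass(frozen=True)
class DocRecord:
    doc_id: str
    doc_type: str
    created_by: str   # SAP user that posted the document
    user_type: str    # assumption: SU01 user type of created_by
    client_app: str   # assumption: external system from interface log, "" if none


def is_indirect(rec: DocRecord) -> bool:
    """A document counts as indirectly created when posted by a technical user
    or when an external system is recorded as the caller, even if the
    posting user is a named dialog user acting as a proxy."""
    return rec.user_type.upper() in TECHNICAL_USER_TYPES or bool(rec.client_app)


def estimate_digital_access(records):
    """Return (documents per type, documents per (user, external system))
    for in-scope documents created indirectly."""
    by_type = Counter()
    by_source = Counter()
    for rec in records:
        if rec.doc_type not in COUNTED_DOC_TYPES or not is_indirect(rec):
            continue
        by_type[rec.doc_type] += 1
        by_source[(rec.created_by, rec.client_app or "-")] += 1
    return by_type, by_source


def annualise(by_type, sample_days):
    """Scale a sample window to a 365-day estimate for licence sizing."""
    factor = 365 / sample_days
    return {t: round(n * factor) for t, n in by_type.items()}


# Constructed 30-day sample: a web shop, an RPA bot, a CRM interface,
# a human dialog user, and a dialog user whose credentials a CRM uses.
SAMPLE = [
    DocRecord("SO-1", "SALES_ORDER", "RFC_SHOP", "SYSTEM", "WebShop"),
    DocRecord("SO-2", "SALES_ORDER", "RFC_SHOP", "SYSTEM", "WebShop"),
    DocRecord("SO-3", "SALES_ORDER", "RFC_SHOP", "SYSTEM", "WebShop"),
    DocRecord("SO-4", "SALES_ORDER", "JSMITH", "DIALOG", ""),          # human, not counted
    DocRecord("SO-5", "SALES_ORDER", "JDOE", "DIALOG", "Salesforce"),   # proxy user, counted
    DocRecord("PO-1", "PURCHASE_ORDER", "RPA_BOT", "SERVICE", "UiPath"),
    DocRecord("PO-2", "PURCHASE_ORDER", "RPA_BOT", "SERVICE", "UiPath"),
    DocRecord("IV-1", "INVOICE", "IF_CRM", "COMMUNICATION", "Salesforce"),
    DocRecord("IV-2", "INVOICE", "IF_CRM", "COMMUNICATION", "Salesforce"),
    DocRecord("DL-1", "DELIVERY", "RFC_SHOP", "SYSTEM", "WebShop"),     # out of scope
]

if __name__ == "__main__":
    by_type, by_source = estimate_digital_access(SAMPLE)
    print("in-scope indirect documents:", dict(by_type))
    print("per source:", dict(by_source))
    print("annualised estimate:", annualise(by_type, sample_days=30))
```

The per-source breakdown is the part worth keeping: it ties each document volume to a specific integration, which is what you need both to decide between Digital Access and named-user coverage and to challenge an auditor's figure that attributes documents to the wrong system.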
As more SAP ERP customers run on the SAP HANA database, especially those that have migrated from ECC to Suite on HANA or implemented S/4HANA on-premise, SAP has increased its focus on HANA licensing compliance. HANA is usually licensed on memory capacity: either peak memory usage or the total memory size of the system tier.
SAP's audit teams check peak HANA memory utilisation over the last 12 months against the licensed amount. One spike in memory usage above the licensed level can trigger a compliance finding and a backcharge. HANA is an expensive asset — SAP will enforce the letter of the contract, requiring customers to license the highest memory usage even if it was a one-time peak.
Additional HANA nodes or high-availability clusters that effectively increased memory footprint without additional licences are flagged. Production HANA systems that quietly exceeded their licensed GB capacity are a common finding.
SAP verifies whether customers using HANA for applications beyond the allowed "runtime" scope — e.g., using HANA as a standalone database for custom applications when licensed only for runtime use with SAP applications — have the correct licence type. Per SAP's HANA licensing terms, runtime licences are restricted to use with specific SAP applications only.
As enterprises migrate from SAP ECC (Business Suite 7) to SAP S/4HANA, many have engaged in contract conversion programmes. Under a conversion, a customer may terminate their old ECC licence contract and convert licence value into S/4HANA licences — often with credit toward the new suite. SAP typically grants dual-use rights during the transition, allowing continued use of legacy ECC for a limited time while S/4HANA is implemented.
Audit teams ensure customers are not utilising both ECC and S/4HANA productively beyond the agreed timeline or licensed scope. If a customer is still running ECC productive instances after the contracted period, that usage could be deemed unlicensed.
If a customer received credit or discounts conditional on completing migration by a certain date, auditors may verify whether ECC has been retired as per the contract. SAP could utilise audits as a nudge: customers still on ECC might face stricter enforcement to encourage migration.
If the S/4HANA conversion resulted in different metrics, e.g. Full User Equivalents (FUE) instead of named users, SAP might audit whether the user counts provided for the conversion were accurate. Under the FUE model, an Advanced user counts as 1.0 FUE, a Core user as 0.2 FUE (1/5) and a Self-Service user as roughly 0.03 FUE (1/30).
For comprehensive S/4HANA licensing strategy, see our SAP S/4HANA Licensing Complete Guide and our SAP ECC & S/4HANA Licence Agreements Playbook.
SAP SuccessFactors isn't audited in the traditional on-prem sense — SAP can directly see usage in the cloud. However, SAP's compliance checks are targeting whether customers exceed their licensed number of users. Many contracts are based on number of employees (named subscriptions per employee or contingent worker). Some modules, especially Learning, may be based on concurrent usage.
If a client purchases 5,000 Employee Central users but uploads 5,500 active employee records, the 10% overage will be noted and charged at true-up or renewal. SAP is emphasising periodic compliance certifications — requiring customers to certify the number of active users on an annual basis.
For concurrent-user entitlements, SAP analyses peak concurrent sessions over a period. If a Learning module allows 1,000 concurrent learners but 1,200 participated in company-wide training simultaneously, the contract has been exceeded.
SAP Ariba licences are commonly based on transaction volumes — number of purchasing documents (POs, invoices) processed per year or total spend managed through the platform. In 2025/2026, SAP is tightly enforcing these consumption metrics.
If the contract allows 100,000 invoices per year but 130,000 are processed due to business growth, SAP will flag this and invoice for higher usage or require a tier upgrade. Unlike on-prem software, Ariba's cloud automatically captures these metrics — the "audit" is enforcement at renewal.
Ariba's adoption has matured — SAP is no longer in "land-and-expand" mode but in "monetise actual usage" mode. If transaction volumes trend above licensed amounts, proactively approach SAP to negotiate bulk rates rather than being caught off guard by a compliance claim.
SAP's Business Technology Platform (BTP) — application development, integration services, and database/cloud runtime offerings — is an emerging area of audit attention. BTP is offered in various models (pay-as-you-go cloud credits, subscription bundles, or as part of RISE with SAP) and often involves complex metrics like application instances, memory/CPU, or connection counts.
SAP is examining if customers who deployed custom Fiori apps or extensions have the required BTP entitlements. A portal built on BTP used by thousands of employees might require a specific BTP app service licence in addition to standard ERP user licences.
Basis teams sometimes activate BTP services — Cloud Integration trials, small HANA instances on BTP — without formal licences, and they remain in productive use. SAP has improved monitoring of BTP usage through the BTP cockpit and will notify account teams of customers running services without matching subscriptions.
Audits verify BTP consumption (measured in credits or service units) against contracted amounts. Running more cloud credits than purchased, or using services beyond trial allowances, requires a true-up.
A significant change in SAP's audit approach is the heavy reliance on customer self-declaration of usage for certain metrics, and a keen focus on the integrity of those reports. Not all SAP products can be technically measured by SAP's audit tools — engine metrics like "employee count" for HR modules, "orders processed" for ERP packages, or user counts in cloud services are often reported by the customer.
Each year, SAP asks many customers to fill out self-declaration forms for specific products (e.g., "How many employees are managed in your SAP Payroll system?" or "How many active SuccessFactors Recruiting users do you have?"). These declarations are effectively an audit in disguise: SAP uses them to detect overuse without sending an on-site audit team.
SAP cross-checks data across systems. If you self-declare 10,000 employees on SAP Payroll but your SuccessFactors system (also accessible by SAP) has 12,000 active users, the inconsistency triggers compliance questions.
If a customer submits significantly lower figures than previous years indicated — without a corresponding business event like a divestiture — it raises a red flag. SAP might then initiate a formal audit.
SAP has started requiring the CEO or CFO to sign off on self-declaration forms to emphasise their seriousness. Self-declaration is not a casual task: it can expose you to seven- or eight-figure costs if the declared usage was too low.
To get ahead of SAP auditors and reduce compliance risk, CIOs and IT asset managers should implement proactive measures well before an audit letter arrives.
Run SAP's measurement programmes (USMM for user counting, LAW for consolidating results) at least annually. Check each system for user counts by licence type and usage of engines and packages. Simulate an audit internally: identify compliance issues — excessive Professional users, engines exceeding metrics — and remediate before SAP becomes aware. Involve a cross-functional team (IT, SAP Basis, procurement, finance). See our SAP Named User Licence Optimisation Playbook for detailed methodology.
Create a detailed map of all third-party systems, interfaces, and non-SAP applications that interact with your SAP environment. For each integration, determine how SAP might view that usage. SAP has a Digital Access Estimation Tool that analyses systems for documents created by external means. Third-party licence management solutions can scan SAP logs to identify named users who may be proxies for external systems. See our SAP Digital Access Complete Guide.
Many SAP products are licensed on specific metrics — annual revenue, active employees, database records, CPU cores. Validate each metric in your environment against your licences. If SAP Payroll is licensed for 5,000 employees, check your HR system for actual active master records — including contractors and global employees. Set internal thresholds — e.g., trigger an alert at 90% of licensed capacity.
Examine the transactions and roles each user has in SAP and determine the appropriate licence type. SAP provides guidelines on which transactions require Professional licences. Third-party tools can automate this by mapping roles to licence categories. You may discover 200 users with expensive Professional licences who never go beyond display reports — candidates for downgrade to Limited Professional or ESS. Conversely, upgrade under-licensed users before SAP finds them. See Named User Optimisation for frameworks.
For SuccessFactors, Ariba, Concur, and SAP Analytics Cloud, maintain copies of usage data and logs to reconcile against SAP's figures. Regularly export user lists and statuses from SuccessFactors; download document processing reports from Ariba. If SAP claims you exceeded a metric, you need detailed records to validate or challenge their claim. Assign metric owners per SaaS product. Treat cloud usage data as audit artefacts requiring disciplined management.
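The proactive measures above (the annual self-measurement, the engine-metric validation with a 90% alert threshold, the cloud usage reconciliation) and the HANA peak-memory and FUE checks described earlier are all one pattern: hold an inventory of entitlements, feed in measured usage, and flag anything over or near the limit. This Python script is an added example of that reconciliation, not SAP's USMM/LAW output or any tool from the page's author. The entitlement figures, the monthly HANA samples, the user counts and the metric names are constructed; the FUE ratios are the ones quoted on the page and should be confirmed against your own contract.

```python
"""Reconcile measured SAP usage against entitlements and raise early warnings.

Added example, not an SAP tool. All entitlement and usage figures below are
constructed; metric names are placeholders for whatever your contract defines.
"""
from __future__ import annotations
from dataclasses import dataclass

WARN_RATIO = 0.90  # internal alert at 90% of licensed capacity

# FUE ratios as quoted on the page (Advanced 1.0, Core 0.2, Self-Service 0.03);
# treat as an assumption until confirmed in your conversion contract.
FUE_RATIO = {"advanced": 1.0, "core": 0.2, "self_service": 0.03}


def fue_required(users_by_type: dict) -> float:
    """Convert S/4HANA user counts into Full User Equivalents."""
    unknown = set(users_by_type) - set(FUE_RATIO)
    if unknown:
        raise ValueError(f"no FUE ratio for user types {sorted(unknown)}")
    return round(sum(FUE_RATIO[t] * n for t, n in users_by_type.items()), 2)


def hana_peak_gb(samples: list) -> tuple:
    """Return (period, GB) of the highest sample. SAP licenses the peak,
    so a single spike in one month is the number that matters."""
    return max(samples, key=lambda s: s[1])


@dataclass
class Finding:
    metric: str
    licensed: float
    measured: float
    status: str  # OK | WARN | OVER | UNMEASURED | UNLICENSED


def reconcile(entitlements: dict, measured: dict) -> list:
    """Compare every licensed metric with its measurement and flag usage
    that is unmeasured (a self-declaration gap) or unlicensed entirely."""
    findings = []
    for metric, licensed in entitlements.items():
        if metric not in measured:
            findings.append(Finding(metric, licensed, float("nan"), "UNMEASURED"))
            continue
        value = measured[metric]
        if value > licensed:
            status = "OVER"
        elif value >= WARN_RATIO * licensed:
            status = "WARN"
        else:
            status = "OK"
        findings.append(Finding(metric, licensed, value, status))
    for metric in sorted(measured.keys() - entitlements.keys()):
        findings.append(Finding(metric, 0.0, measured[metric], "UNLICENSED"))
    return findings


# Constructed entitlement inventory (the "licence bible").
ENTITLEMENTS = {
    "hana_memory_gb": 2048,
    "payroll_employees": 5000,
    "s4_fue": 1200,
    "ariba_invoices_per_year": 100_000,
}

# Constructed monthly HANA peak samples; July contains a one-off spike.
HANA_SAMPLES = [
    ("2025-01", 1700.0), ("2025-02", 1720.0), ("2025-03", 1750.0),
    ("2025-04", 1780.0), ("2025-05", 1800.0), ("2025-06", 1830.0),
    ("2025-07", 2100.0), ("2025-08", 1850.0), ("2025-09", 1860.0),
    ("2025-10", 1880.0), ("2025-11", 1900.0), ("2025-12", 1920.0),
]

# Constructed measurements from USMM/LAW, the HR system and cloud exports.
S4_USERS = {"advanced": 800, "core": 1500, "self_service": 6000}
MEASURED_RAW = {"payroll_employees": 4600, "ariba_invoices_per_year": 130_000,
                "btp_cloud_credits": 1500}


def run_baseline() -> list:
    measured = dict(MEASURED_RAW)
    measured["hana_memory_gb"] = hana_peak_gb(HANA_SAMPLES)[1]
    measured["s4_fue"] = fue_required(S4_USERS)
    return reconcile(ENTITLEMENTS, measured)


if __name__ == "__main__":
    for f in run_baseline():
        print(f"{f.status:<10} {f.metric:<26} licensed={f.licensed:>10} measured={f.measured:>10}")
```

Two design points carry over to a real implementation: the HANA check keys on the peak sample rather than an average, because that is the figure SAP compares against the licence, and unmeasured and unlicensed metrics are reported as their own statuses instead of silently passing, since a metric you cannot measure is exactly the one you will have to self-declare.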
| Audit Focus Area | Risk Level | How SAP Detects | Your Defence Strategy |
|---|---|---|---|
| Indirect / Digital Access | Very High | Document counts via SAP system logs; interface analysis; Digital Access Estimation Tool | Map all integrations; simulate document counts; adopt Digital Access licences or ensure named-user coverage |
| HANA Memory | High | Peak memory utilisation over 12 months; system telemetry; hardware configuration data | Monitor HANA memory continuously; archive data; budget for expansion licences |
| S/4HANA Conversions | Medium-High | Dual-use period verification; ECC retirement checks; FUE metric validation | Maintain migration records; decommission ECC on schedule; verify FUE counts |
| SuccessFactors Users | Medium | Direct cloud platform monitoring; active user count vs. contract; concurrent session analysis | Deactivate former employees promptly; run user count reports regularly; certify accurately |
| Ariba Documents | Medium | Cloud platform transaction logs; automatic consumption tracking; renewal-time enforcement | Track document volumes internally; negotiate bulk rates proactively; optimise transaction flows |
| BTP / Custom Development | Emerging | BTP cockpit monitoring; cloud credit consumption tracking; direct questioning during audits | Inventory all BTP apps; secure entitlements; treat BTP with the same governance as core SAP |
| Self-Declarations | High | Cross-system data verification; year-over-year comparisons; executive sign-off requirements | Triple-check figures; maintain evidence; independent review before submission |
A proactive, informed stance transforms audits from dreaded events into manageable exercises. Here are prioritised steps to prepare for upcoming SAP audit engagements.
Form a dedicated team meeting quarterly — IT (SAP Basis/Security), Procurement/Vendor Management, Software Asset Management, and key business units. Mandate: continuous compliance and audit readiness. CIO or IT Director sponsorship ensures organisational priority.
Gather all SAP contracts, order forms, and metric definitions. Build a clear inventory of entitlements (user types, engine limits, cloud subscriptions). In parallel, extract current usage data from SAP systems — users by category, 12 months of engine metrics, digital document counts, cloud usage reports. This baseline highlights gaps immediately.
Prioritise issues found in the baseline for remediation before SAP's audit. High-risk: thousands of unlicensed indirect documents, major HANA memory overage. Purchase additional licences proactively (better pricing than under audit pressure), reduce usage (archiving, user cleanup), or adjust configurations. Document issues and mitigation plans — demonstrating awareness earns leniency.
Invest in licence management software and/or third-party audit advisory. Tools automate user licence optimisation, track engine metrics, and simulate indirect usage costs. These often pay for themselves by identifying unnecessary licences or compliance issues before they become multi-million-dollar problems. Explore our SAP advisory services.
Ensure IT staff and business users understand SAP licensing rules. A developer might create a new interface without realising it triggers indirect access licensing. HR might keep terminated employees active in SuccessFactors. Conduct briefings on the "dos and don'ts" of SAP usage. Communicate audit exposure risk to the CFO — financial risk awareness unlocks compliance funding.
During your next contract renewal or purchase, consider including clauses for clearer audit terms — 90-day notice before on-site audit, right to remediate findings within 60 days before SAP invoices. Know your audit clauses: response times, defined processes. Have an audit game plan: designated point person, data collection procedures, negotiation team. See our SAP Negotiation Strategies.
Incorporate licence checks into change management: for any new project involving SAP, ask "does this have licensing implications?" Maintain an authoritative "licence bible" of entitlements and usage — update with every change. As the business evolves through mergers, expansions, or new SAP modules, update your compliance plan accordingly. For M&A-specific guidance, see our SAP M&A Licensing Playbook.
A clean licensing house gives CIOs more freedom to pursue new SAP innovations — moving to the cloud, adopting new modules — without the baggage of compliance debt. Be aware of your licences and their usage, and continually reconcile the two. With that discipline, even as SAP's audit focus shifts, your company will remain in control and audit-ready.
Whether you're facing a live audit, preparing for self-declarations, or building continuous compliance governance — Redress Compliance provides expert, independent SAP advisory from former SAP GLAC and licensing specialists who know SAP's playbook from the inside.