SAP Licence Audit

SAP Audit Trends in 2026: CIO Playbook for Compliance Readiness

SAP's audit focus is shifting as the company adapts its compliance efforts to new usage models and products. Auditors now scrutinise indirect/digital access via third-party systems, cloud subscription metrics, HANA memory consumption, BTP usage, and how customers manage licences during S/4HANA migrations. This playbook outlines the key audit trends and provides strategic recommendations to help CIOs mitigate compliance risk and approach SAP audit engagements from a position of strength.

GLAC: SAP's Global Licence Auditing & Compliance team (est. 2018).
7 Focus Areas: Key audit trends targeting new risk areas in 2025-2026.
Multi-Million $: Potential exposure from undermanaged indirect access.
~22%: Annual maintenance back-charges on unlicensed usage findings.

SAP's Audit Strategy Is Targeting New Risk Areas

In 2025/2026, as many customers transition to S/4HANA and the cloud, SAP's audit strategy balances encouraging migration with maintaining a firm stance on compliance. Audits now target indirect access, cloud metrics, HANA memory, BTP usage, and self-declaration integrity. SAP is less tolerant of grey areas after years of warnings and the programmes it has put in place. See also: SAP Audit Survival Guide and SAP Indirect & Digital Access Playbook.

01

SAP's Evolving Audit Posture

All SAP licence agreements grant SAP the right to perform audits of software usage. Traditionally, on-premise customers undergo yearly self-measurement using SAP's tools (LAW/USMM) to report licence consumption, with SAP reserving the right to initiate deeper audits if discrepancies or risks are suspected. If unlicensed use is found, SAP can require customers to purchase additional licences at list price with back maintenance, or pursue legal remedies in extreme cases.

| Milestone | What Changed | Impact on Customers |
|---|---|---|
| 2017: Diageo ruling | UK High Court ruled SAP could charge named-user licence fees for indirect access by external systems. | Established legal precedent that indirect access through non-SAP systems requires licensing. Fundamentally changed the compliance landscape. |
| 2018: GLAC formation | SAP formed the Global Licence Auditing and Compliance team to standardise audit processes worldwide. | Audits became more structured, consistent, and professionally executed. Revenue protection became a formal organisational priority. |
| 2018: Digital Access model | SAP introduced document-based licensing for nine specific document types created via indirect use. Part of "Project Trust" to modernise licensing practices. | Provided an alternative to named-user licensing for third-party integration scenarios. Created new compliance metrics to track and manage. |
| 2020-2024: Cloud shift | SAP shifted approach to cloud products. SuccessFactors, Ariba, and S/4HANA Cloud monitored directly through SAP's platforms rather than traditional audits. | Contract usage limits enforced through system controls or periodic reviews, especially at renewal time. Compliance became continuous rather than periodic. |
| 2025-2026: New risk areas | Audits now target indirect access, HANA memory, S/4HANA conversion compliance, cloud subscription metrics, BTP usage, and self-declaration integrity. | SAP is less tolerant of grey areas. Multiple audit focus areas create compound compliance risk requiring proactive governance. |

Self-Declarations Are Stealth Audits

SAP increasingly uses self-declaration forms, asking customers to report usage of products that automated tools cannot measure. While less confrontational than on-site audits, these can still result in hefty true-up fees if misalignment is discovered. Treat self-declarations with the same rigour as a formal audit. See SAP Audit Readiness & Compliance.

02

Indirect Access / Digital Access Scrutiny

Indirect use of SAP systems remains the top audit focus. SAP auditors review third-party integrations, APIs, RPA bots, and external portals connected to SAP to identify unlicensed usage. The 2018 Digital Access model charges for nine specific document types (Sales Orders, Purchase Orders, Invoices, etc.) created indirectly. By 2025/2026, SAP expects customers to have addressed indirect usage either via named users or Digital Access licences.

| High-Risk Scenario | What Happens | Licensing Requirement |
|---|---|---|
| E-commerce to SAP integration | E-commerce site or CRM creates sales orders in SAP. Each order is a billable document under the Digital Access model. | Sufficient Digital Document licences or named-user coverage for the integration. Volume can reach hundreds of thousands of documents annually. |
| RPA bots triggering SAP documents | Robotic process automation tools create purchase orders, invoices, or goods receipts in SAP. Each document counts toward the Digital Access metric. | Digital Access documents per bot-generated transaction. Volume scales with automation scope. Human initiation is irrelevant to SAP's counting. |
| Third-party CRM/ERP integrations | Salesforce, Microsoft Dynamics, or other systems pulling or pushing data to/from SAP. If integrations create or modify SAP documents, they require licensing. | Named-user licences for each external user, or Digital Access documents for each document created. See SAP Digital Access Complete Guide. |
| Customer and supplier portals | Self-service portals where external users submit orders, confirm deliveries, or approve invoices that flow into SAP. Every document created counts. | Digital Access documents for portal-generated transactions. Can generate hundreds of thousands of billable events annually depending on portal traffic. |

DAAP Customers Face Heightened Scrutiny

Customers who enrolled in SAP's Digital Access Adoption Program (DAAP) but have not purchased adequate documents are likely to come under scrutiny. In 2025/26, SAP is no longer offering leniency on indirect access. Audits count documents generated by interfaces and present a bill for unlicensed ones. This area carries multi-million-dollar risk. See SAP DAAP Strategy Guide.

03

SAP HANA Database Usage Audits

As SAP ERP customers now run on the SAP HANA database, SAP has increased its focus on HANA licensing compliance. HANA is licensed based on memory capacity (peak memory usage or total memory size of the system tier) and is expensive. SAP enforces the letter of the contract.

| What SAP Checks | How They Detect It | Your Defence |
|---|---|---|
| Peak memory utilisation (last 12 months) | System telemetry showing highest memory consumption over the audit period. One spike above licensed level triggers a compliance finding. | Monitor HANA memory continuously. Archive data proactively. Budget for expansion licences if growth is inevitable. Do not assume minor hardware upgrades go unnoticed. |
| Additional nodes and HA clusters | Hardware configuration data revealing additional HANA nodes or high-availability clusters that increased memory footprint without additional licences. | Audit your HANA landscape quarterly. Ensure every node and cluster is licensed. Production systems that quietly exceeded licensed GB capacity are a common audit finding. |
| HANA runtime vs. full-use licences | SAP verifies whether customers use HANA for applications beyond the "runtime" scope (e.g., standalone database for custom applications when licensed only for runtime with SAP applications). | Review every HANA instance against its licence type. Runtime licences are restricted to specific SAP applications only. Non-SAP workloads require a full-use licence. See S/4HANA Hidden Costs Guide. |

04

S/4HANA Contract Conversions Under the Audit Lens

As enterprises migrate from SAP ECC to S/4HANA, many have engaged in contract conversion programmes where ECC licence value is converted into S/4HANA licences with credit toward the new suite. SAP typically grants dual-use rights during the transition, allowing continued use of legacy ECC for a limited time. Auditors are now verifying compliance with conversion terms.

| What SAP Checks | Risk Scenario | Your Defence |
|---|---|---|
| No "double dipping" | Customer utilising both ECC and S/4HANA productively beyond the agreed timeline or licensed scope. Running ECC productive instances after the contracted period could be deemed unlicensed. | Maintain detailed records of who uses ECC versus S/4HANA during migration. Decommission old environments on schedule or obtain a written extension from SAP. |
| Migration deadline compliance | Customer received credit or discounts conditional on completing migration by a certain date. ECC has not been retired as per the contract. SAP uses audits as a nudge toward migration. | Track all conversion contract conditions and deadlines. Document migration progress. If slipping, negotiate an extension proactively rather than waiting for audit discovery. |
| FUE metric accuracy | S/4HANA conversion resulted in Full User Equivalents (FUE) instead of named users. SAP audits whether user counts provided for conversion were accurate. Advanced = 1.0 FUE, Core = ~0.2 FUE, Self-Service = ~0.03 FUE. | Map every user to the correct FUE category. Validate FUE calculations against SAP's methodology. Errors in conversion calculations compound over the contract term. See S/4HANA Licensing Guide. |

2027 ECC End-of-Support Accelerates Audit Pressure

As the 2027 ECC maintenance deadline approaches, SAP could use audits to accelerate migration decisions. CIOs involved in S/4HANA projects should maintain meticulous records, decommission on schedule, and verify FUE counts proactively. See RISE with SAP and the 2027 Deadline.

05

SuccessFactors, Ariba & Cloud Subscription Metrics

SAP cloud products are not audited in the traditional on-premise sense. SAP can directly see usage in the cloud. However, compliance checks are targeting whether customers exceed licensed parameters. Cloud subscriptions are enforced through system controls, periodic usage reviews, and renewal-time true-ups.

| Cloud Product | Metric Monitored | How SAP Enforces | Your Defence |
|---|---|---|---|
| SuccessFactors (user counts) | Active employee records vs. contracted named subscriptions. Uploading 5,500 active records against 5,000 licences triggers a 10% overage charge. | Direct cloud platform monitoring. Annual compliance certifications requiring executive sign-off on active user counts. | Deactivate former employees promptly. Run user count reports regularly. Certify accurately. Assign HRIS as metric owner. |
| SuccessFactors (concurrent) | Peak concurrent sessions for modules like Learning. 1,200 simultaneous learners against 1,000 concurrent licence triggers overage. | Concurrent session analysis over defined periods. Peak usage is the measuring point, not average. | Stagger training rollouts to avoid company-wide spikes. Monitor concurrent usage. Negotiate headroom provisions in contracts. |
| Ariba (document volumes) | Number of purchasing documents (POs, invoices) processed per year or total managed spend. 130,000 invoices against 100,000 contract triggers tier upgrade. | Automatic consumption tracking in cloud. Enforcement at renewal or through compliance claims. Ariba in "monetise actual usage" mode. | Track document volumes internally. Approach SAP proactively to negotiate bulk rates rather than being caught off guard. Assign procurement ops as metric owner. See SAP Ariba Licensing Guide. |

06

SAP BTP and Custom Development Licensing

SAP's Business Technology Platform (BTP) is an emerging area of audit attention. BTP is offered in various models (pay-as-you-go cloud credits, subscription bundles, or as part of RISE with SAP) and involves complex metrics like application instances, memory/CPU, or connection counts.

| BTP Audit Focus | What SAP Checks | Your Defence |
|---|---|---|
| Custom Fiori apps and side-by-side extensions | Whether customers who deployed custom Fiori apps or extensions have required BTP entitlements. A portal built on BTP used by thousands may require a specific BTP app service licence beyond standard ERP user licences. | Inventory all custom Fiori apps and BTP extensions. Verify each has the required entitlement. Do not assume ERP user licences cover BTP-hosted components. |
| "Shadow" BTP usage | Basis teams sometimes activate BTP services (Cloud Integration trials, small HANA instances) without formal licences that remain in productive use. SAP monitors BTP usage through the cockpit. | Audit BTP cockpit for all active services. Decommission trial services. Ensure every productive BTP instance has a matching subscription. |
| Cloud credit consumption | BTP consumption (measured in credits or service units) vs. contracted amounts. Running more credits than purchased or using services beyond trial allowances requires true-up. | Monitor credit consumption monthly. Set alerts at 75% and 90% of contracted volume. Budget for expansion before overages accrue. See RISE Contract Challenges. |

RISE Customers: BTP Boundary Is Critical

For customers under RISE with SAP contracts, certain BTP services may be included, but any services outside the RISE bundle require separate licensing. Inventory all applications developed on SAP platforms (including BTP) and ensure they have appropriate licences. The boundary between "included in RISE" and "separately licensed" is a frequent source of audit findings. See RISE with SAP Tiers.

07

Self-Declarations & Metric Reporting Integrity

A significant change in SAP's audit approach is heavy reliance on customer self-declaration of usage for metrics that automated tools cannot measure (employee counts, orders processed, cloud user counts). Self-declarations are effectively an audit in disguise: SAP uses them to detect overuse without sending an on-site team.

| What SAP Cross-Checks | How It Works | Your Defence |
|---|---|---|
| Cross-system data verification | SAP cross-checks data across systems. Self-declaring 10,000 employees on SAP Payroll while SuccessFactors shows 12,000 active users triggers compliance questions. | Reconcile all metrics across SAP systems before submission. Ensure consistency between on-premise declarations and cloud platform data visible to SAP. |
| Year-over-year comparisons | Submitting significantly lower figures than previous years without a corresponding business event (divestiture, restructuring) raises a red flag. SAP may initiate a formal audit. | If figures genuinely decrease, prepare documentation explaining the change (divestitures, workforce reductions, process changes). Proactive explanation prevents escalation. |
| Executive sign-off requirements | SAP has started requiring CEO or CFO sign-off on self-declaration forms. Inaccurate declarations can expose the organisation to seven or eight-figure costs. | Triple-check all figures before executive submission. Maintain evidence of how each number was derived. Consider independent internal review before submitting. See SAP Compliance Best Practices. |

08

Proactive Internal Actions to Mitigate Audit Risk

| # | Action | What to Do |
|---|---|---|
| 1 | Conduct internal licence audits ahead of SAP | Run SAP's measurement programmes (USMM, LAW) at least annually. Check each system for user counts by licence type and usage of engines and packages. Simulate an audit internally: identify compliance issues and remediate before SAP becomes aware. Involve IT, SAP Basis, procurement, and finance. See SAP Named User Optimisation Playbook. |
| 2 | Map indirect access and use simulation tools | Create a detailed map of all third-party systems, interfaces, and non-SAP applications interacting with your SAP environment. For each integration, determine how SAP might view the usage. Use SAP's Digital Access Estimation Tool to quantify document creation volumes. Third-party tools can scan SAP logs to identify proxy users. See SAP Digital Access Complete Guide. |
| 3 | Validate engine licence metrics vs. real usage | Many SAP products are licensed on specific metrics (annual revenue, active employees, database records, CPU cores). Validate each metric against your licences. If SAP Payroll is licensed for 5,000 employees, check actual active master records including contractors and global employees. Set internal alerts at 90% of licensed capacity. |
| 4 | Implement role-based licence validation | Examine transactions and roles each user has in SAP. Map roles to licence categories. Identify users with expensive Professional licences who never go beyond display reports (downgrade candidates). Conversely, upgrade under-licensed users before SAP finds them. Third-party tools automate this process. |
| 5 | Prepare defensible data sets for SaaS usage | For SuccessFactors, Ariba, Concur, and SAP Analytics Cloud, maintain copies of usage data and logs to reconcile against SAP's figures. Export user lists regularly. Download processing reports. Assign metric owners per SaaS product. Treat cloud usage data as audit artefacts requiring disciplined management. |

09

Audit Trends Comparison Matrix

| Audit Focus Area | Risk Level | How SAP Detects | Your Defence Strategy |
|---|---|---|---|
| Indirect / Digital Access | Very High | Document counts via SAP system logs. Interface analysis. Digital Access Estimation Tool. | Map all integrations. Simulate document counts. Adopt Digital Access licences or ensure named-user coverage. See Indirect Access Playbook. |
| HANA memory | High | Peak memory utilisation over 12 months. System telemetry. Hardware configuration data. | Monitor HANA memory continuously. Archive data. Budget for expansion licences. See SAP Licensing Cost Drivers. |
| S/4HANA conversions | Medium-High | Dual-use period verification. ECC retirement checks. FUE metric validation. | Maintain migration records. Decommission ECC on schedule. Verify FUE counts. See S/4HANA Licensing Guide. |
| SuccessFactors users | Medium | Direct cloud platform monitoring. Active user count vs. contract. Concurrent session analysis. | Deactivate former employees promptly. Run user count reports regularly. Certify accurately. |
| Ariba documents | Medium | Cloud platform transaction logs. Automatic consumption tracking. Renewal-time enforcement. | Track document volumes internally. Negotiate bulk rates proactively. See SAP Ariba Licensing Guide. |
| BTP / custom development | Emerging | BTP cockpit monitoring. Cloud credit consumption tracking. Direct questioning during audits. | Inventory all BTP apps. Secure entitlements. Treat BTP with same governance as core SAP. |
| Self-declarations | High | Cross-system data verification. Year-over-year comparisons. Executive sign-off requirements. | Triple-check figures. Maintain evidence. Independent review before submission. See SAP Compliance Best Practices. |

10

CIO Recommendations: Preparing for 2026 SAP Audits

| # | Recommendation | What to Do |
|---|---|---|
| 1 | Establish a licence compliance task force | Form a dedicated team meeting quarterly: IT (SAP Basis/Security), Procurement/Vendor Management, Software Asset Management, and key business units. Mandate: continuous compliance and audit readiness. CIO or IT Director sponsorship ensures organisational priority. |
| 2 | Baseline entitlements and usage | Gather all SAP contracts, order forms, and metric definitions. Build a clear inventory of entitlements (user types, engine limits, cloud subscriptions). Extract current usage data from SAP systems. This baseline highlights gaps immediately. |
| 3 | Remediate high-risk compliance gaps | Prioritise issues from the baseline for remediation before SAP's audit. High-risk: thousands of unlicensed indirect documents, major HANA memory overage. Purchase proactively (better pricing than under audit pressure), reduce usage, or adjust configurations. Document mitigation plans. See Reducing SAP Shelfware. |
| 4 | Leverage expert tools and services | Invest in licence management software and/or third-party audit advisory. Tools automate user licence optimisation, track engine metrics, and simulate indirect usage costs. These often pay for themselves by identifying unnecessary licences or compliance issues. See SAP Licence Optimisation Services. |
| 5 | Educate and communicate internally | Ensure IT staff and business users understand SAP licensing rules. Developers creating interfaces without realising it triggers indirect access. HR keeping terminated employees active in SuccessFactors. Conduct briefings. Communicate audit exposure risk to the CFO to unlock compliance funding. |
| 6 | Negotiate audit framework and protections | During next contract renewal, include clauses for clearer audit terms: 90-day notice before on-site audit, right to remediate findings within 60 days before SAP invoices. Have an audit game plan: designated point person, data collection procedures, negotiation team. See SAP Negotiation Strategies. |
| 7 | Make compliance a continuous governance topic | Incorporate licence checks into change management: for any new project involving SAP, ask "does this have licensing implications?" Maintain an authoritative licence inventory. As the business evolves through mergers, expansions, or new modules, update your compliance plan. See SAP M&A Licensing Playbook. |

FAQ

Frequently Asked Questions

Common triggers include significant changes in user counts (spikes in USMM/LAW reports), corporate events like mergers or divestitures, contract renewals approaching, large discrepancies between self-declared metrics and SAP's expectations, and routine compliance cycles. SAP's GLAC team monitors customer developments and may initiate audits when they suspect non-compliance. See SAP Audit Survival Guide.

Introduced in 2018, the Digital Access model charges for nine specific document types (Sales Orders, Purchase Orders, Invoices, Goods Receipts, etc.) when created indirectly via non-SAP applications, APIs, RPA bots, or external portals. Instead of requiring a named-user licence for every external system or user, you purchase a volume of Digital Access documents. SAP's Digital Access Estimation Tool can help quantify exposure. See SAP Digital Access Complete Guide.

Not in the traditional on-premise sense, but SAP can directly monitor usage in cloud platforms. They compare subscription parameters (user counts, document volumes, storage) against actual system usage. Overages are typically enforced at renewal or through periodic compliance certifications. SAP may require annual user count certifications signed by senior executives. Proactive internal tracking is essential.

SAP auditors check peak HANA memory utilisation over the last 12 months. Even a one-time spike above your licensed level can trigger a compliance finding and backcharge. HANA is expensive and SAP enforces the letter of the contract. Options include: monitor continuously, archive data to reduce footprint, budget for expansion licences before audits discover the issue, or negotiate with SAP proactively. See S/4HANA Hidden Costs.

Treat self-declarations with the same rigour as a formal audit. Triple-check all figures, maintain evidence of how you arrived at each number (system reports, queries, user lists), and consider independent internal review before submission. SAP cross-checks data across systems and compares year-over-year figures. Inaccurate declarations can expose you to seven or eight-figure costs.

SAP typically grants dual-use rights during the transition, allowing continued use of legacy ECC while S/4HANA is implemented. However, this has a defined timeline and conditions. If you slip on migration plans and are still running ECC productively after the contracted period, that usage could be deemed unlicensed. Document your migration timeline, verify FUE metrics, and obtain written extensions if needed. See S/4HANA Licensing Guide.

Respond calmly and deliberately. Identify a point person to liaise with SAP, assemble your data collection team, and engage negotiation resources. Understand your contractual audit clause (response time, process). If you have been proactively managing compliance, you will be in a strong position. If you have not, seek independent expert advice immediately as the cost is far lower than unmanaged audit exposure. See SAP Audit Defence Service.

Map all third-party systems, interfaces, and applications that interact with SAP. Quantify document creation volumes using SAP's Digital Access Estimation Tool. Decide whether named-user licensing or Digital Access documents is more cost-effective for each integration. Consider restricting certain interfaces until properly licensed. Maintain interface documentation to explain and defend your position. See Indirect Access CIO Playbook.


Fredrik Filipsson

Co-Founder, Redress Compliance

Two decades of enterprise software licensing expertise, including hands-on experience at IBM, SAP, and Oracle. Advises Fortune 500 enterprises on complex SAP licensing challenges including audit defence, contract negotiation, indirect access compliance, RISE advisory, and S/4HANA migration licensing. His team includes former SAP GLAC specialists who understand SAP's audit methodologies, measurement tools, and enforcement tactics from the inside.
