SAP / sap licensing

SAP License Audit – SAP Audit Defense Strategies 2024

SAP / sap licensing

SAP License Audit – SAP Audit Defense Strategies 2024

An SAP license audit is:

  • Compliance Check: A process to ensure customers use SAP software according to the terms and conditions of their licensing agreement.
  • Regularly Scheduled: Typically conducted annually to assess and verify the usage of SAP licenses.
  • Measurement Tools: Involves using SAP’s measurement tools to track and report software usage.
  • Audit Types: Includes Basic and Enhanced audits, each with varying degrees of scrutiny and complexity.

SAP License Audit – What you need to know

sap license audit

Navigating an SAP license audit is a complex and significant task that requires careful preparation and understanding.

The nuances of this process are unique to SAP and can have a financial impact on customers who are not thoroughly prepared.

Understanding the SAP License Audit Process

  • Potential Financial Implications: Lack of complete understanding of the SAP license audit process can lead to inadvertent submission of evidence, resulting in substantial financial implications.
  • Basic vs. Enhanced Audits: SAP conducts two types of audits: the Basic license audit, which is usually an annual event, and the more comprehensive Enhanced license audit, which is conducted less frequently.
  • Preparation is Key: Instances of customers facing both Basic and Enhanced audits within the same year underscore the importance of being prepared for either scenario.

Distinguishing Between Basic and Enhanced Audits

types of sap license audits
  1. Basic Audit:
    • Scope: Generally confined to products measurable by standard SAP license audit tools like LAW and LMBI.
    • Customer’s Role: This involves self-reporting technical data extractable from systems, such as the number of cores, and self-reporting business metrics for specific product usage.
    • SAP’s Guidance: SAP provides manuals detailing the extraction of necessary information.
  2. Enhanced Audit:
    • Deep Dive: Goes beyond quantifying license usage to examine how products are used.
    • License Assignment Scrutiny: Includes evaluation of Named User license assignments and rights.
    • Additional Data Sources: SAP may access extra data for accurate user licensing, typically in Enhanced audits but sometimes in Basic audits.
    • Extended Scope: This might include role analysis of Named User assignments, indirect use assessment, functional review of the HANA Runtime Edition database, and onsite visits by auditors.
    • Discretionary Scope: While all product areas are considered, SAP can limit the scope, and sometimes customers can negotiate this.

SAP License Audit Process

sap license audit process

Navigating an SAP license audit involves several key stages, each demanding meticulous attention and understanding.

Here’s an overview of what you need to know about the SAP license audit process, from the initial notification to the final negotiation phase.

Notification of Audit

  • Initiation: An SAP license audit typically begins with an email notification outlining the audit’s scope, involved participants, and expected timings.
  • Enhanced Audit Communication: For an enhanced audit, this initial communication often includes an invitation for a face-to-face meeting or a conference call.

Remote Audits

  • Procedure: Remote audits may require providing login details for the SAP auditor and a list of specific authorizations.

Collection of Data

  • Activation of Audit Tools: Standard license audit tools provided by SAP must be activated within the requested SAP systems.
  • Self-Declaration: Customers are expected to self-declare their usage of technically unmeasurable products, typically via a formal document provided by SAP auditors.

Onsite Visit in Enhanced Audit

  • Additional Steps: Enhanced audits may necessitate an onsite visit, although remote audits are often sufficient.
  • Objective: SAP aims to understand your organization’s utilization of its SAP software.
  • Activities Involved: These may include interviews to understand indirect use processes, evaluate HANA functionality, and investigate Named User license allocation.

Submission of Information

  • Process: After gathering all necessary information, it’s submitted to SAP.
  • Follow-Up Inquiries: Expect follow-up questions, especially for enhanced audits, as SAP reviews the data.

Negotiation Phase

  • Audit Report Review: It’s crucial to thoroughly review the audit report and understand how SAP derived each license usage figure.
  • Commercial Negotiations: This stage may involve negotiations for additional licenses, with enhanced audits typically identifying higher non-compliance levels due to their in-depth nature.
  • Resolution Management: The SAP Sales team handles the resolution of compliance findings, not the GLAC (Global License Audit and Compliance) team that conducts the audit.

Conclusion

  • Understanding the Audit Type: Knowing whether you’re facing a basic or enhanced audit is essential for preparing the right information and understanding SAP’s audit report.
  • Approach and Negotiation: This knowledge will also guide your internal approach to the audit process and inform your negotiation strategy with SAP.

Being well-prepared and informed about each stage of the SAP license audit process can significantly influence the audit’s outcome.

Understanding the nuances of the process is critical to navigating it effectively and minimizing potential risks or costs associated with non-compliance.

Who Conducts SAP License Audits?

Who Conducts SAP License Audits

Understanding the orchestration of SAP license audits is crucial for businesses engaged with SAP products.

The audit process is a meticulously coordinated effort involving specialized professionals.

Licensed Auditors and Compliance Managers

  • International Team of Auditors: SAP license audits are conducted by licensed auditors based in various global locations, including Ireland, China, and India. These auditors are responsible for executing the fundamental audit process.
  • License Compliance Manager’s Role: A dedicated license compliance manager works closely with these auditors and ensures that the audit activities adhere to SAP’s established procedures and guidelines.

Selection of Customers for Audits

  • Strategic Selection Process: Not all SAP customers are subjected to annual audits. The selection is a strategic decision made by a collaborative effort between license compliance managers, auditors, and SAP’s audit business team experts.
  • Criteria for Selection: Large enterprises, recent purchasers of new SAP products, or customers labeled as ‘high risk’ from previous audits are typically more likely to be selected for an audit.
  • Initial and Subsequent Audits: New SAP customers generally face their first license audit within two years of signing the contract unless otherwise specified. Subsequent audits aim to be annual, contingent on SAP’s resources and planning.

Initiating the Audit Process: The Measurement Request Email

the SAP license Audit Process
  • Measurement Request Email: The auditing process begins with the licensed auditor dispatching a Measurement Request Email to the appointed individual responsible for audit-related activities within the customer’s organization.
  • Key Elements of the Email:
    • Scope of the Audit: It includes System Measurement using tools like USMM & LAW, which covers the System/Installation Landscape, a measurement plan, and Self-Declaration Products.
    • Relevant Engine Notes: A document containing SAP notes for customer review and implementation.
    • SAP Portal Links: Provides access to detailed information about the measurement tools used in the audit.
    • Submission Deadlines: These are typically set at four weeks for direct customers (large, Medium, Small) and extended to 12 weeks for indirect customers.

Understanding the intricacies of the SAP license audit process, from the roles of the auditors and compliance managers to the initiation of the audit, is vital for businesses to prepare adequately and navigate the process effectively.

Guiding Through the Audit Process: Auditor Interaction and Key Responsibilities

SAP Audit Process Auditor Interaction and Key Responsibilities

The SAP license audit process involves significant interaction with auditors and adhering to specific responsibilities and procedures.

Here’s a detailed overview:

Regular Contact and Submission Process

  • Auditor Communication: SAP auditors communicate regularly with end users to track the progress of the measurement and remind them of the impending deadline.
  • Transfer of Measurements: Measurements can be transferred directly to SAP from the tools or emailed, provided they meet SAP’s formatting requirements.

Auditors’ Responsibilities

  1. System Landscape Analysis:
    • Involves assessing all relevant systems, including production and development.
    • It excludes irrelevant systems like Java-based portals, dual-stack, test, and training systems.
  2. USMM Log Files Technical Verification:
    • Checks the correctness of client selection, price list, user types, background jobs, installed components, etc.
  3. LAW Technical Verification:
    • Evaluates users’ combinations, counts, and other aspects.
  4. Engine Measurement Analysis:
    • Verifies the SAP Notes.
  5. Additional Verifications:
    • Assesses expired users, multiple logins, late logons, workbench development activities, and more.
  6. Self-Declaration Products, HANA Measurement, and Business Object Verification:
    • Addresses measurement errors, with potential extension of deadlines for corrections.

Comparison and Understanding of Contractual Entitlements

  • Collaboration with License Compliance Managers: Auditors work with managers to compare measured figures against contractual entitlements.
  • Importance of Understanding SAP Contracts: Customers must fully comprehend their SAP contracts to avoid potential disadvantages.

Closure Notification and Compliance Gaps

  • Closure Notification Email: Sent to the customer to confirm the audit’s conclusion and indicate if any compliance gaps exist.
  • Engagement in Case of Compliance Gaps: The SAP license compliance manager may propose additional purchases or request further checks.

Execution of Additional Measurement Checks

  • Complex Technical Verifications: This may include OpenHub measurement, Single Sign On, multiple logins, expired users, late logons, workbench development activities, and system data extracts.
  • Independent or SAP-Assisted Execution: These checks can be performed independently by the end-user or with the aid of SAP’s supplementary audit services experts.

This overview illustrates the critical steps and responsibilities of the SAP license audit process.

End users should be prepared for regular interaction with auditors and understand the comprehensive nature of these audits, from initial contact to potential compliance gap resolutions.

Diving Deeper: The Enhanced Audit Process

SAP Enhanced Audit Process

Leadership and Team Composition

  • Specialized Team: Enhanced audits in SAP licensing are not led by standard auditors. Instead, they involve a specialized team comprising license compliance managers, compliance team executives, and SAS experts.
  • Expert-Led Approach: The complex nature of these audits necessitates leadership by individuals with deep expertise in SAP licensing and compliance.

Scope and Approach

  • Comprehensive Scope: The scope of an enhanced audit is communicated upfront to the end user. It includes all the necessary checks of a basic audit plus additional measurements, especially for customers previously found non-compliant in a basic audit.
  • Indirect Access Measurement: A distinctive aspect of enhanced audits is measuring indirect access usage, a critical component in SAP licensing.

Audit Process and Investigation

  • Intensive Audit Procedure: Enhanced audits represent a more thorough process, often involving remote checks by SAP and, in some cases, onsite visits.
  • Primary Focus of Onsite Visits: SAP auditors primarily investigate the extent of indirect access usage when onsite. This includes examining interactions between SAP and non-SAP systems, data flow directions, and specifics of data transfer methods like EDI and iDoc.

Reporting and Compliance Gap Identification

  • Comprehensive Reporting: Post-evaluation, a detailed report outlining the results is compiled.
  • Closure Notification: A “Closure Notification Email” is sent to the customer to indicate whether a compliance gap exists.
  • Additional Purchase Proposal: If a compliance gap is identified, the SAP license compliance manager proposes additional purchases based on the audit findings.

Role of Sales Executives and Compliance Team Cooperation

  • Separation from Auditing Process: As of 2018, SAP sales executives are formally separated from the auditing process due to the establishment of GLAC (Global License Audit and Compliance).
  • Continued Commercial Relationship: Despite this separation, sales executives maintain their primary role in managing the commercial customer relationship.
  • Cooperation in New Deals: When negotiating new deals, sales executives work with the license compliance team to resolve any license compliance risks effectively.

Enhanced audits in SAP licensing are intricate processes requiring a deep understanding of SAP’s systems and license compliance.

The involvement of a specialized team, the comprehensive scope of the audit, and the detailed reporting and closure process highlight the importance of thorough preparation and understanding by end users to navigate these audits successfully.

Common SAP License Compliance Issues

sap license compliance issues

Misallocation of User Classifications

  • Issue: A frequent misstep is assigning the more expensive “Professional User” licenses, whereas more affordable “Named User” licenses would be adequate.
  • Impact: This can lead to unnecessary expenditure on SAP licensing.

Indirect Access Licensing

  • Requirement: Individuals accessing SAP-generated data through third-party systems must have separate licenses.
  • Challenge: Ensuring compliance in this area can be complex, particularly in integrated IT environments.

Inaccurate User Counting

  • Misinterpretation: “Users” in SAP license agreements refer to authorized software users. However, system users, generic users, or any other usernames in the SAP system are often miscounted as licensable users.
  • Result: This leads to an inflated and inaccurate count of licensable users.

Active vs. Authorized Usage

  • Scenario: Organizations that do not regularly update their SAP systems may count “old” usernames, including those of individuals no longer with the company, leading to inaccurate user counts.
  • Advice: Regular system clean-ups are recommended to avoid such discrepancies.

Engine License Requirements

  • Non-User Metric Licensing: Several SAP programs require licenses based on metrics other than user numbers, such as revenue or turnover.
  • Implication: Understanding these requirements is crucial to avoid compliance issues.

Varied Licensing Terms for Identical SAP Programs

  • Observation: It’s not uncommon for organizations to secure licenses under different metrics for the same SAP functionalities.
  • Precaution: A thorough review of license terms is necessary to ensure correct application.

Custom Implementations

  • Consequence of Customization: Custom transactions and reports can lead to incorrect “Named User” license allocations.
  • Solution: Regular audits and reviews of custom implementations can help maintain compliance.

These common compliance issues highlight the need for a thorough understanding and diligent management of SAP licenses.

Organizations should regularly review their SAP license usage, understand the specific terms of their agreements, and ensure that their usage aligns with the licensed entitlements to avoid potential non-compliance and associated costs.

FAQs on SAP License Audits

FAQs on SAP License Audits

What is an SAP license audit?

An SAP license audit reviews a company’s SAP usage and licensing to ensure compliance with contractual agreements.

What is the role of SAP auditors before the submission deadline?

SAP auditors are responsible for contacting end users repeatedly to verify the measurement status and remind them about the submission deadline.

How can measurements be sent to SAP?

Measurements can be sent directly from the tools to SAP or as email attachments formatted according to SAP requirements.

What happens if measurement errors are identified?

If any errors are found, the SAP auditor will email the customer to request corrections. The deadline for updating the measurement is typically extended by a week.

Who evaluates the measurement results?

The auditors are responsible for evaluating the measurement results, which involve various technical verifications and analyses.

What is the role of the SAP license compliance managers?

They work closely with the auditors to compare the measured figures with the contractual license entitlement.

What is a Closure Notification Email?

This communication is sent to the customer after the measurements have been evaluated. It confirms the completion of the audit and indicates whether any compliance gaps have been identified.

What is an Enhanced Audit?

An Enhanced Audit is a more thorough audit led by licensed compliance managers, compliance team executives, and SAS experts. It includes additional measurements and a unique indirect access usage measurement.

How are indirect access usage levels researched during an Enhanced Audit?

When SAP auditors come onsite, they will investigate the levels of indirect access usage by checking interactions between SAP and non-SAP systems, data flow direction, and how data is transferred.

Are customers required to participate in SAP annual license audits?

Yes, customers must participate in annual license audits, during which SAP audit tools review license usage.

What is the role of the SAP License Audit Workbench (LAW)?

LAW measures SAP-named users based on how customers have classified them. However, it cannot determine how users should have been licensed.

What happens if users are classified incorrectly?

If users are incorrectly classified, customers may buy the wrong licenses, leading to significant over-licensing.

What is the impact of not expiring unused user accounts?

If unused user accounts are not properly locked and expired, they can still be active for licensing purposes and will be counted by LAW, potentially leading to over-licensing.

What is a Self-declaration audit?

A self-declaration audit involves the customer self-declaring software use based on their configurations. Technically, it’s not a full SAP license audit.

Are all SAP products in-scope for an annual SAP License Audit?

No, only certain SAP products are in scope. The SAP License Audit Workbench only measures ABAP systems, not JAVA-based ones.

If I don’t hear back from SAP following my annual license audit, does that mean I am compliant?

Not necessarily. SAP may be unable to review every annual license audit submission in detail. It’s possible that issues can be missed or not raised with the customer at the time.

Are SAP License Audit Workbench measurements always accurate?

No, these measurements are known to have issues when measuring SAP products accurately, especially due to the constant changing of SAP license metrics.

Is the SAP License Audit Workbench a Software Asset Management (SAM) tool?

No, the SAP License Audit Workbench is primarily a data collection tool for SAP. It doesn’t provide visibility on usage, licensing costs, or functionality to actively manage licenses and configurations.

Does the SAP License Audit Workbench help identify indirect access within my landscape?

Yes, at least License Audit Workbench 2.0 does by examining transactional load via technical user accounts used to interface third-party systems with SAP.

What is the purpose of the USMM TCode?

USMM TCode is designed to count active dialog users with customer-assigned license types from a valid price list.

What happens if a user is assigned a blank license type?

If a user is assigned a blank license type, the USMM TCode assigns them an expensive professional license.

Does the USMM TCode collect license usage data from all systems?

No, it only collects data from ABAP systems, excluding the Java stack.

What kind of license usage data does the USMM TCode collect?

USMM TCode collects license usage data such as Named Users, Indirect Usage data, Managed Engines usage, peak concurrent Logon sessions, and Professional Users.

Has the introduction of SAP S4 Hana changed license definitions?

Yes, with the introduction of SAP S4 Hana, license definitions have changed significantly from legacy ECC to S4 Hana license, including the Hana Database License.

SAP License Audit Defense Service

Our SAP License Audit Defense Service is a specialized offering designed to support organizations that use SAP software through the complex process of SAP license audits.

This service minimizes compliance risks and potential financial penalties from such audits.

Through this service, we will leverage our deep expertise in SAP licensing and compliance to help your organization confidently navigate the audit process.

Key Service Components:

  1. Pre-audit Analysis: We will perform a comprehensive pre-audit analysis of your current SAP licensing situation, identifying potential areas of risk and non-compliance.
  2. Audit Support: Our team will provide guidance and support throughout the audit process. This includes liaising with SAP and the auditors on your behalf and ensuring all communication is clear, timely, and accurate.
  3. License Optimization: We will help optimize your SAP licensing strategy to ensure you get the most value from your SAP investment. This could involve reassigning licenses, identifying unused licenses, and advising on the appropriate license types for your users.
  4. Compliance Monitoring: To avoid future audit issues, we will help establish processes for ongoing compliance monitoring. This will help ensure that your organization always complies with SAP licensing terms.
  5. Indirect Access Management: Our service will help you manage indirect access licensing issues often arising during audits. We will guide you in handling these complex situations and help mitigate any potential financial impact.
  6. Post-Audit Review: After the audit, we will conduct a post-audit review to identify lessons learned and implement changes to prevent similar issues from arising.

If SAP audits your organization, contact us for help!

Author

  • Fredrik Filipsson

    Fredrik Filipsson brings two decades of Oracle license management experience, including a nine-year tenure at Oracle and 11 years in Oracle license consulting. His expertise extends across leading IT corporations like IBM, enriching his profile with a broad spectrum of software and cloud projects. Filipsson's proficiency encompasses IBM, SAP, Microsoft, and Salesforce platforms, alongside significant involvement in Microsoft Copilot and AI initiatives, improving organizational efficiency.

    View all posts