SAP License Audit Process
- Notification: SAP sends an email outlining the audit scope and timeline.
- Remote Audits: Access to systems and tools is securely provided.
- Data Collection: Use tools like LAW to gather SAP usage metrics.
- Submission: Submit collected data and declarations to SAP.
- Negotiation: Review findings and address compliance gaps.
Overview: An SAP license audit is a formal compliance check by SAP to verify that a customer’s use of SAP software matches the licenses they have purchased. In plain terms, SAP wants to ensure you’re not using more software, users, or modules than you paid for.
These audits occur regularly (often annually for SAP ECC and S/4HANA on-premise systems) and can also be triggered by certain events, such as a major system expansion or indications of heavy indirect usage. The audits are conducted by SAP’s Global License Audit and Compliance (GLAC) organization, which was recently renamed Global Adoption Insights & License Compliance.
Why It Matters: If an audit finds that you are under-licensed (holding fewer licenses than your usage requires), your company will be required to purchase additional licenses to “true up” the shortfall, potentially at list price and with back-maintenance fees.
These unplanned costs can be significant. For example, a well-known case in 2017 (SAP vs. Diageo) resulted in a customer being liable for over £54 million due to unlicensed indirect usage. Even if you’re compliant, audits consume time and resources. Understanding the SAP audit process helps you prepare and avoid costly surprises.
Audit Notification and Scope
SAP typically sends a formal audit notification, often referred to as a “License Measurement Service” request. This notice outlines which systems are in scope and gives instructions for data collection. By contract, customers must cooperate.
SAP typically audits on-premises ECC and S/4HANA installations by measuring named user counts and engine usage, while cloud products, such as Ariba or SuccessFactors, are monitored through SAP’s cloud portals.
The audit notice also specifies a deadline for submitting data, commonly 3 weeks for small or medium-sized enterprises and 4 weeks for large enterprises to complete the measurement. This is a short timeframe, which is why preparation is critical well in advance.
Audit Triggers: Routine annual audits are normal, but certain factors can lead SAP to escalate an audit’s scope:
- Long time since last audit: If you haven’t been audited in a while, SAP may scrutinize more closely.
- Indirect usage indicators: The integration of third-party systems (e.g., non-SAP apps accessing SAP data) can attract SAP’s interest.
- Purchase of new SAP products or expansions: Big changes in your SAP landscape might prompt an audit.
- Underuse of licenses (shelfware): Ironically, significantly under-utilizing licenses can also trigger questions, as SAP may check if usage is being routed indirectly elsewhere.
Steps in the Audit Process
The SAP license audit process involves several key steps:
- Preparation and Measurement: After notification, the customer must apply any required SAP support notes (scripts or patches) for measurement. Then, using SAP’s standard tools, the User Measurement (USMM) on each system and the License Administration Workbench (LAW), the company collects usage data. USMM records metrics, such as named users (by license type) and engine usage, on each system, and LAW consolidates these results across the landscape, deduplicating users with accounts in multiple systems. The customer also completes any self-declaration forms for metrics that are not captured automatically (for example, certain package licenses or indirect use counts). All this data is compiled into audit reports.
- Submission to SAP: The collected LAW report and self-declaration data are submitted to SAP’s GLAC team by the deadline. It’s wise for the company to double-check all data at this stage (e.g., ensuring that inactive users are removed, duplicate users are properly merged, and all systems in use are accurately measured). Remember that unclassified users will be counted as expensive licenses by default (e.g., Professional users), so classification should be reviewed before submission.
- SAP Analysis (Basic Audit): SAP’s audit team reviews the data. In a basic audit, they simply verify compliance based on the submitted figures. If the data shows that the number of users or engine usage is within purchased entitlements, you may receive confirmation of compliance or, often, just silence (no news is good news). If it shows overuse (e.g., 100 more Professional users than licensed), SAP will typically issue an invoice for the overage. It’s not uncommon for SAP to send a true-up invoice without much discussion if the numbers are clear-cut and the entitlement is met.
- Enhanced Audit (If Applicable): If SAP identifies red flags in the initial data (or if you are randomly selected for a deeper review), it may be escalated to an Enhanced Audit. In an enhanced audit (sometimes called a “premium” audit), SAP auditors (often senior GLAC personnel) request additional scripts and data to scrutinize usage in more detail. They might, for example, analyze user authorizations to see if any users classified as having a low-level license are performing activities that require a higher license. They also pay special attention to indirect access (when third-party systems use SAP functionality indirectly). SAP’s tools for indirect usage, such as the “Passport” tracing tool or Estimation programs, may be deployed. However, these tools are still evolving, and results can be imprecise. SAP may also examine specific engines or packages more closely or conduct on-site verification in some cases.
- Audit Findings and Outcome: After analysis (basic or enhanced), SAP provides an audit report or compliance statement. There are a few scenarios:
  - Compliant Outcome: If you’re fully compliant (with no shortfalls), the process ends with a possible letter confirming compliance. (Note: In practice, a finding of zero issues is somewhat atypical; SAP often finds at least minor discrepancies.)
  - Non-Compliance (True-Up Required): If the audit finds you exceeded your licenses, SAP will require you to purchase the necessary additional licenses. This could simply mean paying the invoice for extra users or modules, as mentioned earlier (in a basic audit). The costs can be significant if many licenses are needed immediately.
  - Non-Compliance (Enhanced Audit/Negotiation): In an enhanced audit, if under-licensing is discovered, SAP typically presents not just an invoice but a “Partnership Proposal” as an alternative resolution. This is where SAP takes advantage of the situation to propose a deal. For example, they might suggest enrolling in their Digital Access Adoption Program (DAAP) to resolve indirect usage via a new document-based license model, or require the purchase of certain strategic products, such as SAP Analytics Cloud, instead of just paying a penalty. Essentially, SAP might use the audit findings as leverage to upsell or accelerate your adoption of new SAP solutions or cloud offerings. Any required purchases or settlements are usually expected to be executed quickly following the audit.
The table below summarizes the two types of SAP audits and how they differ:
Aspect | Basic Audit (Standard Annual Audit) | Enhanced Audit (Escalated/Deep Dive) |
---|---|---|
Trigger | Routine annual audit or simple compliance check. Data self-submitted by customer. | Initiated if basic audit reveals potential issues, or if high risk factors (heavy indirect use, etc.) are present. |
Data Collection | Customer runs USMM on each system and consolidates via LAW. Provides self-declaration for metrics not auto-collected. | SAP requests additional data: special scripts/notes for specific products, detailed usage logs, possibly on-site verification. |
Focus Areas | Verify named user counts by license type, engine usage vs. contract entitlements. Basic validation of submitted data. | Scrutinize user classifications and authorizations (are all “Professional” users correctly categorized?), investigate indirect access in depth, check for any usage beyond contractual terms. |
Typical Outcome | If non-compliant: invoice for license shortfall, pay for extra licenses to become compliant. If compliant: audit closed with no action (maybe a compliance confirmation). | If non-compliant: SAP often proposes a tailored settlement (e.g. buy additional products or migrate licenses) instead of a straight fee. Involves negotiation on how to resolve findings. Compliant outcome is rare at this stage. |
SAP Team Involvement | Handled by GLAC audit analysts as a standard process. | Involves senior SAP audit managers, possibly coordination with SAP account executives (because of the sales component of settlement). |
ECC vs. S/4HANA Considerations: For traditional SAP ECC or S/4HANA (on-premise) environments, the audit steps are essentially the same, measuring users and engines via USMM/LAW. One difference is that S/4HANA introduces the concept of Digital Access (document-based licensing for indirect use), which might be assessed during an audit if you haven’t adopted it.
In hybrid landscapes (on-premise SAP integrated with SAP cloud services like Ariba, SuccessFactors, or S/4HANA Cloud), those cloud services are not measured by LAW; instead, compliance for cloud subscriptions is checked against the subscriptions you purchased (SAP can track cloud usage on its end). So, you may receive separate compliance checks for cloud products. Ensure you manage both on-prem and cloud license compliance.
After the Audit, if it reveals compliance gaps, you typically enter a true-up and negotiation phase, covered in detail in a later section. At a high level, you will need to either pay for the shortfall or reach an agreement with SAP on a resolution.
On the other hand, if you passed cleanly, it’s still good practice to review the audit report and note any recommendations from SAP. Many customers view a “good” audit as an opportunity to reinforce their internal license management processes, ensuring future audits remain low-risk.
Recommendations (Audit Process)
- Perform Internal Checks Before Submission: Never submit your LAW report to SAP without first doing an internal review. Run the measurement internally and analyze the results for errors or anomalies, such as inactive users or misclassified users. This helps avoid inadvertently handing SAP evidence of non-compliance.
- Understand Your Usage and Contracts: Map the measured results to your entitlements. If the LAW report shows 1,000 Professional users but you only own 900, recognize that gap before SAP does. Understanding your license contracts (user types, package metrics) helps you interpret the results and address issues proactively.
- Address data quality issues by cleaning up SAP user accounts and licenses throughout the year. For example, ensure that duplicate user IDs across systems are linked for LAW. Remove or lock unused accounts, and classify all users with the correct license type. Unclassified or outdated data can make you look non-compliant when you’re not.
- Be Cautious with Enhanced Audits: If SAP moves into an enhanced audit, engage your internal experts or third-party advisors immediately. Understand that the additional scripts may produce ambiguous data. Don’t accept SAP’s interpretation of these data at face value; be prepared to discuss what the findings truly mean.
- Keep Records of Communication: Document all interactions with SAP during the audit. If SAP gives any verbal guidance or exceptions, get it in writing. This helps if there are disputes in the final stage of the audit process.
FAQ: SAP License Audit Process
What is the first step in an SAP license audit?
SAP initiates the process by sending an email notification that details the scope and timeline of the audit.
What is the purpose of a remote audit?
Remote audits enable SAP auditors to access system data securely without an on-site visit, using the provided login details and authorizations.
What tools are used during data collection?
SAP tools, such as the License Administration Workbench (LAW) and the License Management by License Indicator (LMBI), gather usage metrics.
What is a self-declaration in the SAP audit process?
It is a formal document where organizations declare metrics not measured by SAP tools, such as indirect access or module-specific usage.
When are onsite visits required in SAP audits?
On-site visits are common in enhanced audits. These visits focus on in-depth system reviews, role analysis, and evaluations of indirect access.
What happens after data submission in an SAP audit?
SAP reviews the submitted data, and follow-up questions may be sent to clarify discrepancies or gaps.
How are findings shared with the organization?
SAP provides a detailed audit report outlining compliance gaps, license usage, and any required adjustments.
What is the role of the negotiation phase?
The organization reviews the audit report and discusses compliance gaps or additional licenses needed with SAP’s sales team.
What is the importance of LAW in SAP audits?
LAW helps organizations monitor and extract license usage metrics, ensuring accurate data submission.
Can indirect access trigger compliance issues?
Yes, third-party systems interacting with SAP data often require additional licensing, which is reviewed during the audit.
What are the key challenges in SAP audits?
Challenges include complex licensing terms, indirect access scenarios, and the resource-intensive nature of the audit process.
What is the difference between basic and enhanced audits?
Basic audits focus on measurable metrics, while enhanced audits involve onsite visits, detailed reviews, and broader evaluations.
How should organizations prepare for an SAP audit?
Conduct internal audits, use SAP tools to monitor usage, and maintain accurate records of system activity and user roles.
What happens if compliance gaps are found?
Organizations may need to purchase additional licenses or adjust current usage to address identified gaps.
How often are SAP license audits conducted?
SAP audits are typically annual but may occur more frequently based on organizational changes or compliance concerns.