Every enterprise running SAP should know what can trigger a licence audit. This advisory breaks down the top 10 red flags, from usage spikes and indirect access to M&A events and third-party support transitions, with practical ITAM strategies to stay ahead.
This advisory is part of our SAP Licensing Knowledge Hub. For the complete audit defence guide, see SAP Licence Audit: A Survival Guide.
SAP often zeroes in on certain red flags that signal potential non-compliance. Understanding these triggers, and preparing for them proactively, is the most effective way to avoid audit surprises and unbudgeted true-up costs.
Critical risk alert: indirect access. Indirect access remains the single most expensive audit finding. The landmark SAP v Diageo ruling, where a customer was charged over $54 million for unlicensed indirect usage via third-party systems, demonstrated the scale of risk. SAP's Digital Access model was introduced to address this, but many customers remain unsure of their exposure. Map all interfaces and evaluate Digital Access licensing before SAP does it for you.
Misclassifying users is a common audit finding. The cost differences between licence types illustrate why SAP auditors focus heavily on correct classification.
| User Licence Type | Approx. Cost | Intended Usage | Risk If Misused |
|---|---|---|---|
| Professional User | $3,000-$4,000 + 22%/yr | Full access to all SAP modules (power users) | Under-licensing if a heavy user is given a lower licence type |
| Limited Professional | $1,500-$2,000 + 22%/yr | Restricted scope (specific modules or tasks) | If user performs tasks beyond the limited scope, Professional licence required |
| Employee Self-Service | $500-$1,000 + 22%/yr | Self-service tasks only (time entry, HR self-service) | Using ESS users for regular operational work violates terms |
| Developer User | ~$1,000 + 22%/yr | Development and configuration (non-production) | If developer accounts execute business transactions in production, Professional licence also required |
User misclassification is a common "gotcha." Any account without a licence type assignment defaults to the most expensive category. Upgrading a misclassified user from a $1,000 licence to a $3,000 licence, plus back-maintenance, creates a substantial bill when multiplied across dozens of users. ITAM teams should regularly review user roles and licence assignments to ensure each user has the correct type.
| # | Recommendation | Priority |
|---|---|---|
| 1 | Conduct regular self-audits. Schedule internal licence compliance reviews at least annually. Use SAP's LAW tool to check user counts, classifications, and engine usage. | Critical |
| 2 | Optimise licence assignments continuously. Lock/remove inactive users, consolidate duplicates, and right-size every user's licence type. | Critical |
| 3 | Monitor indirect usage proactively. Inventory all third-party systems and integrations interacting with SAP. Consider SAP Digital Access licences for document-generating integrations. | Critical |
| 4 | Engage SAP early for big changes such as M&A, new modules, and cloud migrations. Proactively updating contracts prevents audits later. | High |
| 5 | Leverage contract clauses. Negotiate 60-day notice, max one audit per year, and the right to remedy shortfalls at your discount (not list price). | High |
| 6 | Train and communicate. Make SAP compliance a team sport. Train technical teams, project managers, and procurement on audit triggers. | High |
| 7 | Keep excellent records. Central repository of all SAP contracts, licence certificates, purchase orders, and correspondence. | Moderate |
| 8 | Budget a compliance cushion. Earmark a small contingency for true-ups. | Moderate |
| 9 | Consider expert support. For high-stakes audits, engage independent SAP licensing specialists. They often save far more than their cost. | Moderate |
| 10 | Foster a compliance culture. Include licence impact in change management processes and cloud transition plans. | Moderate |
The best audit defence is being audit-ready at all times. Organisations that maintain annual internal reviews, clean user lists, and documented entitlements can respond to an SAP audit notice within days, not weeks. This confidence translates directly into better negotiation outcomes: you negotiate from facts, not fear.
Most large SAP customers can expect a licence audit roughly every 2-3 years. SAP can audit annually under its contract, but does not always exercise this right. However, self-reviews via SAP's measurement tools happen yearly. If you have not been audited in a long time, assume you are due, especially if any trigger events have occurred.
A basic audit is largely routine: SAP asks you to run their standard measurement programmes (USMM and LAW) and provide the results. An enhanced audit is more intense: SAP's auditors dig deeper with detailed questionnaires, remote sessions, or on-site visits. Enhanced audits occur if SAP suspects significant compliance issues such as extensive indirect use or past problems.
You cannot refuse an audit; it is a contractual right SAP holds. However, you can negotiate timing and scope. If the proposed period coincides with a critical business quarter, you might request a deferral. Always respond professionally and confirm your intent to comply, but request reasonable accommodations in writing. If SAP requests something outside the agreed scope, you can push back using your contract terms.
Common findings include: unassigned users (accounts without a licence type default to the most expensive category), misclassified users (users doing more than their licence allows), indirect usage (systems creating SAP transactions without proper licences), engine overuse (exceeding licensed metrics), and developer misuse (using developer accounts for production transactions). Auditors also flag duplicate accounts and inactive users consuming licences.
You would typically need to purchase licences for any shortfall at list price, plus back-dated maintenance (22% per year for each year of unlicensed use). For example, 50 under-licensed Professional Users for 2 years means full-price purchases plus 2 years of maintenance on each. SAP generally does not levy fines beyond licence fees, but without prior arrangements you will not get your negotiated discount. Negotiating a cap or discount on audit findings in your contract is highly valuable.