SAP Licence Audit

Top 10 SAP Licence Audit Triggers

Every enterprise running SAP should know what can trigger a licence audit. This advisory breaks down the top 10 red flags — from usage spikes and indirect access to M&A events and third-party support transitions — with practical ITAM strategies to stay ahead.

Enterprise Advisory | SAP Licensing | Fredrik Filipsson | July 28, 2025

Every 2–3 yrs: Typical audit frequency for large customers
22%: Annual maintenance on licence fees
£54M: SAP v Diageo indirect access ruling
10 Triggers: Key red flags covered in this advisory

Top 10 SAP Audit Triggers

SAP often zeroes in on certain red flags that signal potential non-compliance. Understanding these triggers — and preparing for them proactively — is the most effective way to avoid audit surprises and unbudgeted true-up costs.

1. Sudden Usage Spikes

A rapid increase in SAP usage — onboarding hundreds of new users or a surge in transactions — raises concern that you've outgrown your entitlements. SAP monitors utilisation; a sharp spike in user count or data volume is a classic trigger.

Takeaway: Track user counts internally. Run SAP's LAW tool after major expansions. Inform your SAP account team when planning large rollouts.

2. Contract Renewals & True-Ups

Approaching a licence renewal or scheduled true-up is prime time for an audit. SAP often audits right before negotiations to establish a usage baseline, ensuring any extra consumption is paid for in the new contract.

Takeaway: Perform a full internal audit before any renewal. Enter negotiations knowing exactly where you stand — not reacting to SAP's findings.

3. New Modules or System Expansions

Deploying SAP HANA, a CRM add-on, a cloud connector, or any new component triggers a compliance check. SAP views new implementations as points of risk — the new software must be properly licensed and integrated into your agreement.

Takeaway: Treat every new implementation as a licensing event. Consult your contract before enabling modules. Run measurement tools after deployment.

4. Mergers, Acquisitions, or Divestitures

M&A events create double-counting and licence confusion. When companies merge, the combined user base changes significantly. SAP frequently audits after M&A to reconcile licensing under the new organisation.

Takeaway: Engage licence management early in any M&A. Inventory SAP systems and users as they come and go. Work with SAP to formally reallocate licences.

5. Indirect Access & Third-Party Integrations

Non-SAP applications interacting with SAP data — CRM pulling customer info, e-commerce creating sales orders — require additional licences even if no one logs into SAP directly. The SAP v Diageo case (£54M+ for unlicensed indirect usage) made this a headline risk.

Takeaway: Map all third-party interfaces. Evaluate SAP's Digital Access (document-based) licensing. Negotiate contract language clarifying indirect use.

6. Long Gap Since Last Audit

SAP can audit annually, but typically audits large customers every 2–3 years. If it's been a long time since your last review, that alone puts you on SAP's radar. Usage drift — gradual user growth or data expansion — accumulates silently.

Takeaway: Always assume an audit is coming. Maintain annual internal reviews. If you haven't heard from SAP in a while, double-check compliance now.

7. Past Audit Findings or Compliance History

Customers with prior shortfalls are considered high-risk accounts. If your last audit resulted in a true-up purchase or misclassification finding, SAP will follow up in subsequent years — potentially with an enhanced (deeper) audit.

Takeaway: Remediate root causes immediately after any audit finding. Strengthen internal processes. Demonstrate improved compliance posture at the next review.

8. Missing or Inaccurate Licence Data

Failing to submit LAW data on time, sending incomplete reports, or showing a high number of "unclassified" users signals lack of control. Ignoring a measurement request almost guarantees an audit notice.

Takeaway: Run the latest measurement programmes across all systems before deadlines. Ensure no active users remain uncategorised. Fix anomalies before submitting.

9. Switching to Third-Party Support

Leaving SAP maintenance for a third-party provider increases audit risk. An audit may be SAP's last opportunity to enforce compliance and potentially collect back-support fees. Many companies report audit notices within 1–2 years of switching.

Takeaway: Conduct a thorough internal audit before discontinuing SAP support. Clean up all compliance issues. Keep detailed entitlement records — SAP may not assist once you're off maintenance.

10. Staying on Legacy SAP Software

Delaying migration to S/4HANA or SAP cloud products attracts audit attention. SAP's sales strategy pushes customers to the latest platforms. As the 2027 ECC support deadline nears, long-time ECC customers face increasing compliance pressure.

Takeaway: Even in a holding pattern, optimise licence usage continuously. Retire unused licences, re-harvest shelfware, and ensure efficient assignments so auditors find no easy targets.
🔴 Critical Risk Alert

Indirect access remains the single most expensive audit finding. The landmark SAP v Diageo ruling — where a customer was charged over £54 million for unlicensed indirect usage via third-party systems — demonstrated the scale of risk. SAP's Digital Access model was introduced to address this, but many customers remain unsure of their exposure. Map all interfaces and evaluate Digital Access licensing before SAP does it for you.

SAP User Licence Types — Costs & Compliance Risk

Misclassifying users is a common audit finding. The cost differences between licence types illustrate why SAP auditors focus heavily on correct classification — upgrading dozens of misclassified users at list price plus back-maintenance can result in substantial unbudgeted bills.

| User Licence Type | Approx. Cost | Intended Usage | Risk If Misused |
| --- | --- | --- | --- |
| Professional User | $3,000–$4,000 + 22%/yr per user | Full access to all SAP modules (power users) | Under-licensing if a heavy user is given a lower licence type — audit will flag the shortfall |
| Limited Professional | $1,500–$2,000 + 22%/yr per user | Restricted scope (specific modules or tasks) | If user performs tasks beyond the limited scope, a Professional licence is required — compliance gap |
| Employee Self-Service | $500–$1,000 + 22%/yr per user | Self-service tasks only (time entry, HR self-service) | Using ESS users for regular operational work violates terms — requires upgrade to higher licence |
| Developer User | ~$1,000 + 22%/yr per user | Development and configuration (non-production) | If developer accounts execute business transactions in production, a Professional licence is also required |

⚠️ Compliance Warning

User misclassification is a common "gotcha." Any account without a licence type assignment defaults to the most expensive category. Upgrading a misclassified user from a $1,000 licence to a $3,000 licence — plus back-maintenance — multiplied across dozens of users creates a substantial bill. ITAM teams should regularly review user roles and licence assignments to ensure each user has the correct type.

Recommendations

| # | Recommendation | Priority |
| --- | --- | --- |
| 1 | Conduct regular self-audits — Schedule internal licence compliance reviews at least annually. Use SAP's LAW tool to check user counts, classifications, and engine usage. Early detection lets you fix issues quietly. | 🔴 Critical |
| 2 | Optimise licence assignments continuously — Lock/remove inactive users, consolidate duplicates, and right-size every user's licence type. Proactive hygiene means usage aligns with purchases even if audited. | 🔴 Critical |
| 3 | Monitor indirect usage proactively — Inventory all third-party systems and integrations interacting with SAP. Require new interfaces to be reviewed by licence management. Consider SAP Digital Access licences for document-generating integrations. | 🔴 Critical |
| 4 | Engage SAP early for big changes — M&A, new modules, cloud migrations — involve SAP (or a licensing advisor) ahead of time. Proactively updating contracts prevents audits later. | 🟡 High |
| 5 | Leverage contract clauses — Negotiate 60-day notice, max one audit per year, and the right to remedy shortfalls at your discount (not list price). Strong clauses won't stop audits but make them fairer. | 🟡 High |
| 6 | Train and communicate — Make SAP compliance a team sport. Train technical teams, project managers, and procurement on audit triggers so they don't inadvertently create compliance gaps. | 🟡 High |
| 7 | Keep excellent records — Central repository of all SAP contracts, licence certificates, purchase orders, and correspondence. Document internal changes (e.g., retiring 500 users last quarter). | 🟢 Moderate |
| 8 | Budget a compliance cushion — Earmark a small contingency for true-ups. If an audit finds extra licences needed, having funds ready prevents budget derailment. | 🟢 Moderate |
| 9 | Consider expert support — For high-stakes audits, engage independent SAP licensing specialists. They validate SAP's findings, push back on errors, and negotiate down proposed fees — often saving far more than their cost. | 🟢 Moderate |
| 10 | Foster a compliance culture — Make software compliance an ongoing responsibility. Include licence impact in change management processes and cloud transition plans. When compliance is baked into IT culture, audit triggers become manageable. | 🟢 Moderate |

💡 Expert Insight

The best audit defence is being audit-ready at all times. Organisations that maintain annual internal reviews, clean user lists, and documented entitlements can respond to an SAP audit notice within days — not weeks. This confidence translates directly into better negotiation outcomes: you negotiate from facts, not fear.

ITAM Action Checklist

SAP Audit Readiness — 5-Step Action Plan

  1. Set Up an Internal Audit Calendar — Mark a date (at least yearly) to run SAP's user measurement reports and review licence usage. Treat it like a mini-audit. Identify overshoot in users or engines before SAP does.
  2. Clean Your SAP House — Purge or fix obvious compliance issues immediately. Remove dormant users, correct licence classification errors, reconcile engine metrics. Document all clean-up actions.
  3. Brief Stakeholders on Audit Triggers — Hold a session with ITAM, SAP Basis, procurement, and project teams on the top 10 triggers. Ensure everyone knows that adding a new module or integrating a new app involves a licensing check.
  4. Review Contracts for Audit Terms — Check the audit clause and true-up provisions. If anything is vague or one-sided (no notice period, unclear scope), prepare to address it at next negotiation.
  5. Simulate an Audit Response — Assemble your "audit response" team. Generate a LAW report, compile user lists, and map them to entitlements. This dry run reveals weak spots in data quality before a real audit exposes them.

Frequently Asked Questions

Most large SAP customers can expect a licence audit roughly every 2–3 years. SAP can audit annually under its contract, but doesn't always exercise this right. However, self-reviews via SAP's measurement tools happen yearly. If you haven't been audited in a long time, assume you're due — especially if any trigger events have occurred.
A basic audit is largely routine — SAP asks you to run their standard measurement programmes (USMM and LAW) and provide the results. An enhanced audit is more intense: SAP's auditors dig deeper with detailed questionnaires, remote sessions, or on-site visits. Enhanced audits occur if SAP suspects significant compliance issues such as extensive indirect use or past problems. If an audit feels more thorough than usual, you may be under an enhanced review.
You cannot refuse an audit — it's a contractual right SAP holds. However, you can negotiate timing and scope. If the proposed period coincides with a critical business quarter, you might request a deferral. Always respond professionally, confirm compliance intent, but request reasonable accommodations in writing. If SAP requests something outside the agreed scope, you can push back using your contract terms.
Common findings include: unassigned users (accounts without a licence type default to the most expensive category), misclassified users (users doing more than their licence allows), indirect usage (systems creating SAP transactions without proper licences), engine overuse (exceeding licensed metrics), and developer misuse (using developer accounts for production transactions). Auditors also flag duplicate accounts and inactive users consuming licences.
You'd typically need to purchase licences for any shortfall at list price, plus back-dated maintenance (22% per year for each year of unlicensed use). For example, 50 under-licensed Professional Users for 2 years means full-price purchases plus 2 years of maintenance on each. SAP generally doesn't levy fines beyond licence fees, but without prior arrangements you won't get your negotiated discount — it's often full retail. Negotiating a cap or discount on audit findings in your contract is highly valuable.

How Redress Compliance Can Help

As a fully independent advisory firm with former SAP insiders on staff, Redress Compliance provides objective guidance on SAP audit defence, licence optimisation, Digital Access strategy, and contract negotiation — with no commercial relationship with SAP.

Fredrik Filipsson

Co-Founder @ Redress Compliance

Fredrik Filipsson brings over 20 years of experience in enterprise software licensing, having worked directly for IBM, SAP, and Oracle before co-founding Redress Compliance. Over the past 11 years as an independent advisor, he has helped more than 500 enterprise clients — including numerous Fortune 500 companies — optimise costs, avoid compliance risks, and secure favourable terms with major software vendors.
