"SAP's audit team had counted every document touching our systems without distinguishing between documents created via indirect access and those created by direct users. Redress mapped every interface systematically, challenged the methodology on six specific integrations, and we settled at a fraction of the initial claim." — VP IT, UK Engineering Group

Client Profile

The client is a UK-headquartered engineering and infrastructure group delivering civil engineering, building services, and asset management programmes across the public sector, utilities, and commercial property markets. The group employs approximately 8,200 people across project delivery, engineering, commercial, and central services functions, and operates SAP ERP as its core finance, procurement, and project accounting platform.

The group's operational model involves extensive integration between SAP and specialised operational systems — including a third-party computerised maintenance management system (CMMS) used across its asset management division, a supply chain and materials management platform used by its civil engineering teams, and a subcontractor management portal used to process payments to the group's extensive subcontractor supply chain. These integrations had been developed incrementally over the preceding decade and represented critical operational dependencies.

The Challenge

SAP's compliance team notified the group of a formal audit in June 2024, focusing specifically on the group's indirect access exposure — the use of SAP data and functionality by users and systems operating through third-party applications without direct SAP login credentials. SAP's audit scripts analysed the group's SAP environment and produced a report asserting indirect access exposure of £4.6M, calculated on the basis of document volumes generated by the third-party integrations.

The audit identified six integration scenarios as generating indirect access exposure: the CMMS-to-SAP maintenance work order integration, the supply chain platform's purchase order creation interface, the subcontractor payment portal's invoice submission workflow, a project management tool's timesheet-to-project-accounting integration, a health and safety incident reporting system's regulatory filing workflow, and an asset condition monitoring system's inspection record creation interface.

SAP's document count methodology had applied a standard per-document rate to the aggregate volume of SAP documents associated with each integration, without accounting for documents created by direct SAP users that had been double-counted in the analysis, or for integrations where the technical architecture meant that SAP documents were being read — not created — through the interface. The group's internal SAP team suspected that SAP's methodology significantly overstated the actual indirect access obligation, but lacked the technical documentation to challenge the audit findings.

The Approach

Redress Compliance conducted a systematic technical review of each of the six integration scenarios identified in SAP's audit report. For each integration, the review examined the interface architecture — specifically whether the integration was creating SAP documents (which may generate indirect access obligation) or reading SAP data (which does not) — and validated the document count figures against the group's actual transaction data.

The technical review identified material errors in SAP's document count methodology across four of the six integrations. The CMMS maintenance work order integration had been counted on the basis of gross work order volume, without excluding work orders created by direct SAP users — approximately 42% of the total — which SAP's own indirect access guidance excludes from the indirect access count. The supply chain platform's purchase order interface had been counted at the individual line item level rather than the purchase order document level, inflating the document count by a factor of approximately eight. Two further integrations — the asset condition monitoring system and the health and safety reporting system — were found to be read-only in their SAP interaction pattern, creating no documents and generating no indirect access obligation.

The two remaining integrations — the subcontractor payment portal's invoice workflow and the project management timesheet integration — were found to generate genuine indirect access exposure. Redress Compliance negotiated settlement for these integrations through SAP's Digital Access Adoption Programme (DAAP), which provided historical amnesty for past indirect usage and established a forward commercial framework for the document volumes generated by both integrations. The group's planned S/4HANA migration timeline was incorporated into the DAAP settlement structure, ensuring licence continuity through the migration period.

The Outcome

The group's SAP indirect access settlement was agreed at £780,000 via DAAP — an 83% reduction from SAP's initial audit claim of £4.6M. The settlement eliminated historical exposure on all six integration scenarios, including the four where SAP's methodology had been successfully challenged. The forward digital access commercial framework covered the actual ongoing document volumes from the subcontractor payment portal and project management timesheet integration at an annual cost of approximately £145,000, which was incorporated into the group's IT operating budget.

The S/4HANA migration pathway was protected through explicit licence continuity provisions in the DAAP settlement, ensuring that the group's indirect access position would not require renegotiation at the point of technical migration. The interface mapping documentation produced during the engagement forms the basis of the group's ongoing SAP indirect access compliance register.

Key Takeaways

  • SAP indirect access audit claims routinely contain material methodology errors that reduce the actual obligation by 50–80%. SAP's audit scripts calculate document volumes at a gross level that frequently conflates documents created by direct SAP users with documents generated by indirect access integrations, counts at the line item rather than document level for purchase and sales workflows, and misclassifies read-only integrations as document-creating. A systematic technical review of each integration scenario is the essential first step in any SAP indirect access audit response.
  • The distinction between document creation and data reading is fundamental to indirect access liability. SAP's indirect access framework applies only to documents created through third-party integrations, not to data read from SAP by external systems. Many operational integrations in engineering and asset-intensive businesses — particularly condition monitoring, reporting, and data extraction workflows — are read-only in their SAP interaction and carry no indirect access obligation.
  • DAAP provides historical amnesty and forward commercial clarity for genuine indirect access scenarios. The Digital Access Adoption Programme remains the most commercially effective route for organisations with genuine indirect access exposure — providing full amnesty for historical usage and a forward licensing framework at predictable per-document costs. Engaging DAAP on your own terms, with accurately scoped document volumes, is consistently preferable to waiting for an audit outcome.
  • S/4HANA migration creates both risk and opportunity in SAP indirect access management. Organisations planning S/4HANA migrations should address indirect access exposure before migration commences — both to avoid carrying audit liability into the new system landscape and to negotiate migration-period licence continuity provisions that protect against compliance interruptions during the technical transition.
  • Engineering and asset-intensive businesses with CMMS and field operations integrations face elevated indirect access risk. The operational integration patterns typical of engineering and infrastructure businesses — CMMS, subcontractor portals, supply chain platforms, and asset management systems — are among the highest-volume document-generating integrations in SAP landscapes. These are systematically targeted by SAP's compliance team and require formal documentation as part of any audit defence strategy.
