The Compliance Gap That SAP Exploits
Every SAP audit claim begins with the same underlying problem: a gap between what the customer believes it is licensed for and what SAP's measurement tools actually find. These gaps do not appear overnight. They accumulate over years through user provisioning without review, new system integrations that nobody ran past the licensing team, licence type classifications that were set during the original implementation and never revisited, and organic business growth that outpaces the licence positions negotiated at the previous renewal.
SAP's audit process — whether conducted via the basic USMM-based measurement or the enhanced LAW-driven review — is specifically designed to surface these gaps at a moment when the customer has no time to remediate them before the data is submitted. The organisation that runs its own internal compliance programme proactively closes those gaps on its own timeline, at its own pace, with full control over the remediation approach. The organisation that does not runs those gaps through SAP's measurement tools first, under audit conditions, with SAP's pricing applied to whatever it finds.
The position is clear: proactive internal compliance programmes are not a cost. They are a negotiation asset. Every gap closed internally is a gap that SAP cannot monetise during an audit. At the licence costs that apply at enterprise scale — Professional users at approximately €4,000 to €6,000 per user per year at list price — even a modest number of incorrectly classified users represents a material exposure.
The Four Pillars of an Effective Internal Programme
Pillar 1: Regular Internal Measurement with USMM and LAW
SAP provides two primary tools for licence measurement: the User and System Measurement (USMM), which measures user counts and licence types within a single SAP system, and the Licence Administration Workbench (LAW), which consolidates measurements across a multi-system landscape into a single view. These are the same tools SAP uses during a formal audit. Running them internally, on a consistent cadence, allows you to see exactly what SAP would see before SAP sees it.
The recommended cadence is quarterly. Annual measurement is better than nothing, but a year is a long time for compliance drift to accumulate — particularly in organisations with high headcount turnover, frequent restructuring, or active system integration programmes. Quarterly measurement creates a rolling baseline that makes anomalies visible before they compound. The practical requirement is that someone within the organisation is formally responsible for running the measurement, reviewing the results against the contracted licence position, and escalating discrepancies for remediation. Without assigned ownership, measurement tools are available but unused.
A critically important detail: never submit raw USMM data to SAP without internal review first. SAP audit teams will accept the data as submitted. Errors in user classification, duplicate users, blank licence type assignments, and incorrectly counted system users all inflate the measurement in SAP's favour. An internal review pass before any data leaves the organisation is a basic control that catches a significant proportion of inflated readings before they become formal claims.
Pillar 2: User Lifecycle Management
The most common source of licence drift is user accounts that persist beyond their operational purpose. Employees who leave, transfer to different roles, move between legal entities, go on extended leave, or change their system access requirements all create user records that, unless actively managed, continue to appear in USMM measurements at their original licence type classification.
An effective internal programme treats SAP user provisioning and de-provisioning as a licensing event, not a purely technical one. When an employee leaves the organisation, the standard offboarding process should include SAP account deactivation within a defined window — 24 to 48 hours is standard for organisations with mature IAM controls. When an employee changes roles, the process should include a licence type review that checks whether the new role's system access requirements match the existing classification. When a new integration or interface is deployed that provides external users or automated processes with access to SAP data, a licence impact assessment should be a mandatory gate before go-live.
A Nordic financial services group established this as a formal control in 2023. Before the change, their annual USMM measurement consistently identified between 200 and 350 unused or misclassified user accounts that required manual remediation. After implementing automated de-provisioning with a 48-hour window and a licence type checkpoint at every role change, the annual measurement number dropped to fewer than 30 accounts requiring adjustment — a reduction that eliminated an estimated annual exposure of approximately €900,000 at list pricing.
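As an added illustration (not code from the article, from SAP, or from the organisation described), the script below runs the pre-submission review pass Pillar 1 calls for and the stale-leaver check Pillar 2 relies on, over a constructed USMM-style user export. The field names, user-type values, the person identifier and the assumption that the export holds only active logons are all assumptions, not USMM's real layout.

```python
"""Pre-submission review of a constructed USMM-style user export (added
illustration, not SAP code; field names and values are assumptions, and
the export is assumed to hold only active logons)."""
from collections import Counter
from datetime import date, timedelta

# Organisation's agreed de-provisioning window for leavers (Pillar 2).
DEPROVISION_WINDOW = timedelta(hours=48)
REVIEW_DATE = date(2026, 3, 10)  # constructed date of the internal review

def rec(user, person_id, user_type, licence_type, termination_date=None):
    """Build one constructed user record (field names are assumptions)."""
    return {"user": user, "person_id": person_id, "user_type": user_type,
            "licence_type": licence_type, "termination_date": termination_date}

# Constructed sample export, one row per active SAP logon.
SAMPLE_EXPORT = [
    rec("JSMITH", "P100", "dialog", "Professional"),
    rec("JSMITH2", "P100", "dialog", "Professional"),   # second ID, same person
    rec("AKUMAR", "P200", "dialog", ""),                # blank licence type
    rec("RPA_BOT1", None, "system", "Professional"),    # technical user, named-user licence
    rec("LEAVER1", "P300", "dialog", "Limited Professional", date(2026, 3, 1)),
]

def review_export(rows, today):
    """Return {finding category: [user IDs]} for the review pass."""
    findings = {"blank_licence": [], "duplicate_person": [],
                "technical_user_review": [], "deprovision_overdue": []}
    # Count logons per person so one person holding several IDs is visible.
    ids_per_person = Counter(r["person_id"] for r in rows if r["person_id"])
    for r in rows:
        if not r["licence_type"].strip():
            findings["blank_licence"].append(r["user"])
        if r["person_id"] and ids_per_person[r["person_id"]] > 1:
            findings["duplicate_person"].append(r["user"])
        # System/communication users carrying a named-user licence type
        # need a classification check before the count is submitted.
        if r["user_type"] != "dialog" and r["licence_type"].strip():
            findings["technical_user_review"].append(r["user"])
        term = r["termination_date"]
        if term and (today - term) > DEPROVISION_WINDOW:
            findings["deprovision_overdue"].append(r["user"])
    return findings

def total_flagged(findings):
    """Distinct user IDs to remediate before any data leaves the organisation."""
    return len({u for users in findings.values() for u in users})
```

Run `review_export(SAMPLE_EXPORT, REVIEW_DATE)` to see every constructed row flagged in exactly one category except the two IDs that share a person.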
Pillar 3: Indirect Access Governance
Indirect access remains the most commercially significant compliance risk in enterprise SAP environments as of 2026. It arises when external users, third-party applications, robotic process automation bots, custom portals, or IoT devices interact with SAP data — writing to SAP, reading from SAP, or triggering processes within SAP — without using a standard SAP user interface. Under SAP's Digital Access licensing model, which applies to all new agreements signed since 2018 and most RISE with SAP agreements, indirect access is charged per document type created, measured in Documents per Year.
The governance challenge is that indirect access exposure is created by technical decisions made by development and architecture teams who may have no awareness of the licensing implications. A new supplier portal that sends purchase orders into SAP, a custom mobile application that updates field service records in SAP, or an RPA workflow that creates journal entries in SAP are all generating indirect access consumption that may or may not be covered by existing licence agreements.
The internal control is straightforward to describe and surprisingly difficult to implement without explicit senior sponsorship: no new interface, integration, portal, or automated process that touches SAP data goes into production without a licensing impact assessment from the SAP licence management team. This requires the licensing team to be embedded in or formally connected to the change management and development governance process — not sitting downstream of it waiting to review systems that are already live.
SAP's Digital Access Adoption Programme (DAAP) provides a commercial pathway for organisations to normalise existing indirect access exposure into a managed licence position, and it has been available since 2019. Organisations that discover historic indirect access exposure during an internal review should assess DAAP before SAP's auditors discover the same exposure and apply enforcement pricing instead.
Pillar 4: Change Management Integration
An internal compliance programme that operates in isolation from the business functions that generate licence changes is a programme that will always be catching up. The most effective programmes are integrated into four core business processes: new project initiation, system implementation planning, major business change (reorganisations, M&A activity, headcount changes), and vendor/partner onboarding that involves SAP system access.
At each of these gates, a licensing checkpoint asks the same questions: will this change create new users who need SAP access? Will it change the access profile of existing users? Will it create any form of indirect or automated access to SAP? If the answer to any of these is yes, the licensing team is engaged before the change proceeds, not after. This is a process change, not a technology change — and it is the difference between a compliance programme that works and one that generates audit findings.
Organisational Structures That Work
The most common failure mode for internal SAP compliance programmes is not technical — it is organisational. Measurement tools are available. The data is accessible. The failure point is the absence of a clear owner with both the authority and the accountability to act on what the data shows.
Effective programmes assign a named SAP Licence Manager or Software Asset Management lead with explicit responsibility for the SAP licence position. This person owns the measurement cadence, reviews results against the contracted position, escalates discrepancies for remediation, and represents the licence position in procurement negotiations with SAP. They are not a part-time responsibility of the SAP Basis team, the IT director, or the procurement category manager. Licence management at enterprise scale requires dedicated focus.
Governance above the licence manager level should include a quarterly review with the CIO and CFO that covers the current measurement position, any material changes since the previous review, the remediation status of known discrepancies, and the forecast licence position at the next renewal. This is not a compliance bureaucracy requirement. It is the mechanism that gives the licence manager the organisational authority to enforce the change management controls that keep the programme functional.
The 2027 Maintenance Deadline Changes the Calculation
The approaching end of mainstream SAP ECC EHP 6–8 maintenance — scheduled for 31 December 2027 — creates a specific internal compliance priority that did not exist in previous years. Organisations that remain on ECC after that date will face extended maintenance fees that represent approximately 24 percent of licence value annually, compared to 22 percent for standard maintenance, plus a 2 percent annual uplift. Third-party maintenance providers including Rimini Street offer maintenance fees up to 50 percent below SAP's rates for supported ECC versions, which is a commercially relevant alternative for organisations that cannot complete migration within the deadline.
For the internal compliance programme, the 2027 deadline creates a specific requirement: the licence position needs to be clean before migration discussions begin in earnest. SAP sales teams use renewal and migration conversations to surface compliance findings that they then use as leverage — reducing the customer's negotiating position on migration pricing by anchoring against a compliance liability that the customer is motivated to resolve. An organisation that enters S/4HANA migration discussions with a clean, independently verified licence position has a fundamentally stronger commercial starting point than one whose position is unknown or unreviewed.
What SAP Does Not Tell You About Internal Measurement
SAP's USMM tool produces a measurement that reflects the system state at the moment it is run. It does not retrospectively measure historical access patterns or historical document creation volumes. This is commercially significant: if an organisation runs its own internal USMM measurement, identifies an overcount, and corrects user classifications before SAP runs its own audit, the corrected position is what SAP measures — not the historic inflated state. Internal measurement followed by remediation is genuinely protective in a way that many organisations do not realise until they have experienced a formal audit.
SAP account teams are trained to present the formal audit as an inevitable and neutral process. It is neither. The decision to initiate a formal audit is a commercial decision, not a compliance obligation that SAP must fulfil on a fixed schedule. Organisations with robust internal compliance programmes, transparent measurement processes, and proactive engagement with their SAP account team are measurably less likely to receive formal audit letters than organisations with no visible internal governance. SAP's audit resources are finite, and they are directed toward accounts where the commercial return is expected to be highest.
Building the Programme: Practical Starting Points
For organisations that currently have no formal internal compliance programme, the practical starting point is a one-time baseline measurement using USMM and LAW across the full system landscape, reviewed against the current contracted licence position. This baseline establishes what actually exists, rather than what was assumed to exist, and creates the foundation for all subsequent programme activities.
The baseline review will almost certainly surface findings. This is expected and manageable — internal findings are remediable on the organisation's own timeline and do not create financial claims until SAP has measured them under audit conditions. Treating the baseline findings as a remediation project rather than a compliance failure is the correct framing. Once remediation is complete, the cadence of quarterly measurement, user lifecycle governance, and change management integration can be established as ongoing programme activities.
For organisations approaching a major SAP renewal or beginning S/4HANA migration planning, the baseline should be completed before any formal SAP engagement on those topics. The licence position is a negotiating asset. An unknown or unreviewed position is a liability.