The Commercial Logic Behind SAP's Audit Surge

SAP does not audit customers randomly. Audit activity is a revenue mechanism as much as a compliance function, and the 2026 surge in SAP licensing reviews has a clear commercial driver: Gartner estimates that 17,000 of SAP's 35,000 ECC customers will not complete migration to S/4HANA by the December 2027 mainstream maintenance deadline. That is a large population of customers with expiring support and unresolved licence positions, which gives SAP significant commercial leverage to exploit.

SAP's fiscal year ends September 30. The audit activity that generates revenue recognition in SAP's fiscal year must be initiated early enough to complete before year end. Q3 and Q4 — July through September — are when SAP commercial pressure is highest and when many audit findings are used as the basis for renewal negotiations. Understanding this timing helps organisations anticipate when they are most likely to receive audit notices and plan their response windows accordingly.

What SAP would prefer buyers not know: self-declaration requests — forms SAP asks customers to fill out annually for specific products — are effectively audits in disguise. SAP's licence compliance team uses declared data to identify overuse patterns without incurring the cost of a formal on-site audit. Treating self-declaration requests as routine administrative tasks rather than as the licence risk assessments they actually are is one of the most common errors we see in SAP customer organisations.

Trigger 1: ECC Maintenance Deadlines and Migration Pressure

SAP ECC EHP 0 through EHP 5 mainstream maintenance ended December 31, 2025 — that deadline has already passed. Customers on these versions who did not migrate to extended maintenance arrangements are now operating on end-of-life software without formal SAP support. ECC EHP 6 through EHP 8 mainstream maintenance ends December 31, 2027. This creates a hard deadline that SAP's commercial team is actively leveraging in customer interactions.

The maintenance deadline creates audit risk in two ways. First, customers who continue operating ECC after mainstream maintenance ends without a formal extended maintenance agreement (which carries a 2 percentage point uplift, taking maintenance to approximately 24 percent of licence value compared to 22 percent for standard maintenance) may be in breach of their support contract terms. Second, customers who have deployed additional integrations, expanded user counts, or added modules since their original licence agreement may have allowed their licence position to drift during the years they deferred migration decisions.

Extended maintenance from 2028 to 2030 is available for EHP 6–8 customers, but at the 24 percent maintenance rate — meaningfully higher than standard. The cost differential between standard and extended maintenance for a large ECC deployment can represent hundreds of thousands of dollars per year in additional spend, which SAP will naturally surface during any licence review.

What the Audit Actually Looks For in ECC Environments

When SAP reviews an ECC estate approaching the maintenance deadline, the focus areas are predictable. Auditors look for user count growth since the last licence agreement — new roles, new business units, additional modules licensed informally. They examine whether HANA database licensing is correctly sized for current memory usage, as HANA memory consumption often grows beyond original licence provisions without corresponding licence adjustments. They assess whether SAP Solution Manager is deployed correctly for technical monitoring purposes. And they focus intensively on indirect access — the integration layer where most ECC customers carry the largest unquantified liability.

Trigger 2: Indirect Access and Ageing Integration Landscapes

Indirect access — the use of SAP's ERP functionality through non-SAP systems that create documents or transactions in SAP — has been an audit focus for over a decade. In 2026 it is more acute than ever because ECC integration landscapes have had eight additional years to grow since SAP's last formal indirect access enforcement wave. Most ECC customers have added CRM systems, eCommerce platforms, RPA tools, workflow automation layers, EDI gateways, and custom API integrations since their original licence agreements were structured. None of these additions were accompanied by licence adjustments.

SAP's Digital Access model, introduced in 2018 and codified under SAP Note 2992090 for ECC customers, provides a document-based licensing metric — the Document-Driven Licence Count (DDLC) — as the measurement basis for indirect use. Under DDLC, each unique document type created in SAP by an external system counts against a licensed allocation. The document types include purchase orders, sales orders, goods movements, financial postings, and production orders, among others.

The technical reality of DDLC measurement creates its own complexity. SAP's measurement tools have historically had accuracy issues: they overcount documents because they cannot distinguish original document creation from minor updates or system-generated repostings. Customers who allow SAP to run measurement tools uncontested frequently see claims that overstate actual indirect usage by 30 to 50 percent. Rigorous pre-audit measurement using independent tools is the single most important defensive step an ECC customer can take.

"We have defended 80+ indirect access disputes. The pattern is consistent: SAP's initial measurement overstates the liability, often significantly. The organisation that accepts the first number without challenge pays far more than necessary."

Why Integration Risk Is Growing in 2026

The SAP integration risk in 2026 is not just about the volume of integrations — it is about their age and opacity. Integrations built in 2015 or 2018 are typically poorly documented, may have changed hands multiple times as IT teams turned over, and are often running on middleware that IT operations has deprioritised. The result is that many organisations cannot accurately describe their own indirect access footprint without a dedicated technical discovery exercise. SAP's audit team has a structural advantage: it can request measurement data and analyse it before the customer has completed its own assessment.


Trigger 3: HANA Memory Licensing Overuse

HANA database licensing is one of the fastest-growing sources of undetected SAP compliance exposure in 2026. SAP HANA is licensed on a memory capacity basis — the total RAM allocated to the HANA system must be covered by the customer's licence entitlement. As organisations deploy more data volumes, add reporting and analytics use cases, and expand HANA-based applications, memory consumption grows. Licence entitlements, set at the time of original purchase, frequently do not keep pace.

A single spike in HANA memory usage above the licensed amount can constitute a compliance finding under SAP's measurement methodology. Seasonal data loads, year-end processing spikes, and analytics workloads that run against growing historical data sets can all push instantaneous memory usage above licence thresholds, even if average utilisation remains within bounds. SAP's audit approach measures peak consumption, not average, which creates audit risk for organisations that manage HANA capacity against average utilisation rather than peak utilisation.

The financial exposure from HANA memory overuse can be substantial. In large enterprise deployments, 100 GB of additional HANA memory at list pricing represents tens of thousands of dollars annually, so even a moderate licensing shortfall can generate six-figure audit claims. SAP does not proactively notify customers when they are approaching memory thresholds, despite having visibility through Solution Manager telemetry, and this is deliberate. It is commercially more advantageous for SAP to surface the gap at audit time than to enable customers to address it incrementally.

Trigger 4: Cloud Subscription Compliance Gaps

The 39 percent of SAP's ECC customer base that has licensed S/4HANA — approximately 13,650 organisations as of late 2024 — now faces a new category of audit risk: cloud subscription compliance. RISE and GROW contracts introduce subscription metrics — Active Users, Full Use Equivalents, and document-based measures for digital access — that are measured by SAP systems in real time. Unlike perpetual licence audits, cloud compliance is continuous rather than periodic.

SAP's cloud audit focus in 2026 centres on three areas. First, user count overrun: organisations that have grown beyond contracted user counts without corresponding order amendments are in continuous breach. Second, FUE miscategorisation: users assigned to low-tier FUE categories whose actual system usage indicates higher-tier entitlement are a frequent audit finding. Third, BTP credit overrun: RISE and GROW contracts include BTP credit allocations; organisations that have consumed more credits than contracted — particularly for integration scenarios not anticipated at signing — face overcharge billing at list rates rather than negotiated rates.

Trigger 5: Self-Declaration Requests as Stealth Audits

SAP routinely sends customers annual or semi-annual self-declaration requests for specific products — SuccessFactors, Concur, Fieldglass, and others. These are presented as administrative compliance exercises. They are, in practice, licence compliance reviews that feed directly into SAP's commercial intelligence systems.

The data collected in self-declarations is analysed by SAP's Global Licence Compliance (GLC) team against contracted entitlements. Discrepancies are flagged and may trigger a formal audit, be used as leverage in renewal negotiations, or result in direct billing adjustments. Customers who submit self-declarations without independent review of the accuracy of their reported figures are providing SAP with free compliance intelligence that will subsequently be used against them commercially.

How to Build Your Audit Defence in 2026

Step 1: Conduct an Internal Licence Position Assessment Before SAP Does

The most important defensive step is to conduct your own independent licence position assessment before SAP measures anything. This means mapping every licensed product against current deployment, running DDLC measurement tools with independent oversight, assessing HANA memory utilisation against licence entitlements, and reviewing user classifications for accuracy. Organisations that know their position before an audit notification are in a fundamentally stronger negotiating posture than those who are reacting to SAP's measurement data.

Step 2: Establish Control Over the Measurement Process

When SAP requests access to run measurement tools or requests data for a self-declaration, you have the right to conduct your own measurement first and to challenge SAP's methodology. Your licence agreement defines the measurement process; review it carefully before allowing SAP access. Insist on reviewing the measurement output before it is submitted to SAP's GLC team. Challenge any measurement anomalies — including document double-counting and HANA peak vs. average discrepancies — in writing before the compliance discussion proceeds.

Step 3: Understand Your Contract Rights

Most SAP licence agreements include provisions that limit audit frequency (typically to once per year), require advance notice of audit initiation (typically 30 to 60 days), and specify acceptable measurement methodologies. Many audit disputes are resolved or materially reduced simply by enforcing the contractual terms that govern the audit process itself. These rights are frequently not exercised because customers are unfamiliar with their contract terms at the time an audit is initiated.

Step 4: Engage Independent Advisory Support Before the Audit Closes

SAP's audit process is designed to move quickly from measurement to settlement proposal. The settlement window — typically six to twelve weeks between audit initiation and SAP's commercial proposal — is when independent advisory support has the highest impact. Engaging specialist support during this window to challenge measurement methodology, validate the licence position, and structure a negotiated resolution consistently delivers materially better outcomes than accepting SAP's initial settlement figure.

Client Pattern: ECC Manufacturer Faces HANA and Indirect Access Dual Audit

A European industrial manufacturer with approximately 3,500 ECC users received simultaneous audit notifications covering HANA memory licensing and indirect access. SAP's initial measurement identified a HANA memory shortfall of 128 GB and indirect access liability across three connected systems — a logistics platform, a customer portal, and an RPA automation layer — with an aggregate claim of EUR 3.2 million.

Our independent review established that SAP's HANA measurement had captured a peak data load during year-end processing that was 40 percent above typical utilisation. Independent HANA sizing confirmed the actual shortfall was 48 GB, not 128 GB. The indirect access measurement had overcounted sales order documents by counting amendment postings as new documents. The corrected indirect access liability covered two of the three systems; the RPA layer connected through a licensed SAP integration platform was excluded. The final settlement was EUR 780,000 — 76 percent below SAP's initial claim.
