Why SAP Audits Are Revenue Events, Not Compliance Checks

Enterprise buyers routinely misframe an SAP audit as a routine administrative obligation — a periodic check that confirms they are using what they have paid for. This framing is incorrect, and it is expensive. SAP's Global Licence Audit and Compliance (GLAC) team runs a structured revenue function. Audit findings translate directly into licence invoices. The initial audit claim is, in the overwhelming majority of cases, SAP's opening commercial position, not a definitive legal determination of non-compliance.

SAP's fiscal year ends on 31 December. GLAC activity tends to accelerate in Q3 and Q4 as the vendor attempts to close licence shortfall revenue before year-end. If you receive an audit notification in the second half of any calendar year, the pressure you experience to conclude quickly is not coincidental. Understanding this commercial context is the first component of a credible defence.

Across more than 80 indirect access disputes and several hundred enterprise SAP licence negotiations, Redress Compliance has observed a consistent pattern: organisations that treat audit notifications as pure compliance events settle at or near SAP's initial claim. Organisations that treat them as structured commercial negotiations reduce that claim by 30 to 70 percent. The difference is almost always preparation, knowledge, and a willingness to engage as a buyer rather than as a defendant.

"The initial audit number is SAP's opening bid. Experienced buyers challenge every line of it, document every counter-argument, and leverage forward purchasing decisions to drive the final number down significantly."

How SAP Constructs Audit Claims: USMM, LAW, and LMBI Explained

Before you can challenge an audit finding, you need to understand precisely how SAP measures your usage and constructs its claim. SAP uses three primary tools: the User Measurement (USMM) program, the Licence Administration Workbench (LAW), and the Licence Measurement Business Intelligence (LMBI) platform.

USMM — User Measurement at System Level

USMM runs within each individual SAP system — whether ECC, S/4HANA, or another component — and counts active named users by licence type. It classifies each user ID according to transaction usage patterns. The critical point for buyers is that USMM classification is not infallible. It applies a set of rules that can mis-classify users whose transaction footprints are ambiguous, count technical service accounts as named users, or fail to recognise custom user type assignments your IT team has made. Every USMM output should be reviewed against your own user records before you accept it as a factual baseline.

LAW — Landscape-Wide Consolidation

LAW aggregates USMM outputs from all SAP systems in your landscape into a single consolidated licence position. It is designed to eliminate duplicate user IDs that appear across multiple systems — the same person accessing both a production ERP and a CRM system, for instance. In practice, LAW deduplication relies on User ID matching, which means users with different naming conventions across systems may be counted twice, and users who should be consolidated may not be. Mergers, acquisitions, and regional IT governance differences frequently create inconsistencies that inflate the apparent user count. Documenting these landscape-level anomalies is a material component of your defence.

LMBI — Indirect Access and Document Measurement

For organisations on S/4HANA or those subject to digital access claims, LMBI is the measurement tool SAP uses to quantify document creation via third-party systems. LMBI counts the number of business documents (purchase orders, sales orders, delivery notes, material documents, financial documents) generated in the SAP system as a result of activity in external applications. This is directly connected to the Digital Document Licence Charge (DDLC) metric, which is the core mechanism behind indirect access claims on modern SAP landscapes.

The DDLC Metric: Indirect Access Quantified

The Digital Document Licence Charge (DDLC) is the metric SAP uses under its Digital Access licensing model to quantify and price indirect use of S/4HANA. Understanding DDLC is non-negotiable for any organisation that has third-party applications, RPA bots, IoT devices, or external portals that create transactions in SAP.

Under DDLC, SAP counts five categories of business document that, when created in S/4HANA by a non-human actor (i.e., an interface rather than a named user), generate a licence requirement. These five document types are: Sales Orders, Purchase Orders, Production Orders, Goods Movements, and Financial Accounting Documents. The licence price is applied per document, or more precisely per document tier — SAP publishes volume tiers that reduce the per-document rate as volume increases, but the aggregate cost across a large enterprise with high transactional volume can reach millions of euros annually.

The DDLC model replaced the older, more ambiguous "named user for indirect use" approach that SAP applied to ECC environments. Under ECC, indirect access exposure was assessed by asking whether each third-party system should have been covered by a named-user licence for the relevant functionality. Under S/4HANA and Digital Access, the exposure is mechanically measurable via document counts — which is both more transparent and, in high-volume environments, significantly more expensive.

How SAP Leverages DDLC in Audit Scenarios

When SAP runs an audit on an S/4HANA landscape, LMBI will quantify every document created via every interface. SAP then calculates the theoretical cost of licensing all of that indirect usage under the Digital Access price list. The resulting number typically forms the largest single line in the audit claim. Common high-volume scenarios include Salesforce or other CRM systems creating sales orders in SAP, warehouse management systems generating goods movements, EDI gateways producing purchase orders, and RPA automations creating financial documents.

Your defence on DDLC has three components: first, challenge whether SAP's document count is accurate (LMBI counts are not immune to double-counting); second, identify any interfaces that are legitimately covered by existing named-user licences or integration licences you hold; third, negotiate the forward-looking Digital Access package as a settlement mechanism rather than paying retrospective penalties at list price.

In one engagement, a global manufacturing conglomerate received an SAP indirect access claim of EUR 8.2M. After structured internal measurement and line-by-line challenge of every LMBI document count, Redress Compliance negotiated the settlement to EUR 1.9M — combined with a forward Digital Access adoption commitment. The engagement fee was less than 3% of the exposure eliminated.

The Five Phases of SAP Audit Defence

A structured SAP audit defence moves through five distinct phases. Each phase has specific objectives, deliverables, and leverage points. Skipping or compressing any phase reduces your ultimate outcome.

Phase 1 — Notification and Scope Review

When you receive an SAP audit notification, your first obligation is not to begin data collection — it is to review the audit clause in your licence agreement. The audit clause governs what SAP is entitled to measure, how much notice they must give, how often they can audit, and what data they can require you to provide. Many agreements limit SAP to one audit per year. Some contain restrictions on the scope of measurement tools. Some require that SAP bear the cost of the audit. If SAP's notification does not comply with the contractual requirements, you have grounds to push back on timing, scope, or process before any measurement begins.

During Phase 1, assemble your audit response team. This should include a licence management lead, an IT representative with access to run USMM and LAW, a procurement or contract owner who understands your entitlements, and legal counsel who can interpret the contract and manage correspondence. Consider engaging an independent SAP licensing adviser at this stage rather than after findings are issued — early involvement typically produces better outcomes.

Phase 2 — Internal Measurement and Entitlement Baseline

Before SAP runs their measurement, run your own. Use USMM and LAW to produce an internal licence position that you control and understand. For S/4HANA environments, run LMBI or equivalent tooling to quantify your document-based indirect usage. Cross-reference every user classification against HR records, role assignments, and transaction history. Build your own entitlement register by aggregating all licence schedules, amendments, and special agreements — including any Digital Access Adoption Programme (DAAP) agreements, RISE with SAP subscription terms, or BTP licensing arrangements that may cover some of the usage SAP intends to claim.

The goal of this phase is to arrive at a defensible internal position before SAP presents their findings. This is also the phase where you identify optimisation opportunities: users who can be reclassified downward, interfaces that qualify for document exclusions, shelfware that can be used to offset claims, and any contractual provisions that limit SAP's measurement methodology.

Phase 3 — Audit Execution and Findings Challenge

When SAP's GLAC team runs the formal audit measurement and issues their findings report, do not accept it as final. Treat it as SAP's opening commercial position. Review every finding individually, comparing it against your internal measurement from Phase 2. Specific areas to challenge include: user classifications where USMM has applied automated rules that do not reflect actual usage; duplicate user IDs that LAW has failed to consolidate; document counts that include excluded transaction types or test system documents; and indirect access claims for interfaces that are covered by existing licence agreements.

Produce a written counter-analysis for each disputed finding. This document — sometimes called a licence position memorandum — becomes the basis for settlement negotiation. SAP's GLAC team will be aware that well-documented counter-positions carry legal weight and are not easily dismissed. The quality and specificity of your challenge directly influences how much SAP is willing to reduce the claim.

Phase 4 — Settlement Negotiation

SAP audit settlements are commercial negotiations, not adjudications. SAP does not want to litigate: the cost, duration, and reputational risk of SAP audit litigation are substantial for both parties. This gives buyers significant leverage, provided they are prepared to engage commercially rather than simply accepting an invoice.

Effective settlement negotiation uses several levers simultaneously. Forward purchasing commitment is the most powerful: if you can credibly commit to an S/4HANA migration, a RISE with SAP contract, a BTP expansion, or any other significant new spend, SAP will typically trade a reduction in audit settlement for commercial momentum. Escalation to your account team — away from GLAC — can shift the dynamic from enforcement to partnership. Bringing in your CIO or CFO to engage SAP's senior leadership signals that this is a relationship-level conversation. Requesting a formal settlement agreement (rather than a simple invoice payment) ensures that the findings are formally closed and cannot be revisited.

A realistic target for settlement reduction, based on our experience across 80+ disputes, is 30 to 50 percent off the initial claim through challenge alone, with a further reduction of 10 to 20 percent achievable when combined with forward purchasing leverage. Initial claims involving large DDLC exposures can sometimes be settled at 20 to 30 percent of the claimed amount when the buyer is well-prepared and willing to make a Digital Access adoption commitment.

Phase 5 — Post-Settlement Governance

Settling an audit without changing the underlying conditions that created the exposure guarantees that the same issues resurface. Phase 5 is the build-out of a permanent licence compliance function that prevents recurring exposure. This includes establishing a quarterly internal licence measurement cadence, building an entitlement register that is maintained in real time, implementing monitoring of DDLC document volumes where indirect access is material, and embedding licence awareness into change management processes so that new third-party integrations are assessed for DDLC impact before they go live.

Indirect Access: The Audit Trigger You Cannot Ignore

Indirect access — the use of SAP functionality by humans or systems that connect through a third-party application rather than directly through the SAP user interface — remains the single largest source of audit exposure for most enterprise SAP customers. In ECC environments, the exposure was assessed via named-user logic: if a user of Salesforce, for example, was triggering SAP processes, SAP argued that user should hold an SAP named-user licence. In S/4HANA environments, the same exposure is now quantified via DDLC document counts, which makes it simultaneously more transparent and more dangerous to ignore.

The most common indirect access scenarios we encounter in audit defence engagements include CRM platforms (Salesforce, Microsoft Dynamics) creating sales orders in SAP via API integration; warehouse management, transport management, or logistics execution systems generating goods movements and delivery documents; EDI gateways processing purchase orders and invoices on behalf of suppliers; RPA platforms (UiPath, Automation Anywhere, SAP's own Build Process Automation) executing financial transactions; and IoT systems generating material documents, production confirmations, or maintenance notifications at scale.

None of these scenarios are inherently non-compliant — but all of them require explicit attention to whether the documents being generated are covered by existing licences. Proactively inventorying every interface that touches your SAP landscape, estimating the document volumes they generate, and mapping those volumes against your current entitlements is the most effective preventive action available to enterprise SAP buyers.

S/4HANA Migration and the Licence Baseline Reset

Migrating from ECC to S/4HANA — whether via a greenfield implementation, a brownfield conversion, or via RISE with SAP — resets your licence baseline in ways that are not always visible until an audit occurs. This is one of the most significant and underappreciated risks in the S/4HANA transition.

Under ECC, your licence entitlements were defined by named-user types (Professional, Limited Professional, Employee, etc.) and by the specific modules and engines you had licensed. Under S/4HANA, the user type nomenclature changes — Advanced User, Core User, Self-Service User — and the mapping between old and new types is not always one-to-one. SAP provides a conversion guide, but the guide often maps to the user type that maximises SAP's revenue from your landscape rather than the type that most accurately reflects each user's actual usage. Accepting SAP's default mapping without review is a common and costly mistake.

S/4HANA also activates Digital Access as the default model for indirect use. If your ECC landscape had informal indirect access arrangements — interfaces that were never explicitly licensed but were tolerated — those arrangements do not carry over to S/4HANA. Every interface that generates documents in S/4HANA requires either a Digital Access licence covering the relevant document types and volumes, or a named-user licence for the users operating the external application. SAP's GLAC team will conduct a post-migration audit with specific focus on both user type mapping and digital access exposure.

RISE with SAP and Audit Context

RISE with SAP is marketed as a comprehensive cloud ERP solution, but what it actually includes and excludes has direct relevance to audit exposure. RISE with SAP bundles the S/4HANA Cloud Private Edition licence, infrastructure hosting, the SAP Business Technology Platform starter package, and SAP Premium Supplier Collaboration — but it does not include Digital Access licences for third-party integrations beyond what is explicitly stated in the RISE contract, nor does it include SAP Analytics Cloud, SuccessFactors, Ariba, or other SAP cloud applications that many customers assume are part of the bundle.

In a RISE with SAP environment, SAP hosts the infrastructure, which means SAP has more visibility into actual usage than in a traditional on-premise landscape. The absence of an audit notification does not mean RISE customers are not being monitored — contractual compliance in RISE is enforced through subscription terms and renewal processes rather than through the classic GLAC audit mechanism. However, customers who expand their integration landscape after signing a RISE contract can create DDLC exposure that is not covered by the initial subscription terms and that will surface at renewal as an uplift demand.

The Role of SAP Annual Support in Audit Economics

SAP charges annual maintenance at approximately 22 percent of net licence value (NLV). This figure is critical to audit economics for two reasons. First, any new licences agreed as part of an audit settlement immediately generate an ongoing annual support obligation at 22 percent. A settlement that includes EUR 5 million in new licences creates an annual recurring cost of EUR 1.1 million in support fees — indefinitely, unless those licences are later removed or renegotiated. Second, if you have been under-licensed in prior years, SAP may seek backdated support fees in addition to the licence shortfall.

When negotiating an audit settlement, buyers should always calculate the total cost of ownership of any settlement proposal, not just the licence payment. A settlement that includes a large new licence bundle with full annual support is substantially more expensive over three to five years than a smaller cash settlement that does not add to the perpetual support base. Structuring settlements as one-time clean-up payments rather than new licence acquisitions — where commercially achievable — reduces the long-term financial impact.

Negotiation Tactics That Work

Based on experience across 80+ indirect access disputes, the following tactics consistently produce material improvement in audit outcomes for enterprise buyers.

Challenge Every Finding in Writing

Verbal objections do not create a record. Written, documented challenges to specific findings — supported by data from your internal measurement — carry legal weight and force SAP to engage substantively with your counter-position. The quality of your written challenge is directly correlated with the size of the reduction you can achieve.

Separate GLAC from Sales

SAP's GLAC team and your account team have different incentives. GLAC's objective is to close findings and generate licence revenue. Your account team's objective is to grow the relationship and close future deals. Engaging your account team as a parallel channel — framing the audit as a partnership issue rather than a compliance enforcement action — creates internal tension within SAP that typically results in commercial concessions from the sales side.

Use Forward Purchasing as Currency

Any credible commitment to future SAP spend — S/4HANA migration, RISE with SAP transition, BTP expansion, SuccessFactors deployment — can be used as currency in audit settlement discussions. SAP will often accept a reduced settlement payment in exchange for a committed new contract. This only works if the commitment is genuine and documented in a binding order form.

Negotiate Settlement Language Explicitly

Any settlement agreement should contain explicit language stating that the agreed payment resolves all findings identified in the audit and that SAP waives any further claims arising from the measurement period. Without this language, SAP retains the ability to revisit findings in a future audit. "Full and final settlement" language is standard in commercial dispute resolution and should be non-negotiable in your SAP audit settlement.

Engage Legal Counsel for Significant Claims

For audit claims in excess of EUR 2 to 3 million, or where SAP's initial position is clearly unreasonable, engaging commercial lawyers with software licensing expertise changes the dynamic of the negotiation. SAP is acutely aware of the legal uncertainty around indirect access claims — particularly for ECC-era indirect use — and the involvement of experienced legal counsel signals that you are prepared to contest the claim formally if necessary.

Building a Permanent SAP Audit Defence Programme

The most resilient position against SAP audit risk is a permanent internal programme that treats licence compliance as an ongoing operational function rather than a crisis response activity. Organisations with mature SAP licence governance consistently achieve lower audit settlements, shorter audit cycles, and fewer escalations than those who treat audits reactively.

Quarterly Internal Measurement

Run USMM and LAW quarterly, not annually. Quarterly measurement means you identify licence drift — user count increases, new module deployments, interface expansions — within 90 days of it occurring, rather than discovering it during a formal SAP audit years after the fact. Quarterly measurement also gives you a running record of your licence position that you can produce quickly in response to an audit notification.

DDLC Document Monitoring

For organisations with significant third-party integration landscapes, implement continuous DDLC document volume monitoring. This can be achieved through SAP's own monitoring tooling, through third-party SAM tools that integrate with your SAP landscape, or through custom reporting built on SAP's standard document management infrastructure. The goal is to know your document volumes in near-real-time and to trigger an internal review whenever volume growth suggests you are approaching a tier boundary that would increase your Digital Access licence cost.

Integration Change Management

Every new third-party system, RPA bot, IoT integration, or API connection that touches your SAP landscape should go through a formal licence impact assessment before go-live. This assessment should determine whether the new integration generates DDLC-relevant documents, quantify the expected volume, confirm whether existing licences cover that volume, and if not, initiate a procurement process to acquire the necessary Digital Access coverage. This single governance control prevents the majority of indirect access audit exposure from occurring in the first place.

Contract and Entitlement Register

Maintain a current entitlement register that aggregates all licences purchased, their metrics, their quantities, and their contractual coverage. This register should be updated after every procurement transaction and should be reconciled against the annual LAW report. When an audit notification arrives, the first step — reviewing your entitlement position — should take hours rather than weeks.

What SAP's GLAC Team Won't Tell You at the Settlement Table

An SAP audit notification is a commercial event that rewards preparation and penalises passivity. The DDLC metric, which governs indirect access claims in S/4HANA environments, is the most significant source of audit exposure for organisations with complex integration landscapes. S/4HANA migration resets the licence baseline and activates digital access as the default indirect use model — both of which must be explicitly addressed before migration, not after. RISE with SAP does not automatically resolve audit exposure; it changes the enforcement mechanism without eliminating the underlying risk. SAP annual support at 22 percent of NLV means that every new licence agreed in a settlement creates a permanent ongoing cost obligation.

The buyers who achieve the best audit outcomes are those who invest in proactive governance, engage SAP as a commercial counterpart rather than as an authority, and leverage the full range of contractual, technical, and commercial arguments available to them. Redress Compliance has built its SAP practice on this approach, defending more than 80 indirect access disputes exclusively on behalf of enterprise buyers across 50+ countries.

If you are facing an active SAP audit, preparing for an S/4HANA migration that will reset your licence baseline, or building out a proactive compliance programme, our SAP commercial advisory specialists are available to support you at every stage. Our engagements are 100 percent buyer-side — we do not advise SAP or any software vendor.