Client Background and Audit Trigger

The client is a leading Swiss multinational with operations spanning more than 50 countries and a global headcount in excess of 100,000 employees. The organisation had been an SAP customer for over two decades, with a complex multi-system ERP landscape that included both legacy SAP ECC components and newer S/4HANA deployments in key regional hubs.

SAP's Global Licence Audit and Compliance (GLAC) team initiated a formal audit citing concerns about the organisation's indirect access usage, licence type classifications across its global user base, and the completeness of its annual measurement and reporting. The audit notification arrived without prior commercial discussion — a pattern increasingly common as SAP's GLAC team operates as a distinct revenue function, separate from the account team managing the customer relationship.

The timing was significant: SAP's fiscal year ends 31 December, and the audit notification was issued in Q3, giving GLAC a structured window to conclude findings and convert them to licence revenue before year-end. The initial financial exposure identified in SAP's preliminary assessment was CHF 25 million — a figure that, if accepted, would have generated an additional support obligation of approximately CHF 5.5 million per year at SAP's standard 22 percent annual support rate.

The Three Core Areas of SAP's Audit Claim

SAP's formal audit findings document identified three distinct areas of alleged non-compliance. Understanding how each was constructed was the first step in building an effective response.

Indirect Access via Third-Party Systems

The largest component of the CHF 25M claim related to indirect access — specifically, the use of SAP ERP functionality through third-party systems that were not covered by named-user licences or by a Digital Access (DDLC) agreement. SAP's auditors had used LMBI (Licence Measurement Business Intelligence) tooling to count documents generated in the client's SAP landscape by external applications, and had applied DDLC document pricing to the total volume.

The Digital Document Licence Charge (DDLC) metric is SAP's mechanism for pricing indirect use of S/4HANA. Under DDLC, SAP counts the number of specific business document types — Sales Orders, Purchase Orders, Production Orders, Goods Movements, and Financial Accounting Documents — created in the SAP system by non-human actors: interfaces, APIs, RPA bots, or EDI gateways. Each document, or each document within a volume tier, carries a licence fee. At the client's transaction volumes, the theoretical DDLC exposure before any challenge was the dominant element of the overall claim.

User Classification Overstatement

The second component involved user licence type classifications across the global user base. SAP's USMM (User Measurement) analysis had classified a significant proportion of users at higher licence tiers — Advanced User or Professional User equivalents — based on automated transaction footprint analysis, without taking into account the client's own internal user type governance or the role-based access restrictions that limited what many of those users could actually do within SAP.

In complex global organisations with decentralised IT governance, user accounts often accumulate transaction authorisations that are never actively used. USMM applies rules based on which transactions a user has authority to execute, not exclusively on which transactions they have actually executed within a defined measurement period. This creates systematic overstatement of licence requirements in large organisations where role management has not been kept tightly pruned.

Landscape Consolidation Anomalies

The third component arose from how SAP's LAW (Licence Administration Workbench) had consolidated user data across the client's multi-system landscape. The client had grown significantly through acquisitions over the preceding decade, and several acquired entities had their own SAP systems with different user ID naming conventions. LAW's deduplication logic had failed to consolidate a substantial number of user IDs that represented the same individual accessing multiple systems, resulting in an inflated aggregate user count — and a correspondingly inflated licence shortfall claim.

"SAP's initial CHF 25 million figure was not a legal determination — it was an opening commercial position, constructed from automated measurement tools that contained systematic errors we could document and challenge."

The Defence Approach: Four Parallel Workstreams

Redress Compliance was engaged three weeks after the audit notification — early enough to influence the measurement phase rather than simply react to findings. The defence was structured around four parallel workstreams, each targeting a distinct component of SAP's claim.

Workstream 1: Independent Internal Measurement

Before accepting any of SAP's measurement data, the team ran an independent USMM and LAW analysis using the client's own access to their SAP landscape. This produced a baseline that the client controlled and could verify against its own HR records, access governance logs, and user activity data. The independent measurement immediately identified the landscape consolidation anomalies: a large cohort of user IDs representing the same individuals across acquired systems had not been deduplicated by LAW due to naming convention inconsistencies introduced during post-acquisition IT integration.

The client's IT team worked with Redress Compliance to produce a formal reconciliation of the LAW outputs, mapping each apparently duplicate user to the underlying HR record that confirmed their identity. This reconciliation, prepared in a format suitable for submission to SAP's GLAC team, addressed a significant portion of the inflated user count and reduced the user classification shortfall materially.

Workstream 2: DDLC Counter-Analysis

The indirect access and DDLC component required the most detailed technical work. The team undertook a full inventory of every third-party system, API integration, and automated process that generated transactions in the client's SAP landscape. This inventory — compiled across IT, procurement, operations, and finance teams — identified over 40 distinct integration points, ranging from a global warehouse management system generating goods movements to a regional HR platform triggering payroll-related financial postings.

For each integration, the team assessed whether: the documents generated were of a type covered under DDLC (not all transaction types are DDLC-applicable); the volume attributed to that integration in SAP's LMBI report was accurate; any existing named-user or integration licences already covered that usage; and any test system or non-production documents had been incorrectly included in the count. The analysis found that SAP's LMBI count had included a significant volume of documents from test and development systems, which are not subject to DDLC charges under standard SAP licence terms. It also identified several integrations where the client held integration licences that explicitly covered the indirect usage in question.

The result was a DDLC counter-position that reduced the document volume subject to licensing by approximately 35 percent compared to SAP's initial claim, with corresponding reductions in the theoretical licence exposure.

Workstream 3: User Classification Review and Optimisation

The user classification component of the claim was addressed through a detailed role and transaction analysis. The team identified a large cohort of users who had been classified at the Advanced User tier by USMM based on transaction authorisations they held but had not exercised within the measurement period. SAP's standard measurement rules apply authorisation-based classification in some scenarios, but the client's licence agreement contained specific language that provided a basis for challenging classifications where actual usage did not support the higher tier.

Additionally, the review identified a pool of users whose licences could be legitimately downgraded through administrative remediation — removing unused transaction authorisations from roles to ensure that future USMM measurements would classify them at the correct tier. This optimisation, implemented before SAP's formal measurement was completed, reduced the ongoing licence requirement rather than simply generating a one-time settlement adjustment.

Workstream 4: Settlement Strategy and Commercial Negotiation

With the technical counter-positions documented, the negotiation phase focused on converting the analysis into a settlement outcome. The client's account team was engaged as a parallel channel alongside the GLAC team — framing the audit resolution as a partnership discussion rather than a pure enforcement matter. The client had a credible pipeline of future SAP investment, including a planned expansion of their S/4HANA deployment to additional regions, which provided meaningful commercial leverage.

The settlement negotiation targeted three outcomes: a significant reduction in the face value of the claim based on the documented technical counter-positions; a forward-looking Digital Access agreement covering the legitimate indirect usage identified in the DDLC analysis, at commercially negotiated rates rather than list price; and explicit full-and-final settlement language in the agreement, preventing SAP from revisiting the same measurement period in a future audit.

Outcome and Long-Term Governance

The settlement achieved a substantially reduced outcome compared to SAP's initial CHF 25 million claim. The reduction reflected the combined impact of the DDLC counter-analysis eliminating test system documents and already-licensed integrations from the scope, the user reconciliation correcting the LAW consolidation anomalies across acquired entities, the user classification review downgrading the cohort with authorisation-only exposure, and the commercial leverage generated by the client's forward investment commitments.

The final Digital Access agreement covering the client's legitimate indirect usage was structured at commercial rates negotiated below list price, with volume tiers appropriate to the client's actual document volumes and contractual protections limiting SAP's ability to reclassify document types without notice during the agreement term. The annual support cost on the new licences — at approximately 22 percent of net licence value — was factored into the total cost of ownership modelling used to evaluate settlement options.

Governance Framework Established

The resolution of the audit was accompanied by the design and implementation of a permanent SAP licence governance framework to prevent the same issues from recurring. The framework included quarterly USMM and LAW runs with results reviewed against the entitlement register, automated monitoring of DDLC document volumes by integration to detect growth trends before they cross tier thresholds, a formal integration change management process requiring licence impact assessment for any new third-party system connecting to SAP, and annual user access reviews targeting the removal of unused transaction authorisations from role assignments.

Critically, the client also implemented a cross-functional governance committee — including representatives from IT, procurement, finance, and legal — to ensure that SAP licensing decisions are not made unilaterally by any one function and that the organisation maintains a coherent, documented view of its licence position at all times.

Lessons for Enterprise SAP Buyers

This case study illustrates several principles that apply broadly to enterprise organisations facing SAP indirect access audits. SAP's initial audit claim is always a commercial opening position, not a definitive legal determination. The DDLC metric, which governs indirect access quantification in S/4HANA environments, is susceptible to over-counting in several common scenarios — test systems, already-licensed integrations, and non-applicable document types — and each of these represents a documentable basis for challenge.

The cost of annual SAP support at 22 percent means that every CHF of new licences agreed in a settlement generates perpetual annual obligations. Total cost of ownership modelling across three to five years, not just the initial settlement payment, should drive every settlement decision. Organisations that engage specialist buyer-side support early — before SAP's formal measurement is completed — consistently achieve better outcomes than those who wait until findings are issued.

Finally, the most durable protection against future audit exposure is a permanent internal governance programme that treats licence compliance as an operational function, not a crisis response. The investment in building that governance capability, undertaken as part of this engagement, creates ongoing protection that significantly exceeds the cost of implementing it.

For organisations operating complex SAP landscapes with significant third-party integration footprints, the question is not whether SAP will audit — it is whether you will be ready when they do. Redress Compliance's SAP audit defence services are available to support organisations at every stage, from notification through settlement and governance build-out.