SAP's Digital Access Licensing model — introduced in 2018 and now the de facto framework for indirect use — charges enterprises based on documents created in SAP by third-party systems, not by the users operating those systems. Every time an external application such as Salesforce, a supplier portal, an e-commerce platform, or an IoT device pushes a transaction into SAP, that creates a countable document. If you have not licensed those documents, you are exposed.
The nine document types subject to Digital Access licensing are: Sales Documents, Invoice Documents, Purchase Documents, Service & Maintenance Documents, Manufacturing Documents, Quality Management Documents, Time Management Documents, Financial Documents, and Material Documents. Financial and material documents are weighted at 0.2 each; all others count at 1.0 per document item. High transaction volumes in these lower-weighted categories can still produce significant licensing gaps.
"Most organisations we assess have never run the SAP Digital Access Estimation tool against their live system. They are managing a risk they cannot see — and SAP's audit team can see it very clearly."
— Morten Andersen, SAP Licensing Practice Lead, Redress Compliance
— Morten Andersen, SAP Licensing Practice Lead, Redress Compliance
Use this assessment to produce a documented exposure position before SAP engages you in any commercial conversation. Organisations that complete this exercise proactively — and present a credible measurement to SAP — consistently achieve better commercial outcomes than those reacting to audit findings.
Section 1 — Integration Inventory
01
Compile a complete register of all third-party systems that connect to SAP High Risk
List every non-SAP application, middleware layer, RPA bot, or custom script that reads from or writes to your SAP environment. This includes CRM platforms (Salesforce, HubSpot), procurement tools (Coupa, Ariba standalone instances), e-commerce engines, EDI gateways, IoT platforms, and analytics pipelines. Many organisations discover integrations built years ago that are still running — and still creating documents.
Expert NoteYou are looking for both active and dormant connections. Review your middleware logs, RFC connection tables (SM59), and your integration platform's inventory. Dormant connections that still generate batch documents are a common audit surprise — SAP counts every document regardless of whether the integration is actively maintained.
02
Classify each integration as read-only, write, or bidirectional High Risk
SAP Digital Access licensing is triggered by document creation in SAP by external systems. Pure read operations (extracting SAP data into a BI tool without writing back) do not trigger document charges under the Digital Access model, though they may carry residual indirect access risk under older contract language. Write and bidirectional integrations are your primary exposure. Document this classification for every system in your integration register.
Expert NoteThe distinction between "read" and "write" is not always obvious at the middleware layer. An integration that pulls SAP data and then creates a follow-on SAP document (e.g., a goods receipt triggered by a supplier confirmation) is a write integration even if the user-facing interface looks like a reporting tool. Verify at the SAP transaction layer, not the integration UI.
03
Map all RFC and BAPI calls used by external systems Medium Risk
Remote Function Calls (RFCs) and Business Application Programming Interfaces (BAPIs) are the technical mechanism through which most third-party systems interact with SAP. Use transaction SM59 to review RFC destinations and cross-reference with your integration register. Identify which BAPIs each external system calls and which document types those calls can produce.
Expert NoteSAP's audit team uses the Digital Access Estimation tool to count documents by scanning system logs — but their pre-audit intelligence often comes from BAPI usage patterns. If you are using BAPIs that create sales orders, purchase orders, or production orders, assume those are being counted and measured your volume against what is licensed.
04
Identify all IDoc traffic between SAP and external systems Medium Risk
Intermediate Documents (IDocs) are SAP's native data exchange format, widely used in EDI and B2B integration scenarios. High-volume IDoc traffic — particularly ORDERS, INVOIC, DESADV, and SHPMNT message types — can generate large document counts under Digital Access licensing. Review WE02 and WE05 for inbound IDoc volumes and reconcile these against your Digital Access entitlement.
Expert NoteEDI-heavy industries such as retail, automotive, and manufacturing are consistently among the highest-risk categories for Digital Access exposure. A mid-size manufacturer processing 50,000 purchase order IDocs per month from supplier systems could accumulate 600,000 licensed documents per year — far exceeding typical contractual entitlements.
Section 2 — Document Volume Measurement
05
Run the SAP Digital Access Estimation tool on your live system High Risk
SAP provides an estimation tool to calculate your indirect document consumption. For SAP ECC systems, apply SAP Note 2992090; for SAP S/4HANA systems, apply SAP Note 2999672. These notes install a report that scans your system and produces estimated document counts across all nine Digital Access document types. Run this on a representative 12-month period. The output is your baseline exposure figure.
Expert NoteRun this tool before SAP does. SAP's audit team uses the same or equivalent tooling to establish the claim figure in an audit. If you have already run it and understand the numbers, you are in a position to challenge methodology, negotiate document counting rules, and dispute anomalies. If you have not run it and SAP presents a figure, you are negotiating blind.
06
Count sales order documents created by external systems at the line-item level High Risk
Sales Documents are among the most commercially significant of the nine Digital Access types. SAP counts at the line-item level, not the header level — a single sales order with 15 line items counts as 15 documents. E-commerce platforms, CRM order management modules, and customer self-service portals are the most common sources of externally-created sales documents. Establish monthly volumes for this document type specifically.
Expert NoteThe line-item counting rule is where most commercial teams get the exposure figure badly wrong. They count orders when they should count lines. A B2C e-commerce operation processing 10,000 orders per month with an average of 3.5 items per order is generating 35,000 licensed documents per month — 420,000 per year. At list price, this has significant licence cost implications.
07
Measure purchase document volumes from procurement platforms and supplier portals High Risk
Purchase Documents — purchase orders and purchase requisitions created in SAP by external procurement systems — are a major exposure category for enterprises using tools such as Coupa, Jaggaer, or custom supplier portals that push POs into SAP via integration. Count purchase order line items created by non-SAP-native users across a 12-month period.
Expert NoteMany procurement digitalisation projects create significant indirect access exposure precisely because their business case focuses on efficiency gains (faster PO processing, supplier self-service) without any licensing impact assessment. A 3-way matching process where the GR is automatically created by the WMS system compounds the exposure further — both the PO and the goods receipt may be countable documents.
08
Quantify manufacturing and quality documents created by MES or QMS systems Medium Risk
Manufacturing Execution Systems (MES) and Quality Management Systems (QMS) integrated with SAP PP and SAP QM modules create production orders, process orders, quality notifications, and inspection lots that fall under Digital Access licensing. Document the integration points between your MES/QMS and SAP, and measure the monthly document volumes produced.
Expert NoteManufacturing companies that have invested in Industry 4.0 or Smart Factory initiatives often have extensive MES-to-SAP integration. These integrations were rarely reviewed for licensing impact at the time of implementation. A production line generating 500 production orders per day from an external MES creates approximately 182,500 licensed documents per year — a figure that is rarely reflected in contract entitlements.
09
Count financial and material documents (weighted at 0.2) but assess cumulative volume Medium Risk
Financial Documents (FI postings) and Material Documents (goods movements) created by external systems carry a reduced weighting of 0.2 under the Digital Access model. However, these document types occur at extremely high volumes in automated supply chains — particularly goods receipts generated by warehouse management systems, and automated FI postings from treasury or ERP consolidation tools. Calculate weighted document totals for these types separately.
Expert NoteThe 0.2 weighting is a relative concession — but a warehouse system generating 10,000 goods movements per day is still producing 2,000 weighted documents per day, or 730,000 per year. When combined with other document types, financial and material documents are frequently the second-largest contributor to total Digital Access exposure after sales documents.
10
Compare measured document volumes against licensed entitlements and calculate the gap High Risk
Once you have run the Digital Access Estimation tool and manually validated key document types, compare total weighted document consumption against your current contractual entitlement. If you have signed a DAAP agreement, review the entitlement bundles included. If you are on legacy indirect access contract language, model what the equivalent Digital Access exposure would be. The gap is your compliance liability.
Expert NoteMost enterprises have no Digital Access entitlement at all — they are operating on legacy contract language that does not address document-based licensing. This is not a safe position. SAP has demonstrated willingness to pursue retroactive claims for periods of unlicensed use. Establishing the gap now, and addressing it commercially before any audit communication, is materially better than responding to a formal claim.
Download the SAP Audit Defence Framework
Practical contract language, measurement methodology, and negotiation playbook for SAP indirect access and Digital Access compliance.
Section 3 — User & Access Audit
11
Review all SAP system users (technical accounts) assigned to external integrations Medium Risk
Every integration with SAP typically runs under a dedicated SAP system user account. Identify all accounts of user type "System" in your SAP user master (SU01 or SUIM), and map each account to the external system it serves. Verify that named user licenses are not being assigned to integration accounts, and that integration accounts are not being misused to perform manual transactions.
Expert NoteSystem user accounts should be restricted to programmatic access only. If an integration account is used to perform manual transactions — even occasionally — it may trigger a reclassification requirement from Professional to a higher license type. More importantly, misuse of system accounts is a common audit finding that SAP uses to escalate from a Digital Access conversation to a broader license review.
12
Review STAD and ST03N transaction logs for interface account activity patterns Medium Risk
Use SAP transactions STAD (Statistical Records Display) and ST03N (Workload Monitor) to analyse activity patterns for your identified integration accounts. Look for unusually high transaction counts, unexpected transaction types, and activity outside of normal batch processing windows. This analysis surfaces integrations that may be more active than expected, and provides the basis for challenging inflated document count estimates in an audit.
Expert NoteYour own system logs are your best defence in any indirect access audit. If the STAD data shows that a particular system user ran a document-creating transaction 1,200 times per month but SAP's estimation tool is claiming 50,000 documents from that account, you have concrete grounds to challenge the methodology. Build the habit of archiving STAD data for at least 24 months in advance of any expected SAP engagement.
13
Check whether any named SAP users are accessing SAP data exclusively through unlicensed third-party interfaces High Risk
The original indirect access risk — pre-Digital Access — was that named users were accessing SAP functionality via a third-party UI without individual SAP licenses. While the Digital Access model partially addressed this for new contracts, older ECC contracts often retain named-user indirect access clauses alongside or instead of document-based licensing. Identify any business users whose only SAP data access is via an unlicensed application layer.
Expert NoteThis is the risk that produced the landmark litigation cases. A user who reads SAP inventory data in a custom dashboard, or submits expenses via a third-party mobile app that writes to SAP, may be "using SAP" under the contract definition even though they never log into the SAP GUI. Salesforce users accessing SAP data via an integration, for example, triggered a claim in excess of £54 million in the most publicised UK case.
14
Assess RPA bot activity and AI agent interactions with SAP High Risk
Robotic Process Automation (RPA) bots and, increasingly, AI agents that interact with SAP to automate procurement, finance, or HR workflows create documents in exactly the same way as human users operating through a third-party system. Many organisations have deployed UiPath, Automation Anywhere, or SAP Build Process Automation bots without assessing the Digital Access document footprint those bots generate. Include all RPA workflows that touch SAP in your assessment.
Expert NoteRPA-generated document volumes can be among the highest in an organisation precisely because automation runs continuously, without the natural rate-limiting effect of human working hours. A bot automating accounts payable invoice processing that runs 24 hours a day will generate document counts that no manual team could match. This is a fast-growing area of audit exposure as enterprise automation programmes accelerate.
Section 4 — Contract & Licensing Review
15
Review your SAP contract for indirect access definitions, scope limitations, and exclusions High Risk
Extract and review the indirect access provisions in your current SAP licence agreement. Key clauses to examine: the definition of "use" and "indirect use"; whether the contract references the Digital Access Adoption Program (DAAP) or document-based licensing; any Technology Partner or Embedded License provisions that may reduce exposure for specific integrations; and the audit rights clause that governs SAP's measurement methodology.
Expert NoteContract language from pre-2018 agreements often contains broad "indirect use" definitions that can be read more expansively by SAP than by customers. Do not assume that ambiguous language protects you — SAP's interpretation is typically the most commercially aggressive one consistent with the text. Where your contract is genuinely ambiguous, that ambiguity is a negotiating asset to deploy before, not during, an audit.
16
Determine whether you have signed the Digital Access Adoption Program (DAAP) High Risk
DAAP is SAP's commercial programme to transition customers from legacy indirect access risk to document-based Digital Access licensing. DAAP typically offers 85 to 90 percent discounts off list price on initial document license purchases, and provides amnesty for historical unlicensed use. Confirm whether DAAP has been signed, which document types and bundles are covered, what the contractual document caps are, and when the DAAP terms expire or convert.
Expert NoteDAAP is not a permanent solution — it is a time-limited commercial vehicle. DAAP agreements typically have fixed terms of 3 to 5 years, after which the document pricing reverts toward list. If your DAAP agreement is within 18 months of expiry, renegotiation should be part of your current SAP commercial strategy. DAAP also does not automatically cover all nine document types — review the specific bundles included in your agreement.
17
Assess RISE with SAP contract terms for Digital Access inclusions and carve-outs Medium Risk
For organisations on RISE with SAP (S/4HANA cloud subscription), SAP generally includes a baseline level of digital access within the RISE contract, reducing the exposure compared to on-premise agreements. However, RISE contracts do not provide unlimited digital access — they include document entitlements at a level calibrated to standard usage, and significant integration-driven volumes can still exceed what is included. Review your RISE contract's specific digital access provisions.
Expert NoteMoving to RISE does not eliminate indirect access risk — it restructures it. Organisations that assumed RISE meant "all integrations are covered" have received unwelcome commercial conversations from SAP when their document volumes exceeded the RISE baseline. If you are in active RISE migration planning or recently completed migration, the Digital Access terms in your RISE contract should be reviewed before go-live of major integrations.
18
Identify upcoming SAP renewal dates and align commercial strategy accordingly Medium Risk
SAP audit activity frequently increases in the 12 to 18 months before a major contract renewal. This is because SAP uses audit findings as commercial leverage to drive renewal at higher licence levels. Knowing your renewal timeline — and understanding that SAP's account team tracks it closely — allows you to proactively manage your Digital Access position before it becomes an audit-driven conversation.
Expert NoteThe best time to address an indirect access exposure is during a renewal negotiation where it can be bundled into a broader commercial package, not as a standalone compliance remediation. Organisations that bring their own measurement data to the renewal table — and can demonstrate a credible, independently-verified document count — consistently achieve better resolution terms than those reacting to SAP-initiated audit findings.
Section 5 — Risk Mitigation & Governance
19
Implement a mandatory licensing impact assessment for all new SAP integration projects Medium Risk
Establish a governance gate in your project approval process that requires a Digital Access licensing impact assessment before any new integration with SAP is approved. The assessment should document: which document types will be created; estimated monthly volume; whether the integration will be covered by current DAAP entitlements; and whether architectural changes could reduce document creation (e.g., batching, consolidation). This prevents future exposure from accumulating.
Expert NoteA minor architectural decision — whether an integration creates documents as individual items or batches them — can be the difference between a manageable document count and a significant compliance exposure. These decisions are nearly impossible to reverse after go-live without significant re-engineering cost. A pre-project licensing gate costs almost nothing; discovering the exposure at renewal costs a great deal more.
20
Establish quarterly document count monitoring and compare against licensed entitlements Governance
Implement a quarterly cadence for running the Digital Access Estimation tool (or your equivalent measurement methodology) and comparing results against current contractual entitlements. Track trends — if document volumes are growing faster than anticipated, this signals either a need to renegotiate entitlement levels or an opportunity to redesign high-volume integrations before the exposure becomes material. Document and archive all measurement results.
Expert NoteQuarterly measurement is also your audit defence record. If SAP presents a claim based on estimated peak-month volumes extrapolated across 36 months, your documented quarterly actuals allow you to challenge both the methodology and the magnitude. Organisations with continuous measurement data consistently negotiate materially lower settlement figures than those who must accept SAP's estimation as the baseline.
Organisations that complete this assessment and bring an independently-verified document count to the negotiating table routinely achieve Digital Access settlements at 85 to 90 percent below SAP list price. Those that wait for an audit letter achieve, on average, terms 40 percent worse.
Next Steps: From Assessment to Commercial Resolution
Completing this assessment gives you a clear picture of your indirect access exposure position. The next step is converting that knowledge into a commercial strategy. There are three primary paths available depending on your current contract status, renewal timeline, and measured document volumes.
Path 1 — DAAP Adoption: If you have not signed DAAP and your measured exposure is material, proactively approaching SAP with a DAAP proposal — before any audit communication — typically secures 85 to 90 percent discounts on required document licenses and full amnesty for historical periods. The key negotiating lever is your own measurement data; arrive with credible numbers and a proposed bundle structure.
Path 2 — Integration Redesign: For integrations where document volumes are high but the business requirement is specific and bounded, architectural changes may reduce document counts significantly. Batching individual transactions, redesigning workflow triggers, or switching from document-creating BAPIs to read-only APIs where the use case permits can reduce exposure without commercial negotiation. Always validate redesign options with SAP licensing expertise before implementation.
Path 3 — Renewal Bundle Negotiation: If a major SAP contract renewal is within 18 to 24 months, digital access entitlements can be addressed as part of a broader commercial package. This approach typically produces the most favourable outcomes because it gives SAP an incentive — renewal of the broader estate — that offsets the revenue they forego on Digital Access. Engage specialist advisory support to develop the full commercial strategy before entering renewal discussions.
Download the SAP Audit Defence Framework
Practical measurement methodology, contract language templates, DAAP negotiation playbook, and integration design guidance — everything you need to convert this assessment into a defensible position.