SAP's audit programme has intensified significantly entering 2026. With mainstream support for ECC ending in 2027, SAP's account teams are using the migration conversation as leverage — and the audit notification frequently arrives alongside the S/4HANA commercial proposal. Organisations that treat licence compliance as an annual checkbox exercise find themselves negotiating from a deficit. Those who maintain a live readiness posture consistently achieve dramatically better commercial outcomes.

The five areas this assessment covers are: Contract & Entitlement Foundation, User Landscape Hygiene, Indirect Access & Digital Access Exposure, S/4HANA & RISE Licensing, and Governance & Measurement Readiness. Each of the 20 checklist items identifies the business risk, the corrective action required, and practical expert guidance drawn from direct engagement with SAP audit processes across 500+ enterprise engagements.

"The most expensive SAP audit finding is not the one SAP discovers — it is the one the customer discovers halfway through the audit process, with no time to build a defensible position."

Fredrik Filipsson, SAP Licensing Practice Lead, Redress Compliance

Complete this assessment as a self-audit before any SAP commercial engagement. If you identify red flags across three or more sections, engage independent advisory support before SAP formalises its audit scope — the window to shape that scope is narrow and commercially significant.

01. Retrieve and verify all SAP licence agreements, amendments, and order forms (High Risk)
Locate every signed contract document covering your SAP estate: the main licence agreement, all supplemental order forms, amendment letters, and any side letters confirming discounts or contractual carve-outs. Many enterprises cannot produce a complete contract set on short notice. SAP's audit team arrives with their own version of your entitlements — and any discrepancy will be interpreted in SAP's favour unless you can document the correct position.
Expert Note: Pay particular attention to historical order forms from acquisitions or divestitures. Licensing rights acquired through M&A are frequently not consolidated into the main agreement and may be on separate terms. SAP auditors will review each entity independently unless your contract explicitly permits consolidation across legal entities.
02. Map your licensed user types and counts against current system assignments (High Risk)
Your contract specifies entitlements by user type — Professional, Limited Professional, Employee, Test User, and so on. Pull the current user assignment list from your SAP system and verify that the number of users in each category does not exceed contracted entitlement. User overages are the most common audit finding and the easiest for SAP to evidence, as the USMM tool produces an automated count that SAP compares directly against your order form.
Expert Note: Named user licence shortfalls are calculated at list price in SAP audit claims, not at the discounted rate you originally negotiated. A shortfall of 200 Professional users that would have cost £400 per user under a new order can generate a claim at £1,200 per user or more under an audit settlement. Getting ahead of any overage is far less expensive than negotiating a retroactive claim.
03. Confirm engine metric entitlements and current consumption levels (High Risk)
Engine licences — including SAP HANA, BW, PI/PO, and solution-specific engines — are measured by consumption metrics such as memory volume, record counts, or transaction volumes rather than by named users. Identify every engine your organisation is licensed for, the metric used to measure it, and your current consumption level as measured by USMM. Engine metric overages are growing rapidly as a proportion of SAP audit claims, particularly HANA memory overconsumption as workloads migrate to cloud environments.
Expert Note: HANA memory consumption is now the fastest-growing audit exposure category. SAP licences HANA by licensed memory allocation, not peak usage — meaning that if your cloud infrastructure provider provisions more memory than your contractual baseline to accommodate performance spikes, you may technically be consuming unlicensed capacity even if that memory is never fully utilised. Review your cloud instance sizing configurations against your HANA licence metric.
04. Verify the audit clause terms in your SAP contract (Medium Risk)
SAP's standard audit clause grants SAP the right to conduct licence verification at any time, typically with 30 days' notice. Review your specific contract language for: the notice period required, the scope of systems covered, whether affiliated entities are included, and any limitations on audit frequency. Some older contracts and enterprise agreements contain more restrictive audit provisions. Understanding your contractual audit rights allows you to manage the process and timeline rather than defaulting to SAP's preferred approach.
Expert Note: The audit clause also typically specifies how measurement is conducted and which SAP tools must be used. If your contract requires use of the LAW/SLAW2 measurement tool and SAP attempts to introduce custom audit scripts or additional measurement methodologies, you have contractual grounds to object. This is a meaningful lever in audit scope negotiations and is commonly overlooked by organisations unfamiliar with their contract terms.
05. Run USMM internally before SAP does — and understand what it will report (High Risk)
USMM (User and System Measurement) is the transaction SAP uses to generate its audit measurement in your system. Running USMM yourself before an audit is the single most effective readiness action available. It produces the same output SAP will use and reveals your current user count, licence type breakdown, and engine metrics in a format directly comparable to your entitlements. Any surprises in a USMM run are far better discovered internally than by SAP's audit team.
Expert Note: USMM counts every active user in the system at the time of measurement, regardless of whether those users have logged in recently. Accounts that were created for projects, contractors, or temporary assignments and never formally deactivated will appear in the count and contribute to your measured licence consumption. Run USMM immediately after any user access review to confirm the impact of your clean-up actions before SAP arrives.
06. Deactivate all inactive accounts, including departed employees and ex-contractors (High Risk)
Inactive user accounts that remain in an active status continue to consume licence entitlement. Systematically compare your SAP user roster against HR records and contractor management systems to identify accounts that belong to individuals who have left the organisation or whose access should no longer be active. Deactivating these accounts before an audit reduces measured consumption and demonstrates responsible governance — both of which improve your negotiating position.
Expert Note: SAP will not typically accept retroactive deactivation of accounts as grounds for reducing an audit claim for prior periods. However, cleaning up inactive accounts before an audit request is received means those accounts will not appear in SAP's measurement at all, eliminating the exposure entirely. For organisations with high employee turnover, quarterly access reviews are strongly recommended.
07. Review user role assignments against actual business functions (High Risk)
SAP licence type is determined by the functions a user can perform, not solely by what they actually do. If a user is assigned roles that include financial posting, HR data access, or other Professional-level capabilities — even if they only use the system for basic inquiry tasks — USMM will classify them as a higher licence type. Conduct a systematic role-to-licence mapping exercise to identify users who have been over-privileged and whose licence classification can be legitimately reduced by removing unused role assignments.
Expert Note: Role rationalisation is the highest-ROI readiness activity for most enterprises. In our engagements, it is common to find 15–25% of Professional users whose actual business activity could be supported by a Limited Professional or Employee licence once unnecessary roles are removed. The key is documenting the business justification for each reclassification before SAP arrives — retroactive role changes without supporting documentation are difficult to defend in an audit context.
08. Consolidate and eliminate duplicate user IDs across the system landscape (Medium Risk)
The License Administration Workbench (LAW/SLAW2) consolidates USMM measurements across your full system landscape and deduplicates users who exist in multiple systems. If you operate multiple SAP systems — production, development, quality assurance, or separate business unit instances — a user appearing in all systems should count only once in the consolidated measurement. However, if the same person has been assigned different user IDs across systems (a common outcome of acquisitions and system migrations), deduplication will fail, and they will be counted multiple times.
Expert Note: Verify that your user IDs are consistent across all systems in your landscape and that your LAW configuration correctly maps identical users. In landscapes with three or more systems, unduplicated user counts frequently differ from naive totals by 10–20%. Running LAW before the audit and verifying its deduplication logic is a critical step that many organisations skip, leaving them unable to challenge SAP's consolidated measurement if it differs from their expectations.
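The ID-consistency check described in item 08, as an added example that is not part of the original checklist and does not reproduce LAW's own logic: it flags people who hold different user IDs in different systems and shows how far the naive total drifts from a per-person count. The export layout, the system names, and matching on e-mail address are assumptions; the sample rows are constructed.

```python
from collections import defaultdict

# Constructed sample export, one row per account: (system, user_id, email).
SAMPLE_USERS = [
    ("PRD", "JSMITH", "j.smith@example.com"),
    ("QAS", "JSMITH", "j.smith@example.com"),
    ("DEV", "JSMITH", "j.smith@example.com"),
    ("PRD", "MGARCIA", "m.garcia@example.com"),
    ("BU2", "GARCIAM", "M.Garcia@example.com"),  # same person, ID from an acquired system
    ("PRD", "ALEE", "a.lee@example.com"),
    ("QAS", "ALEE", "a.lee@example.com"),
    ("BU2", "LEEA01", "a.lee@example.com"),      # same person, migrated under a new ID
    ("DEV", "SVC_BATCH", ""),                    # technical account, no e-mail on record
]


def _person_key(user_id, email):
    """Stable key for one human: normalised e-mail, falling back to the user ID."""
    email = email.strip().lower()
    return email if email else "id:" + user_id.strip().upper()


def landscape_counts(rows):
    """Return the naive row total, distinct user IDs, and distinct people."""
    ids = {uid.strip().upper() for _, uid, _ in rows}
    people = {_person_key(uid, email) for _, uid, email in rows}
    return {
        "naive_total": len(rows),
        "distinct_user_ids": len(ids),
        "distinct_people": len(people),
    }


def inconsistent_ids(rows):
    """Map each person holding more than one distinct user ID to their accounts."""
    by_person = defaultdict(set)
    for system, uid, email in rows:
        by_person[_person_key(uid, email)].add((system, uid.strip().upper()))
    return {
        person: sorted(accounts)
        for person, accounts in by_person.items()
        if len({uid for _, uid in accounts}) > 1
    }


if __name__ == "__main__":
    print(landscape_counts(SAMPLE_USERS))
    for person, accounts in sorted(inconsistent_ids(SAMPLE_USERS).items()):
        print(person, accounts)
```

Each person reported by `inconsistent_ids` is a candidate for ID harmonisation or an explicit mapping before the consolidated measurement is run.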
09. Compile a complete inventory of all third-party systems that write to SAP (High Risk)
Every non-SAP application that creates, modifies, or triggers a document creation in your SAP environment represents a potential indirect access or digital access exposure. Build a register of all such integrations: CRM platforms (Salesforce, HubSpot), procurement tools (Coupa, Ariba standalone), e-commerce engines, EDI gateways, RPA bots, IoT platforms, and any custom middleware or API layers. Include both current integrations and legacy connections that may still be active in the background without active business use.
Expert Note: SAP auditors now routinely request RFC connection tables (SM59), interface logs, and middleware configuration exports as part of the audit data request. Having a pre-built integration register demonstrates governance maturity and allows you to frame the conversation around your measurement — rather than responding reactively to SAP's findings from your own system logs. Organisations that present a credible self-measurement consistently achieve better settlement outcomes than those who appear to be discovering their exposure during the audit.
10. Run the SAP Digital Access Estimation tool against your live system (High Risk)
SAP provides a Digital Access Estimation tool that counts documents created in your SAP system by external sources across the nine Digital Access document types: Sales, Invoice, Purchase, Service & Maintenance, Manufacturing, Quality Management, Time Management, Financial, and Material Documents. Running this tool — ideally against a full twelve-month period — gives you a document volume baseline that can be compared against any existing Digital Access licence entitlement. Most enterprises have never run this tool, which means they are managing a financial exposure they cannot quantify.
Expert Note: Financial and Material documents carry a 0.2 weighting factor, while all other document types count at 1.0. High transaction volume environments such as logistics, manufacturing, and retail often find that even at 0.2 weighting, their Financial and Material document volumes generate substantial licence gaps. Run the estimation tool by document type and integration source to understand where your exposure is concentrated — this allows you to prioritise mitigation actions before an audit and to challenge SAP's measurement if it differs from yours.
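The weighting in item 10 applied to a per-source, per-type breakdown, as an added example that is not part of the original checklist and is not the SAP estimation tool: it weights raw document counts, ranks integration sources by weighted volume, and compares the total with an entitlement. The source names, counts and entitlement figure are constructed, and no rounding rule is applied because the page does not state one.

```python
from collections import defaultdict
from fractions import Fraction

# Weights as stated in the checklist: Financial and Material at 0.2, all others at 1.0.
WEIGHTS = {
    "Sales": Fraction(1),
    "Invoice": Fraction(1),
    "Purchase": Fraction(1),
    "Service & Maintenance": Fraction(1),
    "Manufacturing": Fraction(1),
    "Quality Management": Fraction(1),
    "Time Management": Fraction(1),
    "Financial": Fraction(1, 5),
    "Material": Fraction(1, 5),
}

# Constructed twelve-month counts: (integration_source, document_type, raw_count).
SAMPLE_DOCS = [
    ("ecommerce", "Sales", 120_000),
    ("ecommerce", "Invoice", 118_000),
    ("ecommerce", "Financial", 240_000),
    ("rpa_invoice_bot", "Purchase", 60_000),
    ("rpa_invoice_bot", "Material", 310_000),
    ("edi_gateway", "Sales", 45_000),
    ("edi_gateway", "Material", 90_000),
]


def weighted_exposure(rows):
    """Return (by_source, by_type, total) of weighted document counts."""
    by_source = defaultdict(Fraction)
    by_type = defaultdict(Fraction)
    for source, doc_type, count in rows:
        if doc_type not in WEIGHTS:
            # Refuse unknown types so a typo cannot silently drop volume.
            raise ValueError(f"unknown document type: {doc_type!r}")
        if count < 0:
            raise ValueError(f"negative count for {source}/{doc_type}")
        weighted = WEIGHTS[doc_type] * count
        by_source[source] += weighted
        by_type[doc_type] += weighted
    return dict(by_source), dict(by_type), sum(by_source.values(), Fraction(0))


def rank_sources(by_source):
    """Integration sources ordered by weighted volume, largest first."""
    return sorted(by_source, key=lambda s: (-by_source[s], s))


def licence_gap(total_weighted, entitlement):
    """Weighted documents above the entitlement, or zero when covered."""
    return max(Fraction(0), total_weighted - entitlement)


if __name__ == "__main__":
    by_source, by_type, total = weighted_exposure(SAMPLE_DOCS)
    for source in rank_sources(by_source):
        print(f"{source:16} {float(by_source[source]):>12,.0f}")
    print("total weighted:", float(total))
    print("gap vs constructed entitlement of 400,000:", float(licence_gap(total, 400_000)))
```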
11. Assess RPA bot and automated workflow document creation volume (High Risk)
Robotic Process Automation (RPA) deployments — particularly those using tools such as UiPath, Automation Anywhere, or SAP's own Business Technology Platform workflows — frequently create documents in SAP at scale. A single RPA process that automates purchase order creation, invoice matching, or goods receipt posting can generate tens of thousands of Digital Access documents per month. If your Digital Access licence does not cover these volumes, you have accumulated a compounding exposure since the RPA deployment date.
Expert Note: SAP's position is that RPA bots constitute indirect access in the same manner as any third-party system — the bot is not an SAP user and therefore its document creation activity triggers Digital Access licensing requirements. This is a contested area commercially, and some enterprises have successfully argued for alternative treatment under their contracts. However, without a documented contractual position, an audit claim based on RPA-driven document creation is difficult to challenge purely on technical grounds.
12. Verify whether your contract includes Digital Access Adoption Programme (DAAP) coverage (Medium Risk)
The Digital Access Adoption Programme (DAAP) is SAP's commercial mechanism for licensing indirect access exposure, typically at 85–90% discount to standard Digital Access pricing. Enterprises that negotiated their primary SAP contract before 2019 may have legacy indirect access language that predates the Digital Access model entirely — which can be favourable or unfavourable depending on wording. Confirm whether your current contract includes any Digital Access or DAAP provisions, and whether the entitlement is sufficient to cover your measured document volume.
Expert Note: The DAAP discount is available during a defined adoption window, but it is not automatically renewed and is subject to commercial negotiation. Organisations that approach SAP for DAAP coverage after receiving an audit notification are in a significantly weaker commercial position than those who negotiate proactively. If your Digital Access measurement reveals a material gap, engage advisory support before initiating any commercial conversation with SAP — the sequence and framing of that conversation materially affects the outcome.
13. Confirm S/4HANA migration licence conversion terms are fully documented (High Risk)
When migrating from ECC to S/4HANA, SAP performs a licence conversion exercise that maps your existing named users to new S/4HANA licence types. This conversion is not a direct one-to-one mapping — Professional users in ECC do not automatically become the cheapest S/4HANA equivalent. The conversion methodology, and the resulting licence type assignments, should be documented in a signed conversion agreement before you complete the migration. Verbal assurances from your SAP account team have no contractual standing.
Expert Note: The S/4HANA licence conversion is a one-time commercial event, and the terms offered during an active migration project are almost always more favourable than those available after go-live. If you are mid-migration and have not yet formalised the conversion terms in writing, do so now. Organisations that complete migration without a documented conversion agreement frequently find themselves in a post-go-live dispute about licence quantities that is costly and difficult to resolve without significant leverage.
14. Understand and validate your Full User Equivalent (FUE) calculation under RISE (High Risk)
RISE with SAP uses Full User Equivalents (FUE) as a consolidated user metric that combines named users of different types into a single comparable unit. The FUE weighting varies by user type: a Professional user carries a higher FUE weighting than a Limited Professional or Employee user. If you have migrated to RISE or are in commercial negotiations for RISE, verify that your total contracted FUE entitlement accurately reflects your user population — and that the FUE weights applied match those specified in your contract, not SAP's current standard rate card.
Expert Note: FUE miscalculation is among the most common commercial errors in RISE contracts. SAP sales teams frequently present FUE calculations using simplified assumptions that do not account for the full complexity of a customer's user mix. We regularly identify FUE shortfalls in signed RISE contracts that were never caught during the commercial process. Verify your FUE entitlement against an independent calculation of your user population before your first RISE renewal — correcting the position at renewal is far less costly than addressing it under audit.
15. Review SAP Business Technology Platform (BTP) usage against contracted entitlement (Medium Risk)
SAP BTP is increasingly bundled into RISE and S/4HANA contracts, but consumption-based BTP services — including Integration Suite, Extension Suite, and Analytics Cloud — can generate costs that exceed the baseline entitlement if usage grows without governance controls. Review your BTP service entitlements, your current consumption metrics, and whether your organisation has deployed BTP services not covered under the base contract. Uncontrolled BTP consumption is the emerging audit frontier for RISE customers in 2026.
Expert Note: BTP licensing complexity is significant — services are licensed on different metrics (active users, API calls, messages processed, compute time), and a single integration scenario can consume multiple BTP services simultaneously. Build a BTP consumption register that maps each deployed scenario to its licensed service and usage metric. SAP's cloud visibility means BTP overconsumption is often visible to SAP before it is visible to the customer — creating an information asymmetry that disadvantages customers who do not monitor their own consumption proactively.
16. Confirm that Digital Access entitlement is explicitly included in your RISE contract (High Risk)
Moving to RISE with SAP does not automatically resolve legacy indirect access exposure, and Digital Access licensing is frequently not included in the standard RISE bundle. Review your RISE order form to confirm whether Digital Access document licences are explicitly included, in what volume, and whether they cover all document types relevant to your integration landscape. Many RISE customers are surprised to discover their contract does not address Digital Access at all — leaving them exposed to the same indirect access audit risk in the cloud as in on-premise ECC.
Expert Note: SAP's enhanced visibility in RISE cloud environments means it can potentially observe Digital Access document volumes without a formal audit notification. Ensure your contract explicitly addresses Digital Access before finalising any RISE agreement — and negotiate a specific Digital Access entitlement based on your measured document volumes. Do not accept a RISE contract that is silent on indirect access, as that silence creates the maximum possible commercial exposure when SAP chooses to raise the issue.
17. Establish a formal internal SAP licence measurement calendar (Medium Risk)
SAP audit readiness is not a one-time project — it is an ongoing governance discipline. Implement a structured measurement calendar that schedules USMM runs at least quarterly, user access reviews bi-annually, integration inventory updates following any new system deployments, and a full LAW consolidation exercise annually. Organisations that run regular internal measurements have a documented audit history that demonstrates proactive compliance governance and provides baseline data to challenge SAP's measurements if they differ from yours.
Expert Note: Quarterly USMM runs serve a dual purpose: they keep your compliance position current and they generate a trend record that is useful in audit negotiations. If your user count has been consistently below the contracted entitlement across twelve consecutive quarters and an audit produces a different measurement, that documented history provides grounds to challenge the methodology. Without that history, you are defending a single point in time with no supporting trend data.
18. Designate an audit response team and document the communication protocol (Medium Risk)
When an SAP audit notification arrives, the first 48 hours are commercially critical. Organisations without a designated response team and documented communication protocol frequently make avoidable errors: responding to data requests without legal review, providing access to systems beyond the contracted audit scope, or making informal admissions in early conversations with SAP's audit team that are difficult to walk back later. Designate an audit lead, confirm involvement of legal counsel, and establish that all communication with SAP's audit team is coordinated and documented.
Expert Note: SAP's audit process includes an opening meeting that is often presented as informal but which establishes the tone and scope of the entire engagement. Participate in that meeting prepared, not improvising. Know your contracted audit clause, have your entitlement documentation accessible, and ensure your legal team or independent adviser is briefed before any substantive discussion with SAP's audit team. Engaging external advisory support at the notification stage — before you have made any representations — consistently produces better outcomes than engaging after the audit is underway.
19. Prepare a pre-emptive commercial negotiation position before SAP raises the audit formally (Medium Risk)
If your internal assessment reveals a material compliance gap — whether in user counts, engine metrics, or digital access volumes — you have a strategic choice: address it proactively with SAP before the audit, or wait for SAP to discover it. Proactive disclosure, executed correctly with independent advisory support, typically achieves significantly better commercial terms than a reactive settlement under audit pressure. It also preserves the relationship with your SAP account team, which a protracted audit process typically does not.
Expert Note: The framing of a proactive commercial discussion matters enormously. Approaching SAP with a documented measurement and a specific commercial proposal is a fundamentally different conversation from conceding an audit finding and negotiating the settlement amount. In the former scenario, you control the data, the timing, and the structure of the resolution. In the latter, SAP sets the terms. The commercial outcome difference is typically measured in millions — sometimes tens of millions — of pounds or dollars.
20. Maintain an up-to-date SAP licence optimisation register to identify cost reduction opportunities (Lower Risk)
Licence readiness is not only about defending against audit claims — it also surfaces opportunities to reduce current licence spend. Users who have been over-classified, engines that are licensed but unused, and third-party software substitutes that can reduce engine metric consumption all represent optimisation levers. A structured licence optimisation register, reviewed alongside the measurement calendar, ensures that readiness activity generates return beyond audit risk mitigation and positions the organisation favourably in renewal negotiations.
Expert Note: SAP renewal negotiations are strongest when approached from a position of documented surplus — where you can demonstrate that your current consumption is significantly below your contracted entitlement and propose a right-sized renewal. Organisations that enter renewals without this documentation default to accepting SAP's proposed renewal quantity, which invariably reflects list price assumptions rather than actual usage. The measurement and optimisation discipline established through this readiness programme directly strengthens your renewal leverage.

"SAP's audit team arrives knowing your system better than most customers know it themselves. The only effective equaliser is preparation — and preparation requires ongoing measurement, not a reactive scramble when the notification lands."

Fredrik Filipsson, Redress Compliance

Next Steps: Turning Readiness into Commercial Position

If this assessment has identified gaps — particularly across Sections 1, 3, or 4 — the priority action is to quantify your exposure before SAP does. That means running USMM and the Digital Access Estimation tool, reviewing your integration inventory, and producing a documented entitlement gap analysis that you own and can defend.

For organisations already in receipt of an audit notification, the immediate priority is to review your contracted audit clause, designate your response team, and engage independent advisory support before responding substantively to SAP's data requests. The scope and framing of the initial response shapes the entire subsequent commercial negotiation.

Redress Compliance provides independent SAP licence audit readiness assessments, audit defence support, and proactive commercial positioning across all SAP contract types including ECC, S/4HANA, RISE, and BTP. Our SAP practice has delivered six and seven-figure audit claim reductions for enterprise clients across manufacturing, financial services, retail, and the public sector — all on a strictly buyer-side basis with no commercial relationship with SAP.