An SAP audit is a measurement, not a verdict. The buyer who measures first and contests the indirect count never negotiates from the vendor number. Read the protocol before the letter arrives.
An SAP license audit measures named users, engines, and indirect access against your contract. This survival guide covers the LAW and USMM process, indirect exposure, named user reclassification, the digital access math, and the response protocol that protects the buyer.
An SAP audit is a measurement, not a verdict. SAP runs a tool, reads the output, and proposes a gap between what you deploy and what you bought. The proposal is an opening position.
The buyer who treats the first number as final overpays. The buyer who treats it as a draft, and rebuilds it from clean data, settles far lower. The SAP licensing framework leaves real room to contest.
The SAP audit follows a fixed mechanical path. Knowing the path lets you control it.
SAP asks you to run USMM, the user and system measurement tool, in each system. It counts named users by license type and reads engine consumption.
Results consolidate in the License Administration Workbench. It deduplicates users across systems and produces the figures SAP compares to your contract.
SAP issues a findings letter with a proposed shortfall. This is the moment most buyers respond too fast. The letter is a starting point, not a settlement.
Named user classification is the most recoverable area in any SAP audit. Most estates carry the wrong mix.
Many users hold a Professional license but only perform Employee or Productivity tasks. Reclassifying them to the correct lower type removes cost the audit assumed.
SAP defines each user type in the software use rights material. Map real activity to the correct type and document the basis for each change.
SAP named user types and where buyers overclassify
| User type | Typical scope | Common overcount |
|---|---|---|
| Professional | Full operational use | Assigned to view-only staff |
| Limited Professional | Restricted operational use | Used where Employee fits |
| Employee | Self-service tasks | The reclassification target |
| Productivity | Light reporting and lookup | Rarely assigned, often correct |
Indirect access is the largest dollar line in most SAP audits. It is also the most contestable.
Third-party systems that read from or write to SAP create indirect use. Ecommerce, CRM, and automation tools are the usual sources, a risk the Diageo judgment made concrete.
Under digital access, SAP counts documents created by outside systems. The count is contestable. Duplicates and follow-on records inflate the vendor number.
The common advice is to respond quickly, cooperate fully, and hand SAP the raw USMM output to show good faith. We disagree. In our defenses, the raw output handed over without review locked buyers into an inflated baseline that took months to unwind. The findings letter overstated the gap in nearly every engagement we ran. The buyer-side move is to run USMM internally first, clean the data, reclassify users, and contest the indirect count before any number leaves the building. Cooperation is right. Speed without preparation is not, and it favors the vendor.
Source: Redress Compliance advisory engagement file, 2024 to 2025.
An SAP audit is won before the response is sent. The buyer who measures first, cleans the data, and contests the indirect count never negotiates from the vendor number.
A controlled protocol protects the buyer. Speed without preparation does the opposite.
Run USMM in a controlled internal pass before you share anything. Read the output the way SAP will read it.
Reclassify users, remove dormant accounts, and reconcile the indirect document count. Send a position you have already defended.
Route all communication through one owner. A single voice prevents informal admissions that the vendor can hold you to later.
SAP audits run on an annual measurement cycle and on event triggers such as a renewal, an S/4HANA conversion, or a major new integration. The annual USMM measurement is the most common starting point.
USMM is the SAP user and system measurement tool. It counts named users by license type and reads engine consumption in each system, and its output feeds the License Administration Workbench.
The License Administration Workbench, often called LAW, consolidates USMM results across systems. It deduplicates users and produces the figures SAP compares against your contracted entitlement.
Named user overclassification is the most common finding. Many users hold a Professional license while performing only Employee or Productivity tasks, and reclassifying them removes cost the audit assumed.
Indirect access is usually the largest dollar line in an SAP audit. Third-party systems that read from or write to SAP create exposure, and that exposure drove the well-known Diageo judgment.
Yes. The findings letter is an opening position, not a settlement. A clean internal measurement, user reclassification, and a contested indirect count routinely move the final number well below the first claim.
Not before you review it. Handing over raw output without cleaning the data locks you into an inflated baseline, so run the measurement internally and reclassify users first.
A prepared buyer closes an SAP audit in a few months. The timeline stretches when buyers respond without a baseline, because every disputed number then has to be rebuilt under pressure.
The findings letter is a draft. Treat it as final and you overpay. Rebuild it from clean data and you settle on your terms.