How to prepare for your next SAP audit?
In the B2B world, the word audit is a dreaded word. Either it’s a financial or a software compliance check, going through an audit is quite often seen as a time consuming, unexpected and costly inconvenience for companies.
When faced with an audit letter, organizations are typically thinking “Am I really non-compliant?”, ”There must be a reason why they started this audit, but what is that?”, “What am I missing here?”. This uncertainty comes from a lack of a limited overview of the software licenses that they are entitled to use, their location and configuration (what is included), who is using the licenses and how are these licenses being used.
Typically, vendors such as Oracle, Microsoft or IBM are most feared when it comes to audits, but the SAP audits are also highly complex and challenging events for end user organizations. Preparation is key in negotiating and getting through an SAP audit successfully. In this article, we’ll provide essential tips and practical recommendations that will help you to better understand the SAP auditing process.
SAP audit team: objectives
The so called SAP Global License Auditing and Compliance (GLAC) team operates based on clearly defined procedures and protocols related to the way the audit must be conducted. The sole purpose of an audit is to monitor your software usage compliance position. The SAP audit team expects you to demonstrate that your usage is in line with the purchased and available licenses. Its SAP’s practice to apply tight deadlines to end users that are under audit. The GLAC team will allow small/medium enterprises a period of three weeks to perform the measurement and provide all the requested deployment and usage data, while large enterprises are expected to return results within 4 weeks. Not surprisingly, this short timeframe limits your and any other end users’ capacity to analyse and adjust any compliance issues. It is therefore highly recommended that you perform internal audits on a regular basis and especially before an official SAP audit starts.
Know your entitlements
Self-assessment is only effective when you understand your contractual entitlement(s). This is typically not a straight forward task, since contractual documents are full with complex legal terminology; equally, the original contract may have been signed many years before, and you may have bought additional SAP products in the interim. Thus, a thorough review of the contract and subsequent product ‘add-ons’ is essential for the preparation of your (internal) audit. By going one level deeper, it is important to understand the context under which SAP products were sold. It is for example not uncommon that end users purchased licenses only for a specific business unit while it was contractually agreed that an enterprise metric for the whole organization is applicable. Understanding the product metrics, the number of blocks and the special clauses that may have been contractually agreed (e.g. indirect use) are just a few examples of contractual terms that you should take into account.
SAP cannot evaluate products sold under different or inconsistent metrics. In fact, SAP can only make evaluations in accordance with the current metric maintained in the present price list. As such, as a customer, you have the clear advantage of negotiating this in your favour if you have a clear understanding of your contractual entitlements, associated metrics and pricing.
Update system landscape
It is highly recommended to maintain the system landscape status (e.g. production use, decommissioned) in your SAP Support Portal. If you’re not maintaining the SAP Support Portal and you are under audit, you can be requested by the SAP auditors to include systems in the USMM measurement which may not even be actively used anymore. The SAP Support Portal is the reference for the auditors and should reflect your real and actual system use. If you don’t pay attention to this, you may – as one example only – end-up in situations in which the measurement of your SAP environments includes usage of modules or engines that your IT staff tested years ago but for which you were never licensed. In short: be ready, because SAP will ask about all your SAP systems. Your inactive SAP systems may be included in the measurement plan as delivered by SAP, with adverse cost consequences possibly arising.
The heart of the audit
It is highly recommended that you run test measurements with the SAP Measurement Program (transaction USMM). This should be done in order to complete an internal analysis of users and engines – it is obviously not wise to send the resulting information to SAP, as this could trigger an audit. Most organizations don’t maintain their systems (users and engines) regulary and the measurement might include inaccurate data. Therefore, it is recommended to run a test measurement and have it validated by an SAP expert. After implementing the SAP consultant’s recommendations (cleanup the users, implement notes, etc.) the measurement can be shared with SAP.
Determining the correct classification for SAP users is extremely difficult for almost any end user. While basic user definitions are available on the SAP Support Portal, the contractual agreement may contain additional definitions and classifications that should be understood in order to perform your internal analysis or to validate the results of your SAP audit. In the SAP Measurement Program (USMM), there are a number of methods used for user classification. The core of the classification is based on the user authorisation and the contractual agreement, which should correspond with the price list which is the basis of the SAP contract. After performing the measurement of all relevant production and development systems as per SAP technical prerequisites and directives, further user self-analysis is an essential step in order to guard against possible over-charging from SAP. You can be sure that SAP will ask about the following:
- Locked Users
- Deleted Users
- Expired Users
- Users with Multiple Logons (possibly more individuals are granted access)
- Users with Late Logons
- Reclassification of “Workbench Development Users”
- Users with SSCR Keys used for development purposes
- Test Users in production (hint: 10% is allowed by SAP per system measurement)
- Dialog Users vs. Measured Standard Users
The last step of the SAP measurement is the consolidation of all measured systems in the License Administration Workbench (LAW). By doing so, users and user types are listed and assigned to one contractual user type. On condition that LAW user criteria are consistently maintained across the whole system landscape, this virtually eliminates the risk of counting one individual multiple times (deduplication). If the number of consolidated users identified by LAW is higher than the contractual entitlement, it is recommended that you seek verification of the following:
- LAW criteria (as used to deduplicate user counts across multiple SAP systems)
- Locked users (and if the expiration date has been maintained correctly)
- Unclassified users (per default counted as professional users on production systems)
- Technical users maintained as Dialog Users
- Users authorisations based on your contractual user type assignment
In addition to LAW measurement results, you are required to provide additional information as requested by SAP (for example, Self-Declaration Products, HANA, Business Object). In each step of the audit, SAP has defined additional data gathering processes to follow. These are not further discussed in this article, but will be explained in more detail in a future article.
Arm yourself with SAP expertise
Make sure that the measurement is validated by an SAP expert, ideally before sharing any data with SAP. Worst case, when you already shared the data with SAP, ask an SAP expert to perform the analysis in parallel with SAP, to be prepared in defending yourself on what may come. Do not assume, because SAP did not query a certain product during your previous audit, that this will be the case again. Results from the past are not a guarantee for the future. Don’t forget that the recent changes in the SAP GLAC team results already in a) an increased number of audits and b) more in depth audits compared to last years.
Preparing for the next SAP audit can be time consuming, complex and highly challenging for many organizations. Our vast experience of the SAP audit process and the ability to understand your software consumption, as well as our insights in the most cost-effective licensing options and our audit and negotiation support services are readily available if and when you need them. Don’t hesitate to reach out to us.
This article was published on 21-05-2019
Anna has been working in the license management industry since 2011. For 8 years she worked as License Audit Specialist at SAP, where she was responsible for conducting the SAP license audits. In addition, she was performing the role of SAP Engine Expert, supporting products measurement queries from the customers worldwide. Anna joined B-lay in April 2019 and she uses her in-depth knowledge and expertise to help customers to optimize their software consumption.
Anna holds degrees in Business Studies and Humanities from the Universities of Cracow and Dublin.