SAP audit practices – everything you should know to be in control

SAP audit introduction

An SAP license audit is a yearly formal process that end users are contractually obliged to undergo, where they are expected to demonstrate that the number of licenses purchased matches the number of licenses installed and used. The main purpose of the audit is to protect the intellectual property rights of SAP, but also to compensate SAP in case its products are overused.

This article provides an overview of the SAP audit process, including information about the SAP audit team (GLAC) and the SAP audit types.

SAP audit team – Global License Auditing and Compliance team (GLAC)

In 2018, SAP established a new team known as the Global License Auditing and Compliance (GLAC) team. This team combines the former Global License Auditing and Services team (essentially, license auditors and measurement experts) with license compliance managers and executives, and a newly appointed team of Supplementary Audit Support Experts (SAS Experts).

  • License auditors and measurement experts (LAW, USMM, Engines) are based in three locations: Ireland, China and India. The scope of their work is defined by what SAP refers to as ‘Market Units’ (the various geographical business regions identified by SAP) and by the language support available at a given SAP site. For example, French and Spanish customers are audited by SAP experts based in Ireland, Australian customers are audited by SAP China, etc.
  • License compliance managers and executives and SAS experts are based in customers’ locations. In Sweden, for example, SAP has a license compliance manager and an SAS expert who support the Scandinavian customers.

When talking about the GLAC team members, we should not forget about the license audit business team based in Walldorf, Germany (SAP headquarters). This team is responsible for the auditing procedure, the structures, and the technical development of measurement tools.

SAP audit types

SAP differentiates between two types of audits, as described below:

  • Basic audit (sometimes referred to as “standard audit”, addressed to most end users)
  • Enhanced audit (performed remotely and/or onsite, addressed to selected customers)

Basic audit

The basic audit is conducted by the license auditors located in Ireland, China or India. These auditors work closely with a given license compliance manager who is responsible for ensuring that the audit activities correspond with SAP’s procedure and directives. The number of basic audits undertaken is subject to SAP’s yearly planning, and it is worth noting that not all customers are audited annually. Rather, the license compliance managers, together with auditors and experts from the audit business team, target selected customers (e.g., large enterprises; customers who have purchased new products; customers who are classified as “high risk” as a consequence of a previous audit). Nevertheless, be aware that a first license audit will usually take place no later than two years after signing a contract with SAP (unless specified differently in the contractual agreement). After the first audit, subsequent audits should occur annually, though again, this is subject to the available SAP resources.

The whole auditing process starts with a Measurement Request Email sent to the customer by the license auditor. This email is addressed to the contact person within the organization that is responsible for auditing activities. This communication contains the following information:

  • Audit scope:
    • System Measurement -> USMM & LAW (System/Installation Landscape document provided, as well as measurement plan)
    • Self-Declaration Products – products based on enterprise metrics, not measured automatically (form provided)
    • HANA Database
    • Business Object
  • Relevant engine notes:
    • A document that includes SAP notes that need to be reviewed by the customers and implemented if applicable
  • SAP portal information
    • Links to the SAP Portal with information on the measurement tools
  • Measurement submission deadline
    • Timeline for all direct customers (Large, Medium, Small) is 4 weeks
    • Timeline for indirect customers is 12 weeks

Prior to the submission deadline, the SAP auditors will contact the end users repeatedly in order to check the status of the measurement, and to remind them about the deadline. The measurements can be sent directly from the tools to SAP, or as email attachments formatted according to SAP requirements.

The auditors are responsible for evaluating the measurement results by performing:

  • Analysis of the system landscape to make sure that all relevant systems (production and development) were measured. Systems that are not relevant for the measurement include Java-based systems, portals, dual-stack systems, systems that are no longer used but not maintained properly on the SAP Support Portal, and test and training systems.
  • Technical verification of the USMM log files: correctness of the client, price list selection, user types, dialog users vs. technical users, background jobs, installed components, etc.
  • Technical verification of the LAW: users’ combination and their count, etc.
  • Analysis of engine measurement – verification of the SAP Notes
  • Additional verification of expired users, multiple logons, late logons, workbench development activities, etc.
  • Verification of Self Declaration Products, HANA measurement and Business Object

If measurement errors are identified, the SAP auditor will contact the customer by email in order to request corrections. In this scenario, the deadline is usually extended by a week, so that the measurement can be updated.

The license auditors work closely with SAP license compliance managers to compare the measured figures with the contractual license entitlement. It is essential that customers understand their SAP contracts, since these can be quite complicated, which can work to the disadvantage of the organization. Otherwise, how can one understand how SAP has evaluated the measurement and whether the evaluation was performed correctly?

After the measurements have been received and evaluated by the SAP GLAC team, a Closure Notification Email is sent to the customer. This communication confirms that the audit was finalised and specifies whether any compliance gaps have been identified. If there is a compliance gap, the SAP license compliance manager will personally engage with the end user. Typically, the license compliance manager will invite the customer to consider an “additional purchase proposal”.

In some situations, the license compliance manager may also request that additional measurement checks be executed. These checks may be performed by the end user independently, or they may be performed by the SAP supplementary audit services experts. Either way, the additional checks are likely to include complex technical verifications like:

  • OpenHub measurement
  • Single Sign On
  • Multiple logons
  • Expired Users
  • Late Logons
  • Workbench Development Activities
  • System Data Extracts: Users’ last logon date, password change, etc.
  • Order table extracts

These checks can expose further compliance gaps, triggering another (potentially costly) “additional purchase proposal”.

Enhanced Audit

The enhanced audits are expert-led, meaning that standard auditors are not usually involved. These audits are led by license compliance managers, compliance team executives, and SAS experts. At the beginning, the scope of the audit is made clear to the end user. As a standard, enhanced audits include all checks required to complete a basic audit, plus the additional measurements required from the customers found to be non-compliant in a basic audit (as listed above). In addition, the enhanced audit incorporates a unique indirect access usage measurement.

An enhanced audit will involve SAP performing some checks remotely by logging into an end user’s systems and/or onsite. When SAP auditors come onsite, this is specifically to research the levels of indirect access usage. In order to verify this, SAP will check the following:

  • interactions between SAP and non-SAP systems
  • data flow direction
  • details of how data is transferred between systems/users (EDI, IDoc, etc.)

After the data is verified and evaluated, a report with the results is created. Again, a “Closure Notification Email” is sent, which may or may not indicate a compliance gap. In the event of a compliance gap, the SAP license compliance manager will present an “additional purchase proposal” based on the audit findings. At this point, an SAP sales executive may also be involved in the discussions, even though sales executives are nowadays formally excluded from the auditing process (prior to 2018 and the advent of GLAC, sales executives were heavily involved in the audit). However, sales executives continue to be the primary owners of the commercial customer relationship. Accordingly, when it comes to signing a new deal, they collaborate with the license compliance team in order to resolve the license compliance risk.

It is important to seek the support of independent expertise when confronted with an SAP audit. By working with professionals who have specific knowledge, organizations can minimise potential cost implications arising from such an audit. Our experts, who thoroughly understand SAP procedures, including measurement logic and legal aspects of SAP contracts, support customers in achieving substantial cost savings and avoiding non-compliance situations. If you’re in need of specialized SAP knowledge, don’t hesitate to reach out to us.