IT vendor audits are a fact of life these days – a fact made more difficult because compliance has become something of a moving target. It can be a full-time job managing your entitlements and matching them with your license utilization. For SAP customers, that job is getting more difficult and risky, especially as it relates to indirect access.
Just ask beverage maker Diageo, which paid SAP approximately £50m in license and maintenance fees for mySAP Business Suite. After Diageo integrated with Salesforce using SAP’s integration tools, SAP claimed the customer owed an additional £54,503,578 based on API access to its software. The courts have sided with SAP on its right to collect these fees.
The consequences of this ruling could be far-reaching for many companies that have integrated their SAP databases with non-SAP applications. First, it’s a point of confusion, and SAP has done little to clarify what constitutes indirect access. Second, the associated costs and resources required for achieving compliance are hard to calculate. The best-case scenario is a steep price tag. Short of that, the process can be both high-cost and disruptive.
If you’re an SAP customer that’s integrated the vendor’s solutions with non-SAP applications and middleware, it’s important you evaluate your exposure to indirect access non-compliance before SAP conducts its own investigation. An official audit will most likely result in higher-than-necessary penalties.
And, remember – it’s not just SAP that’s on the audit prowl. Oracle recently threatened the City of Denver with a potential $10 million penalty. Confectionery giant Mars – despite spending an estimated $100 million on Oracle over a three-year period – was forced to take Oracle to court last year over outrageous claims of non-compliance. Meanwhile, 7- and 8-figure penalty fees have become commonplace over at Microsoft.
The moral of the story? Know your compliance risk exposure with your large enterprise software vendors, and have a plan to mitigate or decrease it.