The SAP License Audit Process: Understand the SAP Audit Escalation Process


March 03, 2021
Audit IT SAP

Interested in learning more about NPI’s services?

Contact Us

One thing that makes it difficult to navigate a software license audit is that the process varies by vendor. At an atmospheric level, the process may be seem straightforward enough (receive a formal notification, share data, etc.), but it’s the nuances that count. And the nuances of the SAP audit process make it stand out.

Without a full understanding of what makes the SAP license audit process unique, customers may be hand-delivering the evidence that results in a multi-million-dollar invoice. In this post, we walk through the stages of an SAP audit.

Self-declaration – The Most Basic Form of an SAP License Audit

As we discuss in this bulletin, SAP requires customers to perform an annual self-reporting process, of which the self-declaration is a key component. The self-declaration requires reporting of metrics that cannot (or cannot easily…) be tracked by existing SAP tools. Self-reporting requirements and “Notes” (patches and updates) that need to be applied to SAP systems are distributed each year. The reporting requirements may vary from year to year.

Many SAP customers apply the Notes and submit the requested reports without much review or thought. It seems mundane enough, is contractually stipulated and happens at a regular cadence. Yet the reality is that the reports, and self-declaration in particular, can expose SAP customers to 7- and 8-figure penalty fees that show up unexpectedly as invoices.

Once SAP formally issues self-reporting requirements, customers must apply the Notes, then run SAP’s USMM scripts to collect the required information and aggregate into LAW reports. Customers then combine the LAW reports with self-declaration data and submit. SAP’s Global License Audit and Compliance (GLAC) center conducts a review, or basic audit. If SAP sees the customer has over-deployed a particular product, SAP sends them an invoice for that overage – sometimes with no confirmation or questioning.

In many cases, the SAP license audit process ends when the customer pays the invoice and remedies licensing shortfalls. But not always. With growing frequency, customers find themselves moving into a more a more intrusive and structured type of audit.

This is why it’s important for customers to perform their own internal analysis before submitting reports to SAP (read why here).

Enhanced Audit – An Escalation Beyond Basic

In addition to receiving a true-up invoice for any license shortfalls, SAP may escalate a self-declaration to an Enhanced Audit. Entering this phase, the customer should proceed with even more caution. Enhanced Audits typically lead to additional scrutiny from SAP with regard to indirect access and use of business objects.

Indirect access occurs when the vendor’s solutions are accessed or initiated by non-SAP solutions. SAP continues to evolve how it monitors this activity and gets compensated for the use of its products that are initiated this way. Unfortunately, SAP’s current tools, Passport and the Estimation Tool, are still imprecise and review remains highly subjective. It’s a point of concern and confusion for many SAP customers, and it can be a large liability given the expanse of most customer’s SAP estates and level of integration with other systems.

During an Enhanced Audit, representatives from SAP’s GLAC senior management will collect additional usage data by requesting that more scripts be run, and they will then follow up with additional inquiries. It’s important to note these reports do not produce definitive results, yet findings may be presented as such. This is why it’s critical for customers to fully understand what the data in these reports actually mean, and what they do not. It’s best to get an independent licensing expert to provide analysis and recommendations because the compliance exposure presented as an audit finding can be substantial.

As the customer and SAP debate the veracity of the findings, a few scenarios may emerge:

  1. The customer is discovered to be compliant, but at this point a finding of compliance is atypical.
  2. The customer is found to be out of compliance, penalty fees are presented and SAP offers a “Partnership Proposal” as an alternative to paying the proposed settlement fee.

Negotiating the Final Outcome – The Last (and Critically Important) Step of the SAP License Audit Process

When SAP finds noncompliance, the penalty fees are typically significant and new licenses will need to be purchased. But payback for under-licensed environments is only the short game in SAP’s audit revenue strategy. SAP uses noncompliance as leverage to “motivate” customers to purchase new solutions or accelerate their migration to S/4HANA. In an Enhanced Audit the two likely options to be offered as a “Partnership Proposal” are participation in their Digital Access Adoption Program (DAAP) or purchasing Analytics Cloud. If a purchase is necessary, customers should perform a price benchmark analysis to ensure they pay at or better than fair market pricing for new solutions.

If you need help navigating an SAP license audit, NPI can help. Our vendor-specific license and audit management experts will guide you through every step of the process. NPI helps you control the cadence, avoid self-incrimination, establish an independent license position, validate the vendor’s data accuracy, identify vendor misinterpretations and negotiate an optimal outcome. We work with you to minimize and mitigate penalties and reduce future audit risk.