SAP Audit Defence: Your Complete 2026 Playbook

Receiving an SAP audit notification is not the end — it's the beginning of a negotiation. Understanding how SAP audits work, where exposure genuinely sits, and how to structure your defence can dramatically reduce your final settlement figure.

Editorial note: This guide is part of our SAP license negotiation guide series. Rankings and firm recommendations are editorially independent. This guide does not constitute legal advice.

  • 72%: SAP Customers Face Audit Risk
  • 3–18 mo: Typical Audit Duration
  • $5M+: Average Claim on Large Estates
  • 40–60%: Typical Settlement Reduction vs Initial Claim

How SAP Audits Work

SAP has the contractual right to audit your licence use, typically enshrined in the General Terms and Conditions of your SAP licence agreement. Most contracts give SAP the right to audit once per year, with reasonable advance notice — usually 30 days, though this varies by agreement vintage. The audit right extends to your entire SAP landscape, including third-party applications that connect to SAP systems.

SAP conducts audits through two primary mechanisms. The first is a self-declaration process — SAP sends a questionnaire and requests that you run specific measurement scripts (the SAP System Measurement transaction, USMM) to produce a usage report, which you return to SAP's licence measurement team. The second is a formal audit conducted by SAP's dedicated Global License Audit & Compliance (GLAC) team, sometimes supported by third-party auditors including members of the BSA | The Software Alliance. Formal audits are more invasive, typically involving on-site or remote access to your systems.

This article is part of our comprehensive SAP license negotiation guide. For context on how audit findings influence your broader SAP commercial relationship, see also our guide to S/4HANA migration negotiation — where audit leverage is often used by SAP as a pressure tool during upgrade conversations.

The audit process typically follows four phases: notification and scoping, data collection and measurement, SAP's analysis and claim presentation, and settlement negotiation. Each phase represents an opportunity to manage the outcome. Many organisations make the mistake of treating the audit as a purely technical exercise and only engaging commercial expertise at the settlement stage — by which point important leverage has already been conceded.

What Triggers an SAP Audit

SAP does not audit customers at random. Audit triggers typically fall into one of several categories, and understanding what drew SAP's attention can help you predict the scope of their claim and prepare your response accordingly.

Commercial and Transactional Triggers

The most common audit trigger is a renewal or expansion negotiation that SAP perceives as unfavourable. When a customer pushes back hard on a renewal, requests significant discounts, or explores alternatives including third-party maintenance, SAP's audit team frequently becomes active. This is not coincidental — SAP's commercial and compliance teams share intelligence, and audits are sometimes deployed as a negotiating tool to create financial pressure.

Other commercial triggers include the acquisition or divestiture of business units (which changes your licence entitlement profile), cloud migration projects that involve integration of legacy SAP systems with new platforms, and the addition of new business processes that extend SAP usage into previously unlicensed areas.

Technical Triggers

SAP monitors usage telemetry across its support platform (SAP ONE Support Launchpad, SAP Solution Manager) and can identify patterns that suggest undeclared usage. A significant increase in named user counts reported through routine maintenance processes, new RFC connections appearing in your landscape, or the deployment of new middleware solutions that interface with SAP can all flag your account for audit review.

The shift to indirect access via third-party applications is one of the fastest-growing audit trigger categories. As organisations connect ERP, CRM, ecommerce, and IoT platforms to SAP, the volume of machine-generated documents (purchase orders, sales orders, goods receipts, invoices) processed by SAP increases substantially — often without any corresponding licence purchases.

Negotiation Intelligence

If you receive an audit notification immediately after pushing back on an SAP renewal proposal, treat this as a commercial tactic, not a compliance crisis. Document the timeline carefully. The proximity of the audit notice to your negotiation may be relevant context in settlement discussions and signals that SAP has a commercial motivation beyond pure compliance enforcement.

Key Exposure Areas in SAP Audits

The areas where SAP most commonly identifies licence gaps are well-documented. Enterprise buyers who understand these in advance can conduct proactive self-assessments before an audit notification arrives.

Named User Licence Type Misclassification

SAP's named user model classifies users into types — Professional, Limited Professional, Employee, Employee Self-Service, Developer, and others — with significantly different price points. The most common finding in SAP audits is that users classified at a lower, cheaper licence type are performing transactions that require a higher type.

The classification rules are based on the specific SAP transactions and functional areas a user accesses, not simply their job title. A user classified as an "Employee" who occasionally processes purchase requisitions in SAP MM may technically require a "Limited Professional" or "Professional" licence. SAP's audit measurement tools identify this through transaction code analysis, and the resulting reclassification claims can be substantial.

Developer Licences and Modification

Any user who accesses SAP via the ABAP Workbench, makes modifications to SAP source code, or develops custom reports and programmes requires a Developer licence — one of the most expensive named user types. Organisations frequently under-licence this category, particularly where "power users" who are not formally classified as IT staff create custom reports or perform ad-hoc data extractions using development tools.

Test System Usage

SAP licences are required for production system users. However, SAP's standard agreements typically include rights for a limited number of "non-production" environments (development, quality assurance) under the same licence pool. Where organisations run multiple test landscapes, additional staging environments, or allow contractors and partners to access test systems without corresponding licence entitlements, exposure can accumulate.

Package and Industry-Specific Licence Gaps

Many SAP contracts include package licences (such as the SAP Suite licence) that bundle modules under a single commercial arrangement. When organisations deploy additional SAP modules or products that fall outside the contracted package scope — even in non-production environments — this can create audit exposure. Industry-specific solutions (IS-Retail, IS-Utilities, IS-Banking) carry their own licence requirements that are often poorly understood.

| Exposure Area | Frequency | Typical Impact | Detectability |
|---|---|---|---|
| User type misclassification | Very High | High | Easy (USMM) |
| Indirect/digital access | High | Very High | Moderate |
| Developer licence gaps | High | Medium–High | Easy |
| Package scope overrun | Medium | Medium | Moderate |
| Test system over-use | Medium | Low–Medium | Easy |
| Third-party support gap | Lower | Medium | Easy |

Indirect Access and Digital Access

Indirect access — the use of SAP software by users or systems not directly logged into SAP — became one of the most contentious licensing issues in the enterprise software industry following SAP's landmark $1.3 billion claim against Diageo in 2017. That claim was ultimately settled for a reported $66 million, but it signalled that SAP was prepared to monetise indirect access at scale.

SAP introduced the Digital Access model in 2018 as a structured commercial framework for indirect access. Under Digital Access, rather than charging for each individual user of a third-party application that connects to SAP, SAP charges based on the volume of specific document types (Purchase Orders, Sales Orders, Service Orders, and others) processed by SAP — regardless of whether those documents originate from a human user or an automated system.

How Indirect Access Manifests in Audits

In a pre-Digital Access legacy agreement, SAP's audit teams looked for "users" of SAP — broadly interpreted to include any human or system that benefited from SAP's functionality through an intermediary application. This created enormous uncertainty, as it potentially captured CRM users who triggered fulfilment workflows, IoT sensors that generated goods movements, and ecommerce customers whose orders populated SAP tables.

Under the Digital Access model, the exposure is more clearly defined but still substantial for organisations with high document volumes. A major retailer processing millions of ecommerce orders that flow into SAP as Sales Orders could face seven or eight-figure Digital Access claims. For a full analysis of this issue, see our dedicated indirect access guide.

Critical Risk

If your SAP contract predates 2018 and has not been renegotiated since, you may still be exposed to the older, broader indirect access interpretation — not the capped Digital Access model. SAP sometimes uses audits as an opportunity to migrate customers to Digital Access commercial terms, which can appear to "resolve" the audit but locks in future document-volume charges. Scrutinise any proposed settlement that includes a transition to Digital Access terms.

Your First Response to an SAP Audit Notice

How you respond in the first 72 hours after receiving an SAP audit notification can materially affect your eventual outcome. The most important principle: do not panic, and do not comply immediately without legal and commercial review.

Step 01: Review Your Contract

Locate your SAP licence agreement and identify the exact audit rights SAP has — notice periods, frequency limits, scope constraints, and whether they can use third-party auditors.

Step 02: Engage Specialists

Brief your legal team and consider engaging an independent SAP licensing specialist immediately. Do not run SAP's measurement scripts without understanding what they will reveal.

Step 03: Conduct Internal Assessment

Before providing any data to SAP, run your own internal licence measurement to understand your exposure. Know your position before SAP presents theirs.

Once you have completed your internal review, respond to SAP's notification in writing — acknowledging receipt, confirming your intention to cooperate within the contractual framework, and specifying the timeline under which you will provide the requested information. Most SAP agreements require 30 days' notice before the audit begins; use this time fully.

If SAP proposes to use a third-party auditor, check whether your contract permits this. Some older agreements restrict audit activity to SAP employees only. If a third-party auditor is not contractually authorised, you have grounds to object.

Structuring Your Defence

An effective SAP audit defence is built on three pillars: technical accuracy, contractual precision, and commercial positioning. Each pillar addresses a different dimension of SAP's claim.

Technical Accuracy: Challenging the Measurement

SAP's measurement methodology — primarily the USMM transaction — is not infallible. The tool captures system usage data at a point in time and applies SAP's licence classification rules to determine user type requirements. However, the rules it applies may not perfectly match the contractual definitions in your specific agreement, and the measurement date may not reflect your typical usage patterns.

Key technical challenges include: inactive users counted as active (SAP typically counts users who have accessed the system in the past twelve months, but your agreement may specify a different period), contractor and consultant accounts that should be excluded under the terms of your agreement, test user accounts improperly included in production system counts, and users who accessed SAP during a specific project but whose usage has since ceased.

Run your own measurement in parallel with SAP's and investigate every discrepancy. Independent software audit defence specialists can often identify 15–30% reductions in the user count through legitimate technical challenges alone.

Contractual Precision: Applying Your Agreement Terms

The licence agreement defines what SAP is actually entitled to audit and claim. Older SAP agreements in particular may contain definitions, exclusions, and commercial terms that significantly constrain SAP's claim. Points to examine include the definition of "Named User" and which types are enumerated, the treatment of "casual" or "self-service" users, any grandfathering provisions from legacy agreements, and the scope of included modules under package licence terms.

If you have undergone acquisitions or disposals since the agreement was signed, the licence portability and carve-out provisions in your contract become important. SAP cannot claim for entities that were legitimately excluded from the agreement scope.

Commercial Positioning: Framing the Negotiation

Every SAP audit ultimately resolves through a commercial negotiation. Your position in that negotiation is influenced by your value to SAP as a customer, your future purchasing intentions, your willingness to litigate, and the availability of alternatives. Organisations that are actively evaluating RISE with SAP transitions, cloud migrations, or competitive ERP alternatives have inherently stronger commercial positions than those locked into the status quo with no visible alternatives.

Settlement Negotiation Tactics

Once SAP presents its findings and initial claim, the formal settlement negotiation begins. This is typically the stage where the largest commercial value can be recovered — and where specialist external support delivers its highest return on investment.

Tactic 1: Dispute the Claim in Writing

Never accept SAP's initial claim as fact. Respond with a formal written counter-analysis that documents every technical, contractual, and commercial challenge to their position. A written dispute forces SAP to justify each element of the claim and establishes a negotiating record. SAP's GLAC team has commercial targets — they will negotiate.

Tactic 2: Introduce Commercial Leverage

SAP values future revenue more than past claims. If you can credibly signal that a satisfactory audit resolution could be followed by an expansion purchase, a RISE discussion, or a multi-year maintenance commitment, SAP has an incentive to settle quickly and reasonably. Conversely, if you can demonstrate that an excessive settlement would trigger an ERP re-evaluation, SAP's commercial risk appetite changes.

Tactic 3: Explore Alternative Settlement Structures

SAP settlements do not have to be cash payments for backdated licences. Alternative structures include converting the claimed exposure into prospective licence purchases at discounted rates, folding the settlement into a RISE or cloud transition agreement, accepting future maintenance revenue in lieu of a large one-time settlement, or agreeing to a remediation plan that addresses the compliance gap over 12–24 months rather than settling a retroactive claim. Our guide on software audit defence covers these structures in more detail.

Tactic 4: Set a Clear Walk-Away Point

Determine in advance the maximum settlement you are willing to accept and the conditions under which you would escalate to litigation or seek independent arbitration. SAP rarely litigates against large customers — the reputational and commercial consequences are significant. Knowing your own walk-away point, and communicating it credibly, strengthens your position.

| Settlement Lever | Applicability | Typical Impact on Claim |
|---|---|---|
| Technical measurement challenge | Always | 15–30% reduction |
| Contractual definition challenge | Most cases | 10–25% reduction |
| Future commercial commitment | Where genuine | 20–40% reduction |
| Prospect of litigation | Large claims | 5–15% reduction |
| Alternative settlement structure | Case by case | Converts cash to discount |

When to Engage External SAP Audit Specialists

The question is not whether to engage external help during an SAP audit — it is when. The earlier you engage, the more options you preserve. Specialist SAP licensing and audit defence firms provide value across all phases of the audit, from initial scoping to settlement execution.

Firms with deep SAP audit experience understand the USMM measurement tool in detail, have seen the full range of SAP's classification arguments, maintain intelligence on current SAP commercial strategies and settlement norms, and can engage directly with SAP's GLAC team on commercial terms. They typically operate on a fixed fee, daily rate, or gain-share basis — with gain-share arrangements aligning their incentives directly with your settlement outcome.

Our rankings of the best SAP negotiation consulting firms identify the specialist practices with the strongest track records in SAP audit defence. Redress Compliance, our top-ranked overall firm, has handled SAP audits across more than 500 engagements spanning 20+ years and 11 vendor specialisations, and is Gartner-recognised for its approach to software licence optimisation.

Selecting a Specialist

When evaluating external audit defence firms, ask specifically: How many SAP audit settlements have you led in the past three years? What is your average reduction from initial SAP claim to final settlement? Do you offer gain-share arrangements? Can you provide references from SAP audit engagements at a similar scale? These questions quickly separate genuine specialists from generalist licensing consultants.

Post-Audit: Preventing Repeat Exposure

An SAP audit settlement resolves your current exposure — it does not prevent future audits. In fact, having been through one audit makes a second more likely, as SAP now has a baseline measurement of your landscape and will track whether your usage remains within the agreed parameters.

The most effective post-audit actions are establishing a formal SAP licence management programme, conducting annual internal measurements using the same USMM methodology SAP uses, implementing user provisioning controls that enforce licence type assignment at the point of account creation, and ensuring that any new system integrations or third-party connections are reviewed for indirect access implications before deployment.

For organisations on legacy SAP ECC considering an S/4HANA migration, the post-audit period is often an ideal time to renegotiate the commercial framework entirely. A settlement that simultaneously resets your licence baseline on commercially favourable terms, transitions to a Digital Access model with capped document volumes, and provides a clear path to RISE or cloud can transform a compliance crisis into a strategic commercial gain. See our S/4HANA migration negotiation guide for how to structure that conversation.

  • Establish quarterly internal licence measurement cadence using USMM
  • Implement role-based user provisioning with licence type controls
  • Document all RFC connections and third-party integrations
  • Review Digital Access document volumes quarterly
  • Maintain a register of all SAP modules deployed (production and non-production)
  • Ensure contractor/consultant accounts are deactivated within 30 days of project end
  • Brief procurement on audit rights before executing any SAP renewals

Frequently Asked Questions

Can I refuse an SAP audit?
Not without contractual justification, but you can challenge its scope, methodology, and timing. Your licence agreement defines SAP's audit rights. If SAP is requesting an audit more frequently than permitted, using an unauthorised auditor, or seeking access beyond the contracted scope, you have grounds to object. You cannot simply refuse a legitimate audit request, but you have significant control over how the audit is conducted.

How long does an SAP audit typically take?
The data collection and measurement phase typically takes 6–12 weeks. SAP's analysis and claim preparation adds another 4–8 weeks. Settlement negotiations can run 3–12 months depending on complexity, the size of the claim, and how aggressively each side pursues their position. Total audit duration from notification to final settlement is typically 6–18 months for enterprise customers.

Does SAP audit customers that are on RISE or cloud subscriptions?
RISE customers and S/4HANA Cloud subscribers are still subject to audit for the user types and document volumes declared in their subscription. However, the audit risk profile is generally lower for cloud subscribers because SAP has more direct visibility into usage through the managed service environment. Legacy ECC customers on perpetual licences face the highest audit risk.

What is SAP's typical opening claim versus final settlement?
SAP's initial claims are invariably higher than the final settlement — often by 40–60% or more. This reflects both the inclusion of worst-case interpretations and SAP's expectation that the claim will be negotiated down. Organisations that engage specialist external support consistently achieve better settlement outcomes than those that negotiate directly without specialist assistance.

Can an SAP audit lead to litigation?
SAP has litigated against customers for licence compliance failures, though this is uncommon for large enterprise relationships. The Diageo case is the most prominent example. In practice, SAP strongly prefers commercial settlements to litigation due to the reputational and relationship costs involved. However, the threat of litigation — on both sides — is a legitimate negotiating lever, particularly for very large claims.
