Introduction – Why the Pre-Audit Phase Is Your Advantage
SAP software audits are rarely random. They often align with contract renewals, new SAP purchases, or big organizational changes. That means you can predict and prepare for an audit long before SAP ever announces it. The best way to “win” an SAP audit is to start early – 6 to 12 months in advance – cleaning up your license data and coordinating internally.
This proactive phase is like an insurance policy against surprise compliance costs. It gives you control over the data SAP will see and lets you shape the narrative when it comes time to negotiate.
In short, early preparation turns a potential audit crisis into a routine true-up on your terms.
Being skeptical of SAP’s timing is healthy. SAP’s audit and sales teams often work hand-in-hand – audits can precede a sales push or renewal negotiation. For more SAP audit checklists, read our overview SAP Audit Preparation Checklists: Ready Your Team, Systems, and Contracts.
By preparing well in advance, you flip the script. You won’t be scrambling to respond under pressure. Instead, you’ll confidently present clean data and a clear understanding of your entitlements.
Remember, if you wait until SAP notifies you, you’re already on the back foot. Taking action 6–12 months out is your chance to seize the advantage and eliminate compliance risks quietly, before SAP is even in the picture.
Setting Up the Audit Readiness Team
Preparing for an SAP audit is not just an IT task – it’s a cross-functional effort. Start by assembling an audit readiness team with stakeholders from IT, asset management, procurement, legal, and finance. This team will own the pre-audit process and ensure every angle is covered.
In other words, if audit readiness is confined to IT, it will fail when it comes to negotiation. You need broad business involvement to balance technical cleanup with contract and financial strategy.
Key roles and responsibilities:
| Role | Responsibility | Deliverable |
|---|---|---|
| SAM / ITAM Lead (Software Asset Manager) | Owns the consolidated license inventory and overall audit readiness project | Master license baseline (current license usage vs. entitlement) |
| SAP Basis Admin | Runs SAP measurement tools (USMM/LAW) and ensures the quality of data from SAP systems | Accurate measurement results for users and engines |
| Procurement Lead | Aligns contracts, purchase history, and pricing terms with the technical data | “Contract audit matrix” – mapping of contracts to licenses and terms |
| Legal Advisor | Reviews contract clauses, especially audit rights and usage definitions | Summary of legal positions (audit clauses, usage rights, limitations) |
| Finance/CFO | Evaluates budget impact of potential compliance gaps and approves any risk-mitigation spend | Budget alignment for true-up costs or license purchases if needed |
Audit Readiness Team Checklist:
- Appoint a cross-functional audit owner. Choose a leader (often the SAM or ITAM manager) to coordinate the team and be the single point of accountability for audit preparation.
- Define a reporting cadence. Set up monthly or quarterly meetings for the team to review progress, share findings, and escalate issues. Consistent reporting keeps everyone proactive and avoids last-minute surprises.
- Establish a central “Audit Readiness Hub.” Create a secure folder or repository for all audit preparation documents – user lists, LAW results, contracts, meeting notes, etc. This central hub ensures the team works from one version of the truth and can quickly retrieve any evidence during the audit.
By getting the right people involved early and often, you build a united front. Each stakeholder will be prepared to support the audit process – from verifying the data to negotiating with SAP.
Insight: SAP’s auditors and sales reps are coordinated in their approach, so your technical, contractual, and financial teams must be equally coordinated in response.
License Data Cleanup – 6–9 Months Before Audit
With your team in place, the first major focus 6–9 months out is cleaning up SAP license data.
The goal is to eliminate obvious compliance risks in your SAP systems before SAP’s auditors do their official measurements.
A thorough internal cleanup now can drastically reduce (or even eliminate) unpleasant surprises later. Focus on users and engines – make sure the usage data SAP will see is accurate and minimized.
Action Steps (6–9 Months Before Audit):
- Run USMM on all SAP systems. Begin by running SAP’s User Measurement (USMM) report on every production system. Export these results to establish your internal baseline of named user counts and engine metrics. This is your starting point to identify discrepancies.
- Identify inactive and duplicate users. Scrutinize the USMM user lists for any accounts that haven’t been used in over 90 days or appear multiple times across systems. Deactivate or delete users who are no longer active employees or who have duplicate accounts. This prevents SAP’s License Administration Workbench (LAW) from counting the same person twice.
- Validate user license classifications. Ensure each user is assigned the correct license type in SAP according to their actual role. Ensure that heavy users have the appropriate licenses (e.g., Professional) and light users have lower-tier licenses if available. Misclassified users can cause compliance issues or unnecessary cost – fix those now.
- Remove test and system accounts from the count. Exclude or properly flag any test users, training accounts, or background technical accounts so they aren’t counted as full named users. These accounts might need special license types (like “Test” or “Technical”) or exclusion from LAW consolidation.
- Reconcile with HR records. Cross-check the active SAP user list against HR’s employee roster. Make sure people who have left the company or changed roles are reflected in SAP (removed or updated). Each departed employee left active in the system is a needless license consumption. Likewise, ensure no generic accounts are misused.
Pitfall → Fix Examples:
- Pitfall: The same employee is counted twice in LAW because they have two user IDs (e.g., one in ERP and one in CRM) that aren’t linked. Fix: Consolidate duplicate accounts by maintaining a common identifier (such as Personnel Number or email) for each user across all systems. This way, LAW will recognize two accounts as one person and count them only once.
- Pitfall: A significant number of inactive users (e.g., 20% of the user list) are still set as active in SAP, inflating your license count. Fix: Implement a quarterly user review and cleanup process. Well before any audit, routinely remove or lock users who haven’t logged in over 90 days, so they don’t appear in official audit reports.
After cleaning up, run USMM again to see the improvement. You might be surprised how much the “raw” user count drops after scrubbing out duplicates and stale accounts.
This directly reduces compliance risk.
License Cleanup Checklist:
- Ensure all active users are accurately classified by license type (no defaults or unknowns).
- Deactivate and remove old user accounts before the next LAW run. Make this a standard practice, not a one-time effort.
- Double-check system settings for LAW – confirm which systems are flagged as production vs. test. (LAW should typically consolidate only production systems for license counts. Mark training or QA systems appropriately so their users aren’t mistakenly counted in the audit.)
By investing time in data cleanup, you ensure that when you eventually consolidate data for SAP, the numbers are lean and correct.
It’s far better for you to find and fix an issue like a duplicate user now than for SAP to find it later. This step alone can save tens or hundreds of thousands in unnecessary license fees.
More information on technical clean-up: Technical Cleanup Before Audit: Ensuring Your SAP Systems Are Audit-Ready.
Contract and Entitlement Review – 6–9 Months Before Audit
Cleaning your technical data is only half the battle – you also need to arm yourself with contractual knowledge well in advance. An SAP audit isn’t just about what’s in your systems; it’s about comparing that usage to what you’ve legally purchased.
In the 6–9 month pre-audit window, take time to review all your SAP contracts and entitlements. Knowing your rights (and limits) in those agreements gives you a huge advantage in an audit scenario.
Start by gathering every relevant SAP contract: license agreements, order forms, appendices, invoices, and any amendments or side letters. Pay special attention to any audit clause or terms that describe how an audit should proceed.
This legal fine print can be crucial if you need to push back on scope or process later.
Next, map your entitlements in detail:
- Confirm your license types and metrics. List out all the SAP license types your organization owns (e.g., Professional User, Limited Professional, Employee Self-Service, various engine products, etc.). Note the metric for each (users, cores, orders, etc.) and the quantity you have purchased. Also note the version of the SAP price list or definitions in your contract – definitions can evolve, so know which ones apply to you.
- Match entitlements to systems and usage. Create a matrix mapping what you own to where it’s used. For example, if you have 100 Professional User licenses under Contract A, determine which systems or user groups those cover. Align engine license entitlements (like SAP HANA, SAP Payroll, etc.) with the systems and data that consume them. This “contract-to-license mapping matrix” will highlight any gaps or areas of over-license.
- Verify maintenance terms and renewal dates. Check the maintenance fees and terms in your contracts. Note your annual support percentage and when each contract term renews or expires. This is important because an upcoming renewal is often when SAP will want to reconcile any license shortfall (and it could be your opportunity to negotiate a better deal if you’re prepared).
- Identify special clauses or legacy terms. Look for any unique terms: maybe a clause that fixed pricing for certain licenses, or an allowance for extra usage (common in older contracts or large enterprise agreements). These could be leverage points if SAP tries to push list price or new metrics during an audit resolution. Highlight anything ambiguous in the contract (like unclear user definitions or indirect usage language) that might become a debate – you want your legal team ready to interpret those in your favor.
Contract Review Checklist:
- Build a “contract vs. usage” matrix – for each contract line item, document how it maps to actual usage in your systems. This ensures nothing you bought is overlooked, and you can prove usage coverage.
- Highlight any ambiguous definitions or metrics in your licenses. If “Professional User” isn’t clearly defined in your contract, know that definition (perhaps from SAP’s standard terms of that year) so you can argue if needed.
- Pinpoint legacy contracts or unusually favorable terms. For example, you might have a 10-year-old contract with a lower price or certain license types grandfathered – SAP’s audit teams may not volunteer that information, so you must. Use those as leverage to counter any “all at list price” compliance claim.
- Note upcoming renewal or true-up dates. If a major contract renewal is 6 months away, anticipate that SAP could use the audit to pressure a sale. Conversely, you can plan to address any license gaps as part of that renewal negotiation. A proactive stance might get you better discounts or conditions since SAP’s sales team will be eager to close the renewal.
Remember, SAP’s audit team and SAP’s sales team share information – you should assume anything the auditors find will be used by sales in negotiations. That’s why your procurement and legal strategy must align with your technical findings.
By knowing your contracts cold, you won’t be rattled by the auditor’s claims. Instead, you’ll respond with, “We’ve reviewed our records and according to contract X, our use is compliant with definition Y,” or, “We’re aware of a shortfall and plan to address it at renewal in Q4.” This turns the audit from a hunt for revenue into a structured dialogue that you control.
Internal License Measurement – 3–6 Months Before Audit
By around 3–6 months before a potential audit, you should execute a full internal license audit – essentially a dress rehearsal of the real thing. This means running SAP’s measurement tools and consolidating the results, just as you would if SAP had officially kicked off an audit.
The difference is, you do it for your eyes only. This internal check lets you see exactly what SAP would see, on your own timeline. With those insights, you can still make adjustments or plan responses well before SAP knocks on the door.
Here’s how to perform an internal SAP license measurement:
- Run USMM in all production systems (again). Even if you ran it earlier during cleanup, run fresh measurements now that your data is cleaner. Make sure to include all relevant systems that SAP would expect in an audit (ECC, S/4HANA, BW, CRM, etc.). This captures the latest user counts and usage metrics.
- Consolidate with LAW. Use the License Administration Workbench to combine the USMM results from each system into one consolidated view. This step will automatically filter out the duplicate users (if your user data is harmonized) and give you a global license consumption report. Carefully choose the matching criteria (user name, personnel number, email, etc.) that you standardized during cleanup to get the best consolidation.
- Validate the consolidation. Don’t blindly trust the LAW output—review it. Look at any exceptions or users that LAW couldn’t match across systems. Manually adjust or investigate any oddities (for example, if LAW shows 95 users consolidated but you expected 90, find out why – maybe a user has a slightly different name in one system). Also, verify that the highest license type per user is what’s counted (LAW should automatically count a user at their highest classification among systems).
- Compare usage vs entitlements. Now, take your consolidated LAW results and stack them against the entitlement baseline from your contract review. Where do you stand? For each license type, are you under or over the limit? For engines (like packages/modules), how does measured consumption compare to what you bought? List out any shortfalls (usage exceeding entitlement) and any surpluses (licenses purchased but not fully utilized). This is purely internal intel – you’re identifying areas of compliance risk (shortfalls) and areas of potential shelfware or negotiation currency (surplus).
- Keep it internal and confidential. Treat your internal audit results as sensitive information. Do not share these numbers or findings with SAP or any third party not bound to confidentiality. These results are your narrative, not SAP’s. If the numbers look good, great – you’re ready. If they show some compliance gap, that’s fine too – you found it, not SAP, and you have time to address it before it becomes an official issue.
Internal Measurement Checklist:
- Perform a full LAW consolidation of all current systems’ user counts. Save the output files securely for analysis.
- Cross-verify engine metrics (like SAP HANA capacity, orders, etc.) with respective system owners to ensure the measurement is accurate. Sometimes engine measurements need interpretation – double-check any unusual spikes or dips.
- Keep the detailed results confidential and internal. Share them only among the audit readiness team and senior management. The goal is to be prepared, not to preemptively disclose anything to SAP.
This “shadow audit” is one of the most powerful steps you can take. Insight: Your internal measurement defines your story — SAP’s measurement defines theirs. By doing your own measurement first, you decide which story will be told.
For example, if you discovered that 50 unused accounts were boosting your count, you removed them, and your story now is “we’re compliant and efficient.” If SAP did the measurement without that, their story would be “you’re over-using 50 licenses, pay up.” Clearly, doing it yourself first puts you in control of the narrative and numbers.
Risk and Remediation Planning – 3–6 Months Before Audit
Once you have the results of your internal license measurement, you need to act on any discrepancies. The 3–6 month window is an ideal time to quietly remediate issues or, if remediation isn’t possible, plan how you will handle them.
Essentially, you’re closing the gaps that could cost you in an audit, or at least preparing your organization to address them head-on.
The objective is that by the time an official audit begins, there are no large surprises left – you either fixed the problems or you have a strategy (and budget) to resolve them.
If your internal audit found compliance gaps, take these steps:
- Quantify the exposure. Calculate the potential financial risk of any shortfall. For example, if you found you are 10 Professional users over your entitlement, estimate what 10 additional licenses would cost at your discount or at list price (including back maintenance if applicable). If an engine metric is over (say HR Employee count, or Salesforce integration documents in indirect use), project what license or usage fees that implies. Having hard numbers focuses the urgency and helps in management discussions.
- Evaluate remediation options. Not every compliance gap requires buying more licenses immediately. Consider alternatives:
- Reclassify or optimize usage: Perhaps some users can be moved to a different license type or removed if not truly needed. Or maybe shifting certain processes (like archiving old data to reduce a database engine metric) can bring usage down below your entitlement.
- License reallocations: If you have unused licenses of one type and a deficit in another, can you reallocate or convert them? (SAP sometimes allows swapping license types in certain programs or at renewal – note this for negotiation.)
- Last-resort purchases: If additional licenses are absolutely needed, plan the best timing to purchase – ideally aligning with a renewal or a quarter-end when you might get a better deal from SAP.
- Indirect access mitigation: If the risk is indirect usage (third-party systems accessing SAP without proper licenses), consider if you should purchase SAP’s Digital Access licenses or adjust integrations to limit document creation. These decisions can be complex, so weigh cost vs. risk carefully.
- Engage experts if needed. Suppose you uncovered complex issues (like substantial indirect access exposure, complicated engine metrics, or unclear contract clauses that make it hard to determine compliance). In that case, this is the time to quietly get advice. External SAP licensing advisors or specialty firms can provide guidance under NDA, or you might involve your SAP account team informally without disclosing specifics. The key is to gather options for cost-effectively solving the issue.
- Plan, budget, and approvals. If likely you’ll need to spend money (e.g., to buy 100 more user licenses or a new engine license), loop in finance leadership early. It’s much easier to get budget approval for a well-anticipated compliance true-up than a last-minute emergency spend. By quantifying the exposure as above, you can make a case for setting aside funds or including it in upcoming budget cycles. This also avoids panic if SAP audit results come in – you’ll have financial coverage ready.
Now, remediate what you can immediately. For instance, if you found 50 users assigned a Professional license but they only use low-level transactions, downgrade them to a Limited license (if allowed) to free up compliance headroom.
If an engine is overused, see if some data or users can be offloaded. Perform these fixes quietly and document them (so you have a record of changes). After making corrections, run another internal USMM/LAW to verify the gap closed.
Risk Remediation Checklist:
- Create an internal remediation plan listing each identified compliance gap and the action to address it (e.g., cleanup, reclassification, purchase at renewal, etc.). Assign owners and dates to each action.
- Document all changes you apply (e.g., “25 users removed on Jan 15, 2025,” or “Switched 10 users from Professional to Employee Self-Service on Feb 1, 2025”). This paper trail shows good faith and internal control if ever needed.
- After fixes, re-run the measurement to confirm the issue is resolved. Only mark a risk as closed when the numbers prove it.
Pitfall → Fix:
- Pitfall: Trying to fix licensing problems after SAP has officially requested your LAW data. If you wait until the audit is underway, any late changes you make could raise red flags or be disallowed by SAP (and you’ve lost the element of control).
- Fix: Always complete major remediation before the first formal contact with SAP about an audit. Once SAP asks for your measurement results, assume those must reflect reality then. By doing all adjustments in advance, the data you eventually hand over will already be in good shape. Essentially, you’re “locking in” your compliant position ahead of time.
By proactively addressing risks, you can enter any audit discussion calmly.
You’ll either have nothing critical to fix (because you fixed it) or you’ll have a well-thought-out plan that you can negotiate from (e.g., “We anticipated needing X licenses and have budgeted for them – let’s discuss a fair price or trade as part of our renewal”). In both cases, you’re not caught off guard, and that confidence is evident to SAP.
Documentation & Governance Setup
During the pre-audit months, an often overlooked task is setting up strong documentation and governance around license compliance. Audits can drag on for weeks or months, and without organized records, you could find yourself scrambling to prove a point or reconstruct what was done.
A little effort now in organizing your documentation will pay off massively if SAP comes knocking. Good governance also institutionalizes the audit readiness process so it isn’t a one-time scramble but an ongoing discipline.
What should you document and organize?
- Archive all measurement outputs. For every USMM and LAW run you perform (including the internal ones you’ve been doing), save the results files, screenshots, and exports. Keep them in a dated folder structure. If SAP later claims “your user count was X,” you can pull out the internal measurement from that date and verify or explain the difference.
- Record user and license changes. Maintain a simple log or spreadsheet of key changes made during cleanup and remediation. For example: “Dec 2024 – 300 inactive users removed; Jan 2025 – 50 users reclassified from Professional to Limited.” This log shows that you took prudent actions and also helps explain any usage anomalies.
- Centralize contract and entitlement documentation. Store copies of all the contracts, the license mapping matrix, and any interpretations or legal memos in your Audit Readiness Hub. In the heat of an audit negotiation, having quick access to that one clause in your 2010 contract amendment could save you millions – but only if you can find it. Make sure contracts are indexed or summarized for easy reference (e.g., a cheat sheet of all license counts and definitions per contract).
- Version control and access. Implement version control for key documents like the license baseline or the contract matrix. When you update something, keep the old version archived. Also, restrict access to the core documentation folder – only the audit team and essential executives should have access. This prevents accidental changes or deletions and also reduces leaks of sensitive information.
- Retention policy. Decide how long you’ll keep audit-related documents. It’s wise to keep records for at least a few years, because audit findings can influence future compliance checks. Some companies keep a rolling history (e.g., the last three audits’ worth of data). Since you’re doing continuous internal audits, keep those results for trend analysis as well.
Documentation & Governance Checklist:
- Set up a secure “Audit Archive” folder structure (digital and physical if needed) to store all relevant materials. Use clear names and dates (e.g., “2025-01 Internal LAW Result”) for easy lookup.
- Track measurement history quarterly or at key milestones. By the time an SAP audit happens, you should be able to show a timeline of your compliance status (e.g., “Here’s our Q1 internal audit, Q2 after cleanup, etc.”). This demonstrates control and due diligence.
- Maintain versioned documentation of user classifications and license allocations. If someone questions why a user was classified a certain way, you have the historical record of how and when that decision was made.
Having an organized repository of data and documents means that when SAP asks a question like “Can you explain this jump in user count?” you can pull up records in minutes to explain, rather than launching a frantic internal investigation.
Good documentation also empowers your legal and procurement teams – they can find supporting evidence for negotiations without delay. Insight: An organized archive turns audit defense from a two-month crisis into a two-hour Q&A. In other words, you’ll handle queries efficiently instead of scrambling, which again shows SAP that you’re in control.
Communication Alignment – 1–3 Months Before Audit
In the final stretch (about 1–3 months before you suspect an audit might formally start, or even if you’re just due for one soon), focus on internal and external communication planning. How you communicate during an SAP audit can significantly affect the outcome. Mixed messages or uninformed replies can inadvertently expose you or weaken your negotiation stance.
By aligning communication protocols ahead of time, you ensure a smooth, consistent interface with SAP and a unified front within your company.
Key communication steps to take:
- Designate a single point of contact (SPOC) for SAP. Decide who will be the primary (and ideally sole) communicator with SAP’s audit team. This is often someone in ITAM/SAM or a senior IT manager, sometimes supported by procurement. The SPOC will send all data to SAP and receive all questions. By funneling communication through one person, you avoid the classic audit pitfall of SAP going around asking different people and getting inconsistent answers. Notify your SAP account manager early that “All audit communications should go through [Name/Title].”
- Prepare internal briefing and boundaries. Educate all stakeholders and relevant staff on how to handle SAP inquiries. For example, instruct technical teams that if an SAP auditor or consultant reaches out informally, they should not provide data or answers on the fly but rather route the request to the SPOC. Everyone should know what information is okay to share and what’s sensitive. Also, brief them on the audit clause rights – e.g., SAP is entitled to certain data but not to run tools themselves on your systems, etc., so that your team doesn’t unknowingly over-share or grant access beyond what’s required.
- Align messaging across departments. Make sure IT, procurement, legal, and finance are all on the same page regarding your stance. If, for instance, you identified a shortfall of 100 licenses and plan to address it at renewal, everyone should know that’s the plan and stick to that line when asked. Inconsistency can be exploited – for example, if IT says, “We think we’re short 100 licenses,” but procurement says, “We’re fully licensed,” you lose credibility. Have an internal FAQ or bullet points about how to respond to common queries.
- Centralize all correspondence. Log and save every email or letter between your company and SAP regarding the audit. Ideally, use the Audit Readiness Hub folder to store communications as well (or a sub-folder just for correspondence). Not only does this help track commitments and requests, but it’s also evidence if there’s any dispute later about who said what when.
Communication Alignment Checklist:
- Officially assign the SAP audit SPOC and have their contact info ready to share with SAP. Ensure this person has the authority and knowledge to handle auditor requests or knows how to delegate tasks internally.
- Create a communications plan document. Include a list of do’s and don’ts for internal teams (e.g., do funnel requests to SPOC, don’t speculate on compliance positions in emails, etc.), and a template for formal responses to SAP if needed (for example, an initial reply acknowledging the audit notice and outlining your requested timeline).
- Brief all stakeholders (IT admins, managers, procurement leads, etc.) on the plan. A short meeting or memo can reinforce that during the audit, no one responds to SAP queries independently. Clarify roles: who will gather data behind the scenes, who will review SAP’s findings, and who will be involved in any negotiation discussions.
- Centralize and archive communications the moment they occur. If the SAP auditor asks a question by email, save it. If there’s a phone call, have the SPOC document the key points in a written memo to the file. Treat it like a legal project – meticulous records of every interaction.
By planning your communications, you avoid panic and confusion. SAP will see a professional, coordinated response at every step: one where their requests are met promptly and consistently by the SPOC, and your team is not caught off guard by any question.
This projecting of control can sometimes even discourage SAP from pushing too hard, because it signals you are well-prepared and knowledgeable. In any case, it prevents the common scenario of “the left hand doesn’t know what the right is doing” internally during an audit.
5 Must-Do Actions Before an SAP Audit
In summary, before an SAP audit officially begins, make sure you have checked off these five critical actions:
- Run and review your own SAP LAW/USMM results. Always measure your usage internally first, so you know your compliance position before SAP does.
- Clean up inactive users and classify licenses correctly. Remove dormant accounts and ensure every user is properly assigned the right license type to avoid over-counting.
- Map all contracts to active entitlements. Know exactly what you’ve purchased and how it relates to your current usage – no surprises in terms of rights and limits.
- Assign governance roles and a single SAP contact. Establish a dedicated audit prep team and SPOC so that both your internal efforts and external communications are controlled and consistent.
- Archive every measurement and correspondence record. Keep detailed documentation of license counts, cleanup actions, and all communications, enabling a fast and confident response to any audit query.
By executing these must-do actions 6–12 months ahead of time, you’ll be in the driver’s seat for any SAP audit. Instead of reacting to SAP’s findings, you’ll be presenting your own well-supported data.
The audit will transform from a dreaded event into a manageable formality – one where you dictate the pace and outcome as much as possible. Preparation is not just defense; it’s a power in dealing with SAP. Use that 6–12 month head start wisely, and you can turn an audit into just another routine check with no drama.
Read about our SAP Advisory Services.
