SAP License Audit Process: Step-by-Step Guide
Introduction – Why Understanding the SAP Audit Process Matters
SAP license audits are a matter of when, not if, for most enterprises running SAP.
These audits are contractually mandated (often annually or every 18–24 months) and can lead to significant unplanned costs if you’re not prepared. CIOs and SAP license managers who fully understand the audit process can turn a potential compliance crisis into a manageable routine.
Being informed and proactive means you control the narrative and outcome, rather than scrambling to respond to SAP’s findings.
Below is a step-by-step walkthrough of the SAP audit process – from the initial notice to final resolution – with practical tips to stay in control at every stage.
Step 1: Notification & Scope Definition
The SAP Global License Audit & Compliance (GLAC) team initiates the audit by sending an official audit notification. This typically arrives via email or the SAP support portal, outlining the scope and timing of the audit. The notification will specify which systems (by System ID, or SID) and which products/modules are in scope for measurement. It also typically cites the audit clause in your contract, which allows SAP to conduct audits (often once per year or every two years).
Common audit triggers: Regular contract schedules are a primary trigger, but audits can also be prompted by events like a big increase in users, a major purchase or renewal, mergers and acquisitions (which could expand usage), or SAP’s suspicion of indirect access (third-party systems interfacing with SAP without proper licenses).
In any case, once you receive the notice, customers are generally given a short window (around 30–45 days) to start the process or provide initial data.
Your action: Acknowledge the notification promptly and clarify the audit’s scope. Don’t assume the audit covers everything in your landscape – confirm exactly which installations and license metrics are included. For example, you might respond with formal language such as:
“We acknowledge receipt of the audit notice. Before initiating data collection, we request confirmation of the exact systems, modules, and license metrics in scope, as well as the timeline and methodology that will be used.”
This sets a professional tone, shows you’re taking it seriously, and ensures both you and SAP have a mutual understanding of what will be audited. Getting scope details up front prevents surprises later (like SAP asking for data from a system you weren’t expecting to include).
Step 2: Internal Readiness & Data Cleanup
Before running any official measurement, take time for internal preparation. This phase is where you can identify and fix issues that would otherwise inflate your audit results.
Key preparation steps include:
- Inventory your systems: Verify which SAP systems are productive (in active use) versus test, development, or retired systems. Only productive systems should typically be counted in an audit, unless otherwise specified. Ensure you are familiar with all the SIDs that SAP has listed in the scope and verify that there are no SIDs that they might have missed or that you believe are out of scope.
- Clean up user accounts: Audit your SAP user list in each system to ensure accuracy. Remove or lock any user IDs that are duplicates, belong to former employees, or haven’t been used in a long time. Especially look for generic or test accounts – these should be disabled if not truly needed. Every active user will count toward license usage, so a cleanup can significantly reduce your license counts. Align usernames across systems as much as possible so that the same individual’s accounts can be recognized and consolidated (e.g., ensure John Doe isn’t “jdoe” in one system and “john.doe2” in another without mapping them; consistent IDs or alias mapping will help later).
- Validate license classifications: Check that each active user has the correct license type assigned in the system (if your SAP user master data includes a license type field). For example, ensure that low-activity users are not accidentally tagged as “Professional” if they only need an “Employee” license. You want your user classifications to reflect actual usage and contract definitions before measurement, rather than accept SAP’s default categorization blindly.
- Compile your entitlements: Gather your current SAP license entitlements from your contracts, purchase orders, or license keys. Know how many of each user type and package/engine you are entitled to. This serves as your baseline for comparison with the audit results.
- Run a pre-audit internally: If time permits, execute SAP’s measurement tools internally (the same tools used in audits, discussed in the next step) for your own review first. Treat it as a dress rehearsal. This allows you to see the numbers that SAP would collect. Analyze the preliminary results to identify any anomalies – for example, are test users appearing as active? Is a certain module’s usage unusually high? By doing an internal run, you can correct mistakes (e.g., reclassify a misidentified user or address an unexpected spike in a metric) before you formally submit data to SAP.
Taking these preparatory actions sets you up to present the cleanest, most accurate data to SAP, minimizing questions and false positives in the later stages. Essentially, you’re doing your own audit to preempt the vendor’s audit.
Step 3: Running SAP’s Audit Tools (USMM & LAW Explained)
Once internal cleanup is done, it’s time to execute SAP’s official license measurement tools:
- USMM (User Measurement System) – This is the SAP transaction that runs the license measurement on a single system. You’ll run USMM in each SAP system that’s in scope. The USMM tool will scan user accounts and usage on the system, tallying up license-relevant metrics. This includes counting how many users are assigned to each license type (or how many users USMM thinks should be in each category based on their roles and activity) and measuring “engines” or package metrics (for example, number of HR employees, number of sales orders, etc., for certain SAP modules). After running, USMM generates a measurement file (usually an XML or text file) with the results for that system.
- LAW (License Administration Workbench) – Once you have USMM results from all individual systems, LAW is used to consolidate them. You typically run LAW in a central system (like Solution Manager or any designated consolidation system). In LAW, you import the measurement files from each system or pull the data remotely. LAW’s job is to combine everything into one unified report for your entire SAP landscape. Crucially, LAW will identify duplicate users across systems and merge them so that each person is only counted once in the final totals. For instance, if the same employee has accounts in both ERP and CRM systems, LAW will recognize that (as long as it can match the usernames or you manually map them) and count that user under whichever system requires the higher license type for them, rather than counting them twice. LAW then produces a consolidated audit report that shows the total number of unique named users by license type, as well as summed engine metrics, across all included systems.
- Newer tools (LAW 2.0 / LMBI): In recent years, SAP has introduced LAW 2.0 (sometimes referred to as SLAW or SLAW2) and the License Management Business Intelligence (LMBI) dashboard to enhance the classic LAW. These are essentially upgrades that offer better interfaces and more analytics, but the core purpose remains the consolidation of measurement data. If you’re on a newer SAP release, you may use LAW 2.0; however, for the audit process, the outcome is similar – a unified license usage report.
After running USMM on each system and consolidating with LAW, take a moment for an internal review of the LAW output. This is a critical control point: review the consolidated results for anything that looks wrong.
Are the user counts in each category in line with expectations? Did LAW properly eliminate the duplicates you knew about? Do the engine metric totals make sense given your knowledge of usage? If something appears incorrect (for example, a test system’s users are accidentally included as productive, or a group of users is unexpectedly classified as a costly license type), return to the systems to investigate and, if necessary, re-run USMM after making the fixes. It’s perfectly acceptable to iterate: clean up data, run USMM again, and reconsolidate in LAW until you’re confident the figures are accurate.
Pro Tip: USMM defaults any “unclassified” users to the highest license category (often Professional). Ensure that no active user is left unclassified or without a license type in the system; otherwise, the audit will count them in the most expensive category.
Likewise, if LAW shows a user count for a category that you think is too high, double-check if some users were miscategorized. Catching and correcting these before submission can save you from having to explain them to SAP later.
Step 4: Submitting Data to SAP – What to Include, What to Exclude
After you’ve run the measurements and verified the results internally, the next step is to provide the data to SAP. Typically, SAP will instruct you to submit the LAW consolidated report (and any supplementary data, like self-declaration forms for certain licenses) via the SAP ONE Support Launchpad or by email.
When submitting data to SAP, be precise and only provide what is requested:
- Submit the consolidated LAW report (not individual system files unless they ask). This is usually an electronic file. Double-check that it’s the correct, finalized version. Keep a copy of exactly what you send.
- Include any required declarations: Some license metrics (especially for specific engines or packages) might require you to fill out a manual form (for example, number of 3rd-party system users for indirect access, or user counts for engines that USMM doesn’t automatically count). Ensure these are completed accurately and consistently with your LAW data.
- Stick to the scope: Refrain from sending data on systems or modules that were not in the defined audit scope. For example, if the audit is for your ECC and CRM systems, but not for your BW system, you do not need to provide BW usage data. Don’t overshare – every piece of data you provide is something SAP can scrutinize. If SAP needs additional info, they will ask, and you can provide it then if appropriate.
- Document the submission: Maintain a record of when and what you submitted (files, forms, emails). Treat it like a legal audit trail. That way, if a question comes up later (“Did we include System X in the data?” or “What was the user count we reported for Professional users?”), you can easily refer back to the exact submission.
It’s often wise to notify SAP once you’ve submitted (“We have uploaded the LAW report for all in-scope systems as requested, please confirm receipt.”). This ensures they acknowledge they have your data. By controlling the flow of information – sending exactly what’s required and no more – you maintain clarity in the process and limit potential misunderstandings.
Step 5: SAP’s Review & Preliminary Findings
With your data in hand, SAP’s GLAC audit team will begin its analysis. In this phase, SAP compares your reported usage (from LAW and any declarations) against your entitlements and contractual terms.
They will be looking at:
- Named user license counts: How many users of each type did you report versus how many are you licensed for? (e.g., you reported 500 Professional users but own 450 licenses – that’s a 50-user shortfall to investigate.)
- Package/engine metrics: For any SAP packages (like ERP modules with metrics such as orders, employees, revenue, etc.), does the usage exceed what you’ve licensed? For instance, if your license for SAP Payroll allows up to 10,000 employees and your LAW report or declaration shows 12,000 employees in the system, that’s a potential compliance issue.
- Indirect access signs: SAP will also review for indications of indirect usage. This could be hidden in technical accounts or high volumes of certain transactions that might imply non-SAP systems are accessing SAP data. If something appears suspicious or if you have a known interface (such as Salesforce or a portal utilizing SAP data), they may flag this for further discussion or an enhanced audit.
- Overall data consistency: SAP verifies that all expected systems have reported data and that the figures are accurate (e.g., user counts relative to company employees, module usage relative to business size, etc.). Any anomalies might be noted.
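The mechanics described in Steps 2, 3 and 5 – locking stale accounts, catching users with no license type before USMM defaults them to Professional, consolidating the same person’s accounts across systems at the higher license type (as LAW does), and comparing unique user counts against entitlements – can be rehearsed on your own user export before anything is submitted. The script below is an added illustration, not SAP’s code and not an output format of USMM or LAW: the user records, the alias map, the entitlements, the 90-day inactivity threshold, the three-tier license ranking, and the assumption that reviewed unclassified users turn out to need only an Employee license are all constructed for the example.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import Dict, List, Optional, Tuple

# Rank of each named-user type; a higher rank is the more expensive license.
# The ordering is an assumption for this example, not a contract definition.
LICENSE_RANK = {"Employee": 1, "Limited Professional": 2, "Professional": 3}
# Users with no license type fall back to the highest category, as the page notes.
DEFAULT_UNCLASSIFIED = "Professional"
# Constructed measurement date used for inactivity checks.
AS_OF = date(2024, 6, 1)


@dataclass(frozen=True)
class UserRecord:
    """One user master record as a measurement run would see it (constructed shape)."""
    sid: str                      # system ID, e.g. ERP or CRM
    username: str
    license_type: Optional[str]   # None means no type maintained
    last_logon: Optional[date]    # None means never logged on
    locked: bool = False


# Constructed sample data: one person with differently named accounts in two
# systems, an unclassified user, a stale user, a never-used test account and a
# locked duplicate.
SAMPLE_USERS: List[UserRecord] = [
    UserRecord("ERP", "jdoe", "Professional", date(2024, 5, 20)),
    UserRecord("CRM", "john.doe2", "Employee", date(2024, 5, 18)),
    UserRecord("ERP", "asmith", None, date(2024, 5, 1)),
    UserRecord("ERP", "bjones", "Employee", date(2023, 1, 10)),
    UserRecord("CRM", "test_user", "Professional", None),
    UserRecord("ERP", "ckim", "Limited Professional", date(2024, 5, 22)),
    UserRecord("CRM", "ckim", "Professional", date(2024, 3, 2), locked=True),
    UserRecord("ERP", "dlee", "Professional", date(2024, 5, 22)),
    UserRecord("CRM", "dlee", "Professional", date(2024, 5, 21)),
]

# Constructed alias map (system, username) -> canonical person ID: the manual
# mapping the page says is needed when the same person has different usernames.
ALIAS_MAP: Dict[Tuple[str, str], str] = {("CRM", "john.doe2"): "jdoe"}

# Constructed entitlements, as they would be compiled from the contract.
ENTITLEMENTS = {"Professional": 2, "Limited Professional": 2, "Employee": 10}


def canonical_id(rec: UserRecord) -> str:
    """Resolve an account to one person, via the alias map or the username itself."""
    return ALIAS_MAP.get((rec.sid, rec.username), rec.username).lower()


def cleanup_candidates(records, as_of: date, inactive_days: int = 90):
    """Unlocked users who never logged on or have been idle past the threshold."""
    out = []
    for r in records:
        if r.locked:
            continue
        if r.last_logon is None or (as_of - r.last_logon).days > inactive_days:
            out.append((r.sid, r.username))
    return sorted(out)


def unclassified_users(records):
    """Unlocked users with no license type; these would default to Professional."""
    return sorted((r.sid, r.username) for r in records
                  if not r.locked and r.license_type is None)


def consolidate(records) -> Dict[str, str]:
    """LAW-style consolidation: one entry per person, at the highest type seen."""
    result: Dict[str, str] = {}
    for r in records:
        if r.locked:
            continue
        lt = r.license_type or DEFAULT_UNCLASSIFIED
        cid = canonical_id(r)
        if cid not in result or LICENSE_RANK[lt] > LICENSE_RANK[result[cid]]:
            result[cid] = lt
    return result


def count_by_type(consolidated: Dict[str, str]) -> Dict[str, int]:
    """Unique named users per license type across all systems."""
    counts = {t: 0 for t in LICENSE_RANK}
    for lt in consolidated.values():
        counts[lt] += 1
    return counts


def shortfall(counts: Dict[str, int], entitlements: Dict[str, int]) -> Dict[str, int]:
    """License types where measured unique users exceed what is owned."""
    return {t: n - entitlements.get(t, 0)
            for t, n in counts.items() if n > entitlements.get(t, 0)}


def simulate_cleanup(records, as_of: date, reclassify_to: str = "Employee"):
    """Lock cleanup candidates and give unclassified users an explicit type.
    Assumption for the demo: review found they need only `reclassify_to`."""
    stale = set(cleanup_candidates(records, as_of))
    cleaned = []
    for r in records:
        if (r.sid, r.username) in stale:
            r = replace(r, locked=True)
        elif r.license_type is None:
            r = replace(r, license_type=reclassify_to)
        cleaned.append(r)
    return cleaned


if __name__ == "__main__":
    print("cleanup candidates:", cleanup_candidates(SAMPLE_USERS, AS_OF))
    print("unclassified:", unclassified_users(SAMPLE_USERS))
    before = count_by_type(consolidate(SAMPLE_USERS))
    print("before cleanup:", before, "shortfall:", shortfall(before, ENTITLEMENTS))
    after = count_by_type(consolidate(simulate_cleanup(SAMPLE_USERS, AS_OF)))
    print("after cleanup:", after, "shortfall:", shortfall(after, ENTITLEMENTS))
```

On the sample data the raw consolidation shows four Professional users against two owned, a two-license gap; after locking the stale and never-used accounts and classifying the unclassified user, the gap disappears. That is the point of doing the dress rehearsal before submission: the same data, cleaned, tells a different story, and the cleanup is one you are entitled to do on your own systems.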
After their review, SAP typically issues a Preliminary License Audit Report or an initial findings document. This usually happens a few weeks after submission (often around 4–8 weeks later, but timelines can vary).
In this preliminary report, SAP will list any discrepancies found, such as license shortfalls, classification issues, or requests for clarification regarding certain users or systems.
Think of this report as SAP’s first pass assessment, not the final verdict.
Your action in this phase: Don’t panic if the preliminary findings show a big compliance gap – it is common for initial reports to look daunting.
Treat this as a discussion draft. Scrutinize SAP’s findings line by line, comparing them with your own data and knowledge:
- Are there users in SAP that are counted as a certain license type, which you believe should be classified as a lower type? (This is the time to point out, for example, “User X was counted as Professional, but they only use a self-service role – we believe they should be an Employee license.” Provide rationale or evidence.)
- Did SAP count any decommissioned or test systems as productive usage? You might need to clarify, for example, “System ID Y is a standby system for DR (disaster recovery) and not in active use – it should not count towards licenses.”
- Are there any “unclassified” users that SAP defaulted to an expensive category? You can often argue that these were service accounts or should be reclassified appropriately.
- Check math and totals against your submission. Mistakes can happen in consolidation or interpretation on SAP’s side, too.
Responding to preliminary findings: Formally reply to SAP with a clarification letter or document. Address each point where you disagree or have an explanation. Be factual and, where possible, support your claims with evidence (e.g., log data showing a user’s last login date if you claim an account is inactive).
The goal here is to resolve any misunderstandings and narrow down the true compliance gap (if any) by correcting errors in SAP’s assumptions. This phase may involve meetings or calls with SAP’s auditors to go over the details – treat those as negotiations where you advocate for your interpretation of the data.
Step 6: Clarifications and Disputing Errors
(Note: This is closely tied with Step 5 and often part of the same “clarification phase,” but it’s emphasized here as its own step for the sake of guidance.)
After reviewing SAP’s preliminary report, you enter a clarification period. This is your opportunity to dispute errors or provide additional information before SAP finalizes the audit. Key things to do in this stage:
- Correct misclassifications: If SAP’s tools or team misclassified several users, prepare a revised count. For example, “We have reviewed the 50 users SAP listed as Professional in system A. Of these, 20 are actually read-only accounts that should be categorized under the Employee license. Attached is a breakdown of these users and their roles to support this reclassification.” By doing this, you potentially eliminate that apparent shortfall of 20 Professional licenses.
- Provide usage context: Sometimes numbers alone don’t tell the full story. If SAP flagged certain usage as indirect access or as needing a higher license, explain how that usage is actually covered or not relevant. For instance, “The high volume of IDoc transactions is due to an internal interface between two SAP systems we are fully licensed for, not a third-party application.” This differentiates legitimate use from what SAP might have assumed was unlicensed third-party access.
- Negotiate definitions if needed: SAP’s standard definitions might not perfectly fit your scenario. If the contract language is ambiguous (for example, what constitutes a “professional” versus a “limited professional” user), now is the time to discuss it. You may need to refer to your contract or prior communications to ensure the interpretation is in your favor, where possible.
- Keep it formal and documented: All clarifications should be given in writing (even if discussed in a meeting, follow up with an email or letter summarizing your position on each point). This creates a record of your challenge to certain findings and the reasons behind it.
During this process, SAP may revise its findings based on your input. There could be back-and-forth over a few weeks. The goal for both sides is to reach a mutually agreed-upon understanding of any license deficit or confirm compliance. Remember, until the final report is issued, nothing is set in stone. A collaborative yet firm approach here can significantly reduce what initially appeared to be a substantial compliance gap in the first report.
Step 7: Negotiation and Settlement
Once clarifications are done, SAP will deliver a final audit report or compliance statement.
This will state whether you are compliant or, more likely, list any shortfall (e.g., “X number of additional licenses required” or “these engines are overused by Y amount”). At this point, SAP will typically expect you to address any shortfall, which often means purchasing additional licenses or adjusting your license agreements.
However, this stage should be viewed as a negotiation, not a simple transaction or punishment.
Key considerations for the negotiation/closure phase:
- Remember your leverage: An audit finding is not a legal fine; it’s a contract compliance issue. You usually have options for resolving it. SAP, being a vendor, is often open to a commercial resolution – especially if you’re a valuable customer or in the middle of other deal discussions. Treat the “required licenses” as the starting point for negotiation.
- Explore alternatives: If the audit reveals, for example, a need for 100 additional Professional user licenses or a new type of license (such as indirect access documents), consider negotiating a different approach. For example, SAP offers programs like the Digital Access Adoption Program (for document-based licensing of indirect use). You might consider negotiating a move to this model instead of purchasing classic users if it proves more cost-effective in the long term. Alternatively, if you were planning an upgrade or purchase (e.g., migrating to S/4HANA or acquiring cloud products), you could incorporate the audit true-up into that deal, potentially securing a better discount or terms.
- Bundle with renewals or projects: A smart strategy is to align audit settlements with upcoming renewals or expansions. CIOs often use the audit findings as an argument to secure a budget for a broader upgrade that includes the necessary licenses or to renegotiate the entire contract. SAP sales teams are often willing to waive or reduce back-maintenance fees or offer discounts if the customer commits to new products or a multi-year renewal as part of the settlement.
- Validate SAP’s calculations: Before agreeing to anything, double-check the final numbers one more time. If you do purchase licenses, make sure you’re only buying for real, unavoidable gaps. If you successfully reclassified users or proved some usage was out of scope, those should have been removed from the final count. Do not pay for “fuzzy” shortfalls. It can be helpful to prepare your own calculation of what you believe you owe, based on the clarified data, and use that in discussions.
- Maintain a united front: In negotiations, involve your procurement, legal, and executive stakeholders as needed. If the amounts are large, this becomes a commercial negotiation like any other major purchase. Don’t let it be framed purely as a compliance penalty; it’s ultimately about acquiring the right licenses to meet your business needs. You may consider negotiating payment terms or phased purchases, especially if the compliance gap is costly.
Outcome: The negotiation ends in either purchasing the necessary licenses (and possibly paying back maintenance on them) or reaching an alternative agreement with SAP.
Once both sides agree, SAP will close the audit, and you’ll typically sign some paperwork or get an official compliance certificate/letter. Make sure any special terms of the settlement (like credits, deadlines to deploy new licenses, or exceptions granted) are documented in writing.
Step 8: Post-Audit Controls and Internal Governance
With the audit officially closed, take the opportunity to strengthen your software asset management and avoid future pain. An audit’s end isn’t just an end – it’s the beginning of better license governance.
Here are the post-audit best practices:
- Document the results: Archive the final audit report, the compliance letter, and any license purchase agreements resulting from the audit. Summarize for internal reference what was found and how it was resolved. This is invaluable history that can inform your team for the next audit (e.g., “last audit we were short on 50 Professional users due to X; we resolved by doing Y.”).
- Update your license inventory: Adjust your records to reflect any new licenses purchased or any reclassifications that have been made. Ensure your internal license entitlement database now matches what SAP recognizes. If you negotiated any special terms (like a temporary allowance or a conversion of certain licenses), note the details and expiration if any.
- Process improvements: Conduct a lessons-learned meeting with your team to share insights and best practices. Identify what changes are needed to prevent similar findings. For example, if you discovered that many inactive users were still in the system, consider instituting a quarterly user review process; if certain engines were overused, set up internal alerts or procedures to monitor those metrics more regularly.
- Regular self-audits: Don’t wait for SAP to audit you again. Schedule periodic (e.g., quarterly or semi-annual) internal license compliance checks using USMM/LAW. Many companies treat licensing as an ongoing discipline – by running mini-audits in advance, you can catch and correct issues proactively. This means next time SAP sends a notice, you’ll already have recent data and confidence in your compliance position.
- Training and Awareness: Ensure administrators and new project teams understand the impact of licenses. For instance, if new systems are added or new users onboarded, incorporate license assignment review into that process. The people who create user accounts or configure systems should be aware of licensing rules so they don’t inadvertently create compliance gaps (like assigning everyone a Professional license by default when some only need Limited access).
- Monitor indirect use and new SAP policies: The compliance landscape is constantly evolving. Keep an eye on SAP licensing changes (e.g., new rules for indirect digital access, new measurement tools, etc.). Assign someone to be responsible for staying up-to-date and adjusting internal practices accordingly.
By fortifying your internal controls, you transform the audit experience from a reactive fire drill to a manageable, routine compliance check. The goal is to have no surprises the next time SAP’s audit team comes around.
Enhanced vs. Basic SAP Audits
Not all SAP audits are created equal. SAP generally conducts a basic audit for most customers; however, if they suspect something or you’re a large, complex customer, they may perform an enhanced audit.
It’s important to know the difference and your rights in each scenario:
- Basic Audit (Standard): In a basic audit, you perform the standard self-measurement (USMM/LAW) and submit the data. SAP’s role is primarily to review the information you provided and verify compliance. They typically trust but verify the data – if everything looks in order and within entitlement, the audit may close with minimal fuss (you might not even get a formal “all clear,” just no further action). If there’s an obvious shortfall, they’ll inform you and usually issue a request to purchase the deficit. Basic audits are largely data-driven and remote, and are the default annual or bi-annual checks as per contract.
- Enhanced Audit (Deep Dive): An enhanced audit is triggered by red flags – perhaps the data you submitted suggests significant under-licensing or unusual usage patterns, or sometimes purely at random, for a thorough check. In an enhanced audit, SAP auditors will request a greater level of detail. They may provide special scripts or require you to apply certain SAP Notes to collect additional data that USMM/LAW doesn’t capture (for example, user authorization details, transaction logs, or specific engine usage reports). They might scrutinize indirect usage by analyzing integration logs or using their “Passport” technology to trace external connections. In extreme cases, SAP may request on-site audits or remote sessions where they guide the data extraction. Enhanced audits involve more senior SAP compliance experts and often involve your SAP account executive, because the findings can lead to a larger sales discussion (upsell or contract restructuring).
What to do if facing an enhanced audit: Always check your contract to see what SAP is entitled to request. You are obligated to assist in an audit, but only within the agreed scope. For instance, if SAP asks for something like admin-level access to your systems or data beyond license metrics, you have the right to question it. It’s prudent to involve legal or third-party licensing advisors when an audit escalates to this level.
Also, anticipate that an enhanced audit will likely lead to a negotiation (SAP might prefer to offer you a new licensing deal rather than a simple invoice). Stay skeptical of any “findings” from custom scripts until you validate them yourself – these tools can be crude and sometimes flag usage that isn’t truly non-compliant. Approach an enhanced audit with the highest level of preparation and scrutiny, as the stakes are typically higher.
In summary, a basic audit is a simpler, check-the-box process, while an enhanced audit is a more in-depth investigation.
In both cases, preparation and understanding your contracts are key, but with enhanced audits, you must be even more vigilant and possibly defensive about extraneous data requests.
Timeline Snapshot – Weeks 0 to 16
Every audit’s timeline can vary, but here’s a typical sequence from kickoff to closure to help you anticipate the flow:
- Week 0: Audit Notification Arrives – The clock starts. SAP sends the formal notice (Day 1 of the audit). You acknowledge receipt and clarify the scope within the first few days. Internal planning begins immediately.
- Weeks 1–4: Internal Prep and Cleanup – During the first month, your team gathers system information, cleans up user accounts, aligns data, and essentially lays the groundwork (as described in Step 2). You may also apply any required SAP Notes for measurement during this time, ensuring the tools are up to date.
- Weeks 4–6: Measurement and Internal Review – Toward the end of the first month or into the second, you run USMM on all systems, then LAW consolidation. You spend time in this window reviewing the LAW results, fixing any issues, and rerunning if necessary. By week 6 (give or take), you will be ready to submit your data.
- Weeks 6–10: Submission and SAP Analysis – You submit the LAW report around week 6 or 7. SAP’s GLAC team takes a few weeks to analyze the data. During this period, they may come back with a few quick questions or requests for clarification, or they might simply work internally. You likely hear initial feedback by roughly week 10.
- Weeks 10–14: Clarifications & Negotiation – Around weeks 10–11, SAP delivers the preliminary findings. You then engage in clarification discussions, providing additional info or disputing points as needed. This could involve multiple exchanges. By week 12 or 13, the scope of any compliance gap is clearer, and you begin negotiations on how to resolve it. This negotiation may extend into week 14 or a bit beyond, depending on its complexity and how quickly you reach an agreement.
- Weeks 14–16: Closure – Ideally by week 14 to 16, you and SAP finalize the outcome. You sign any paperwork for additional licenses or contract adjustments. SAP issues a final audit report or compliance certificate. The audit is officially closed around this time (roughly 3 to 4 months after the start).
Note: This timeline is a generalized example. Some audits conclude much faster (especially if you’re fully compliant – it might wrap up by week 8 with minimal fuss).
Others can drag longer (complex negotiations or enhanced audits could push the timeline to 6 months or more). However, as a general rule of thumb, planning for a 3–4 month process is advisable, allowing you to allocate resources and attention accordingly.
Common Mistakes to Avoid
Even experienced SAP customers can stumble during audits.
Here are common pitfalls and how to avoid them:
- Skipping the internal pre-audit: A major mistake is running the USMM/LAW tools and sending the results to SAP without first doing an internal review and cleanup. This “blind” submission often hands SAP a loaded gun – the data may include obvious compliance issues you could have fixed. Always do your own audit and corrections first.
- Oversharing data beyond scope: Some teams, out of an abundance of transparency, submit more data than SAP asked for – for example, including every system (even those not in scope) or detailed user listings for each license type. The more data SAP has, the more they can probe. Stick to what is required. Provide additional details only when necessary to clarify a point. Don’t volunteer information that could open new audit threads.
- Accepting SAP’s classifications at face value: SAP’s measurement tools might suggest a user needs a higher license type or that certain access counts as indirect use. Many simply accept these as facts. Challenge and verify these classifications. Often, you can argue for a different classification if you have a rationale. Failing to do so can mean paying for expensive licenses you don’t truly need.
- Not aligning results to contract terms: The LAW report is just a list of numbers. The critical mistake is not mapping those numbers to your specific contract entitlements. For instance, your contract might allow for a spare buffer or include specific user definitions. If you don’t align the measured usage with the exact contract language and license counts, you might miss opportunities to contest SAP’s interpretation. Always interpret audit results in the context of your contracts and seek clarification on any terms that are unclear.
- Last-minute rush and lack of documentation: Panicking as the deadline looms and sending data without thorough checks, or negotiating verbally without written confirmation, can hurt you. Avoid the fire drill approach. Start prep early when the notice arrives. And document every step, communication, and decision. A clear paper trail can save you if there’s any dispute later on.
Avoiding these mistakes largely comes down to preparation, diligence, and a healthy dose of skepticism. Don’t treat the audit as a routine task to rush through – treat it as a project that needs careful management.
SAP Audit Checklist for CIOs
To ensure you stay in control, use this high-level checklist of audit process “control points”:
- Acknowledge and Clarify Scope: As soon as the audit notice comes, formally acknowledge it and confirm what’s in scope (systems, modules, timeline). Never proceed without a mutual understanding of what will be audited.
- Mobilize Internal Team: Assign an audit lead (if not yourself) and involve IT, compliance, and procurement stakeholders. Mark the key deadlines. Treat this as a priority project with executive visibility.
- Internal Audit and Cleanup: Run an internal license audit before SAP’s audit. Clean up user accounts, double-check classifications, and ensure data quality. Simulate the audit by running USMM/LAW internally to ensure you are aware of your status.
- Validate Against Entitlements: Compare your internal audit results with what you’ve purchased. If you find gaps, strategize how to address them (true-up now, reclassify users, archive data, etc.). The goal is to enter the SAP audit with no unpleasant surprises.
- Controlled Data Submission: Only submit the required consolidated data and forms. Exclude anything out of scope. Keep copies of everything. Ensure that a responsible person reviews the package before it is sent out.
- Thorough Review of SAP Findings: When SAP responds with their findings, examine every detail. Bring in your SAP contract to verify terms against their claims. Don’t hesitate to push back on discrepancies or request clarification of how SAP calculated something.
- Engage in Negotiation Mode: If there’s a shortfall, plan your negotiation. Know what additional licenses would cost vs. what alternative arrangements you might prefer. Involve procurement/legal to help frame your counter-offers or requests (e.g., special programs, discounts, phasing).
- Document Everything: Keep a log of communications, decisions, data versions, and outcomes. If SAP makes any concessions or agreements during discussions, ensure they are documented in writing (email is acceptable). This protects you in case personnel change or memories fade by the next audit.
- Close and Learn: After settlement, formally close the loop with SAP (get a confirmation of compliance). Then conduct an internal debrief to improve processes and prevent the recurrence of any issues found. Update internal documentation and maybe create a playbook for future audits.
This checklist can serve as a quick reference for busy CIOs and IT leaders to ensure nothing critical is overlooked. Each step above presents an opportunity to steer the audit in your favor, rather than simply reacting to SAP.