SoftwareOne logo

6.53 min to readSAP ServicesPublisher Advisory Services

SAP audit practices – everything you should know to be in control

SoftwareOne blog editorial team
Blog Editorial Team
A mountain range with a pink sky in the background.

An SAP license audit is a yearly formal process that end users are contractually obliged to undergo, where they are expected to demonstrate that the number of licenses purchased matches the number of licenses installed and used. The main purpose of the audit is to protect the intellectual property rights of SAP, but also to compensate SAP in case its products are overused.

This article provides an overview of the SAP audit process, including information about the SAP audit team (GLAC) and the SAP audit types.

SAP audit team - Global License Auditing and Compliance team (GLAC)

In 2018, SAP established a new team known as Global License Auditing and Compliance team. This team includes the former Global License Auditing and Services team (essentially, license auditors and measurement experts) with license compliance managers and executives, and a newly appointed team of Supplementary Audit Support Experts (SAS Experts).

  • License auditors and measurement experts (LAW, USMM, Engines) are based in three locations: Ireland, China and India. The scope of their work is defined by what SAP refers to as ‘Market Units’, these being the various geographical business regions identified by SAP, and the language support available at a given SAP site. For example, French and Spanish customers are audited by SAP experts based in Ireland, Australian customers are audited by SAP China, etc.
  • License compliance managers and executives and SAS experts are based in customers’ locations. In Sweden, for example, SAP has a license compliance manager and SAS expert that supports the Scandinavian customers.

When talking about the GLAC team members, we should not forget about the license audit business team based in Waldorf, Germany (SAP headquarters). This team is responsible for the auditing procedure, the structures, and the technical development of measurement tools.

SAP audit types

SAP differentiates between two types of audits, as described below:

  • Basic audit (sometimes referred to as ‘’standard audit’’, addressed to most end users)
  • Enhanced audit (performed remotely and/or onsite, addressed to selected customers)

Basic audit

The basic audit is conducted by the license auditors located in Ireland, China or India. These auditors collaborate strongly with a given license compliance manager who is responsible for ensuring that the audit activities correspond with SAP’s procedure and directives. The number of basic audits undertaken is subject to SAP’s yearly planning, and it is worth noting that not all customers are audited annually. Rather, the license compliance managers, together with auditors and experts from the audit business team, target selected customers (e.g., large enterprises; customers who have purchased new products; customers who are classified as ‘’high risk’’ as a consequence of a previous audit). Nevertheless, be aware that a first license audit will usually take place not later than two years after signing a contract with SAP (unless specified differently in the contractual agreement). After the first audit, subsequent audits should occur annually, though again, this is subject to the available SAP resources.

The whole auditing process starts with a Measurement Request Email sent to the customer by the license auditor. This email is addressed to the contact person within the organization that is responsible for auditing activities. This communication contains the following information.

    Prior to the submission deadline, the SAP auditors will contact the end users repeatedly in order to check the status of the measurement, and to remind them about the deadline. The measurements can be sent directly from the tools to SAP, or as email attachments formatted according to SAP requirements.

    The auditors are responsible for evaluating the measurement results by performing:

    • Analysis of the system landscape to make sure that all relevant systems (production and development) were measured. Systems that are not relevant for the measurement are java based, portals, dual stack, no longer used but not maintained properly on SAP Support Portal, test and training systems.
    • Technical verification of the USMM log files: correctness of the client, price list selection, user types, dialog users vs. technical users, background jobs, installed components, etc.
    • Technical verification of the LAW: users’ combination and their count, etc.
    • Analysis of engine measurement – verification of the SAP Notes
    • Additional verification of expired users, multiple logons, late logons, workbench development activities, etc.
    • Verification of Self Declaration Products, HANA measurement and Business ObjectIf measurement errors are identified, the SAP auditor will contact the customer by email in order to request corrections. In this scenario, the deadline is usually extended by a week, so that the measurement can be updated.

    The license auditors work closely with SAP license compliance managers to compare the measured figures with the contractual license entitlement. It is essential that customers understand their SAP contracts, since these can be quite complicated, and it can work to the disadvantage of the organization. Otherwise, how can one understand how SAP has evaluated the measurement and if the evaluation was performed correctly?

    After the measurements have been received and evaluated by the SAP GLAC team, a Closure Notification Email is sent to the customer. This communication confirms that the audit was finalized and specifies if any compliance gaps have been identified. If there is a compliance gap, the SAP license compliance manager will personally engage with the end user. Typically, the license compliance manager will invite to consider an “additional purchase proposal”.

    In some situations, the license compliance manager may also request to execute additional measurement checks. These checks may be performed by the end user independently, or they may be performed by the SAP supplementary audit services experts. Either way, the additional checks are likely to include complex technical verifications like:

    • OpenHub measurement
    • Single Sign On
    • Multiple logons
    • Expired Users
    • Late Logons
    • Workbench Development Activities
    • System Data Extracts: Users’ last logon date, password change, etc.
    • Order table extracts

    These checks can expose further compliance gaps, triggering another (potentially costly) “additional purchase proposal”.

    Enhanced audit

    The enhanced audits are expert led, meaning that standard auditors are not usually involved. These audits are being led by license compliance managers, compliance team executives, and SAS experts. At the beginning, the scope of the audit is made clear to the end user. As a standard, enhanced audits include all checks required to complete a basic audit, plus the additional measurements required from the customers found to be non-compliant in a basic audit (as listed above). In addition, the enhanced audit incorporates a unique indirect access usage measurement.

    An enhanced audit will involve SAP performing some checks remotely by logging into an end user’s systems and/or onsite. When SAP auditors come onsite, this is specifically to research the levels of indirect access usage. In order to verify this, SAP will check the following:

    • interactions between SAP and non-SAP systems
    • data flow direction
    • details of how data is transferred between systems/users (EDI, iDoc, etc)

    After the data is verified and evaluated, a report with the results is created. Again, a “Closure Notification Email” is sent, which may or may not indicate a compliance gap. In the event of a compliance gap, the SAP license compliance manager will present an “additional purchase proposal” based on the audit findings. At this point, an SAP sales executive may also be involved in the discussions, even though sales executives are nowadays formally excluded from the auditing process (prior to 2018 and the advent of GLAC, sales executives were heavily involved in the audit). However, sales executives continue to be the primary owners of the commercial customer relationship. Accordingly, when it comes to signing a new deal, they collaborate with the license compliance team in order to resolve the license compliance risk.

    An abstract background with blue and green lines.

    Get in touch

    It is important to seek the support of independent expertise when confronted with an SAP audit. By working with professionals who have specific knowledge, organizations can minimize potential cost implications arising from such audit. Our experts who thoroughly understand SAP procedures, including measurement logic and legal aspects of SAP contacts, support customers to achieve substantial cost savings and avoid non-compliance situations. If you’re in need of specialized SAP knowledge, don’t hesitate to reach out to us!

    Meet the SAP licensing experts

    Get in touch

    It is important to seek the support of independent expertise when confronted with an SAP audit. By working with professionals who have specific knowledge, organizations can minimize potential cost implications arising from such audit. Our experts who thoroughly understand SAP procedures, including measurement logic and legal aspects of SAP contacts, support customers to achieve substantial cost savings and avoid non-compliance situations. If you’re in need of specialized SAP knowledge, don’t hesitate to reach out to us!

    Author

    SoftwareOne blog editorial team

    Blog Editorial Team

    We analyze the latest IT trends and industry-relevant innovations to keep you up-to-date with the latest technology.

    Related articles