Navigating the SAP Licensing Audit Maze: Understanding Basic and Enhanced Software Licensing Audits
Mark Thaver
CEO and Founder Licensing Data Solutions | Ex-Deloitte Software Licensing Auditor | Ex-SAM Manager (Bloomberg and AXA)
In the dynamic landscape of SAP licensing, maintaining compliance and ensuring licensing precision are paramount for organizations. The intricacies of SAP audits can be daunting; thus, understanding the various types of SAP audits becomes crucial. In this blog post, we will demystify this complex subject by delving into the two main types of SAP audits: the basic audit and the enhanced audit, along with their underlying mechanisms.
Types of SAP Software Licensing Audits
SAP Basic Audit
Often referred to as the standard annual audit, the basic audit is a typical audit carried out for most customers. In this process, customers annually provide SAP with information about their license deployment, for example, SLAW, LMBI, etc. The main goal of this type of audit is to evaluate whether the customer's use of SAP's software aligns with their licensing policies and agreements. For more details, please refer to the contractual clause provided below.
2.4. Verification
2.4.1. SAP may audit (at least once annually) Customer's usage of SAP Materials. SAP’s standard audits are performed remotely but may be at Customer's site. Customer shall cooperate reasonably with audits. Customer can conduct the measurement itself using the unaltered tools and self-declaration forms provided by SAP for that purpose. The self-declaration form is to be completed independently of technical measurement. The result of the measurement is to be transmitted online via the interfaces from Customer’s system(s) to SAP, or in a machine-readable format according to instruction provided by SAP.
2.4.2. If an audit reveals that: a) Customer underpaid license fees or SAP Support fees (or both); or b) Customer Used Software in excess of the license quantities or levels stated in an Order Form, then Customer shall pay such underpaid fees or for such excess usage based on the SAP price list in effect at the time of the audit. Customer shall execute an additional Order Form to license additional quantities or levels.
2.4.3. If audit results indicate usage in excess of the licensed quantities or levels then reasonable costs of SAP's audit shall be paid by Customer, if any. SAP reserves all rights at law and equity with respect to both Customer's underpayment of license fees or SAP Support fees and usage in excess of the license quantities or levels.
Source: General Terms and Conditions for SAP Software and Support enUS.v.4-2022
During a basic audit, SAP will typically perform the following activities:
Data Collection: The SAP audit team gathers and scrutinizes data related to software usage (SLAW2, LMBI), user access, and license entitlements.
Basic, Non-Intrusive Compliance Assessment: The basic audit ensures that organizations are employing SAP software within the boundary of their purchased licenses. Auditors compare actual usage with license entitlements to detect any mismatches. As they only ask for a fraction of deployment data like SLAW, etc., and not the underlying transaction level details or tables, they can only perform a high-level check for license allocation.
Licensing Final Communication: The audit confirms the licensing contracts and verifies that the organization complies with SAP's stipulated terms and conditions.
SAP conducts a basic audit of its vast customer base of over 425,000 customers. However, it is not practical for them to assess compliance for every individual customer in detail. As a result, they prioritize and closely examine a select percentage of these customers. A common misconception among customers is that they are in compliance with SAP licensing simply because they have been submitting deployment information to SAP annually. This is a myth. In reality, SAP may not yet have had the opportunity to delve into their environment in detail. This is why SAP offers an enhanced audit, which is specifically designed to scrutinize customers' environments more closely based on their unique terms and conditions.
This misunderstanding can result in huge fines and back penalties worth millions of dollars. Therefore, it is important for customers to understand that submitting deployment information to SAP as part of their basic audit does not guarantee compliance.
SAP Enhanced Audit - “Danger, Will Robinson”:
The enhanced audit is a more comprehensive and detailed audit process compared to the basic audit. It is conducted for selected customers.
The enhanced audit encompasses the following key elements:
Scope and Depth: The enhanced audit goes way beyond basic assessment, focusing on a deeper analysis of system usage, license entitlements, system integrations, and other relevant reports.
Remote and On-site Activities: The audit may involve a combination of remote and on-site activities. Auditors conduct interviews, review landscape diagrams, and analyze technical configurations in detail. They may also visit the organization’s premises to conduct further assessments and gather additional evidence.
Compliance Evaluation: The primary objective of the enhanced audit is to thoroughly evaluate an organization’s compliance with SAP’s licensing terms. Auditors assess the organization’s license usage, measure the effectiveness of controls, and identify any potential licensing risks or discrepancies.
Technical Analysis: The enhanced audit may include a detailed technical analysis of system configurations, interfaces, and integrations with third-party systems. This analysis helps auditors understand the organization's software landscape and determine any areas of non-compliance or indirect access risks.
Final Communication: Comprehensive audit results, supported by intricate system data, often reveal findings that result in substantial penalties, commonly within the 7-8 figure range. SAP commonly uses these staggering figures as a strategic tool to compel customers into purchasing additional cloud-based products such as S/4 HANA or RISE.
Key Differences and Considerations:
To better comprehend the different types of SAP audits, let's compare the basic audit and the enhanced audit in more detail:
Scope and Target Audience: The basic audit is typically carried out for most end users and is akin to a routine yearly physical check-up with a doctor. On the other hand, an enhanced audit can be compared to scheduling a specialized procedure like a colonoscopy, which is more thorough, is conducted based on specific needs or conditions, and is far more painful.
Data Collection Methods: Both audits involve data collection, but the enhanced audit often requires more extensive data gathering and analysis due to the broader scope of the evaluation. SAP will ask for 15 or more detailed transaction table exports like AGR_USER, VBAK, EKKO, etc.
Remote vs. On-site Activities: The basic audit is typically conducted remotely, while the enhanced audit may include on-site visits, screen sharing, and detailed interviews to gather additional evidence.
Compliance Exposures and Back Penalties: We have seen much greater compliance exposure, in the 7- or 8-figure range, from enhanced audits, especially due to Indirect Access/Digital Access and HANA Runtime being included in the scope.
Guidelines for SAP Audit Readiness:
In order to be well-prepared for SAP audits, businesses should consider the following best practices:
License Entitlement Record Management: Keep a meticulous record of license entitlements. This should encompass the number of licenses acquired through all amendments, the corresponding license metrics, and any adjustments or enhancements to the agreement. If your internal team doesn't possess the necessary skills to extract and consolidate all amendments into an entitlement register, consider engaging an external firm like LDS.
Evaluation of Compliance (Mock Audit), Then Optimize/Clean Up: Conduct a demand/consumption analysis (Enterprise License Position), also known as a mock audit, in line with SAP's methodologies, tools, and interpretation to verify conformity with SAP's licensing policies, terms, and conditions. Keep up to date with any changes in licensing models or agreements that could influence your business. If your internal team lacks these capabilities, contemplate employing a third-party service like LDS, which has the benefit of using ex-auditors who can emulate SAP's audit methods and interpretation.
Review of Indirect/Digital Access: Comprehend and record integrations with external systems to evaluate potential Digital Access/indirect access risks. Undertake a measurable analysis and proactively develop a strategy to optimize or reconcile any indirect access risk.
Development of Internal Controls and Procedures: Create strong internal controls and procedures for software provisioning, installation, and consumption to ensure compliance with SAP's licensing policies. Clearly define roles and responsibilities, enforce licensing controls, and conduct routine audits to identify and rectify compliance issues.
Conclusion:
Grasping the variety of SAP audits is critical for organizations. This knowledge enables a prompt action plan, suitable team mobilization, and a robust defensive strategy. The basic audit measures compliance with SAP's licensing policies and typically reveals medium-scale findings, whereas the enhanced audit provides a more detailed assessment for selected customers, often uncovering significant compliance findings and back-usage fines running into millions of dollars, and usually ends up at the CFO/CIO level. By adhering to the suggested audit preparation techniques and leveraging the specialized expertise of Licensing Data Solutions (LDS), organizations can navigate the complex world of SAP audits with confidence, leveling the playing field and reducing compliance exposure.
To learn more, or to discuss your organization's specific needs, feel free to contact us at [email protected].