Are SAP audits completely transparent and easy to follow? The short answer is no, simply because SAP’s licensing models are as complex as their products. After organizations spend years implementing SAP products, they believe they’re done, until they receive an audit notification letter from SAP, sent to uncover any intentional or inadvertent software sprawl within the organization. Much like other software vendor audits, the goal is to recover lost revenues.
Usually, each software vendor has its own auditing methodology, and SAP is no exception. Compound these unique auditing methodologies that are difficult to follow with highly complex IT environments, and it’s no wonder many customers tend to miss key information when they acquire SAP software and end up using more licenses than they originally paid for. This combination of miscommunication between SAP and its customers, lack of knowledge on how software licensing works, along with the inherent complexities of their IT environments and SAP contracts, drastically increases the odds of software over-deployments or failing an audit.
At Connor Consulting, we have extensive experience in Software Advisory and SAP Auditing with seasoned leaders who have conducted hundreds of license assessments and have established effective software asset management (SAM) programs for Fortune 500 companies. Based on our deep knowledge and a proven track record, we’ve compiled a list of leading practices you need in your toolkit to pass an SAP License Audit.
1. Keep track of everything you agreed to in writing with SAP
This goes without saying, but in comparison to other IT supplier agreements, SAP contracts can be very complex, and the extensive use of legal jargon makes them difficult to understand and translate for software tracking purposes; however, you need to be in control of your license purchases at all times and keep a record of any custom licensing models or metrics.
Make sure to keep track of all contracts and order forms. You can create an SAP vendor risk matrix, where you inventory your active licensing agreements, detailing key dates, products, and metrics, and highlighting any high-risk contract provisions (e.g., audit and/or M&A clause). If you are missing any, don’t hesitate to contact SAP and request your copy. It’s always better to be prepared; otherwise, you will regret it when SAP issues the proverbial audit letter to your CIO. Also, never rely on SAP or its audit agent to provide you with the correct license entitlements during a review. It’s imperative that you always double-check those figures to minimize any potential non-compliance and/or the need for future software purchases.
2. Make sure you are always able to collect the metrics agreed with SAP
SAP products cover a wide range of industries and business functions. So naturally, there’s also a great variation in the metrics used to measure consumption. Hence, to understand your license consumption, you need to be aware of your specific metrics, which aren’t always spelled out clearly in purchase documents or software contracts.
To achieve that, one common method is to perform a license verification by running the transaction codes “USMM” and “SLAW.” These are the measurement tools offered by SAP, native to the applications; however, in most cases, this information will not be enough. There might be metrics customized for your business that cannot be measured automatically or systematically. For example, “annual sales revenue,” the “number of local stores in your distribution chain,” or, if you are a hotel chain, the “number of beds” can be a license metric.
Getting all of this data for an audit can be very time-consuming and may involve multiple departments within your organization. As such, you might want to have a repeatable process for collecting this information periodically or as part of your regular software asset management operations. Remember, SAP will have you fill in a self-declaration form for all of your licensed metrics, and your responses are expected to be both timely and accurate. If there are holes or figures that raise “red flags,” it could warrant further audit inquiries and prove to be very costly for your organization.
3. Never delete an inactive user from the system
SAP, through the usage data you are required to send during an audit, will also see a report of all the users that have been deleted from the system. Of course, user accounts deleted prior to the audit will be a contentious point for SAP due to the way they license their software in customer agreements. SAP employs a “named user” licensing model, which means you cannot have multiple persons using the same account.
There are different types of “named user” licenses, from the Professional User, which is the most expensive license, to Employee or Employee Self-Service, which are the most basic and relatively inexpensive license types.
Based on your contract terms, it’s your SAP administrator’s responsibility to assign the correct license type to the people in your organization. Furthermore, you always need to control the number of users, their license types and their roles so that they stay within contractual limits. When SAP performs an audit, they investigate all users created in the system and their assigned license type. It doesn’t matter whether they are active or not. As a result, you might end up paying additional license fees even for users that are no longer your employees. Ongoing tracking and maintenance of SAP user accounts are essential SAM-related tasks that can help reduce licensing fees and optimize your SAP user environment.
The best approach here is to not delete inactive users, but instead, lock their user ID, set an end date and remove their assigned roles. As an extra measure of caution or audit risk mitigation, you can also move all locked user accounts to a user group created for “Expired” or “Terminated” users.
4. Beware of huge indirect access charges
Indirect usage of your SAP software requires additional licensing and you may not even be aware of it. Indirect access happens when third-party applications connect to SAP ERP and extract or modify information in the database. SAP will investigate those and will charge a lot of money for improper licensing.
The issue with tracking your indirect usage internally is that it’s a time-consuming process and you need to understand SAP’s indirect access rules before performing any sort of internal mock audit. In addition, you run the risk of double-counting users who already have an SAP license assigned for direct usage.
Your best option is to use the available inventory tools. They are not free, but they will save you precious time and minimize the number of data errors. If you’re looking for free tools, SAP has recently released a tool that aims to support customers in analyzing their indirect usage. Unfortunately, as per SAP’s release notes, it’s still under development and doesn’t offer many useful features for customers now.
Much more useful than SAP’s utilities are third-party inventory tools. They work by searching for any type of document exchanged by external applications with the SAP system (e.g., sales documents, purchase documents, material documents, etc.). Additionally, SAP access via any other technical interface such as “RFC,” “BAPI,” or “IDocs” will be identified. The results will indicate whether there is any risk for indirect access, as well as any license gap between SAP usage and contractual entitlements.
5. Make sure you correctly uninstall SAP software
Improper uninstallation of software leaves traces that can be misinterpreted by SAP. As such, if there are any historical installation traces identified on your production or development systems, SAP might consider the product still in use and will assess a fee for those licenses. On a regular basis, make sure that you perform system maintenance as part of your normal SAM operations to keep your SAP environment clean.
An effective way to do that is to periodically simulate an audit to detect false positives or remnants of prior installs and plan how to deal with them. As mentioned above, you can generate your software usage report by using SAP transaction codes like “USMM” and “SLAW” or run certified inventory tools. Based on the usage report, you will be able to identify those metric IDs that are no longer relevant, and which might indicate an old installation of the engine.
However, the best thing you can do is to have a process for correctly uninstalling your software. All the steps for a correct uninstallation can be found on SAP’s support portal and can be accessed with your customer credentials.
SAP audits are among the most nerve-wracking and frustrating vendor audits because of the complexity of their licensing models, their large product portfolio, customized software metrics, and the list can go on; however, if you follow these five (5) best practices, you will have a better chance to successfully pass an SAP audit and may even have an opportunity to optimize your licensing environment.
If you’re interested in learning more about SAP audit defense leading practices and how your company would perform during an SAP audit, contact us to schedule a free high-level SAP license assessment today.