What are SAP license audits?
There are two types of audit that SAP run: Basic (Self-Measurement) and Enhanced (Onsite). SAP audit most of their customers on license compliance annually with a Basic Audit, which has a limited and well-defined scope. These audits tend to occur in the first half of the year, so that they are finished before the end of SAP’s financial year in December.
The Basic Audit is usually co-operative and involves you submitting reports using SAP’s tools (LAW – License Administration Workbench) and, for products not measured by SAP’s tools, submitting self-declarations of the usage levels. SAP may probe further into the results if they are not completely satisfied that your organisation is compliant based on the information provided, which we see happening much more regularly.
The Enhanced audit is far more in-depth and digs deeper into the numbers submitted by LAW and the self-declaration to ensure that it is measured correctly. It also tends to cover the full scope of your products. Often an onsite visit is required to go over details and speak with various people in your organisation. SAP tend to perform these audits where they have a strong suspicion that you are not compliant. Perhaps something surfaced during your Basic Audit, or maybe publicly available information highlights a potential non-compliance.
It is important to note that there is no built-in mechanism to prevent over-usage. Technically, your administrators can implement and use any SAP product without first purchasing a license and often without even downloading a license key. This can be very dangerous for your software licensing.
What do SAP audit?
The key areas SAP audit are Named Users, Packages, Self-Declaration, and Additional Products. Named Users are people who require a license for using your SAP system as part of their job. Packages are the licensable software components that your users would access or use. Self-Declaration products are Packages which cannot be measured by SAP’s tools. Additional Products are those not usually covered in the standard Basic Audit, such as BusinessObjects, Indirect/Digital Access, and Sybase.
The Named User results are included in the LAW report. The users across your systems are consolidated and deduplicated to ensure that only 1 user is counted, not 1 user per system. The main Named User types are cumulative i.e. the rights in a Limited Professional license are included in the higher Professional license. Some licenses do not fall into this hierarchy, meaning users may need more than one license assigned to them. The user license assignment process does not allow customers to easily determine and assign these licenses, so a detailed review is a must.
The measurement for Named Users is based on the license assignments an administrator has made, and not automatically determined by the system based on assigned authorisations or actual use (S/4HANA introduces new methods, however). A user may require a Professional license based on their use, but the administrator has assigned them a cheaper Employee user license, which means that there is a hidden compliance gap. The same could be said vice versa, leaving an opportunity to optimise your user estate. In a Basic Audit this point is not delved into too deeply, but it is during an Enhanced Audit. If you are not certain whether your user estate has been assigned correctly, it is a big risk area for your organisation and could result in large license purchases.
To ensure that your users and licenses are aligned, JNC can review what authorisations a user has been assigned. Once this is mapped out, we can compare this against the contractual requirements for each Named User license you own and provide recommendations on how to optimise. Actual use statistics, for example frequency or duration of access, can also play a role in license assignment depending on your contract. This means there may be further room for optimisation.
Package measurements are consolidated across systems. For some Packages it is easy to see what you are using from the LAW report, but this is not the case for all. SAP do not have an accurate way to measure the usage of many Packages, and results could merely indicate that the software is in use, not the number of licenses that are consumed. This could be for several reasons: the metric you have purchased is not the one that is measured, the measurement does not accurately calculate the usage for all architectures, or you require a corrective SAP Note because there is a known error. Many reported measurements are in fact not relevant at all. The reported usage may be included in other licenses or may no longer be licensable. Knowing how to interpret the measurements is key to understanding your actual licensing consumption, and ultimately leads to a successful audit defense.
In Basic Audits, the requested Self-Declaration results are submitted via a PDF document. These products or metrics are not measured by the LAW and so must be manually determined. For example, a product purchased with a metric of Revenue cannot be measured as it does not exist in the system in a standard way across all customers, so you must self-declare this figure. Understanding your contractual terms is crucial to ensure you do not mis-declare. For example, whether your Revenue metric applies for your whole organisation, or for specific countries or business units.
Additional Products are not part of a standard SAP audit. The BusinessObjects product set can be measured, but by a separate tool called LMBI, and it requires different analysis. Once selected for a BusinessObjects measurement, we commonly see SAP reduce audit regularity for several years. Indirect/Digital Access would also fall into this category. SAP do not measure for Indirect Access as part of Basic Audits due to the lack of guidance and clarity on measuring this usage. The potential identification of Indirect Access is a common trigger for Enhanced Audits. It is critical to note that SAP are looking to include a tool to measure this usage as part of a Standard Audit, meaning your Indirect Access will come under much more scrutiny in the future. Few organisations continue to rely on the Sybase product set heavily, so this is not a major area that SAP focuses on. This article focuses only on the key areas of an SAP audit, so please see our other articles for more details about these product sets.
What can I do to prepare and/or defend myself?
The golden rule is always to be proactive. Reviewing your SAP license estate and remediating any risk before an audit can save your organisation high fees to SAP, especially if you have not been audited for a while. Reporting risk to SAP before they audit you can result in favourable negotiations.
Organisational procedure is an often-overlooked factor in audit preparation. Controlling who can communicate with SAP and when your organisation can instigate conversations with the vendor is vital. We see cases where an audit has been triggered due to someone communicating sensitive information to SAP.
Although SAP’s audit team are separate from their sales team, license conversions can often be triggers for audits. Increased audit rights are even included in SAP’s On-Premise and Cloud Extension Policies, which allow you to partially terminate your licenses whilst purchasing alternative on-premise or Cloud products. If you are making any changes or increasing your activity with SAP, it is essential that you make sure your environment is free from licensing risks.
If you are too far down the road to be proactive, then analysis and negotiation are your tools for success. The optimal audit defense is achieved by scrutinizing your measurement results against your deployment, contracts, and licensing models, then comparing this to SAP’s conclusions. Using leverage to mitigate the costs can also be helpful, such as a commitment to upgrade your licenses or agreeing to adopt HANA or S/4HANA. SAP’s focus is continued revenue, so if you can offer them that, they may just look past your previous missteps in licensing. There will be an expense, but turn it into an investment in your organisation’s future rather than a payment for retrospective compliance.
So, how do you prepare yourself? By making sure SAP do not stumble across licensing risks, and that there are none to find. The key points we stress to customers about audits are:
• Control your dialogue with SAP by restricting who can communicate directly with them
• Ensure your Named Users are assigned licenses that accurately reflect their activity in the system
• Regularly review your SAP licensing measurements to ensure any potential risks can be remediated before an audit, or so that you can initiate a purchase and avoid audit fees
• Assess the impact of business change on your SAP licensing estate
• Do not take SAP at their word. Do your own research and analysis, or hire experts
• Always negotiate for the win-win; paying audit fees may not be your only option
JNC are experts in SAP licensing and commercials. We can guide and support you through these steps to understand what it is you are using, how to license more efficiently, and what you need to do to become compliant and stay compliant. If you are being audited right now, JNC offer Audit Defence support to defend and negotiate a desirable outcome for both you and SAP. JNC have years of experience in reviewing and correcting SAP’s license compliance findings to ensure you do not pay audit fees where it is not required.