09 Oct

SAP Licensing Compliancy and Vendor Audit Risk

Software License Audits are on the increase, bringing unwanted business disruption and costly unbudgeted license fees. Can your business afford to be non-compliant?

Software vendors are increasingly resorting to licensing audits as a source of revenue, with high fees being levied against the non-compliant use of their software. With SAP licensing models amongst the most complex and challenging to manage, it is vital SAP end-users understand the main risk factors to ensure they are compliant and vendor audit ready.

In this article, JNC will draw on their extensive knowledge and experience of SAP license management, audit preparation and audit defence to highlight the key risk and issues around SAP licensing compliance and license audits.

SAP licensing compliance is certainly a high-profile issue. There is always plenty of noise in the media, and throughout the SAP end-user eco-system in general, regarding aggressive and costly license audits and high-profile court cases. This might be cause for concern for many SAP customers but do they fully understand the extent of the issue? Is it really enough to drive SAP customers to take action?

The fact of the matter is the problem is far more widespread than perceived. Only a few cases ever reach court, with many more licensing disputes settled out of court before they make it that far. So in general, what SAP customers see and hear is only the tip of the iceberg.

“The fact of the matter is the problem is far more widespread than perceived”

Why don’t we hear more about Licensing Disputes?

This is a product of how the vendor presents the dispute and what they do to achieve a settlement. From our experience, SAP raise a dispute by presenting a headline figure, which is the maximum licensing fee they would be entitled to in relation to the under-licensing detected and their interpretation of the customer’s SAP licensing contract. Typically, it comes unexpectedly from left field and is presented either as an order form with a deadline to sign or by way of a letter written to the finance director or another high-ranking company official. This creates a sense of concern and urgency and puts pressure on those responsible to resolve the issue.

When an offer is made to settle in a short time-frame for an amount significantly less than the “headline” figure, many firms sign on the dotted line as a quick and convenient way of avoiding prolonged business disruption and mitigating a potentially significantly higher cost. SAP much prefer a quick settlement over a difficult, time-consuming, resource-sapping and uncertain legal dispute. This can result, for argument’s sake, in the offer of a settlement for half to a third of the much more daunting “headline” figure.

As a consultancy, we tend to be much busier around SAP’s end of quarter and end of the year. This is indicative of a sales target shortfall and the vendor actively seeking revenue to hit sales targets. Otherwise, there would be no such pattern to these events, which draws into question the integrity of the claims that are being made.

“This is indicative of the vendor actively seeking revenue to hit sales targets”

When JNC are called in to help customers in this position, we see the same pantomime played out time and time again. Thankfully, our knowledge and experience of licensing and vendor tactics help customers get to the bottom of their actual compliancy position, paying significantly less and sometimes even nothing where compliant usage is successfully proven. Sadly, without expert help, most customers are not able to mount an effective defence to these scenarios and don’t have many alternative options.

Most firms also don’t like to broadcast non-compliance as it affects business reputation, stakeholder confidence and even share price. Most settlements are also made under strict NDA so the vendor holds just enough equilibrium to press ahead with this strategy without causing too many waves. Customers, therefore, feel they are in isolation whereas many other customers are in a very similar position.

In knowing, or having learned, how customers are likely to respond to these kinds of tactics, could SAP be guilty of taking advantage? I’ll leave you to draw your own conclusions; however, if SAP customers were more aware of the hidden reality then licensing compliancy would probably rank much higher on the list of IT Directors’ and CIOs’ priorities.

“If SAP customers were more aware, licensing compliancy would probably rank much higher on the list of IT Directors’ and CIOs’ priorities”

So, how do licensing disputes come about in the first place?

Typically, a licensing dispute arises from under-licensing detected as a result of an annual measurement or an SAP License Audit. Many SAP customers mistake their annual measurement for a license audit, and it is important to understand they are two very different things as the risk is completely different. I have spoken to many SAP customers who claim they are fine with SAP licensing because they are audited every year. However, what they are referring to is the annual measurement, which is not comparable to a License Audit.

What’s the difference then, and what’s the impact?

Annual measurement is the process of reporting software usage data to SAP, where the customer is responsible for performing the measurement themselves. A License Audit is where SAP, either remotely or on-site, gather and analyse data themselves to determine a customer’s compliancy position. The issue is that LAW reporting provides very limited data to SAP, whereas a License Audit allows them to see much more of what is really going on in the SAP systems. An example of the difference is that SAP standard audit tools USMM/LAW don’t interrogate user provisioning to determine what license type is required or to cross-check that the license type assigned is correct.

User provisioning is controlled by SAP Authorizations where a customer assigns authorizations to give users access to the transactions they need to be able to perform their job roles using the software. The customer must also assign each user a license type in each SAP system based on the level of authorizations they have. So USMM only reads what license has been assigned but doesn’t give any information on what license should have been assigned. If the licenses assigned match entitlements held the LAW report will not flag any issue. In an SAP License Audit, the auditors will interrogate this data and potentially discover that the license type assigned is non-compliant. So it is possible that licensing data submitted via LAW can hide the true picture. This is just one example of a number of risks which could lead to a costly SAP License Audit.

A practical example of this is where 1000 users are given limited professional licenses but are authorized to carry out activity associated with full professional use. Where 1000 limited licenses are held and 1000 limited licensed users are measured, there appears to be a match, where in fact at list price this represents a circa €3 million risk. For discovered (versus disclosed) non-compliance, SAP’s policy is to revoke discount, and they are not obligated to trade for other unused assets. However, if you were to identify this shortfall position yourselves and notify SAP as such, then you would be honouring what is described as their “Trust Model”, where discount can be preserved and options of surplus asset trading can be explored. All the more reason to take action on licensing compliancy.
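The cross-check that USMM does not perform, sketched as an added example (not JNC's or SAP's code). The license ranking, the transaction-to-license mapping and the user records are constructed assumptions; a real mapping comes from the customer's own contract definitions.

```python
from collections import Counter

# Assumption: license types ordered by breadth of usage rights.
RANK = {"Employee": 1, "Limited Professional": 2, "Professional": 3}

# Assumption: minimum license type per transaction. In practice this comes
# from the customer's own SAP contract definitions, not from this table.
REQUIRED = {
    "ME23N": "Limited Professional",  # display purchase order
    "VA03": "Limited Professional",   # display sales order
    "ME21N": "Professional",          # create purchase order
    "FB01": "Professional",           # post accounting document
}

# Constructed sample: the license USMM would read (assigned) next to what
# each user is actually authorized to run (tcodes).
USERS = [
    {"user": "U001", "assigned": "Limited Professional", "tcodes": ["ME23N", "VA03"]},
    {"user": "U002", "assigned": "Limited Professional", "tcodes": ["ME23N", "FB01"]},
    {"user": "U003", "assigned": "Professional", "tcodes": ["ME21N"]},
    {"user": "U004", "assigned": "Limited Professional", "tcodes": ["ZCUSTOM1"]},
]

def required_license(tcodes):
    """Return (highest license required, tcodes with no classification)."""
    known = [REQUIRED[t] for t in tcodes if t in REQUIRED]
    unmapped = [t for t in tcodes if t not in REQUIRED]
    needed = max(known, key=RANK.__getitem__) if known else None
    return needed, unmapped

def audit(users):
    """Flag users whose assigned license is below what their authorizations imply."""
    findings = []
    for u in users:
        needed, unmapped = required_license(u["tcodes"])
        if needed and RANK[needed] > RANK.get(u["assigned"], 0):
            findings.append((u["user"], "UNDER_LICENSED", u["assigned"], needed))
        elif unmapped:
            # Unclassified access is not proof of compliance: send to manual review.
            findings.append((u["user"], "REVIEW", u["assigned"], ",".join(unmapped)))
    return findings

def shortfall(findings):
    """Count additional licenses needed, per required license type."""
    return Counter(f[3] for f in findings if f[1] == "UNDER_LICENSED")

if __name__ == "__main__":
    for row in audit(USERS):
        print(row)
    print(dict(shortfall(audit(USERS))))
```

A count-only comparison of assigned licenses against entitlements would show all four sample users as matched; the authorization cross-check is what surfaces U002 and the unclassified custom transaction.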

“Many SAP customers mistake their annual measurement for a license audit and it is important to understand they are two very different things”

Why are more companies not taking action?

SAP licensing compliancy is as much to do with attitude and awareness as it is to do with knowledge and expertise. The purpose of this article, without documenting every risk and issue in detail, is to give Managers and Stakeholders more awareness about the potential risks of non-compliant software usage, inaccurate systems administration and measurement, and the ultimate risk of an SAP License Audit, to help them decide if it’s in their interest to address the issue.

JNC’s SAP License Audit Simulation

JNC’s SAP License Audit Simulation service replicates the processes and methodologies of a full SAP License Audit and provides organisations running SAP with an Enterprise-wide view of their licensing and compliancy position, giving them the insight and intelligence they need to identify and deal with licensing and compliancy risk in a commercially optimal way and mitigating the risks of an on-site audit.

James Cochlin
Principal Consultant - SAP Licensing and Compliancy at JNC Consultancy
James Cochlin is Principal Consultant and Head of Audit & Compliancy Services at JNC, a company which has been providing SAP License Management services since 2009. In total, James possesses over 12 years’ experience in SAP License Management and Auditing, with significant knowledge and experience in SAP security, Authorisations and GRC. In the past, James was an SAP License Auditor for Deloitte. As Global Technical Lead, James audited clients around the world on behalf of SAP, and was involved in the development of SAP’s License Audit Methodology. Now James works with customers, helping reduce their risk of non-compliance, identify cost savings and avoid the pitfalls of licensing SAP estates. Throughout his consulting career, James has worked at some of the largest clients of SAP, helping them solve complex licensing problems whilst helping them regain control of SAP Licensing and Compliancy. James continues to train SAP Consultants on SAP licensing to the highest standards; he was the lead architect of a well-known SAP Software Asset Management tool, and is held in high esteem internationally as a leading SME and authority on SAP License Management.