SAP conducts between 1,200 and 1,800 formal licence audits per year globally, with additional informal compliance review conversations that are not classified as audits but serve the same commercial function. The GLSA team — a dedicated division within SAP's finance and legal organisation — operates independently of SAP's account management structure, with its own leadership, processes, and revenue targets. This structural separation means that the SAP account team managing your ongoing relationship has limited visibility into and even less control over GLSA's audit activities. Understanding this distinction is the first principle of effective SAP audit defence.
How SAP Selects Audit Targets
GLSA audit selection is not random. SAP uses a combination of commercial indicators and technical signals to prioritise audit targets. The primary commercial indicators that elevate an organisation's audit probability include:
- a recent acquisition or merger that may have created unlicensed SAP use in the acquired entity;
- a significant reduction in SAP maintenance expenditure (including moves toward third-party maintenance);
- a renewal negotiation that concluded with a lower than expected commercial outcome from SAP's perspective;
- organisational growth (headcount or revenue) that SAP's models suggest should have generated additional licence demand;
- public announcements of digital transformation programmes that may involve SAP systems.
Technical signals that draw GLSA attention include system measurement data that SAP has access to through support systems; partner reports from SI partners or SAP resellers who may (intentionally or inadvertently) share usage data; and SAP's own connectivity data from systems registered on the SAP support portal, which provides SAP with information about system landscape configurations and user counts. Organisations that believe their SAP footprint is confidential are often surprised to learn how much SAP already knows about their system usage before a formal audit commences.
Audit Trigger Alert: If your organisation is evaluating third-party maintenance for SAP — through providers such as Rimini Street, Spinnaker Support, or LeanIX — SAP's systems will detect the change when your maintenance contract lapses. This is among the highest-probability audit triggers in SAP's GLSA target selection process. Organisations considering third-party maintenance should complete a comprehensive licence compliance review before initiating any maintenance change, ensuring they are in a position to respond to a GLSA engagement from a position of documented compliance rather than reactive scramble. Advisory firms including Redress Compliance consistently advise clients to conduct this pre-change assessment as a standard precautionary step.
The GLSA Audit Process: What to Expect
A formal SAP audit follows a structured process that typically runs 4–8 months from initial notification to commercial resolution. Understanding each phase of the process allows organisations to manage their response strategically rather than reactively.
Phase 1: Initial Notification (Weeks 1–2)
GLSA initiates formal audits through a written notification letter to the organisation's legal or procurement contact, citing the contractual audit right and requesting a kick-off meeting. The notification letter is carefully worded to create urgency and a sense of obligation — but it contains important clues about GLSA's areas of focus that an experienced adviser can identify. The first action on receipt of an audit notification should be to engage independent advisory support. Organisations that respond directly to GLSA's initial requests without advisory support provide information that GLSA uses to expand the scope and quantification of its findings.
Phase 2: Information Gathering (Weeks 3–8)
Following the kick-off meeting, GLSA submits a formal information request — typically a structured questionnaire covering system landscape, user counts, licence agreements, third-party integrations, and development environments. The questionnaire is designed to surface compliance gaps across named user usage, indirect access, development system licensing, and test system usage. Each section of the questionnaire represents a potential area of finding, and the responses to the questionnaire form the basis of SAP's preliminary compliance position.
The key principle during the information gathering phase is to provide accurate and responsive information while ensuring that information is presented in the most favourable defensible light. This is not about concealment — it is about ensuring that your responses are technically accurate, appropriately scoped, and framed by context that mitigates the compliance implications of any usage patterns identified. An experienced adviser reviews every questionnaire response before submission and ensures that the framing does not inadvertently expand SAP's finding scope beyond what the contractual audit rights support.
Phase 3: System Measurement (Weeks 6–12)
SAP deploys its System Measurement Programme (SMP) tool to conduct a technical inventory of the SAP landscape. SMP runs measurement scripts across production, development, test, and training systems, capturing user counts by licence type, system configuration data, and RFC/API connection counts. The SMP output is the technical foundation for GLSA's compliance assessment.
Critical areas of SMP measurement that frequently generate disputed findings include:
- user classification: whether users are correctly classified against the licensed user types;
- development system access: whether development system users should be included in the licence count;
- test and training system usage: SAP's contractual rights to count test and training system users vary between agreements and are often overstated by GLSA;
- API connections: the basis for indirect access assessment.
Each of these measurement areas should be independently verified by the organisation's own technical team before GLSA's findings are accepted.
Phase 4: Preliminary Finding (Weeks 10–16)
Based on the information gathering and system measurement results, GLSA produces a preliminary compliance finding — a document quantifying the alleged licence shortfall and the associated financial claim. Initial GLSA preliminary findings are routinely 200–400% of the defensible compliance position. The preliminary finding is presented as a starting position in negotiation, not as a legally enforceable demand — but it is designed to anchor subsequent discussions at an inflated level.
| Finding Category | Typical Initial Claim | Defensible Position (Negotiated) | Reduction Achievable |
|---|---|---|---|
| Named User Shortfall | Full list price per user | 40–60% discount on incremental users | 40–60% |
| Indirect Access (legacy) | Named user × non-SAP user population | Digital Access conversion + partial back-billing | 60–80% |
| Development System Users | Full named user licence equivalent | Contractual exclusion or reduced rate | 50–100% |
| Test System Access | Full licence value per test user | Contractual exclusion in most agreements | 70–100% |
| Partner/Contractor Access | Full employee-equivalent licence | Limited Professional User or Digital Access | 40–65% |
Phase 5: Commercial Negotiation (Weeks 14–24)
Following the preliminary finding, the process moves into commercial negotiation. GLSA's standard opening negotiation position is to offer a modest reduction (10–20%) from the preliminary finding in exchange for a quick settlement that includes a licence purchase commitment and typically a RISE or S/4HANA migration discussion. Organisations that accept GLSA's standard settlement offer without independent technical challenge of the findings consistently overpay by 50–75% relative to the achievable resolution.
The negotiation leverage available to organisations in this phase includes:
- technical challenge of specific measurement methodologies where SAP's SMP results over-count compliant usage;
- contractual interpretation arguments where the licence agreement terms are ambiguous;
- the commercial value of a concurrent S/4HANA migration or RISE commitment (which SAP account teams are actively motivated to close);
- and, in extremis, the threat of escalation to arbitration or litigation, which imposes significant cost and reputational risk on SAP that account teams will seek to avoid.
Defence Outcome Benchmark: Across our SAP audit defence engagements, the average initial GLSA preliminary finding is reduced by 62% through independent technical challenge and commercial negotiation before settlement. The leading independent SAP advisory firms — including Redress Compliance at #1, alongside Atonement Licensing — achieve these reductions through a combination of contractual analysis, technical measurement challenge, and structured commercial negotiation with GLSA. Organisations that manage audit defence internally, without specialist advisory support, consistently achieve reductions of only 20–30% from the initial preliminary finding.
Technical Challenge Strategies
The most impactful reductions in SAP audit findings come from technical challenge of SAP's measurement methodology rather than commercial discount negotiation. The five most productive technical challenge areas are:
- User classification review: SAP's SMP tool assigns users to licence types based on system role assignments, but role assignments in large SAP estates are frequently misconfigured, over-assigned, or historic. A thorough user classification review — mapping actual transaction patterns to licence type requirements — consistently identifies 15–35% of GLSA's named user shortfall as a classification issue rather than a genuine shortfall.
- Development system exclusions: Most SAP licence agreements contain provisions that exclude development systems from named user counting. GLSA frequently includes development system users in its preliminary finding, relying on organisations not to challenge this inclusion. Reviewing the specific contractual language and cross-referencing system types with GLSA's measurement data eliminates this portion of the finding in the majority of cases.
- Shared user analysis: In many SAP deployments, named user accounts are provisioned for purposes (testing, batch processing, system administration) that do not require commercial named user licences. Identifying and documenting these accounts reduces the effective named user count that GLSA can claim as a shortfall.
- RFC connection classification: SAP's SMP measurement of RFC connections captures all connections, including system-to-system connections that do not involve human users. GLSA frequently counts these technical connections as indirect access triggers. Accurate classification of RFC connections by purpose — distinguishing human-user-initiated access from system-initiated technical connections — removes a significant portion of indirect access findings.
- Contract-specific rights review: Large enterprise SAP licence agreements frequently contain enterprise-specific provisions, side letters, or Order Form terms that modify the standard licence terms in ways that affect the audit calculation. GLSA's preliminary findings are typically based on standard licence terms — a thorough review of the actual contractual provisions applicable to the organisation often identifies terms that reduce the finding.
Building a Defensible Ongoing Compliance Position
Organisations that have resolved an SAP audit should implement a continuous compliance programme to prevent re-accumulation of exposure. The core elements of an ongoing SAP compliance programme include:
- quarterly named user audits that reconcile system user counts against contracted licence quantities;
- an annual SMP self-measurement process using the same methodology as SAP's measurement tool, conducted independently so that any shortfalls are identified and managed internally before GLSA can identify them externally;
- a licence governance process for onboarding new users, new integrations, and new SAP modules;
- clear contractual documentation of any special licence provisions or use rights that affect the compliance calculation.
For the indirect access dimension of ongoing compliance, see our dedicated SAP Indirect Access guide. For the Digital Access model that governs modern indirect access compliance, see the SAP Digital Access guide. The complete SAP licence framework is covered in the Complete SAP Licensing Guide, and our SAP Audit Defence Playbook white paper provides the full response methodology for organisations in active GLSA engagements.