

SAP Audit Rights 2026: Your Contractual Position Explained

What SAP's Contract Compliance team can and cannot audit, how to assess indirect access exposure, how to defend user type reclassification claims, and what your contractual rights look like under legacy and RISE agreements.

March 2026

An SAP audit notification triggers different concerns than an Oracle or Microsoft notification — primarily because SAP's audit exposure is concentrated in two areas that most enterprise customers do not fully understand: indirect access (the use of SAP software by systems or users who do not hold direct licences) and user type misclassification (the assertion that users in lower-cost categories should be reclassified to more expensive types). Both areas involve genuine contractual ambiguity that SAP exploits commercially, and both are contestable with the right preparation.

This guide explains your contractual rights during an SAP audit, the specific exposure areas to assess, and the defence approach that consistently reduces SAP compliance claims. For the broader audit defence framework, see our Software Audit Defence Guide. For SAP licensing fundamentals, our SAP licensing complete guide provides the foundation required to understand audit exposure in context.

Your Contractual Rights During an SAP Audit

SAP's contract compliance audit rights are defined in your Software Licence Agreement (together with SAP's General Terms and Conditions) or Cloud Services Agreement. SAP's standard terms also require the licensee to run system measurement itself (USMM on each system, consolidated through LAW) and submit the results; the audit clause governs what SAP may verify beyond that self-declaration. Compared with Oracle's standard terms, SAP's contractual audit rights are typically narrower, and the constraints are worth enforcing: before responding to a notice, read the clause for notice period, permitted frequency, the systems in scope, and who bears the cost.

What SAP Can Audit

  • Products covered by your current licence agreement
  • Named users and their system access profiles
  • Third-party system integrations active during the audit period
  • Historical usage if your contract permits retrospective review
  • Current deployment configuration with reasonable notice

What SAP Cannot Audit (Without Consent)

  • Products beyond your current agreement scope
  • Systems not identified in your licence schedules
  • Business process data or operational records
  • Information covered by attorney-client privilege
  • Deployments at affiliates not covered by your agreement

The scope limitations above are enforceable, but only if you enforce them. SAP's Contract Compliance team routinely proposes broader scope than the contract supports. The first substantive audit negotiation is always scope, and scope concessions made early in the audit process are rarely recovered. Put the agreed scope in writing, with the list of systems, the measurement period, and the data you will provide, before any measurement is run or any extract is handed over.

Indirect Access: The Primary SAP Audit Risk

SAP's indirect access rules, governing when third-party systems that access SAP data require SAP licences, have been the source of the largest SAP audit claims on record. SAP v Diageo (2017), in which the English High Court found for SAP on liability before the parties settled, and the subsequent SAP claim against AB InBev, shaped how SAP approaches indirect access commercially, but did not eliminate the underlying exposure for organisations with complex integration architectures.

What Constitutes Indirect Access?

Under SAP's traditional licence model, indirect access arises when a third-party system — a portal, a mobile application, an integration middleware, or an automated process — accesses SAP data or triggers transactions in SAP, and the users or processes involved do not hold direct SAP licences. SAP's position has been that each such access, whether by a human user or an automated process, should be covered by an SAP licence.

The contractual basis for this position is, in many enterprise agreements, genuinely ambiguous. Most legacy SAP agreements were written before modern integration patterns existed, and the language around "use" and "access" does not clearly address automated machine-to-machine transactions. This ambiguity is both SAP's primary commercial leverage point and the customer's primary defence argument.

The Digital Access Model (2018 Onwards)

In response to the litigation and customer relations damage from indirect access claims, SAP introduced its Digital Access licensing model in 2018. For indirect use, Digital Access replaces user-based counting with document-based counting across nine defined document types (sales, purchase, invoice, manufacturing, material, quality management, service and maintenance, time management, and financial documents). Customers who migrate to Digital Access convert their indirect access liability into a per-document measurement model that is more predictable, but not necessarily cheaper.

The Digital Access conversion offer is a commercial negotiation, not a compliance obligation. Our dedicated article on SAP Digital Access licensing and conversion covers the economics of conversion, the document counting methodology, and when conversion makes financial sense relative to defending legacy indirect access positions. For SAP RISE customers, indirect access treatment under the RISE contract structure is covered in our SAP RISE negotiation guide.

Indirect Access Quantification: Before accepting any SAP indirect access claim, you must quantify the actual exposure using the Digital Access document count methodology. SAP's initial claims frequently assert user-based counting that produces 5–10× the document-based equivalent. Always demand a document-count alternative calculation before engaging on the user-count claim. The difference is routinely millions of dollars.

Assessing Your Indirect Access Risk

An indirect access risk assessment covers three integration categories:

  • Human-initiated indirect access: users accessing SAP data through non-SAP portals or applications without direct SAP licences
  • Automated indirect access: machine-to-machine integrations, batch processes, and API calls that create or modify SAP records
  • Third-party access: partner or customer systems that access your SAP environment through EDI, API, or portal connections

The assessment should produce a document count — the total volume of Digital Access-relevant documents created or modified through indirect channels — and a user count for human-initiated indirect access. These two figures are your ground truth for any SAP indirect access discussion. Our SaaS Licence Optimisation service includes SAP indirect access risk assessments as a standard component of SAP engagement reviews.

User Type Reclassification: The Other Major Exposure

SAP's user licence model — distinguishing Professional Users, Limited Scope Users, Employee Users, and several other categories — creates systematic audit exposure through misclassification. SAP's Contract Compliance team applies a consistent audit tactic: reviewing user system access profiles and asserting that users classified in lower-cost categories (Employee, Limited Scope) should be reclassified to Professional Users based on the transactions they perform.

The Reclassification Methodology

SAP's reclassification approach relies on the transaction codes (T-codes) each user has executed or is authorised to execute. The audit team compares each user's T-codes against the user type definitions in your agreement (the Software Use Rights document), and any T-code it regards as outside the permitted scope of a lower-cost user type triggers a Professional User reclassification claim.

The key contestable element in this methodology is the distinction between what users can execute (their authorised transaction profile, as reported by SUIM and the role assignments in SU01) and what they do execute (their actual activity, as recorded in the ST03N user and transaction profiles or in STAD). SAP's audit team typically starts from the authorisation profile. The defence position is that licence classification should follow actual use, not available authorisation: an employee who has theoretical access to a Professional User T-code but never executes it should not be classified as a Professional User. How strong that argument is depends on the exact wording of the user type definitions in your agreement, so check whether they are framed around activities performed or around roles and authorisations before relying on it.

Authorisation Profile Remediation

One of the most effective pre-audit defence actions for SAP is authorisation profile remediation: removing T-code authorisations from users who do not need them, before SAP's measurement date (the USMM/LAW run whose results you submit). A user whose profile no longer includes Professional User T-codes cannot be reclassified on the basis of profile analysis, though retained usage data can still be cited for T-codes the user actually executed, so remediation limits prospective exposure rather than erasing history. It is also ordinary least-privilege hygiene: removing role assignments the business owner cannot justify reduces audit exposure and the blast radius of a compromised account at the same time. Validate the removals with role owners before the change, since a T-code unused in a three-month window may still be needed for period-end or annual tasks.
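The "can execute" versus "did execute" comparison, and the list of unused authorisations that remediation should target, can be produced mechanically before SAP produces its own version. The block below is an added example written for this guide; it is not SAP's measurement tooling or any audit team's methodology. It takes a constructed authorisation export (the shape of a SUIM executable-transactions report or SU01 role assignments), a constructed ST03N-style usage profile, and a hypothetical T-code-to-user-type mapping (the real mapping must be derived from the user type definitions in your own agreement), and returns the profile-based classification SAP's team would open with, the usage-based classification the defence relies on, the users whose reclassification is contestable, and the unused authorisations whose removal collapses the profile-based tier. All user names, T-code assignments and execution counts are made up for illustration.

```python
from collections import defaultdict

# Licence tiers, cheapest first. Names follow the categories used in this guide.
TIERS = ["EMPLOYEE", "LIMITED_SCOPE", "PROFESSIONAL"]
RANK = {tier: i for i, tier in enumerate(TIERS)}

# HYPOTHETICAL mapping of T-codes to the minimum user type that may run them.
# This is not SAP's matrix; derive the real one from the user type definitions
# in your own agreement and keep it under version control as audit evidence.
MATRIX = {
    "VA03": "EMPLOYEE", "ME23N": "EMPLOYEE", "MM03": "EMPLOYEE", "SU3": "EMPLOYEE",
    "VA02": "LIMITED_SCOPE", "ME22N": "LIMITED_SCOPE",
    "VA01": "PROFESSIONAL", "ME21N": "PROFESSIONAL", "FB50": "PROFESSIONAL",
}

# Constructed sample data. AUTHS has the shape of a SUIM "executable transactions"
# export (user -> T-codes the user is authorised to run); USAGE has the shape of
# an ST03N user/transaction profile (user, T-code, executions in the window).
AUTHS = {
    "ALICE": {"VA03", "ME23N", "VA01", "ME21N"},  # can create orders, only ever displays them
    "BOB":   {"VA03", "VA02", "VA01"},            # can and does create sales orders
    "CAROL": {"MM03", "SU3"},                     # display-only profile
    "DAVE":  {"VA03", "ZCUST01"},                 # custom Z-transaction not in MATRIX
    "ERIN":  {"VA03", "VA02"},                    # can change orders, only displays them
}
USAGE = [
    ("ALICE", "VA03", 412), ("ALICE", "ME23N", 88),
    ("BOB", "VA03", 30), ("BOB", "VA01", 17),
    ("CAROL", "MM03", 950),
    ("DAVE", "VA03", 12), ("DAVE", "ZCUST01", 5),
    ("ERIN", "VA03", 201),
]


def executed_tcodes(usage):
    """T-codes each user actually ran at least once in the measurement window."""
    ran = defaultdict(set)
    for user, tcode, count in usage:
        if count > 0:
            ran[user].add(tcode)
    return ran


def highest_tier(tcodes):
    """Most expensive tier required by any known T-code in the set.
    Unknown T-codes are ignored here and surfaced by unknown_tcodes() instead."""
    known = [MATRIX[t] for t in tcodes if t in MATRIX]
    return max(known, key=RANK.__getitem__) if known else TIERS[0]


def classify_by_authorisation(auths):
    """SAP's opening position: the tier implied by what each user CAN execute."""
    return {user: highest_tier(tcodes) for user, tcodes in auths.items()}


def classify_by_usage(usage):
    """Defence position: the tier implied by what each user DID execute.
    A user with no activity in the window is absent from the result; treat that
    as a separate question (dormant account) rather than as EMPLOYEE by default."""
    return {user: highest_tier(tcodes) for user, tcodes in executed_tcodes(usage).items()}


def contestable_reclassifications(auths, usage):
    """Users the profile-based method uplifts but whose activity does not justify it.
    Returns user -> (usage-based tier, authorisation-based tier)."""
    by_auth = classify_by_authorisation(auths)
    by_use = classify_by_usage(usage)
    return {
        user: (by_use.get(user, TIERS[0]), tier)
        for user, tier in by_auth.items()
        if RANK[tier] > RANK[by_use.get(user, TIERS[0])]
    }


def remediation_candidates(auths, usage):
    """Authorised-but-unused T-codes whose removal brings the profile-based tier
    down to the usage-based tier. Review with role owners before removing."""
    ran = executed_tcodes(usage)
    by_use = classify_by_usage(usage)
    candidates = {}
    for user, tcodes in auths.items():
        floor = by_use.get(user, TIERS[0])
        unused = sorted(
            t for t in tcodes - ran[user]
            if t in MATRIX and RANK[MATRIX[t]] > RANK[floor]
        )
        if unused:
            candidates[user] = unused
    return candidates


def unknown_tcodes(auths, usage):
    """T-codes (typically custom Z/Y transactions) that MATRIX does not cover
    and that must be classified by hand before either method is trustworthy."""
    seen = set().union(*auths.values()) | {t for _, t, _ in usage}
    return sorted(t for t in seen if t not in MATRIX)


if __name__ == "__main__":
    print("by authorisation:", classify_by_authorisation(AUTHS))
    print("by usage:        ", classify_by_usage(USAGE))
    print("contestable:     ", contestable_reclassifications(AUTHS, USAGE))
    print("remediation:     ", remediation_candidates(AUTHS, USAGE))
    print("unknown T-codes: ", unknown_tcodes(AUTHS, USAGE))
```

Run it against real exports by replacing AUTHS, USAGE and MATRIX. On the sample data ALICE and ERIN are uplifted by profile analysis but not by activity, BOB is a genuine Professional User under both methods and is not worth contesting, and the unknown_tcodes list (custom Z-transactions in particular) is the set you still have to classify by hand before either figure can be put in front of SAP. The remediation list is a starting point for the role-owner review, not a change set to apply blindly.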

Our SAP user types guide covers the specific T-code categories that define each user type and the authorisation profile structure that minimises reclassification risk.

SAP Audit Rights Under RISE

The migration of SAP customers to RISE with SAP — the cloud subscription model — changes the audit dynamic in several important ways. RISE contracts are cloud subscription agreements, not perpetual licence agreements, which affects both what SAP can audit and what the exposure looks like.

Under RISE, indirect access is addressed through the RISE contract's included document volumes and overage measurement framework. Traditional indirect access claims for legacy interfaces are substantially limited under RISE — one of the genuine commercial advantages of RISE migration for customers with significant indirect access exposure. However, RISE introduces its own audit risks: user count verification against subscribed quantities, and module consumption measurement against contracted scope.

For the commercial negotiation framework relevant to RISE contracts, including audit rights provisions to negotiate at signature, see our SAP RISE negotiation guide and our SAP advisory practice.

The SAP Audit Defence Approach

Effective SAP audit defence combines scope control, technical methodology challenge, and commercial leverage. The specific levers available in SAP audits differ from Oracle in important ways.

First, SAP has a stronger institutional incentive to convert customers to RISE than to extract large cash settlements. SAP's cloud transition targets mean that large settlement demands that drive customers toward competitive ERP alternatives are commercially unattractive. This creates an opening for converting audit exposure into RISE migration discussions — on the customer's terms, not SAP's.

Second, the Digital Access document counting methodology consistently produces lower exposure figures than legacy user-based counting. Any SAP audit that involves indirect access claims should be evaluated under both methodologies, with the document-based figure used as the commercial reference point.

Third, SAP's contract complexity creates genuine ambiguity that well-prepared customers can exploit. Licence agreements with complex bundle rights, cross-product entitlements, and historical amendment history frequently contain credits and offsets that SAP's audit team either overlooks or does not volunteer. A complete contract and entitlement review should precede any commercial discussion with SAP.

Advisory firms with former SAP Contract Compliance experience, including Redress Compliance, bring the methodological knowledge and commercial intelligence that produces better SAP audit outcomes. For cases involving significant indirect access exposure, professional advisory support is frequently the single largest determinant of settlement outcome.

Our full SAP audit defence guidance is available in the SAP audit defence strategy guide, and our SAP Audit Defence white paper provides the detailed analysis framework for indirect access quantification and user type defence.
