How to prepare for your next SAP audit?

In the B2B world, the word audit is a dreaded word. Either it’s a financial or a software compliance check, going through an audit is quite often seen as a time consuming, unexpected and costly inconvenience for companies.

When faced with an audit letter, organisations are typically thinking “Am I really non-compliant?”, ”There must be a reason why they started this audit, but what is that?”, “What am I missing here?”. This uncertainty comes from a lack of a limited overview of the software licenses that they are entitled to use, their location and configuration (what is included), who is using the licenses and how are these licenses being used.

Typically, vendors such as Oracle, Microsoft or IBM are most feared when it comes to audits, but the SAP audits are also highly complex and challenging events for end user organisations. Preparation is key in negotiating and getting through an SAP audit successfully. In this article, we’ll provide essential tips and practical recommendations that will help you to better understand the SAP auditing process.

SAP audit team: objectives

The so called SAP Global License Auditing and Compliance (GLAC) team operates based on clearly defined procedures and protocols related to the way the audit must be conducted. The sole purpose of an audit is to monitor your software usage compliance position. The SAP audit team expects you to demonstrate that your usage is in line with the purchased and available licenses. Its SAP’s practice to apply tight deadlines to end users that are under audit. The GLAC team will allow small/medium enterprises a period of three weeks to perform the measurement and provide all the requested deployment and usage data, while large enterprises are expected to return results within 4 weeks. Not surprisingly, this short timeframe limits your and any other end users’ capacity to analyse and adjust any compliance issues. It is therefore highly recommended that you perform internal audits on a regular basis and especially before an official SAP audit starts.

Know your entitlements

Self-assessment is only effective when you understand your contractual entitlement(s). This is typically not a straight forward task, since contractual documents are full with complex legal terminology; equally, the original contract may have been signed many years before, and you may have bought additional SAP products in the interim. Thus, a thorough review of the contract and subsequent product ‘add-ons’ is essential for the preparation of your (internal) audit. By going one level deeper, it is important to understand the context under which SAP products were sold. It is for example not uncommon that end users purchased licenses only for a specific business unit while it was contractually agreed that an enterprise metric for the whole organisation is applicable. Understanding the product metrics, the number of blocks and the special clauses that may have been contractually agreed (e.g. indirect use) are just a few examples of contractual terms that you should take into account.

Note: SAP cannot evaluate products sold under different or inconsistent metrics. In fact, SAP can only make evaluations in accordance with the current metric maintained in the present price list. As such, as a customer, you have the clear advantage of negotiating this in your favor if you have a clear understanding of your contractual entitlements, associated metrics and pricing.

Update system landscape

It is highly recommended to maintain the system landscape status (e.g. production use, decommissioned) in your SAP Support Portal. If you’re not maintaining the SAP Support Portal and you are under audit, you can be requested by the SAP auditors to include systems in the USMM measurement which may not even be actively used anymore. The SAP Support Portal is the reference for the auditors and should reflect your real and actual system use. If you don’t pay attention to this, you may – as one example only – end-up in situations in which the measurement of your SAP environments includes usage of modules or engines that your IT staff tested years ago but for which you were never licensed. In short: be ready, because SAP will ask about all your SAP systems. Your inactive SAP systems may be included in the measurement plan as delivered by SAP, with adverse cost consequences possibly arising.

The heart of the audit

It is highly recommended that you run test measurements with the SAP Measurement Program (transaction USMM). This should be done in order to complete an internal analysis of users and engines – it is obviously not wise to send the resulting information to SAP, as this could trigger an audit. Most organisations don’t maintain their systems (users and engines) regularly and the measurement might include inaccurate data. Therefore, it is recommended to run a test measurement and have it validated by an SAP expert. After implementing the SAP consultant’s recommendations (cleanup the users, implement notes, etc.) the measurement can be shared with SAP.

Users

Determining the correct classification for SAP users is extremely difficult for almost any end user. While basic user definitions are available on the SAP Support Portal, the contractual agreement may contain additional definitions and classifications that should be understood in order to perform your internal analysis or to validate the results of your SAP audit. In the SAP Measurement Program (USMM), there are a number of methods used for user classification. The core of the classification is based on the user authorisation and the contractual agreement, which should correspond with the price list which is the basis of the SAP contract. After performing the measurement of all relevant production and development systems as per SAP technical prerequisites and directives, further user self-analysis is an essential step in order to guard against possible over-charging from SAP. You can be sure that SAP will ask about the following:

• Locked Users
• Deleted Users
• Expired Users
• Users with Multiple Logons (possibly more individuals are granted access)
• Users with Late Logons
• Reclassification of “Workbench Development Users”
• Users with SSCR Keys used for development purposes
• Test Users in production (hint: 10% is allowed by SAP per system measurement)
• Dialog Users vs. Measured Standard Users

Engines

The last step of the SAP measurement is the consolidation of all measured systems in the License Administration Workbench (LAW). By doing so, users and user types are listed and assigned to one contractual user type. On condition that LAW user criteria are consistently maintained across the whole system landscape, this virtually eliminates the risk of counting one individual multiple times (deduplication). If the number of consolidated users identified by LAW is higher than the contractual entitlement, it is recommended that you seek verification of the following:

• LAW criteria (as used to deduplicate user counts across multiple SAP systems)
• Locked users (and if the expiration date has been maintained correctly)
• Unclassified users (per default counted as professional users on production systems)
• Technical users maintained as Dialog Users
• Users authorisations based on your contractual user type assignment

In addition to LAW measurement results, you are required to provide additional information as requested by SAP (for example, Self-Declaration Products, HANA, Business Object). In each step of the audit, SAP has defined additional data gathering processes to follow. These are not further discussed in this article, but will be explained in more detail in a future article.