SAP Audits: Where the Biggest Compliance Fines are Hiding

All customers of SAP have most likely been through a few SAP audits. While audits rarely occur at opportune times, the frustrating part is that the scope, timing and process seem to be different each year. There is a widespread belief that, as with other big software vendors, audits are just revenue-generating tools to get customers to either true up and spend more on what they currently have, or be gently “nudged” to spend money on more innovative technologies they may not be ready for (e.g. S/4HANA). SAP generates around $1 billion in annual revenue from its global audit organization. Let’s take a look at some of SAP’s key areas that tend to generate the most compliance revenue, along with ways to proactively manage each, so customers can mitigate potential risks they may have.

Users

Compliance gaps for SAP user licenses tend to represent the majority of compliance revenue identified during SAP audits. One of the main reasons is that SAP software does not prevent customers from creating new user licenses once they reach their current contractual entitlement amount. As organizations add employees, whether through organic or inorganic growth, the need for more user licenses is immediate, because new employees need them to be effective in their new roles. If these user licenses are not purchased right away and an audit hits, then customers are liable to be found with more user licenses deployed than licensed.

During periods of downsizing, user license management tends to be overlooked as organizations are focused on more pressing business matters. When this happens, the validity dates are not properly managed, resulting in user licenses still being active even after the employee(s) have left the organization.

Below are some best practices for managing user licenses and remaining in compliance:

– If growth is planned, regardless of whether it’s organic or inorganic, procure user licenses in advance.
– If employees leave an organization, ensure the validity date of those user licenses is set to a date in the past. Failure to do so will result in the SAP audit tools showing them as active, and they will count towards your consumption.
– Ensure Developer Keys are also turned off when developers are no longer performing any development work.

Engines

The need to address license entitlements for SAP Engines during times of growth is not as immediate as it is for users, but there are several SAP engines that do warrant a more proactive approach to monitoring their consumption:

1. GRC Access Controls: Customers who license this product do so to control which user groups have access to different parts of SAP. When SAP audits this product, they will usually ask you to pull and submit the table called GRACUSERCONN. This table shows all users that are being monitored by this software, and the count can quickly exceed your license entitlements.

2. Manufacturing Integration & Intelligence: This product is licensed by Employees. Generally speaking, Employees include all workers in your organization who receive a paycheck, regardless of employment status, but customers should defer to their contract for specific definitions, if applicable. While this metric is self-declared to SAP, it tends to quickly be overlooked until an audit hits.

3. HANA Database: When SAP Auditors include HANA Database in the audit scope, they look at the peak usage for the last 12 months. SAP Customers may be compliant for nearly the entire year, but if there is 1 month where they exceed their entitlement level, SAP will seek commercial resolution for this excess use.

4. Extended Warehouse Management: Customers who have a long purchasing history with SAP are most likely licensed by the number of warehouses set up in SAP but could also be licensed by number of items. At list price, both metrics can exceed six figures, depending on the region. It’s highly recommended that this product is addressed on a quarterly basis to prevent and prepare for large compliance fines in the future.

Indirect Access

Since 2015, the term ‘Indirect Access’ has caused a wave of concern globally for SAP customers. Put simply, Indirect Access occurs when unlicensed non-SAP systems and applications trigger the processing capabilities of your ERP. This use can occur by way of human use or by non-SAP applications integrated with your SAP Production systems. In the last 4 years, SAP has not only progressed on how it checks for Indirect Access, but they also have expanded the scope for what they can check during an audit. Below is a brief timeline showing the evolution of Indirect Access:

 2015
o SAP takes Diageo to Court with a 54M claim on Indirect Use

 2016
o SAP’s Global License and Audit Compliance Team starts to include manual checks for Indirect Access during the annual audit.
o SAP’s focus is on external Sales Order and Purchase Order creation, only.

 2018
o With the push to S/4 HANA, SAP re-brands the term Indirect Access to Digital Access.
o Digital Access measurement has evolved from checking two types of orders to now 9 Document types, resulting in an exponential increase of findings.

 2019
o SAP announces the Digital Access Adoption Program (DAAP) to incentivize and motivate their current customer base to move to this new licensing model.

Looking into the very near future, the risk of Indirect Access occurring will grow as businesses adopt more AI technology and leverage bots & sensors that are able to transmit data to SAP. SAP Customers should expect that SAP will adapt its current measurement methods to account for newer technologies.

While there is no official requirement for customers to move to the new Digital Documents Licensing model, it’s imperative for current customers to understand the process for how SAP will check for Indirect Access. The best way to identify Indirect Access within your SAP Infrastructure today is to do the following:

1. Identify all non-SAP to SAP connections in the current IT Landscape.
2. Understand the type of data that is being exchanged – is it Master Data or Transactional Data?
3. What is the flow of this data? One-Way? Two-Way?
4. How is the data being exchanged? EDI, Process Integration/Process Orchestration, Batch, OpenHub, etc.

SAP Auditors will have more questions than the ones listed above, but these four will capture a large majority of information that they will be looking for. Conducting this exercise will not only prepare you for the audit but will also prepare you for your future journey with SAP as your landscape evolves.

NetWeaver Foundation for Third Party Applications

It’s very uncommon for most customers to be audited for this product. In fact, only 2% of SAP’s Global Audit Team includes this product in their audit scope. While customers may have never seen this in an annual audit, this does not mean they are immune from being measured for this.

The purpose of this product is to grant customers the right to use and integrate third party software Add-Ons into the NetWeaver platform so they can exchange information with SAP Applications. While many consider this a type of Indirect Access, it’s not included as part of an overall Indirect Access measurement. SAP will require customers to purchase licenses if these Add-Ons:

– Access the information in the underlying database of the SAP Application(s).
– Add new, independent functionality.

Today, this product can be licensed in 1 of 2 ways: Cores or Users. SAP Customers must decide which metric they would like to purchase, as SAP won’t allow licensing both options. If you are running third party Add-Ons today, it will be important for you to understand the following:

– How many end users are accessing the Add-Ons.
– How many cores (estimated) are needed to run the software.
– SAP’s Software Use Rights as it pertains to this software specifically.

Once customers have identified any potential risks from above, they should work with their Account Team to understand the options and list prices of both metrics as they are extremely different.

If you have any questions or comments regarding the content shared in this article, please feel free to reach out to me directly at aaron.mills@accenture.com.

Disclaimer: The content in this article neither represents Accenture’s opinion nor constitutes legal advice.

About Aaron Mills