An SAP audit is a self-measurement: you run the USMM transaction in each system, consolidate it through the License Administration Workbench (LAW), and SAP's Global License Audit and Compliance team bills the gap between measured consumption and contracted entitlement. The claim almost always inflates in three places — named-user types classified too high, engine metrics measured against the wrong base, and indirect (digital) access counted as unlicensed. In our 340+ engagements, disciplined buyer-side defence reduces the initial SAP compliance claim by 68% on average. The defence starts before you submit a single LAW file.
SAP audits are self-declared measurements, which is what makes them defensible. Once a year SAP requests a system measurement; you execute transaction USMM in every productive system, which counts named users by licence type and measures consumption of licensed engines (packages). You then consolidate the per-system results in the LAW (License Administration Workbench, transaction LICENSE_ADMIN / SLAW), de-duplicate users who exist in multiple systems, and submit the consolidated file to SAP. SAP compares the result against your contract and issues findings. Because you control the classification and the consolidation, most of the exposure is created — and can be removed — before submission, not after.
The trap is treating USMM as a button you press. Default user classifications are frequently wrong: a user set up years ago as a Professional may only run self-service ESS/MSS transactions today and qualify for a far cheaper type. Multiply that across thousands of users and the gap between the default measurement and the defensible one is enormous. This is the single most productive area of an SAP audit defence, and the reason we never let a client submit a raw LAW file.
Do not run USMM and submit blind. We classify and clean the data first. Talk to us before you respond.
SAP licences people, not logins, and the named-user type sets the price per head. The classic ECC types — Professional, Limited Professional, Employee/Self-Service — carry very different list values, and SAP's measurement defaults toward the higher type when activity is ambiguous. The right classification is evidence-based: what transactions has each user actually executed over the measurement period? Reclassifying down to the entitlement that matches real usage is legitimate, contractual, and where a large share of the 68% average reduction comes from.
| Named-user type (ECC) | Typical role | Relative list value | Common audit error |
|---|---|---|---|
| SAP Professional | Operational / full transactional | Highest | Assigned by default to occasional users |
| SAP Limited Professional | Role-restricted operational | Mid | Promoted to Professional on ambiguity |
| Employee / Self-Service | ESS/MSS, leave, expenses, payslips | Low | Counted as Professional, not ESS |
| SAP Developer | ABAP / configuration | High | Dormant dev IDs still counted active |
| Test / technical / RFC | Batch, interface, system IDs | Often excludable | System users counted as named users |
Duplicate users are the other quiet inflator. The same person with IDs in ECC, BW and a CRM system can be counted multiple times if LAW consolidation is run carelessly. Proper de-duplication across the landscape — keyed on a reliable identifier — collapses the count to one licence per human, which is exactly what the contract intends.
Indirect (or digital) access is when a non-SAP application — a CRM, an e-commerce front end, a bespoke portal, an RPA bot, an IoT feed — creates, reads, updates or processes SAP data without a human logging in with a named SAP user. SAP historically argued these interactions still required named-user licences, producing the headline-grabbing claims of the late 2010s. Since 2018 SAP offers the Digital Access model, which prices indirect use by document rather than by user: nine document types (sales, invoice, purchase, service, material, financial, manufacturing, quality management, and time-management documents) are counted, with the initial creation of a document the licensable event.
Indirect access is the largest source of surprise SAP exposure because most organisations have never measured it. The defence is twofold: first, establish which integrations genuinely create chargeable documents versus those that only read; second, choose the cheaper of the two licensing bases (document-based digital access vs. residual named-user) for each integration, which SAP's own framework permits. Our SAP digital access defence breakdown walks the document model and the contractual options in detail; the indirect access overview covers how exposure arises in the first place.
The named-user reclassification framework, the digital-access document model, and the audit-response checklist we use in live SAP reviews.
Beyond users, SAP licenses dozens of engines (packages) on their own metrics — order line items, payroll headcount, contract accounts, gigabytes of HANA memory, revenue, and more. USMM measures these automatically, but the measurement is only as good as the configuration: a metric counting the wrong table, a one-off data migration spiking a volume count, or a sandbox client included in production figures can all balloon the result. Each engine metric needs to be validated against the contract definition and the genuine business volume before it is accepted. For the mechanics of each metric, see our SAP engine metrics guide.
The S/4HANA transition adds a layer: conversions can shift you onto new metrics and new digital-access terms, and SAP frequently uses an audit as the on-ramp to a conversion conversation. Treat the two as connected — the measurement you submit becomes the baseline SAP anchors the migration deal on. Our S/4HANA migration guide covers how the 2027 ECC deadline reshapes that leverage.
No single concession produces it — the claim shrinks finding-by-finding. This is the pattern we see most often: SAP's opening measurement on the left, the defensible position after review on the right.
| Finding area | SAP's opening position | Defensible position | Driver of the reduction |
|---|---|---|---|
| Named-user types | Default / highest type on ambiguity | Reclassified to evidenced usage | Transaction-history analysis |
| Duplicate users | Counted once per system | De-duplicated to one per person | Correct LAW consolidation |
| Indirect access | Named users or broad document count | Document model, read-only excluded | Integration-by-integration review |
| Engine metrics | Raw USMM volume accepted | Validated against contract & real volume | Metric configuration correction |
| System / technical IDs | Counted as named users | Excluded per licence terms | User-type and RFC classification |
We defend the measurement and shape the migration deal as one motion — SAP uses both as leverage, so we do too.
We run a controlled process from the moment the measurement request lands, designed to keep the data clean before it ever reaches SAP. In practice that means: take control of the USMM run and the measurement window; reclassify named users against transaction evidence; de-duplicate the landscape in LAW; map every integration to determine genuine indirect-access exposure and the cheaper licensing basis; validate each engine metric against its contract definition; and only then submit a position we can defend line by line. Where SAP escalates, we manage the commercial response — and where the audit is really a migration play, we fold it into the wider SAP audit defence engagement and the negotiation that follows.
The principle behind all of it is the one that defines our firm: we represent the customer against the vendor, never both. We hold no SAP reseller agreement and take no vendor fees, which is what lets us contest a measurement rather than rationalise it. For the full licensing foundation, start with the SAP licensing guide pillar and our named-user licensing and licence optimization breakdowns; for the wider methodology, see the audit defence service and the cross-vendor vendor audit defence guide.
An SAP audit is rarely just a compliance exercise — it is the baseline for your next contract. Treated as both, with independent buyer-side defence, the 68% average reduction becomes a settlement that protects the renewal and the migration, not just the claim.
From single-system measurements to global LAW consolidations and digital-access disputes, we defend the buyer side only.
Most teams learn a metric changed when the audit letter lands. Subscribers learn the month it happens, with the buyer-side response already mapped.