Closing Out an SAP Audit
Updated: Aug 27
This blog post is part of a four-part series on SAP audits. You can read part three here.
Let’s take a look at what’s involved in closing the two types of SAP Audits, and how to handle the final, agreed-upon audit results with a list of best practices.
At the end of a Basic Audit, a report will be sent from the Basic Audit Team in India to your local License Compliance Manager (LCM), whose group will review the findings and, together with your sales team, work with you to close out the audit. Because these reports are based solely on the LAW report and your Self-Declaration, they often feature a high rate of error. Maybe the LAW report didn’t capture everything accurately, or the systems were not cleaned up and show a lot of users that haven’t logged in for years. These errors provide opportunities to negotiate with SAP, and the vendor will be hard-pressed to defend them.
Recently, we have seen SAP simply send clients a bill for the areas that were found out of compliance in a Basic Audit rather than a full audit report. We advise clients to push back in these instances, and make SAP provide detailed proof of noncompliance. It is also important to get a full report from SAP because it could be very useful later, for example, as a reference point during an Enhanced Audit.
And finally, we recommend that clients insist on an Audit Closing Letter from SAP which states that the audit is officially finished. This is especially relevant in cases where you’ve gone through a Basic Audit and there were no findings; too often, the vendor doesn’t provide a report or any notification about its completion because there’s nothing to be gained.
At the conclusion of an Enhanced Audit, you will see something like the following chart:
It’s important to compare the highlighted areas to the LAW report, which you submitted to SAP and which shows your consolidated users, to see if the outcomes match. If the SAP admin sent the LAW report to the vendor without a team review, this creates a problem: the customer will see how much they’re using, but they will not necessarily know how much they’re licensed for, and won’t be able to account for any discrepancy. It’s very difficult to address these issues after the audit has been completed.
The following chart is an example of an Engine Output:
I have found that the most common mistakes happen in the Self-Declared Function (SDF) part of the audit. In the above example, the customer failed to update their MII license when they added users, so they ended up being out of compliance. I would recommend changing this metric to a more updated one, because MII has changed over the years, and customers could optimize their licenses.
In this example, the auditor is looking at cores. Notice the discrepancy between the licensed number, the SDF number, and the way the auditor reported the findings. These are areas that can be challenged. Remember, when the report is submitted to you, it is still negotiable – you can and should challenge their findings, ask for more information, and work to verify the information internally.
After you’ve gone back and forth and arrived at an agreed-upon number, it’s time for the Audit Close Out. Let’s assume there are a few areas where you need to true-up or make adjustments. The first thing I would advise is to wait for the end of a quarter (preferably SAP’s fourth quarter, ending December 31) when you have the most leverage, because the SAP account team, LCM, and audit team have quotas, and will be most eager to capture revenue at these times.
The next best practice: negotiate for discounts to be applied to the audit findings. The SAP account team will claim this is not an option, but rest assured, it is. (Remember, SAP also claims that your sales team is not involved in an audit: not true! They were involved in nominating you for an audit.)
Another tactic is to leverage any new purchases and bargain for higher discounts or reduced maintenance costs in settling the audit. In fact, we encourage clients to scrutinize maintenance costs on all future purchases, to make sure SAP honors any promised discounts.
In addition, we urge clients to request two final items at the end of an Enhanced Audit: ask, in writing, for an “Audit Holiday” of three years before they audit you again, and for an Audit Close Letter that verifies that the audit is completed. (Be prepared for SAP to negotiate down to 24 or 18 for the “holiday”.) Insist that the close out letter include the contract number(s) and audit start and close dates.
Richard Wright is a ClearEdge Senior Manager on the Compliance and SAM team, a former SAP auditor, and an SAP expert at Accenture.
This blog post was inspired by part four of the SAP Audit Webinar Series, Closing Out the Audit. You can access the full recording of this webinar below. If you are concerned that your organization’s swift move to automated software or cloud solutions has left you out of compliance with SAP’s Indirect Access rules, consider our latest service offering, the SAP Indirect Access Assessment, and contact us today.