SAP Audit Types
There are two types of SAP audits, called Basic and Enhanced, which pose different levels of risk, and can yield very different outcomes. Both are generated by the vendor’s Global License Audit and Compliance (GLAC) organization, which is comprised of:
The Head of Global License Audit & Compliance at SAP headquarters in Germany.
The regional License Compliance Managers (LCM) — the project managers of the audit team who handle communication between the audit team and sales, determine which customers to nominate for an audit, and close out the audit at its completion.
The Office of License Compliance, which gathers information from the client, analyzes it, and generates the final audit report.
The Basic Audit Team, located India and Ireland, handles the bulk of Basic audits, works with both the license compliance vendors and the Office of License Compliance, and reviews audit data.
Sales. Despite SAP’s claims to have separated sales from the audit process, salespeople are still heavily involved and receive commissions on revenue generated from their customers’ audits.
In every SAP contract, there’s a clause called “Audit Right” which establishes how the vendor can audit a customer. If you’re notified of an audit, this is the first thing to inspect. Specifically, look for clauses highlighted pulled from a typical SAP contract, below.
This clause states that the vendor cannot audit you more than once a year, so if you were audited at the end of a calendar year but the audit was not officially closed until the beginning of a new year, you could argue that you were already audited in the new year. It also says that the audit cannot disrupt your business and must be conducted during normal business hours. And finally, it states that you are responsible if proprietary SAP information is given to the third parties -- and this is a big red flag. This language is referring to indirect access, meaning anyone who could potentially interface with your SAP information is subject to their compliance rules.
Who Gets Nominated for an Audit?
SAP randomly nominates customers for a Basic Audit. The Enhanced Audit involves a far more robust nomination process. The first thing they look at is purchase history. Specifically, they’ll flag any customer that has not made a purchase in the last 5 or 10 years, examine those license types, and try to identify what’s been going on at the company in terms of revenue growth or number of employees during that time period. If the company has expanded, for example, and it hasn’t made a purchase, there's a good chance that there will be lots of compliance issues there.
Other events that can trigger an audit:
The sales team is having trouble closing a deal and an audit will provide pressure on the customer to update or refresh the SAP environment to achieve compliance.
The customer wants to eliminate some licensing not in use and they want to reduce their maintenance costs and/or go to a third party.
Because there are so many resources that go into an Enhanced Audit, SAP identifies and nominates those customers that will provide the biggest return on investment from an audit.
The Basic Audit
This type of audit affects about 80% of SAP's customers on an annual basis, and its findings are based on automated measurements. The Basic team looks at what a customers owns, then sends out a an audit request in the License Audit Workbench report, which is included in every SAP system and provides a snapshot of SAP deployment, enabling them to check for license discrepancies across all engines and users. Next, they take into account anything the customer self-declares, and put everything into an audit report, which includes your license amount and your usage. The report is then given to your sales representatives to rectify deficits, or to inform the customer of any surpluses.
The problem is that the customer never gets any of the audit information back and is forced to go through this huge exercise nearly every year.
Furthermore, in 2018, SAP’s compliance organization created something called Supplementary Audit Services, after discovering that there was information missing in a lot of Basic Audits. A team was created to request more information from the customer and probe more deeply into user groups, engines, indirect access, and so forth. At that point, the Basic became more like an Enhanced Audit.
The Enhanced Audit
As mentioned, the Enhanced Audit generates the most revenue, because in addition to large audit findings, it leads to sales that rectify those findings.
These begin with an e-mail from someone in the Office of License Compliance, which looks like no audit request you've received before. It contains a lengthy list of the deliverables they want and provides detailed measurements with step-by-step instructions regarding everything requested.
They're going to verify these measurements and ask for data extracts and tables. If they want to identify more users or identify where your users are, they'll ask for your user tables. They’ll also want data extracts that you’ve never provided to anyone before, because they’re looking for indirect access. This includes tables specific to sales orders and purchase orders so they can identify who's making sales orders, or if it's an automated sales process.
In addition, they'll ask you for a Business Process Visio. And before you ask yourself “Who would ever provide this type of information?” let me assure you that unwittingly, staff members in many client organizations simply provide whatever they’re asked for, in an effort to get the audit over with.
SAP requires an on-site meeting as part of the Enhanced Audit process, which often allows complete access to the customer’s entire system and a view of all their connections. SAP routinely gathers data they have no right to, because Enhance auditors are expert at breaking down barriers and gaining people's trust.
Many clients ask us if their account team or sales team can “kill” an audit. The vendor will say no, but the real answer is “in some instances”. It really depends on extenuating circumstances (e.g., a large deal is in play) and the level of the account rep and how high up in the organization they can escalate the request.
We caution any client that receives an audit request from SAP that a Basic Audit can escalate into an Enhanced Audit very quickly. To learn more about SAP audits, watch our SAP Audit Types webinar, sign up for our SAP Audit Webinar Series, or contact a member of the ClearEdge Compliance team.
Richard Wright is a ClearEdge Senior Manager on the Compliance and SAM team, a former SAP auditor, and an SAP expert at Accenture.