SAP Indirect Access: Top 3 Ticking Timebombs

Cloud services and automated digital solutions are fast changing the way we conduct business. To stay agile, companies increasingly rely upon third-party RPA technology, bots, artificial intelligence, and machine-driven processes to interact with each other. In just a few years, third-party applications like CRM, which interacts with data platforms such as ERP systems, have become popular among enterprises everywhere. From banking to retail to travel to human resource services – companies are enjoying unprecedented access – often indirectly -- to products and services never before available.

Although this digital interaction often delivers speed and operational efficiencies, it also leaves organizations vulnerable to compliance issues. The new solutions require third-party application integration, but contract language has not kept pace and leaves much unclear about how to properly license indirect access. Compliance violations can quickly snowball in organizations that lack a well-defined process to monitor and limit indirect access of their solutions.

Indirect access (also known as multiplexing) occurs when a system is accessed or queried through a third-party application, interface, gateway, middleware, or automated process (i.e., bot/RPA). In situations like these, a single user account in a system could actually represent thousands of unseen users that require licenses. This type of event can cost millions of dollars in audit fees.

The most aggressive publisher regarding indirect access is, hands down, SAP, which has developed a robust auditing practice to drive revenue from noncompliance findings surrounding this issue. Below, we’ve summarized the top three risks to SAP customers.

SAP Indirect Access Risk #1: Order to Cash

When customers have multiple sales channels for customer order entry, it drastically increases the chances that indirect access can occur. Different channels that commonly access SAP’s platform, thus triggering indirect access, include Electronic Data Interchanges (EDI), call center orders, and third-party application ordering systems. As orders are placed by customers via the internet, phone, email, or fax, invoices and order confirmations are typically required to be produced for such orders.

SAP is the main system that produces these orders, so third-party applications, call centers, or EDI transactions must interact with SAP to fulfill the final invoices or order confirmations. It does not matter if the SAP interaction is from a person or an automated system: any interaction with SAP needs to be licensed. Individuals entering orders into SAP need to have a Named User License.

Individuals utilizing third-party applications and EDI trading channels activate and execute the processing capabilities of the SAP software by entering and approving sales orders into other software that updates values stored and calculated by SAP. These users are not typically licensed by organizations, as they do not directly interact with SAP’s software, but SAP’s licensing rules require that each of these users is licensed, given their ability to interact with the platform. This means licensing the thousands of users that could potentially utilize the solution or accrue millions in compliance fees.

SAP Indirect Access Risk #2: Procure to Pay

When organizations need to pay outside vendors for product or services, they often have to interact with SAP’s platform to fulfill a procurement order. The process of procure to pay (P2P) is similar to the order to cash process, but this time the customer is paying another entity instead of receiving payment from such entity.

Payment orders are usually processed by EDIs or third-party applications/partners. Again, these scenarios lead to indirect use of SAP’s platform, which requires licensing. Organizations using EDI’s or third- party applications typically do not have an end user that is an SAP Named User, and this can lead to compliance violations.

SAP Indirect Access Risk #3: Human Resources and Payroll

Like the previous risk, Human Capital Management systems that control payroll information, such as Workday or ADP, need to create journal entries that are submitted to finance. To complete the financial reporting of HCM costs and allocations, organizations typically need to use a file that is provided to the SAP financial users. As these files are processed directly in SAP, licensing is required to cover this interaction. In most cases, finance enters this information into SAP and would be covered by their SAP user licenses. However, if a process is set up in an automated (RPA) or where the third-party application like Workday or ADP is passing through SAP’s system, it poses the risk of indirect access exposure and requires SAP licensing.

How to Safeguard Your Organization

Because contract language does not adequately cover the automations and integrations that occur today, there is much ambiguity and confusion about how to properly license indirect access, which can cost customers millions of dollars in unforeseen audit findings. To help protect clients from these predatory audit practices, ClearEdge recommends they establish a strong SAM process to optimize indirect access licensing. Specifically, we urge clients to pro-actively identify compliance gaps and prevent financial exposure by conducting mock audits.

Because many of our clients lack the resources or expertise required for these practices, ClearEdge has assembled a team of experienced licensing specialists and former software auditors to augment their in-house SAM programs and guard against audit risk. The newly-created Indirect Access Assessment team provides the following deliverables:

  • Identifies total licenses required under the supplier’s indirect access licensing model and associated cost estimates.

  • Provides recommendations and a roadmap for changing license models, improving supplier license management and/or addressing any license compliance areas.

  • Delivers indirect access assessment services remotely by deploying a team of experienced professionals to work directly with the clients on software licensing and purchasing engagements.

To learn more about ClearEdge’s Indirect Access Assessment Services, visit this page on our website or contact your ClearEdge representative.

- ClearEdge’s Director of SAM Services Richard Wright contributed to this article.