Are You Prepared for your SAP Annual Audit?

SAP have had the right to audit their customers for over 20 years but research shows a sudden rise in the amounts of requests they are seeing, from 7% of organizations receiving a request in 2009 to 19% in 2012. Like all software vendors, their main objective is to ensure their customers are compliant, but as they’re a commercial business like everyone else, they may also see a revenue opportunity (not uncommon for any vendor). Once you have received your 30 day notice (more likely to be direct from SAP than a third party) you need to start preparing for your audit. It is more common for SAP to opt for a remote audit but be prepared in case you receive an on-site visit. If you are well prepared for this audit and have kept up to date with any SAP changes within your organization, it will take roughly two weeks to gather all the relevant data that SAP require, however if you are not prepared, this process could take a minimum of four weeks.

Compliance with SAP is complicated

Customers have to provide significant entitlement validation to prove they are licensed to use SAP application bundles, these functional entitlements vary considerably depending on which bundle was purchased. Unlike desktop software, which can be easier to implement and track, SAP’s progression from the 1980s legacy through to, then Business Suite and SAP Application has changed the required entitlement proofs. It is not SAP’s responsibility to document an organization’s entitlement, which could put the customer in a compromising position.

Once you have a baseline contract in place you can add appendices for every new deal but unfortunately, these may have conflicting terms. Due to this complex contract mechanism Software Asset Managers need to utilize the resources provided, which will help manage SAP systems on a day-to-day basis when documenting the contractual differences.

Whether the products you use are SAP developed or not they will have audit and compliance provision included in the terms of use. Reviewing these regularly will keep you on top of your SAP licenses and help prepare you for the annual audit. Validate all the data before sending the information across, if you uncover any problems negotiate an extension. Re-evaluate the efficiency of internal processes and tweak where necessary, this proactive approach will ensure you have the best chance of identifying problems early. As soon as you commit to new contracts or implement new systems, confirm that audit documentation is up to date to help prepare you for the next audit. If you are found to be non-compliant, SAP are entitled to charge you for the time the audit took.

The documentation needed to cover your SAP evaluation is complex and includes;

– SAP Systems Measurement Guide
– SAP Measurement Plan
– LAW (License Administration Workbench) tool
– Contract entitlements
– Current maintenance invoices & payments
– User and package metric definitions

It is highly recommended that Software Asset Managers to download and evaluate the raw data from the LAW reporting tool into a spread sheet and report on license use. Ensuring that named users are clearly based on usage and defining the proper categories that will help you organize your system information as well as discuss any open issues with SAP to clarify your usage. If this documentation is kept up to date, gathering the data should take roughly a week.

How to prepare

To mitigate some of the risk, prioritize and follow the below practices when calculating your license inventory and validation entitlement;

Properly calculate package/engine metrics
Typical package/engine calculations carry a single metric such as revenue, budget, business partners etc. all of these license metrics must be provided to SAP, whether that’s through the LAW tool or manually. Check your bundled packages/engines to ensure that the correct metrics are measured on both old and new definitions.

Classify named user license categories
Every named user definition should have a defined category number to save confusion on reporting, therefore all negotiated named user licenses must have a complementary category ID assigned for compliance management.

Validate all category fields
The LAW tool doesn’t determine whether your ID category is correct, LAW will assign the most common user type to that ID so ensuring all categories are correct is essential for your audit.

Counting single users who have multiple IDs
It is important to identify where individuals are using multiple SAP systems but also using different IDs. A slight variation in the username means each ID will count as a unique license and you may be paying for the same person multiple times.

Potential misuse of IDs
The LAW tool states when a user is logged on more than once. Pay attention to this report as it could indicate multiple people using the same user ID which immediately puts you in a state of non-compliance, unless negotiated in the first place.

Are you prepared?

SAP may notify your organization of the upcoming self-audit 30 days before your agreed annual date, but ensure this activity is in your Software Asset Management (SAM) and SAP workload as many organizations won’t receive any notice. Preparing your organization by educating each department about the agreed usage rights and license restrictions will help lower your risk of non-compliance and by staying on top of your documentation will help minimise potential unbudgeted license costs.

Ben Eagling

Ben Eagling

Leave a Reply