Audit Prep Series: How to Prepare for an SAP Audit
Just hearing the word “audit” can send shivers down the spine. This might be because many companies are unprepared for an audit and/or not equipped to handle the work required. Knowing how an SAP audit works and learning what your organization can do to prepare will help you get started on the right foot. Here are a few tips and tricks to help you feel confident for your next SAP audit.
Why Does SAP Conduct Audits?
Within most – almost all – SAP on-premise contracts, there exists an audit clause or term that enables SAP to measure the consumption of SAP products on an annual basis. The overarching theme of these measurements is to protect the intellectual property (IP) of SAP. However, on occasion, the timing and circumstance of these measurements can seem to be more related to revenue generation. In either case, SAP has the contractual right to annually collect these measurements from each licensee. Of course, audits such as these are not unique to SAP, but are common among all major software publishers.
How does the SAP audit process work?
The first contact from SAP to kick off a measurement will be from an individual working for SAP’s Global License Auditing Service (GLAS) – not a sales executive. In fact, SAP has made it clear in recent publications that “SAP license audits are scheduled centrally and independently of the sales organization.” GLAS will provide documents that help guide you through the process of measuring each SAP system. These documents usually include a System Measurement Plan and Self-Declaration forms. GLAS may also provide list price information, timelines for the measurement, and any number of additional requests (usually around architecture diagrams – which are indicators for indirect access). All of these data points are intended to help measure every aspect of SAP consumption.
What is missing from these original requests is entitlement information, clarification of scope, and a timeline for when to expect a final report of compliance (in other words, when SAP plans to finish its analysis and officially complete the audit). Entitlement information is expected to be maintained by the licensee and therefore is not provided by SAP. Licensees are strongly encouraged to keep a summary of all entitlements granted through the SAP contract and related appendices and amendments. If there are concerns or questions about what licenses your organization owns, entitlement information will be provided with the System Measurement Report at the conclusion of a basic or enhanced audit – not before.
Although we have not seen strict, standardized criteria for how licensees are “nominated” for measurement, we have seen the following:
– Analytics criteria – SAP has used an internal BI tool that helps auditors evaluate basic information to determine a suitable candidate. This tool may look at data such as the time elapsed since the most recent audit, previous audit results, number of test users, etc.
– Proactive initiation – These licensees are usually chosen due to industry and/or merger activities. If a licensee is making huge growth claims in the media or has announced a merger, they may be targeted for a measurement.
– Reactive initiation – This category is wide open. There are many things that could result in a measurement that fall into this category. For example, SAP losing a competitive bid, converting to a new license model, lack of purchase in recent years, public posts about new integrations with SAP, etc.
– Random spot checks – This category is also wide open. Any number of situations could result in a measurement that would fall into this category. I cannot imagine SAP auditors pulling names out of a hat to decide; more likely, there is some sort of strategy behind each organization that is selected for measurement.
While we recognize SAP may very well limit the sales executives’ ability to unilaterally start an audit, the above rules of engagement do not preclude sales executives from providing compelling criteria to trigger a measurement. As the relationship manager for each licensee, SAP sales executives play a large role in measurements, and in some cases even help auditors follow up, schedule meetings, and drive measurements to closure.
Once a licensee has been selected and the audit request notice has been received, the overall process for measuring SAP products during a basic audit is relatively straightforward, with the execution of the following steps:
– Clean up USMM reports.
– Pull and import USMM reports into the LAW.
– Consolidate USMM measurement data in the LAW.
– Send measurement data from the LAW to SAP (can be optional).
– Fill out Self-Declaration forms and send to SAP.
Enhanced audits can include the basic audit steps, but usually they either come after the LAW reports have been provided or integrate the LAW reports with the initial data requests. Enhanced audits can take months and are very iterative by nature, thus requiring a custom approach from SAP auditors. For example, we have clients who have endured enhanced audits that have lasted more than 12 months.
How can you prepare for an SAP audit?
A woodsman was once asked, “What would you do if you had just five minutes to chop down a tree?” He answered, “I would spend the first two and a half minutes sharpening my ax.”*
While we may not deal with wood or axes, the principle of preparedness stands true. A sufficient amount of time and effort should be put into preparing for an SAP audit before an audit is actually initiated.
Here are a few tips on how to prepare properly:
Entitlement
Establish and understand your entitlements at a per-application level, based on details in your SAP contract and appendices covering all of the SAP purchases throughout the years. The contract analysis should include quantities, license metrics, product-specific use rights, and any use limitations. Identifying specific language that defines user types and/or other product “Use” terms is very important. A proper understanding of, and visibility into, entitlement information is required to determine a true and accurate license position.
Usage Measurement – Named Users and Engines
The first step, and likely the best use of time, is to run the USMM and License Administration Workbench (LAW) tools to measure all Production and Development systems. This step can be treated as a ‘mock’ audit to test what SAP would see if they were to audit today. Caution: DO NOT send these results to SAP via the electronic method. Some licensees are unsure if the USMM and LAW tools can be used outside of an audit. The answer is a resounding yes. We recommend licensees run these tools regularly to prepare for SAP audits. Truly, the only difference between an official SAP audit and a ‘mock’ audit is whether the results are sent to SAP.
Once the measurements have been completed and compiled into the LAW, check the Named User results with what was expected (comparing entitlement to deployment). If the numbers are too high or not what was expected, investigate where the overage or mismanagement is occurring. Here are a few areas to check in order to find users that can be removed or repaired:
– Users who have not logged on in 60, 90, 120+ days.
– Test users in Production (this is a red flag for SAP – do not allow this without justification).
– Non-Dialogue users (tech, communication, system users) with chargeable license types.
– Incorrect list prices for various systems (outdated user types being used).
– Locked users (these users are still counted by SAP).
– Default license types assigned (these users’ license types have been left blank).
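The checks in the list above can be run over a user export before each mock audit. The following is an added example, not code from the original article or from SAP: the CSV layout, its column names, and the sample rows are constructed for illustration, and the list-price check is left out because it needs contract data.

```python
import csv
import io
from datetime import date

# Constructed sample export; column names are hypothetical, not an SAP format.
SAMPLE_EXPORT = """user,system_role,user_kind,license_type,chargeable,last_logon,locked
ASMITH,PRD,dialog,Professional,yes,2024-05-20,no
BJONES,PRD,dialog,Professional,yes,2024-01-10,no
RFC_BILLING,PRD,system,Professional,yes,2024-06-01,no
TEST_USER01,PRD,dialog,Test,no,2024-03-15,no
CLEE,PRD,dialog,,yes,2024-05-30,yes
DEV_OPS,DEV,dialog,Developer,yes,2023-11-02,no
"""

INACTIVITY_THRESHOLDS = (120, 90, 60)  # days, checked largest first


def review_users(export_text, as_of):
    """Return {user: [findings]} for users matching any cleanup check."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        notes = []
        idle_days = (as_of - date.fromisoformat(row["last_logon"])).days
        for limit in INACTIVITY_THRESHOLDS:
            if idle_days >= limit:  # report only the highest bucket reached
                notes.append(f"no logon in {limit}+ days")
                break
        if row["license_type"] == "Test" and row["system_role"] == "PRD":
            notes.append("test user in production")
        if row["user_kind"] != "dialog" and row["chargeable"] == "yes":
            notes.append("non-dialog user with chargeable license type")
        if row["locked"] == "yes":
            notes.append("locked user still counted")
        if not row["license_type"].strip():
            notes.append("blank license type")
        if notes:
            findings[row["user"]] = notes
    return findings


if __name__ == "__main__":
    for user, notes in review_users(SAMPLE_EXPORT, date(2024, 6, 10)).items():
        print(f"{user}: {'; '.join(notes)}")
```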
Next, evaluate the Engine/Package measurements that are present in the LAW results. There is less opportunity for optimization in these types of measurements. This is usually a result of measurement statistics that are derived from historical usage. For example, if there is an XI/PI measurement result of 91GB from July 2018, the licensee cannot change how much data was measured from that month. Of course, the licensee could reduce usage now, but this specific measurement is based on a high-water-mark from the previous 12 months. Again, there is no opportunity to ‘optimize’ in this case.
With that covered, there are plenty of reasons to measure and compare results prior to an audit. If there are figures that seem to be incorrect or unrealistic, it is possible that an SAP note or patch needs to be applied to correctly measure a specific product. In these cases, it can take weeks or even months to apply the required/necessary fixes to the SAP systems.
Another important reason to review the Engine/Package measurements is to prepare and strategize for potential purchases. The last thing SAM teams or procurement analysts need is an out-of-budget compliance purchase. This draws the wrong type of attention and, in almost all cases, damages the relationship with the publisher.
Audit Methodology Document
The next step should be to create and/or update an Audit Methodology document. This document should define:
– Communication protocols
– Data request handling protocols
– Publisher expectations
– Data review and hand-off procedures
– Escalation criteria
– Timeline and closeout requirements.
If the licensee is using any 3rd Party SAM tools (Snow, Flexera, Aspera, Voquz, etc.), it is a good idea to run the optimization rules for Named Users and discover any additional opportunities to reduce, reuse, or right-size the user population. Our recommendation is that these processes be completed at least three (3) months prior to the audit initiation.
Indirect Access Review
Lastly, a thorough and robust review of potential indirect access should be performed. This includes identifying all 3rd Party Apps that are connecting to SAP, defining the data interaction (direction, frequency, and type), identifying the supporting business process, and knowing how many ‘front-end’ users access these systems. After a complete list of potential indirect access interfaces has been identified, each SAP contract/product should be reviewed to discover any terms that would cover the indirect access identified (sales and service order processing, for example). This is perhaps the most time- and effort-intensive step. Take note that these sorts of reviews can present results that are difficult to understand. It can also be challenging to predict how SAP will respond to them.
On a positive note, earlier this year, SAP published three documents that attempt to help clarify both the audit procedures and indirect access. These documents should be reviewed at length and incorporated into how each audit is managed and how SAP indirect access is measured and evaluated. In these documents, SAP also introduces a new pricing model to handle indirect access. This new pricing model can be advantageous to some, so we highly recommend that licensees evaluate their options to determine the most beneficial way to leverage the new model.
Things to know throughout the SAP audit process.
Licensees will benefit greatly from creating and leveraging an SAP License Audit Methodology document. In this document, licensees can rely on best practices to ensure they are driving the audit and making decisions that support their best interests. If licensees go through an audit unprepared, it is likely that SAP will drive them to unnecessary or misunderstood purchases.
Throughout the audit process, it is paramount to remember that you are in the driver’s seat.
– If the audit needs to be postponed to allow more time for cleanup, notify SAP and quickly get started cleaning up.
– If you have questions around SAP’s data requests, do not comply until answers and clarity are provided.
– If an SAP audit completion date is not provided, do not start the audit until a completion date is agreed upon.
– Clarify and qualify every communication with SAP. What are they looking for? What product is this measuring? Why are they asking for this? What will they do with this data? What type of license does this data indicate? Does SAP need all of the data or just a portion?
By creating these types of procedural protocols, SAP audits can be less stressful and can be completed in a timely fashion. Ultimately, if audits are managed correctly they can be a useful and helpful service to both the publisher and to the licensee. This is the overarching goal.
With this guide in your toolkit, you can feel confident facing an SAP audit. Remember, you are in control of the audit. Nevertheless, performing all of these steps can be overwhelming. This is where we can help. If you would like extra guidance or support, please reach out to us at anglepoint.com/schedule to schedule a time to talk with an SAP expert.
* Reference: 1956, Increasing Understanding of Public Problems and Policies: A Group Study of Four Topics in the Field of Extension Education, “Objectives and Philosophy of Public Affairs Education” by C. R. Jaccard, Start Page 12, Quote Page 12, Published by Farm Foundation, Chicago, Illinois. (Verified on paper)