Know Your Position Before SAP Does

SAP audit defence is not something that begins when the audit letter arrives. By that point the clock is already running, SAP controls the timeline, and the organisation is responding from a position of reaction rather than preparation. The customers who consistently achieve the best commercial outcomes in audit situations, in licence negotiations, and in transformation planning are the ones who understand their licence position before SAP raises the question.

That understanding, what we call knowing your Level of Use, is the single most important piece of preparation an organisation can do. It applies whether you are managing a stable SAP environment with no immediate transformation on the horizon, or whether you are in the early stages of planning a move to S/4HANA. The context is different. The discipline is the same.

And that discipline matters more now than it ever has, because the way SAP sees your environment has fundamentally changed.

Many organisations still think about SAP auditing the way it worked five or ten years ago: SAP sends a letter, you run a measurement, the results are reviewed, and a conversation follows. That model assumed SAP's visibility into your environment was periodic and event-driven. It no longer is.

SAP for Me, SAP's customer portal, now includes a License Utilization Information dashboard that displays your current licence consumption against your entitlements. For organisations running SAP cloud and SaaS products, including SuccessFactors, Ariba, and S/4HANA Cloud, SAP automatically takes regular snapshots of your usage. No customer-initiated measurement is required. SAP has continuous visibility into your consumption because they run the infrastructure.

For on-premise customers the measurement still requires you to run USMM and upload the results, but those results are submitted through SAP for Me and become visible to SAP's commercial teams. The License Consumption reporting within the portal aggregates daily measurement values using a maximum-value method, meaning the highest usage recorded is what counts against your entitlements.

The implication is significant. For organisations on cloud or RISE contracts, SAP no longer needs to wait for an annual measurement or a formal audit to understand your usage patterns. They already have the data. They can see where you are under-consuming, where you are over-consuming, and where your usage profile does not align with what was contracted. The traditional approach of cleaning up your environment before an audit still has value, but it is far less effective when SAP already has months or years of usage data captured automatically.

This means that maintaining your users, security authorisations, and licence assignments needs to become a continuous discipline rather than an annual or reactive exercise. The organisation that treats licence hygiene as something that happens before an audit is operating on assumptions that no longer reflect how SAP monitors and commercialises your environment.

SAP licensing is complex by design. User classifications, indirect access provisions, digital access metrics, engine licences, and package entitlements interact with each other in ways that are not intuitive and not well understood by most internal teams. The people responsible for managing the SAP environment day to day are typically focused on keeping it running, not on monitoring whether the organisation's actual usage aligns with what was licensed.

Over time, access drifts. Users are provisioned with broader permissions than they need. People move roles within the organisation but their SAP access is not reclassified to match. Integrations with third-party systems are added without anyone assessing the indirect access implications. The result is a licence position that looks significantly different from what the organisation actually contracted for, and that gap usually runs in SAP's favour.

In a world where SAP now has continuous or near-continuous visibility into that drift through SAP for Me, the gap is not something you discover at audit time. It is something SAP can see building in real time. That fundamentally changes the urgency of understanding and managing your position proactively.

For organisations running a mature SAP environment without an immediate transformation project, the priority is establishing audit readiness as a continuous discipline rather than a reactive exercise. SAP can issue an audit notice with as little as 30 days notice under most agreements. An organisation that waits until the letter arrives faces two compounding problems: compressed timelines that prevent thorough analysis, and a reactive posture in a conversation where SAP already has the data.

A self-audit is the starting point. This means running your own measurement internally, reviewing user classifications against actual usage, identifying dormant accounts, and reconciling your entitlements against your contracts before SAP does any of this for you. The critical point is that this analysis should never be submitted to SAP without independent review. Every data point you share with SAP becomes the formal basis for their compliance assessment. Handing over raw measurement data without first cleaning and reclassifying locks you into an inflated baseline that is extremely difficult to walk back.

Named user misclassification is consistently the single largest source of audit exposure. Users provisioned as Professional who are actually performing Limited Professional, Employee Self-Service, or Developer activities are routinely over-classified, and the commercial difference between the user types is substantial. A structured reclassification exercise before any engagement with SAP removes this exposure and turns what would have been a compliance finding into a non-issue.

It is also worth understanding that SAP's audit findings, when they arrive, are presented with an authority that implies they are definitive. They are not. They are interpretations based on measurement data, and they are challengeable on technical, contractual, and procedural grounds. Organisations that engage with SAP's findings as a starting point for discussion rather than a final position consistently achieve significantly better outcomes.

When a major upgrade or transformation is on the horizon, the case for understanding your licence position early becomes even more pressing. SAP increasingly uses the transformation process itself as an opportunity to establish a conversion baseline: a documented statement of your current on-premise licence position that SAP then uses to price your cloud migration, your RISE contract, or your S/4HANA licensing arrangement.

If SAP sets that baseline without challenge, the organisation typically overpays. The baseline reflects SAP's measurement and SAP's interpretation of the data, which will always produce the widest possible reading of what the organisation owes. By conducting your own self-audit before engaging with SAP on the transformation, you establish an independent view of your actual position. That independent view becomes your foundation for every commercial conversation that follows.

This is also the point at which the existing environment needs careful attention. The fact that you are planning a transformation does not pause your current licensing obligations. Your existing environment needs to remain appropriately licensed throughout the transition period, and any compliance gaps that exist in the current state will be visible to SAP during the transformation engagement, particularly now that SAP for Me gives their commercial teams a clearer picture of your usage history. Identifying and resolving those gaps before the conversation starts removes a significant piece of leverage from the vendor and gives your team time to consider optimisation options or alternative approaches without the pressure of a compliance finding hanging over the negotiation.

Customers who self-audit before approaching the market find themselves in a fundamentally stronger position. They understand their requirements clearly. They can define what they actually need from a licensing perspective rather than accepting what SAP or a partner proposes. And they enter the negotiation with a clean, defensible position that leaves no room for SAP to anchor the conversation around compliance exposure.

For organisations transitioning to or already operating on a RISE with SAP subscription, the Full User Equivalent model introduces a different set of risks that require specific attention. FUE is not a simple user count. It is a weighted metric that converts different user types into a single number, and the weighting is heavily skewed toward higher-classification users. An Advanced user consumes significantly more FUE capacity than a Self-Service user, which means even a small number of misclassified users can dominate your total FUE position and inflate your subscription cost.

Under RISE contracts, FUE consumption is measured monthly and the highest monthly count during your contract period can become the billing baseline at true-up. This is not an annual audit. It is a running meter, and SAP for Me gives both you and SAP visibility into that meter on an ongoing basis. Without continuous governance of your FUE position, the organisation can accumulate exposure month by month without realising it until the true-up conversation arrives.

This is where access governance becomes directly relevant to commercial outcomes. Organisations that have granted access in excess of what users actually need, through lack of GRC controls, role creep, or historical provisioning practices, will see that excess reflected directly in their FUE count. Every unnecessary authorisation that classifies a user into a higher FUE tier is a cost the organisation is carrying without receiving any corresponding value.

Solutions like CERPASS provide the visibility and simulation capability needed to address this efficiently. FUE assessment tools can map your current access landscape against the FUE classification model, identify where authorisation objects are driving users into higher tiers than their actual activity warrants, and simulate the impact of changes before they are applied in production. This allows the team to progress reclassification work systematically rather than through the kind of manual, consultant-intensive process that many organisations default to. The cost savings from optimising your FUE position before the contract measurement can be substantial, and they are realised before the transformation project even begins.

One dynamic that catches many organisations off guard is what the market refers to as a soft audit. This is a consultative or relationship-led review, often positioned as an advisory conversation, a health check, or a transformation readiness assessment, that does not carry the formal structure of a contractual audit but still produces findings that SAP's commercial team can use. The tone is collaborative. The intent is information gathering. And the outcome is a set of data points that SAP can reference in future commercial discussions.

With SAP for Me now providing SAP's teams with a more detailed and continuous view of customer usage, the soft audit becomes even more potent. SAP may already have a view of your consumption patterns before the conversation begins. The health check is as much about confirming what they already suspect as it is about discovering something new.

Organisations should approach any SAP-initiated review of their licensing position, regardless of how it is labelled, with the same level of preparation and caution as a formal audit. If you would not hand over raw measurement data in a formal audit without independent review, you should not hand it over in a soft audit either. The commercial implications are the same.

Whether you are managing a stable environment, preparing for a transformation, or already operating on a RISE subscription, the principle is the same: know your position before SAP does. In a world where SAP's visibility into your environment is increasingly continuous rather than periodic, that principle has moved from good practice to urgent necessity.

Self-auditing is not about creating an adversarial relationship with SAP. It is about ensuring that when the commercial conversation happens, and it will happen, your organisation is leading it from a position of clarity rather than responding from a position of uncertainty. The difference between the two is not marginal. It determines the commercial terms, the flexibility provisions, and the cost trajectory of your SAP relationship for years to come.

If you want to understand where your organisation actually stands before the next conversation with SAP, that is exactly the work we do.

Precipio provides independent SAP licence assessment, audit defence, and negotiation support. We help organisations understand their true licence position and engage SAP from a place of preparation rather than reaction.

SAP licence advisory and negotiation