How to Respond to an SAP Audit Notification

The first 14 days

An SAP audit notification arrives by formal letter to the customer of record. The letter typically requests acknowledgement within 14 days, names an audit lead at SAP, and includes a generic data request list. Most customers respond to the letter directly. That is the first mistake.

The first 14 days are the most important phase of the entire audit. The response that the customer files inside this window defines the perceived scope, the perceived posture, and the cooperation tempo for the remainder of the engagement. Customers who respond procedurally produce procedural audits. Customers who respond strategically produce strategic audits. The framework that sits behind this article is in our SAP license audit complete guide and our audit defense expertise page.

Acknowledge without conceding

The acknowledgement letter is a contractual moment. It confirms receipt and confirms that the customer will participate in the audit, but it should not concede scope, timeline, or methodology beyond what the contract requires. Customers who acknowledge with language such as "we will fully cooperate with all SAP requests" have already conceded scope before scope has been defined. Customers who acknowledge with language such as "we acknowledge the notification and will engage on the basis of the contractual audit clause" preserve every contractual position.

The language matters because SAP will refer back to it during scope disputes. Each conceded phrase becomes a contractual data point against the customer position. Our audit rights contractual analysis goes through the specific phrases that should and should not appear in the acknowledgement, with reference to the standard SAP audit clause.

Identify the audit lead

The audit notification typically names an SAP audit lead and an SAP delivery partner. The customer should not engage with the SAP delivery partner directly until the customer has identified its own audit lead. The customer audit lead carries three responsibilities. Single point of contact with SAP, internal coordination across IT and procurement and legal, and authority to make audit related decisions on behalf of the company.

Most Fortune 500 customers appoint a senior IT executive as the audit lead, supported by a procurement counterpart and a legal counterpart. The audit lead does not need to be a license expert. The audit lead needs to be senior enough to make decisions and disciplined enough to route all SAP communication through one channel. Our audit team composition guide explains the role allocation in detail.

The audit lead who answers SAP email directly without routing through the internal review process produces inconsistent positions across the audit, and those inconsistencies become material findings in the SAP report.

Confirm scope before agreeing to scope

The notification letter typically lists a scope that exceeds what the contract permits. The list includes products that are not on the contract, time periods that exceed the contractual retention, and measurement methodologies that are not contractually defined. The customer should not agree to this scope without a written scope confirmation that aligns the audit with the contractual audit clause.

The scope confirmation letter responds to the SAP notification with three points. The contractual products that are in scope, the contractual time period for measurement, and the methodology that the contract requires. Each point references the specific clause that governs it. Customers who file a scope confirmation typically reduce audit scope by 20 to 40 percent before measurement starts. The detail is in our scope confirmation playbook.

Mobilize internal stakeholders

The internal mobilization happens in parallel with the SAP response. The customer assembles the audit team, briefs the executive sponsor, engages outside counsel, and engages independent advisory. The mobilization runs on a 7 day clock from the notification date.

The executive sponsor is typically the CIO or CFO. The audit team includes the audit lead, the SAP basis lead, the procurement lead, the legal lead, the security lead where indirect access is in scope, and the finance lead where settlement budget is required. The advisory team includes the independent license advisor and outside counsel. Most Fortune 500 customers engage independent advisory inside the first 14 days. The role of the advisor is to provide audit defense experience that the internal team typically does not have because audits are rare events. Cross reference our license consulting service and the internal mobilization guide.

Set the cooperation tempo

The cooperation tempo is the rhythm at which the customer responds to SAP requests during the audit. The contract typically obligates reasonable cooperation. Reasonable does not mean immediate. Customers who respond to SAP requests within hours train SAP to expect that tempo. Customers who respond on a 5 to 10 business day cycle train SAP to a tempo that the customer can sustain without burning out the internal team and without filing rushed responses that produce future audit findings.

The tempo also creates space for internal review. Every response that goes to SAP should pass through the audit lead, the legal lead where contractual interpretation is involved, and the independent advisor where measurement methodology is involved. The detail is in our audit data collection guide and our evidence pack guide.

Document everything from day one

The audit defense rests on documentation. Every SAP request, every customer response, every SAP statement, every meeting agenda and meeting notes, every data extract that the customer provides, and every position taken by either side should be recorded in an audit log. The audit log becomes evidence in dispute resolution and in settlement negotiation. Customers who do not maintain an audit log are unable to refute SAP positions that contradict statements SAP made earlier in the engagement.

The audit log lives with the audit lead and is updated within 24 hours of every audit related event. The format is simple. Date, event, source, summary, decision, owner. The discipline is the point. Our audit documentation guide includes the template that our Fortune 500 engagements use.

What the response sets in motion

The response posture established in the first 14 days shapes everything that follows. Scope. Tempo. Posture. Documentation discipline. Each of these compound across the multi month audit cycle. Customers who establish a strong posture early routinely settle for less than half what comparable customers settle for under a weak posture, even when the underlying license exposure is similar.

The next phase after the response is the data exchange. The data the customer hands to SAP determines what SAP can measure and what SAP cannot. Cross reference our audit timeline article for the full sequence of audit phases, our SAP LAW measurement explainer for the measurement methodology, and the audit defense service for the supporting engagement model.