Independent SAP advisory. Not an SAP partner, reseller, or affiliate.
SAP License Consulting

How SAP Detects Indirect Access

The technical and observational methods SAP uses to detect indirect access during audits. Integration discovery, document volume analysis, network analysis, and the customer defense posture that addresses each detection method.

SAPAudits Research May 18, 2026 10 minute read
Enterprise integration architect mapping SAP indirect access flows across surrounding systems on a whiteboard
In this article
  1. Indirect access detection is methodical, not opportunistic
  2. Detection method one: integration discovery
  3. Detection method two: document volume analysis
  4. Detection method three: network and transaction analysis
  5. Detection method four: customer disclosed information
  6. The customer defense posture against each method

Indirect access detection is methodical, not opportunistic

Indirect access remains one of the highest impact audit findings across the Fortune 500 SAP portfolio. The magnitude of the finding depends on detection. Customers who understand the detection methods SAP applies can assess their own exposure, address the highest probability detection paths, and approach the audit with a posture rather than a defense.

This article maps the four detection methods SAP commonly applies, the customer artifacts that each method targets, and the defense posture that addresses the method. The framework supports the broader indirect access defense covered in our indirect access expertise page and the complete audit guide.

Detection method one: integration discovery

Integration discovery is the first detection method. SAP requests an inventory of integrations that connect to SAP systems, including the surrounding application name, the integration technology, the data exchanged, and the user volume on the surrounding system. The request typically arrives early in the audit and frames the indirect access investigation.

Customers who answer the request without preparation typically disclose integrations that were not material to their license posture and create indirect access exposure during the disclosure itself. Customers who prepare a documented integration inventory before the request typically disclose accurately and avoid creating exposure. The indirect access explainer covers the integration taxonomy.

Detection method two: document volume analysis

Digital access is measured by document volume. SAP requests, or runs through the LAW measurement, the count of documents created in the SAP system from each integration source. The document count converts to a digital access license requirement under the digital access model. Customers with high integration document volumes have the highest exposure.

Defense against this method requires measuring the document volume internally before SAP measures it externally, evaluating whether the digital access conversion is appropriate, and where appropriate, contractually narrowing the document categories that count. See our digital access conversion guide and the LAW measurement guide.

Indirect access exposure is most material when SAP measures it first. The customer who measures it first, who documents the measurement, and who establishes the interpretation, typically defines the discussion that follows.

Detection method three: network and transaction analysis

SAP can analyze RFC traffic, IDoc volumes, and similar transaction patterns to identify integrations that the customer did not disclose. The analysis is technical, uses standard SAP tools, and produces a defensible finding even when the customer disagrees with the categorization.

Defense against this method requires the customer to know what its own RFC, IDoc, and similar transaction patterns reveal. The customer should run the same analysis internally, before SAP does, and prepare an interpretation that supports the customer position. Cross reference our audit data collection guide and the indirect access expertise.

Related white paper

SAP Indirect Access Guide

The complete indirect access framework. Detection methods, measurement, conversion strategy, contractual defenses, and remediation patterns from Fortune 500 engagements.

Access the paper

Detection method four: customer disclosed information

The most common detection vector is the customer itself. Marketing collateral, conference presentations, vendor case studies, and public integration architectures all disclose indirect access patterns that SAP audit teams reference during audits. Customers who have publicized an SAP integration without anticipating audit consequences typically discover the disclosure during the audit when it is too late.

Defense against this method requires a review of public disclosures before the next audit, a disclosure policy that screens future communications for audit implications, and an internal log of public references to SAP integrations. See our indirect access explainer for the disclosure taxonomy.

Key takeaway

How SAP detects indirect access in the audit cycle

The customer defense posture against each method

The customer defense posture against indirect access detection has four components matched to the four detection methods. A current integration inventory that is more complete and more accurate than the inventory SAP could reconstruct. A document volume measurement that the customer controls and references before SAP does. A transaction pattern analysis that the customer interprets in support of the customer position. A disclosure review that closes the public disclosure detection vector.

Customers who maintain all four components typically face indirect access discussions with a posture rather than a defense. The shift from defense to posture is the principal lever that converts indirect access from a high impact finding into a manageable line item. Cross reference our complete audit guide, the license consulting service, and the audit readiness guide.

SR
SAPAudits Research
Senior practitioners, sap license consulting

The SAPAudits research team includes senior advisors with combined experience supporting more than 500 enterprise SAP engagements. We do not hold any commercial relationship with SAP.

Independent SAP advisory

Facing a similar SAP situation?

Talk to a senior advisor. We respond within 24 hours. No fee, no obligation, no SAP commercial relationship.

Schedule a confidential consultation
Continue reading

Related insights

License Consulting

SAP Digital Access Conversion Strategy

The conversion decision framework and the contractual considerations.

9 minute read
License Consulting

SAP LAW Measurement

How the LAW measurement run reveals indirect access patterns.

8 minute read
License Consulting

SAP License Audit Complete Guide

The pillar that covers the full audit framework.

22 minute read