SAP Audits During COVID-19 – Your Company Should be Prepared

Following the very negative customer sentiment toward SAP over Indirect and Digital Access in 2018, SAP kept a relatively low profile on audits in 2019.  Toward the end of 2019, however, SAP started giving some clients a heads-up, letting them know that audits were coming.  2020 has already been a significantly heavy audit year in Q1 alone, and I would anticipate SAP’s efforts in this area will continue.

With extremely poor Q1 results where software license revenue was down 31% (YoY) and many S/4HANA projects postponed due to COVID-19, SAP will have to delicately leverage audits as a means by which to drive additional software license revenue.  While audits may seem unlikely during COVID-19 with SAP’s audit team acting separately from your account teams, they are coming.

Companies often overlook high risk items and opportunities to proactively mitigate risk and exposure.

Yes, SAP Will Continue to Audit Customers

With many companies likely requesting relief from SAP’s software maintenance and subscriptions, they may find it hard to believe SAP would position an audit.  However, with an obligation to protect their intellectual property and march toward their objectives to Wall Street, SAP will still audit customers despite COVID-19.  The difficulty for SAP in the context of their past behaviors will be meeting their internal obligations while not looking predatory to their customers, given past sentiment.

  • Compliance Will Act Separately from Account Teams

Those who have been through SAP audits before know that the requests do not come from your friendly account team, but instead from the Global License Audit team.  With an obligation to protect their intellectual property and ensure adequate compensation for their software, this separate SAP entity will position an obligation to regularly measure your SAP systems under your contract.  They can do this with a straight face because they are not the team that you have developed your partnership with, but rather a team that almost seems outside of SAP.  As a result, requests to the account team to postpone audits will likely be submitted to the audit team, which will likely deny them.

  • SAP Will Provide Flexibility to its Advantage

As part of audits, SAP will provide flexibility, and of course, it will be to their advantage.  More specifically, I anticipate that in the event exposure is uncovered as part of an audit, SAP may allow for strategic solutions to substitute those exposures.  One example would be for a company to invest in Qualtrics instead of legacy ECC as a means for SAP to show additional commitments to strategic solutions despite COVID-19.  In addition, I also anticipate SAP will allow deferred payments for audit exposure to provide customers temporary relief, which would also be a means for SAP to beef up their backlog revenue for future quarters and show a strong comeback to the market.

High-Risk Items to Monitor in Preparation for a Potential Audit

While I consistently see audit costs from companies who do not proactively monitor their users and engine licenses on an ongoing basis, below are some high-risk items to manage in preparation for a potential audit:

  • Repackaged Solutions — Many customers who are leveraging older software applications which have been repackaged may see some additional focus from SAP. The hyper-focus on repackaged software applications is because customers typically do not have price protections on these older solutions and SAP can position a requirement to move to the repackaged solution during an audit.  For example, if you are still on Hybris (and especially on Hybris legacy) and have not moved to C/4HANA, I would anticipate SAP will include Hybris requests in the audit to move you to C/4HANA – even if it’s just a paper exercise.
  • HANA Database — Many companies do not think about their databases when it comes time for an audit, because database pricing was previously just a percentage of your Software Application Value (e.g., Oracle, IBM DB2, etc.). With HANA it is different: HANA Runtime has very clear limitations, and if you violate those limitations, SAP can compel you to move to HANA Enterprise Edition even if it’s unplanned.  If you already have HANA Enterprise Edition, you likely do not know how much you are using, and SAP will ask you to run a tool to determine GB utilization.  Even worse, HANA database is non-discountable.
  • Indirect and Digital Access — Not a surprise to many, Indirect and Digital Access are also high-risk items to manage with SAP. While it may not be obvious to the technical team responding to an audit, SAP has previously woven Indirect and Digital Access questions into audits without notice.  In answering them, the technical team unknowingly opens up the kimono to SAP, allowing SAP to position Indirect and Digital Access licensing fees.

Companies Do Not Need to be Audited to be at Risk

While many customers only put their guards up when SAP is in audit mode, it does not take an audit for SAP to position compliance gaps.  While working with SAP to refine requirements for a strategic program, or obtaining a proposal in support of a board package, customers have provided unfettered visibility into their current and intended landscapes.  All throughout a customer’s organization, SAP is having discussions and gaining visibility, from the executive level to the technical level.

While customers do not view SAP’s visibility outside of an audit to be particularly risky, this has been an opportunity for them to position their products over competing solutions and to position compliance gaps.  For example, I have seen SAP position their solutions as a means by which to avoid Indirect/Digital Access fees.  In addition, I have seen SAP position compliance gaps as a result of your intended landscapes.

SAP Customers Can Mitigate Risk and Exposure

So, what can you do to mitigate risk and exposure?  SAP customers can mitigate their exposure through self-assessment and by planning projects or programs independently of SAP.

  • Conduct Self-Assessment of Compliance Risk

In preparation for SAP audits, undertake a self-assessment of compliance risk in advance of receiving SAP’s audit notification.  The assessment should cover not only utilization of users and engines, to understand traditional compliance positions, but also Indirect and Digital Access requirements.  Based on the findings of these assessments, customers can proactively budget and address these risks or exposures with SAP as part of strategic purchase events, when customer leverage is at its peak.

  • Independence of SAP During Project Planning and Costing

Beyond self-assessments, we do see risk in working with SAP to refine requirements as part of strategic programs.  While we certainly think engaging SAP is appropriate, the level of transparency you provide to them must be tailored to mitigate inadvertent disclosures, and a communication directive must be given from the top down.  In lieu of providing SAP with transparency into your requirements, work with a System Integrator to determine your licensing requirements and a capable third party to determine the costs of your program.

While audits may seem unlikely during COVID-19, SAP customers should expect the unexpected and take the opportunity to get prepared and proactively mitigate risk and exposure.  In terms of approach, I would expect SAP to take a more delicate approach to manage perception, including a friendly heads-up, complete separation of the SAP account team, and providing a slightly more flexible audit team.  However, I would also expect the audit team to broaden scope compared to past audits, be aggressive on the depth of their requests, and to position all exposures.
