SAP Is Checking Your Audit Results – Are You Prepared?

Guido Schneider

The times when SAP would just accept audit results seem to be over. And there’s more: The data you need isn’t as simple as it used to be.

Of course customers audit their systems with tools supplied by SAP (see SAP’s Terms and Conditions). 

SAP can also remotely audit the systems if customers refuse to do so. However, SAP usually doesn’t make use of these remote audit privileges. Instead, it asks its customers to supply additional data.

More data, please

SAP will send not only the measurement plan that usually accompanies an audit request, but also a document “Measurement Deliverables for SAP Software License Audit”. Step by step, this document explains what customers need to do and what data they need to deliver. You could call this an advanced audit.

This document also details when customers have to deliver the data and where to upload them to SAP. Customers should also adapt the measurement plan according to their specifications. To comply with this request is highly recommendable since SAP will use the adapted plan for the audit.

The advanced audit comprises the old standard (License Audit Workbench Report), according to which all Abap-based SAP systems in production and development need to be audited. This means that customers should make use of the tools supplied by SAP like USMM, LAW, and LMBI. If you’re using database Hana, you need to audit it in compliance with the “SAP Hana Database, User’s Guide to Measurement”.

Some engines are licensed for cores. Previously, customers were asked to indicate these in the self-declaration form. Now, customers need to evaluate the number of cores according to SAP’s specifications (Processor Core Worksheet). 

This task needs to be taken seriously because, for example, cluster installations on virtual servers can mean more cores than expected. Engines that cannot be audited in this way still need to be indicated in the self-declaration form.

More than an audit

System data extract is where it becomes really advanced. Regarding development systems, SAP wants to know who has the S_Develop rights, among other things. It’s not about code customizations anymore, but about rights. In productive environments, SAP goes several steps further. Here’s a selection of tables and reports that customers have to deliver data from: UST12, USRBF2, AGR_PROF, AGR_TEXTS, AGR_1251, USR11, SM37, WE21.

If you combine all of these, SAP is requiring customers to bare all: Rights, use, interfaces, IDocs as well as a jobs overview and all repository objects not created by SAP. This is so much more than a simple audit. It evokes the impression that SAP is either not trusting its own audit tools anymore or that the results the tools deliver are not enough anymore. This advanced audit could soon become the new normal.

Leverage the advanced audit blueprint

My recommendation has been to use SAP’s classification guide before sending the audit results to SAP. 

However, SAP is now digging deeper, not trusting customers with user classification anymore, among other things. This is why I now implore you to check all your results before sending them. 

How? Well, SAP itself has already delivered a great blueprint with its guidelines for advanced audits. Use it to be prepared for your next SAP audit.

Looking for pre-audit assistance? Please do drop me a line, I’d be happy to discuss further.

SLC365 was founded to deliver to businesses a complete SAP licensing solution. Guido Schneider, Founder and CEO, is a renowned independent SAP licensing authority whose reputation has been built around his extensive experience in the field having helped over 150 major international clients achieve compliance in their software licensing.

Leave a Reply

Your email address will not be published. Required fields are marked *