- SAP's Standard Audit Clause: What It Actually Says
- Scope Limitations in SAP's Audit Rights
- Indirect Access Audit Rights: The Contested Territory
- Procedural Requirements SAP Must Meet
- Your Rights During a SAP Audit
- Indirect Access vs Digital Access: The Framework Difference
- Negotiating Improved Audit Clause Protections
SAP's Standard Audit Clause: What It Actually Says
SAP's standard Software License and Support Agreement (SLSA) includes an audit provision — typically in the section entitled "Licence Compliance" or "Verification Rights" — that grants SAP the right to audit the licensee's use of the licensed software. The standard language includes several components that are individually significant.
The Notice Requirement
SAP's standard audit clause requires SAP to provide advance written notice before conducting an audit — typically 30 days, though some older agreements specify different periods. This notice requirement is not merely administrative: SAP's failure to provide adequate notice as specified in the contract gives you grounds to require that SAP restart the audit process with proper notice before you have any obligation to cooperate. In practice, SAP sometimes initiates data requests informally before providing formal notice — you are not obliged to respond to informal requests as if they were formal audit notifications.
The "Reasonable" Access Standard
SAP's audit clause typically grants SAP "reasonable access" to records necessary to verify licence compliance. The word "reasonable" is doing significant work here. SAP's requests for comprehensive system landscape data, detailed integration mapping, and information about third-party systems that interact with your SAP environment often go beyond what is "reasonable" for the purpose of verifying named user counts and product deployments. Requiring SAP to justify each data request against the reasonableness standard is a legitimate and effective scope-limiting strategy.
The Confidentiality Obligation
SAP's audit clause typically includes a confidentiality provision requiring SAP to treat all information provided during the audit as confidential and to use it only for audit purposes. This provision is your contractual basis for requiring SAP to sign a specific audit confidentiality undertaking before data collection begins — ensuring that your infrastructure architecture, integration patterns, and commercial data cannot be used by SAP's sales teams as intelligence for upsell conversations.
SAP's audit rights clause is often the least-negotiated section of the initial licence agreement — and the most commercially significant when an audit occurs. At every SAP renewal, review and improve the audit clause protections. Changes that are costly to win in an active audit cost nothing to negotiate at renewal time.
Scope Limitations in SAP's Audit Rights
SAP's audit rights under a standard SLSA are limited to verifying that your use of the licensed software — specifically the SAP products named in the licence agreement — is within the scope of the granted licence rights. This creates several important limitations.
Products In Scope Are Defined by Your Licence Agreement
SAP's audit right covers the specific products listed in your SAP licence agreement — not SAP's entire software portfolio. SAP cannot audit your use of SAP products that are not named in the agreement under which audit rights are being exercised. If SAP attempts to extend an audit triggered by a named-user review of SAP ECC to include SAP BTP, SAP Ariba, or other products acquired under separate agreements, you can require SAP to identify the specific contractual basis for including those products.
The Audit Covers Named Legal Entities
Your SAP licence agreement names specific legal entities as licensees. SAP's audit right under that agreement covers those entities — not your entire corporate group. Where SAP attempts to extend an audit to subsidiaries, affiliates, or recently acquired entities not named in the licence agreement, you can require SAP to identify the contractual basis for including those entities. Subsidiaries acquired after the licence agreement was signed are frequently not covered by the original audit right without an explicit extension.
Historical Period Limitations
Most SAP licence agreements include provisions that limit SAP's ability to audit historic periods — typically to a period of 2-3 years preceding the audit notification. SAP sometimes claims compliance exposure going back to the original deployment of a product, which may be 10+ years. Identifying and enforcing the temporal limitations in your agreement is essential for containing the potential financial exposure of SAP's audit claims.
Indirect Access Audit Rights: The Contested Territory
SAP's indirect access audit rights are the most commercially significant and the most legally contested aspect of SAP's audit programme. Indirect access refers to access to SAP data or functionality by third-party systems (whether through RFC connections, APIs, BAPIs, or integration middleware) without those systems being licensed as named users of the relevant SAP product.
What Older SAP Contracts Say About Indirect Access
SAP licence agreements signed before approximately 2015 typically do not contain explicit provisions addressing indirect access as a separately licensable use. The original SAP licence model was built around named users directly operating SAP software — it did not contemplate, or explicitly licence, the access patterns that now exist in complex enterprise architectures where dozens of SaaS applications integrate with SAP via APIs.
SAP's indirect access audit claims against customers with older contracts are therefore based on SAP's interpretation that indirect system access triggers named-user licence obligations under the existing contract — a position that courts have not consistently supported. The UK High Court's 2017 Diageo v SAP ruling found that SAP had not proven its interpretation of indirect access licensing was correct under the relevant contract, and other legal proceedings have produced mixed outcomes. The legal uncertainty around indirect access claims under older contracts is a significant basis for challenging SAP's audit findings.
What Newer SAP Contracts Say
SAP introduced the Digital Access model from 2018 onwards, providing a document-based licensing metric for indirect access (rather than per-named-user). Contracts signed or significantly amended since 2018 may include specific digital access provisions. If your contract includes digital access terms, SAP has a clearer contractual basis for auditing this area — though the methodology for counting documents and the scope of what triggers a document-based licence obligation are still contested in many engagements.
SAP's indirect access audit claims in our engagements have ranged from £2M to £85M in initial claim value. Reductions achieved through contractual analysis and technical challenge have averaged 61% — with the largest reductions coming from contracts where SAP's indirect access audit right was not clearly established in the agreement language.
Procedural Requirements SAP Must Meet
Beyond the substantive scope of SAP's audit rights, SAP's licence agreement typically specifies procedural requirements that SAP must follow when conducting an audit. Enforcing these procedural requirements is a legitimate and effective strategy for managing the audit process and limiting SAP's ability to conduct an unconstrained investigation.
Qualified Auditor Requirement
Most SAP agreements require that any audit be conducted by SAP directly or by an independent, qualified auditor agreed by the parties. SAP's internal audit team — the Global Licence Audit team — satisfies the "SAP directly" requirement. However, requests for SAP to use a specific third-party auditing firm without your agreement may exceed what the contract requires. Requiring that the auditor's qualifications and independence be established before the audit begins is a legitimate procedural request.
Audit Frequency Limitations
SAP's standard clause typically limits audit frequency to once per 12-month period, absent specific cause. SAP sometimes conducts follow-up audits or re-audits shortly after a prior audit settlement. Identifying and enforcing the frequency limitations in your agreement prevents SAP from treating audit resolution as an ongoing iterative process that perpetually generates commercial pressure.
Data Handling Requirements
SAP's audit clause confidentiality provisions should be supplemented by a specific data handling agreement before any data is provided. This should specify: what data will be collected, how it will be stored, who will have access to it within SAP's organisation, and how it will be destroyed after the audit is concluded. The risk that audit data is used for purposes beyond the stated audit — particularly commercial intelligence for SAP's account team — is real and documented.
Your Rights During a SAP Audit: The Comparison
Within the scope of SAP's audit rights:
- Named user counts for licensed SAP products in scope
- SAP LAW (Licence Administration Workbench) output reports
- User type classifications for licensed systems
- Product version and deployment configuration for licensed products
- Access as required by the contractual audit provision
Outside the scope of SAP's audit rights:
- Data on products not named in the relevant licence agreement
- Information about non-SAP systems (absent clear contractual basis)
- Detailed integration architecture documentation beyond scope
- Data about entities not named in the licence agreement
- Compliance data for periods beyond the agreement's temporal scope
Indirect Access vs Digital Access: The Framework Difference
SAP's shift from indirect access to digital access licensing represents one of the most significant changes in enterprise software licensing in the past decade. Understanding which framework applies to your situation determines both the audit risk you face and the options available for resolution.
Indirect Access (Pre-2018 Framework)
Under the legacy framework, SAP's position is that any third-party system that accesses SAP data — even without a human user logging into SAP — triggers a named-user licence requirement for that system's access. This position is commercially aggressive and legally contested. The count of "indirect users" in a large enterprise with many third-party integrations can quickly exceed the count of direct named users — sometimes by multiples. SAP uses this framework in audits against customers with older contracts where digital access terms have not been introduced.
Digital Access (Post-2018 Framework)
SAP's digital access model, introduced with S/4HANA and available for earlier systems, licenses indirect access through document-based metrics, counting the number of documents (sales orders, purchase orders, delivery notes, etc.) created or changed through third-party integrations. This is commercially preferable to per-user counting for most enterprises, but it introduces its own complexity: the document counting methodology, the question of which document types are in scope, and the cumulative cost of document-based licensing for high-volume operations can all produce significant licence obligations.
See the SAP Digital Access Licensing Guide and the dedicated SAP Indirect Access Audit Defence article for detailed analysis of both frameworks.
Negotiating Improved Audit Clause Protections at Renewal
Every SAP contract renewal is an opportunity to improve the audit provisions in your agreement. SAP's account team will not volunteer these improvements — but most are negotiable, particularly at renewal where SAP has commercial incentive to maintain the relationship. Key improvements to seek include:
Explicit indirect access scope definition: If your contract lacks clear indirect access provisions, negotiate an explicit definition that limits SAP's indirect access audit rights to specific, defined integration scenarios rather than any third-party system interaction with SAP data.
Extended notice period: Negotiate a minimum 45-60 day notice period before audit commencement, giving you adequate time to complete your internal licence review and engage specialist advice before the audit formally begins.
Methodology specification: Where possible, specify in the contract how licence counts will be calculated — particularly user type classifications and indirect access counting methodology. Contractually specified methodology prevents SAP from applying a more aggressive methodology in an audit than you agreed to at contract signature.
Audit frequency and scope cap: Negotiate explicit annual audit frequency limitations and confirmation that each audit will be limited to the specific products and entities named in the audit notification, with no scope expansion without fresh consent.
For the complete SAP audit defence framework, see the Vendor Audit Defence Complete Guide and download the Vendor Audit Defence Handbook. For SAP licensing context, see the SAP Licensing Complete Guide and the SAP Indirect Access Licensing Guide.