SAP Is Checking Your Audit Results – Are You Prepared?

It’s common knowledge that customers audit their systems with tools supplied by SAP (see SAP’s Terms and Conditions). SAP can also remotely audit the systems if customers refuse to do it themselves. However, SAP usually doesn’t make use of these remote audit privileges. Instead, it asks its customers to supply additional data.

More data, please!

If this is the case, SAP will send not only the measurement plan that usually accompanies an audit request, but also a document named “Measurement Deliverables for SAP Software License Audit”. Step by step, this document explains what customers need to do and what data they need to deliver. You could call this an advanced audit.

This document also details until when customers have to deliver the data and where to upload them to SAP. Customers should also adapt the measurement plan according to their specifications. To comply with this request is highly recommendable since SAP will use the adapted plan for the audit.

The advanced audit comprises the old standard (License Audit Workbench Report), according to which all Abap-based SAP systems in production and development need to be audited. This means that customers should make use of the tools supplied by SAP like USMM, LAW, and LMBI. If you’re using database Hana, you need to audit it in compliance with the “SAP Hana Database, User’s Guide to Measurement”.

Some engines are licensed for cores. Previously, customers were asked to indicate them in the self-declaration form. Now, customers need to evaluate the number of cores according to SAP’s specifications (Processor Core Worksheet). This task needs to be taken seriously because, for example, cluster installations on virtual servers can mean more cores than expected. Engines that cannot be audited in this way still need to be indicated in the self-declaration form.

More than an audit

System data extract is where it becomes really advanced. Regarding development systems, SAP wants to know who has the S_Develop rights, among other things. It’s not about code customizations anymore, but about rights. In productive environments, SAP goes several steps further. Here’s a selection of tables and reports that customers have to deliver data from: UST12, USRBF2, AGR_PROF, AGR_TEXTS, AGR_1251, USR11, SM37, WE21.

If you combine all of the things listed above, SAP is basically ordering customers to bare all: Rights, use, interfaces, IDocs as well as a jobs overview and all repository objects not created by SAP. This is so much more than a simple audit. It evokes the impression that SAP is either not trusting its own audit tools anymore or that the results the tools deliver are not enough anymore. This advanced audit could soon become the new normal.

Leverage the advanced audit blueprint!

My recommendation up until now has been to use SAP’s classification guide before sending the audit results to SAP. However, SAP is now digging deeper, not trusting customers with user classification anymore, among other things. This is why I now implore you to check all your results before sending them. How, you may ask? Well, SAP itself has already delivered a great blueprint with its guidelines for advanced audits. Use it to be prepared for your next SAP audit.