paint-brush
How to Prepare For Your Next SAP Auditby@basquillatconsulting
277 reads

How to Prepare For Your Next SAP Audit

by Basquillat ConsultingNovember 10th, 2020
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

In the Business to Business world, the word audit may be an alarming word. Either it's a financial or a software system compliance check, being part of an audit is kind of usually seen as a time overwhelming, sudden and expensive inconvenience for corporations.

Companies Mentioned

Mention Thumbnail
Mention Thumbnail
featured image - How to Prepare For Your Next SAP Audit
Basquillat Consulting HackerNoon profile picture

In the Business to Business world, the word audit may be an alarming word. Either it's a financial or a software system compliance check, being part of an audit is kind of usually seen as a time overwhelming, sudden and expensive inconvenience for corporations.

When presented with an audit letter at the end of audit procedures, organizations are facing some common questions: “Am I actually non-compliant?”, ”There should be a reason why they started this audit, however what's that?”,“ What am I missing here? ”. This uncertainty comes from a scarcity of a restricted summary of the software system licenses that they're entitled to use, their location and configuration (what is included), who has access to licenses and in what manner are these licenses being utilized within the corporation.

Usually, vendors like Oracle, Microsoft or IBM are famous and dreaded at the same time when we talk about audits; however, the SAP audits are extremely complicated and difficult events for user organizations. Preparation is essential in negotiating and passing through an SAP audit with success. During this article, we'll provide to you essential tips and sensitive recommendations which will increase oversight over the SAP auditing method.

Objectives of SAP audit team

The entity known by clients as SAP Global License Auditing and Compliance (GLAC) team performs the audits based on clear outlined procedures and protocols associated with the manner the audit should be conducted. The only purpose of the audit is to review your software system usage compliance position. The SAP engagement team expects you to demonstrate that your usage is in compliance with the acquired and available licenses. It is a particularity of SAP to use very close deadlines to perform the audit, adding additional pressure on Companies which are less organized and require more resources in terms of time and manpower.

The GLAC team will allow the small/ medium companies an amount of 3 weeks to perform the audit and provide all the requested deployment and usage information, whereas giant enterprises are expected to come back with the evidence within four weeks. Not a surprise, this short timeframe limits your and the other users' capability to properly analyze and perform minor adjustment in case of potential compliance issues.

It is best practice that your Internal Audit/ Compliance functions to perform a periodical review of the licenses, ideally prior to the start of the SAP audit.

Know your prerogatives

Performing a self-assessment is only effective when your Company has a deep understanding of the contractual agreement with SAP. This is not usually a transparent process, given the higher complexity of contractual documents and legal terminology; at the same time, the original contract might be old and multiple additional clauses have been signed and added since, including or removing additional SAP products and services.

As such, a detailed review of the contract and addendums over the years is crucial for the preparation of your internal audit/ review. By going one level deeper, it's necessary to grasp the context under which those SAP products were sold. It might be the case that the end users purchased licenses only for a specific business unit while it was agreed per contract that an enterprise metric for the entire Company is applicable. Understanding the product metrics, the number of blocks and the particular clauses that may have been agreed through contract (e.g. indirect use of service) are just a few examples of contractual terms that need to be taken into account.

Advice

As it needs to stay within fix boundaries, SAP cannot evaluate product retailed under changed or inconsistent metrics. In fact, SAP will just create evaluations in agreement with the current metric maintained within the actual price list. In this situation, as a client, you have a specific advantage of negotiating this in your favor if you have a proficient understanding of the written agreement clauses, associated metrics and rating.

It is our recommendation that your Company maintains a system landscape status (e.g. production use, decommissioned) in your dedicated SAP Support Portal. If this tool is not updated and you are in the middle of the audit, you can be requested by the SAP audit team to include systems in the USMM (“System Measurement”, transaction code USMM) which might even not be active at that moment in time.

The SAP Support Portal is the reference for the auditors and needs to replicate in real time your effective and system use. If particular focus in not granted to this aspect, your Company can face the situations in which the measurement of the SAP environments includes usage of modules or engines that the IT personnel have tested long prior to audit period, but for which you were never licensed. In short terms, need to prepare as SAP might ask about all the SAP systems linked to your Company. The inactive SAP systems may be included in the measurement plan as provided by SAP, with negative financial consequences arising from this situation.

The core of the SAP audit

Another recommendation to consider is to simply run check measurements with the SAP activity program (transaction USMM). This action should be performed in order to do an internal analysis of users and engines - it's clearly not a good idea to send the output to SAP, as this might trigger a response (i.e. audit). Most organizations do not manage their systems (users and engines) on a regular basis and also the activity may contain inaccurate information. As such, it is recommended to run a measurement test and have it reviewed by an external SAP consultant. After implementing the SAP consultant’s points (e.g. cleanup of user base, implement notes, etc.), the final product can be shared with SAP.

User

Determining the right classification for SAP users is extraordinarily tough for pretty much any end user. In the case of basic user definitions, it is easier as they are available on the SAP Support Portal, but the contractual agreement might contain additional definitions and classifications that should be clear in order to perform the internal review or to validate the results of the SAP audit.

Inside the SAP activity program (USMM), there are a plethora of methods used for the user classification. The main classification is based on the user authorization and contractual agreement, which should correspond with the price list which sits at the core of the SAP contract. The following topics will be for sure covered by the SAP audit:

  • Locked Users
  • Deleted Users
  • Expired Users
  • Users with Multiple Logons (possibly more individuals are granted access)
  • Users with Late Logons
  • Reclassification of “Workbench Development Users”
  • Users with SSCR Keys used for development purposes
  • Test Users in production (advice: 10% is allowed by SAP per system measurement)
  • Dialog Users vs. Measured Standard Users

Engines

The last step of the SAP measurement if the consolidation of all measured systems within the License Administration Workbench (LAW). By performing the consolidation, user and user types are recorded and assigned to one contractual user type. On condition that LAW user criteria are regularly updated across the total system landscape, the Company eliminates the risk of counting records multiple times. If the amount of consolidated users detected by LAW is outside the contract limits, it is recommended that you simply ask for verification of the following:

  • LAW criteria (as used to deduplicate user counts across multiple SAP systems)
  • Locked users (and if the expiration date has been maintained correctly)
  • Unclassified users (per default counted as professional users on production systems)
  • Technical users maintained as Dialog Users
  • Users authorizations based on your contractual user type assignment

In addition to LAW measurement results, you will be required to provide additional details as requested by SAP (e.g. Self-Declaration product, HANA, Business Object). In every step of the audit, SAP has outlined extra information gathering processes to follow.

Increase internal SAP experience

Ensure that the measurement is validated by an expert SAP consultant, in advance of sharing the data with SAP. In the least desirable situation, when you already have shared the output with SAP, require the SAP consultant to perform the analysis in parallel, in order to find out as soon as possible of potential non-conformities. Consider the latest changes in technology changes, including SAP GLAC, when planning for the SAP audit prep phase. Preparing for future SAP audit will be time overwhelming, complicated and extremely difficult for several organizations.

Also published here.