
SAP Audits – Is it really impossible to accurately determine your financial exposure?

Written by Dan Kirtley

SAP licensing is complicated. License entitlements can be open to interpretation and contract amendments can mean that financial liability for one customer may be very different in comparison to another, even if their usage and requirements are identical. It often depends on what deal was struck at the time of purchase.

Traditionally SAP licensing reviews and system measurements have focused on direct usage of an organization’s SAP environment. Direct usage on an individual level describes one user accessing SAP data directly through the SAP interface. The transactions which they perform determine what license type (or types) the user should be assigned. This in turn determines the associated cost for that user to perform their required tasks within the SAP system.

Even correctly managing licensing of direct users is more complicated than it might first appear. An organization with 10,000 users of its SAP environment could have many groups of users who transact in very different ways. The users may change jobs and so need to use the SAP environment differently from one year to the next. Other users leave the organization and of course it’s no longer necessary to have a license assigned to them.

If your organization doesn’t keep on top of this and effectively manage licenses, you’ll almost definitely be paying over the odds for your licenses or you will be hit with a big fee following system measurement (LAW) submission or a more comprehensive SAP audit.

The risk becomes even greater when you consider Indirect Usage. That’s because you may face licensing liability for a far greater number of users compared to those who you know directly access the SAP system. That 10,000 user license requirement could be two, three, even four times more if a third-party application accesses your SAP data.

One thing is clear. The better prepared your organization is, the better you understand overall usage of your SAP environment from every user and the better you can map this to existing entitlements, the stronger you will be when it comes to an audit or a negotiation. To do this effectively, you need a system that can automatically consolidate all of the necessary data and automate the required tasks.

 

So what is Indirect Usage?

A simple example of Indirect Usage is where an SAP system is accessed or queried through a third-party application. The way in which that third-party system interacts with the SAP system, whether the interaction originates from a user’s actions and whether data is manipulated or changed within the SAP system all contribute to whether SAP defines the need for an additional license and, therefore, additional cost.

If you had to read that sentence twice, you’re likely not to be the only one. The fundamental issue is that SAP “Indirect Usage” changes definition from company to company and that is causing confusion amongst the SAP user community.

In a rather ironic twist of fate, the push from the large SAP user communities across the globe for more clarity on Indirect Usage has actually led to potentially greater financial exposure. That’s because SAP made changes to their enforcement of the price and conditions list (PCL) in October 2016. More on this below.

Indirect Usage is categorized in a few different ways depending on the technical method used to access the SAP environment. To add to the opacity around this, there is also a greater or lesser likelihood that SAP will choose to charge additional license fees dependent on the “type” of Indirect Usage there is.

 

External third-party systems which access SAP via RFC or HTTP:

Common examples of this type of Indirect Usage include large ISVs like SalesForce.com, Workday and QlikView; Business Intelligence systems and payroll systems. This may also include smaller systems to perform a particular task not possible in default SAP software.

In this instance, the third party systems are accessing the SAP environment, pulling data and often writing it back via a connection to the SAP environment. Here a “user” must be set up to gain access to the SAP system. On the surface then it can appear like only one user (or a small number of users) is performing actions on the SAP system. In reality though, the “user” will be performing far more tasks than is possible for a single person to undertake.

Multiple users are indirectly using SAP data to perform tasks. The challenge that someone investigating this type of Indirect Usage often faces is that they are unaware of these third-party systems within their organization’s IT estate. To identify such systems requires either surveying application owners or looking for anomalous usage directly within the SAP system. Flags to look out for include:

#1: “Work time” check for all users: Checks rolling two-day time windows for constant activity without a pause of at least eight hours

#2: “Volume of work” check: Looks for users with an extraordinary amount of activity (measured by changed or newly created DB table entries)

#3: “Cross-component usage” check: Looks for users which changed DB table entries or newly created them from different SAP modules in the same second.

In practice, the interviewing process alone is insufficient and attempting to analyse the SAP system manually is impractical for a system with more than a certain number of users. This is because it requires manual consolidation of numerous data sources before any possible conclusions can be made.

The more efficient approach is to use a system which can automatically consolidate the data, meaning that anomalous activity can be identified much faster.
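The three flags listed above can be run automatically over consolidated change records. The following is an added example, not code from the original article or from any SAP tool: the record layout (user, timestamp, module), the user names, the sample data and the `VOLUME_FACTOR` cut-off for "extraordinary" activity are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

PAUSE = timedelta(hours=8)   # check #1: shortest break counted as a pause
WINDOW = timedelta(days=2)   # check #1: length of the rolling window
VOLUME_FACTOR = 10           # check #2: assumed cut-off, multiples of the median

def work_time(events):
    """#1: activity spanning WINDOW with no gap of at least PAUSE."""
    start = prev = events[0][0]
    for ts, _ in events[1:]:
        if ts - prev >= PAUSE:
            start = ts       # a real pause: the run starts over
        if ts - start >= WINDOW:
            return True
        prev = ts
    return False

def cross_component(events):
    """#3: entries from different modules written in the same second."""
    seen = defaultdict(set)
    for ts, module in events:
        seen[ts.replace(microsecond=0)].add(module)
    return any(len(mods) > 1 for mods in seen.values())

def flag_users(records):
    """records: (user, ISO timestamp, module), one per changed or created entry."""
    by_user = defaultdict(list)
    for user, ts, module in records:
        by_user[user].append((datetime.fromisoformat(ts), module))
    flags, typical = {}, median(len(ev) for ev in by_user.values())
    for user, ev in by_user.items():
        ev.sort()
        checks = {"work_time": work_time(ev),
                  "volume": len(ev) > VOLUME_FACTOR * typical,   # check #2
                  "cross_component": cross_component(ev)}
        if any(checks.values()):
            flags[user] = [name for name, hit in checks.items() if hit]
    return flags

def sample(t0=datetime(2017, 1, 9, 9)):
    """Constructed data: two people on office hours, one interface user."""
    office = [t0 + timedelta(days=d, hours=h) for d in range(3) for h in (0, 2, 4, 6)]
    rows = [(u, t.isoformat(), m) for t in office for u, m in (("ALICE", "SD"), ("BOB", "FI"))]
    for i in range(144):     # interface user: every 30 minutes for three days
        t = (t0 + timedelta(minutes=30 * i)).isoformat()
        rows += [("RFC_CRM", t, "SD"), ("RFC_CRM", t, "MM")]
    return rows
```

Calling `flag_users(sample())` flags only the interface user, on all three checks; the two office-hours users are reset by their overnight pause and stay below the volume cut-off.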

This method of Indirect Usage is the clearest cut and we covered this in a lot more detail last year. If a system accesses SAP in such a way, you are likely to be financially liable. It’s extremely important to understand precisely how the interaction takes place, how many third-party users may require a license and what type of license they will require.

 

SAP-integrated add-ons via NetWeaver platform

In October 2016, SAP made changes to their enforcement of the price and conditions list (PCL) with the intention of clarifying some of the definitions around SAP and based upon pressure from the various user groups across the globe. This is where the irony lies because it has, in fact, led to a new license requirement for third-party add-ons.

Within the PCL, SAP added that users, in addition to the Runtime usage right of the SAP NetWeaver Foundation, must acquire an additional SAP NetWeaver Foundation for Third Party Applications.

This means that users of a third-party system which is an add-on to SAP and installed via the NetWeaver platform must pay an additional license fee on top of their existing Named-User license.

Many customers see this as a shift of the goalposts and it will be particularly frustrating to organizations who were recommended to develop customer-specific solutions into their landscape by SAP itself.

Because this enforcement is new, many organizations will not be immediately exposed to financial liability and SAP typically takes a staggered approach to enforcing licensing rules.

The best advice would be not to rest easy because of the lag between rule creation and rule enforcement. Make sure that you understand what your potential liability might be. Consider whether there are named user licenses which are assigned to inactive users and making up shelfware. If there’s a potential for this shelfware to use a third-party add-on, there may be a case for SAP to charge your organization the additional fee. If your shelfware is properly expired and retired, there is no risk. Again, an automated system which can do the leg work for you will ensure you are in a stronger, optimized position.

 

The Internet of Things & other data transfer devices

The third and final category to consider is also the least well defined. However, it still absolutely should be taken into account. This category concerns “things” writing data to the SAP system. “Things” could mean sensors in a warehouse measuring temperature throughout the building and alerting when that temperature moves outside of defined parameters. It could mean data transferred from mining vehicles when they return to base, tracking usage of the vehicle and distance travelled to estimate when tyres need changing or when the truck must be serviced. In this real example, the customer wasn’t liable for any additional named user license because there is no human interaction. The data is transferred automatically when the vehicles cross a threshold.

On the other hand, a scenario where additional licenses were required was in a slightly different form of data exchange via Electronic Data Interchange or EDI. In this case, warehouse scanners were used to read data from barcodes into the SAP system. The difference was that humans click the button to activate the scanner. The customer in this case was told that they needed named user licenses for each user who could potentially use the barcode scanner and hence “use” the SAP system.

“From a legal perspective, the issue of indirect usage and SAP’s respective license types is complicated as its assessment involves questions of contract law, copyright law and possibly also of competition law. What matters is that companies using SAP software are aware of the risk that is attached to indirect usage of the software.

In order to be able to evaluate such risks, technical tools that help to get an idea of the intensity of indirect usage help. If a company believes that it has a high risk with regard to this issue and does not want to meet SAP’s additional payment request, an individual legal analysis may help to clear the picture.”

Dr. Jana Jentzsch - Certified lawyer for information technology law and specialist for SAP licensing. *

 

Fee or no fee?

So that is the distinction. Involve a human user in some way and you may be asked to license that user. Remove any human interaction and you are unlikely to need to pay for additional licenses (at the time of writing). As in all of the examples above, however, this won’t stay the same forever and if your organization is embracing new technologies at a rapid rate, just remember that SAP might want a cut of the pie at some point down the line.

Again, the advice remains the same. Understand usage, understand the architecture of your environment and continually optimize. Do not let things change over time without tracking it. If you do, you could be faced with a substantial unbudgeted bill.

The need to develop a comprehensive and up-to-date architectural diagram of your SAP landscape becomes more and more imperative to help you navigate the contemporary audit process with SAP.  We suggest you work with your SAP architecture team to assure this effort is underway and current and a top priority in your organization.

In the meantime, why not join us on a webinar where I discuss SAP indirect usage with our in-house SAP expert Brian Skiba: February 16, 16:00 GMT/ 17:00 CET/ 10: CET.

* JENTZSCH IT - Email: mail@jentzsch-it.de | Skype: Jentzsch_IT | Website: www.jentzsch-it.de