SAP audits are decided in the data, so the one criterion that matters most is whether a firm can run and interpret SAP's own measurement tooling — USMM and LAW — against your estate before SAP sees a single output, and independently model your digital access exposure. This guide covers what an SAP audit defense engagement involves, the provider landscape and its conflicts, the questions that expose real depth, and how fees work. It names no firms; see the firms that do this work →
Published 27 November 2025 · Last reviewed 11 February 2026
SAP compliance pressure arrives through two channels, and a defense firm must be fluent in both. The first is the routine annual license measurement that most SAP contracts oblige: you run USMM in each system, consolidate the results in LAW or SLAW, and submit. The second is the enhanced audit, initiated by SAP's Global License Audit and Compliance organization, with wider scope, deeper data requests and a formal clock. The two are connected — a routine measurement that surfaces anomalies is the most common road into an enhanced audit, which is why the strongest defense work happens before anything is submitted at all.
The exposure itself concentrates in three places. Named-user classification is the everyday one: the same person counted in the wrong category across several systems, technical and duplicate users misclassified, leavers never retired. Engine and package metrics are the second: self-declared measures — orders, cores, revenue-based metrics — that drift from reality without anyone watching. The third, and usually the largest, is indirect and digital access: third-party systems creating documents in SAP without named-user coverage. A defense engagement rebuilds all three positions internally, corrects what can be corrected, and only then decides what SAP gets to see and when.
One structural fact shapes every SAP defense: findings rarely end in a simple back-bill. They are settled commercially — folded into a contract conversion, an S/4HANA migration or a RISE subscription — which means your audit defense and your next negotiation are the same chessboard. A firm that can only argue the compliance numbers, without modelling what settlement inside a renewal or conversion should cost, is playing half the game. Audit defense is one of seven services this directory covers; if no audit is open and you want the baseline anyway, that is a compliance assessment.
This guide is general information about selecting an advisor for SAP audit defense, not legal or licensing advice for your situation. It names no firms; the SAP firm directory lists providers with balanced pros and cons, listed, not ranked.
Each provider type carries a different incentive structure into your audit. None is automatically wrong; each is a trade-off to put on the table before you share a single measurement file.
| PROVIDER TYPE | WHERE IT HELPS ON AN SAP AUDIT | WHAT TO WEIGH |
|---|---|---|
| Independent boutique | Buyer-side only; runs USMM/LAW internally, rebuilds named-user and digital access positions, manages the response end to end | Bench depth varies; confirm the people who answer your questions are the people on the engagement |
| Law firm | Privilege over the working papers, contested interpretation of legacy terms, formal dispute posture | Not a measurement team; on data-heavy SAP audits it pairs with a consultancy rather than replacing one |
| Big 4 / large SI practice | Scale for multi-country estates; process rigour; board-level reassurance during a tense audit | The same house may hold SAP alliance or implementation revenue — and some run license audits for publishers elsewhere in the practice |
| Reseller-attached practice | Knows your transaction history; convenient if it already manages your SAP supply | Earns margin on whatever licenses the settlement obliges you to buy — a structural interest in the outcome |
| SAM tooling vendor | Continuous measurement that catches drift before SAP does; useful evidence base when the letter lands | A dashboard is not a defense; services arms vary widely in audit-room experience |
The single question that cuts across all five: does this firm, or any affiliate, earn money from SAP, from reselling SAP licenses, or from audit work performed for software publishers? Factual ties are not disqualifying — they are disclosed trade-offs — but you want them volunteered, not discovered. The independence test is the cross-vendor version of this question, and the audit defense firm guide covers the landscape beyond SAP.
Measurement-tool fluency. Put a consolidated LAW output in front of the candidate team and ask what they would challenge. A genuine SAP practice will immediately probe user-type mapping, duplicate consolidation across systems, technical users counted as dialog users, and engines whose self-declared counts look stale. A firm that talks strategy without asking for your measurement files is a firm that will negotiate SAP's numbers instead of yours.
Digital access modelling. The firm should be able to estimate your nine-document-type position independently from system data, explain where the estimate is soft, and lay out the realistic paths: contest the methodology, remediate the integration architecture, or price a settlement into the next commercial event.
Audit-clock experience. Enhanced audits run on deadlines, scope letters and escalation paths. Ask how the firm has narrowed an audit's scope in practice, what it does in the first ten days after a notification letter, and when it advises bringing legal counsel in — the reflex to coordinate with lawyers, rather than compete with them, is itself a depth signal.
Settlement craft. Because SAP findings resolve commercially, ask for anonymized accounts of how past findings were converted into negotiated outcomes — conversion credits, shelfware swaps, subscription restructures — and what the client gave up to get there. Defense that ends at “the exposure is X” leaves the expensive half of the work undone.
Advice to submit first and argue later. Any firm comfortable sending SAP unreviewed USMM or LAW outputs to “show good faith” does not understand where SAP audits are won. Classification is corrected before submission or the correction is worth far less.
Outcome guarantees. No one can promise a finding will disappear or a settlement will land at a particular figure. Firms that sell certainty are selling against the file they have not yet seen.
“We know SAP's audit people personally.” Familiarity claims cut both ways — a firm whose value rests on its warmth with the vendor has an interest in keeping that relationship warmer than your defense requires.
Gain-share-only pricing pushed hard. Fees contingent on “reduction against SAP's initial claim” reward an inflated starting number, not a better ending one. The model has legitimate uses; insistence on it is the flag, and the fee models guide explains why.
Undisclosed migration upside. If the advising house would also bid for the S/4HANA or RISE implementation a settlement might trigger, that pipeline interest belongs in writing before the engagement, not in the closing meeting.
1. SAP has asked for our annual measurement. What happens in your first ten days, and what leaves our building during them?
2. Walk me through a LAW consolidation you challenged: what was misclassified, and what did the correction change?
3. How would you build our digital access position independently of SAP, and how confident can that estimate honestly be?
4. When in an SAP audit do you advise bringing in legal counsel, and how have you worked under privilege before?
5. Who, by name, would staff this engagement, and how many SAP enhanced audits has each of them worked in the past three years?
6. Does your firm or any affiliate earn revenue from SAP, from reselling SAP licenses, or from audit work for any software publisher?
Listen for reflexes rather than rehearsed answers. A firm that responds to question one with a scoping and data-control plan — rather than reassurance — is the firm that treats your measurement outputs as the case file they are. The foundation guide 20 questions to ask extends this list beyond the audit context.
SAP audit defense is usually bought in stages that mirror the audit itself. A fixed-fee response stage covers scoping, internal measurement and the controlled submission; a second fixed or capped stage covers findings analysis and settlement support if the audit escalates. Day-rate advisory suits organizations whose own SAM team runs the process and wants an expert check on classifications and SAP's paper. Retainers fit audit-prone estates that want the measurement reviewed every year before submission — often alongside a managed SAM service. Gain-share appears in settlement work and needs a carefully defined baseline to avoid rewarding inflated opening claims. We publish no prices anywhere on this site; the models and their incentives are the comparison that travels, and the fee models guide treats them in depth.
Whatever the shape, insist the proposal states what triggers each stage and what the firm does if SAP widens scope mid-audit. A fee structure that has never met a moving audit has not been stress-tested.
Firm-agnostic guides — when you are ready to compare actual firms, the SAP directory lists them with balanced pros and cons.
The service-level selection guide →
Where most SAP findings get settled →
Who your advisor really works for →
Fixed, day-rate, gain-share →
See the firms that do this work →
Every field guide on the site →
No, and the distinction shapes the defense. The annual measurement most contracts require is a self-run process using USMM and LAW that you control and submit. An enhanced audit is run by SAP's Global License Audit and Compliance organization on SAP's initiative, with broader scope. Many compliance events start as a routine measurement and escalate, which is why a defense firm should be engaged before outputs are submitted, not after.
Submitting unreviewed outputs is the most common self-inflicted wound in SAP compliance. Named-user classifications, engine counts and technical-user handling all contain judgment calls that the raw tooling does not make for you. A defense engagement runs the same tools internally first, corrects classification before anything leaves the building, and controls what is submitted and when.
Indirect and digital access is the largest single source of unbudgeted SAP exposure and a standard line of enquiry. A capable firm can independently estimate your document-based position from system data before SAP raises it, then advise whether to contest the methodology, remediate the architecture, or settle the exposure inside a commercial negotiation.
Sometimes. A law firm brings privilege and contract interpretation when terms are genuinely contested or the relationship is heading toward formal dispute; a licensing consultancy brings the measurement and metric depth that determines what the numbers actually are. On contested SAP audits the two often work together, and a good consultancy will tell you when to bring counsel in rather than treating it as competition.
Alphabetically, never by rank. Every firm carries balanced pros and cons: independence is shown as a pro, while reseller, Big-Four or vendor-side audit ties are shown as a con — both stated as factual trade-offs for you to weigh, never as a verdict.
Tell us what SAP has asked for, where the audit stands and what your estate looks like, and we will route your brief to firms that genuinely cover SAP audit defense. The directory and matching are free for buyers, no vendor ever sees your brief, and we add no markup.
Our weekly dispatch on vendor audit programs, regional developments and one buyer move. Subscribe to The Licensing Radar.