SAP runs an annual measurement and audit program where the largest single finding is usually indirect (now "digital") access, the value created when non-SAP systems read or write SAP data without a named user. The firms below defend that exposure and the related named-user and S/4HANA migration reviews, with balanced pros and cons so you can choose for yourself.
LAST REVIEWED: JUNE 2026 · REVIEWED QUARTERLY
The recurring moves in an SAP measurement and audit. Recognize them early and you keep leverage.
SAP requires a yearly self-measurement using the USMM (User and System Measurement) transaction, consolidated through the License Administration Workbench (LAW). The results feed SAP's view of your named-user and engine consumption.
When a non-SAP application (a CRM, a web shop, a bot) reads or writes SAP data, SAP can claim a license is owed. Since 2018 this is measured under the Digital Access document model, counting nine document types created in the system.
Users are categorized (for example Professional, Functional/Limited Professional, Employee/Self-Service). Audit findings often assume the most expensive category where activity is ambiguous, inflating the user bill.
SAP "engines" (Payroll, BW, PI/PO and others) each carry their own metric, from records to orders to GB. Mismeasured or double-counted engine usage is a common source of inflated claims.
Moving from ECC to S/4HANA reopens the whole contract. SAP increasingly uses conversion projects to resolve historic indirect-access exposure and reprice the estate under new metrics.
Findings frequently surface near a maintenance renewal or a digital-transformation deal, where the commercial pressure to settle quickly is highest.
The licensing metrics behind the common findings, described factually.
Each person with access needs a named-user license in a defined category. The defense question is whether each user is classified at the right (often lower) type for what they actually do.
Nine document types (sales, invoice, purchase, service, material, financial, time-management, quality-management, manufacturing) are counted to value indirect use. Estimating and contesting the real document count is central.
Engine metrics vary by product. Findings turn on whether usage is measured correctly and whether entitlements already cover it.
SAP's bundled cloud offer changes the metric mix and is often proposed as the resolution to an audit finding, which makes independent valuation of the bundle important.
SAP remains one of the most audit-active enterprise publishers, alongside Microsoft, IBM, Oracle (Java in particular), Red Hat and Broadcom VMware. Across the market, an estimated 62 to 63 percent of companies report being audited within any 12-month window (industry surveys, 2025 to 2026), and roughly 52 percent now bring in outside defense help rather than handle a publisher review alone. For SAP specifically, indirect and digital access remains the single largest finding type in 2026, and S/4HANA migration reviews are rising as the ECC maintenance horizon pushes customers to convert.
The defining feature of an SAP audit is that much of the exposure is created by systems other than SAP. A CRM, an e-commerce front end, an EDI feed or an RPA bot that reads or writes SAP data can generate documents that SAP values under the Digital Access model, even though no human logged in. That is why measurement, not negotiation, is where SAP matters are usually won or lost: the first job is to establish the real, defensible document count and named-user classification before any number hardens into a claim.
Audit posture and local procedure differ by market, from German works-council constraints on data export to Singapore's PDPA transfer rules. Pick your jurisdiction below for the firms serving it and the local legal context.
Audit posture and local procedure differ by market. Pick yours for the firms serving it.
BGB limitation, BDSG data limits and works-council rules shape an SAP review.
Swiss Code of Obligations and the revised FADP frame data handover.
Dutch BW limitation and UAVG data rules apply to measurement export.
State-law contracts and aggressive discovery shape settlement leverage.
PDPA transfer limits and the SIAC arbitration option frame disputes.
English contract law, six-year limitation and UK GDPR apply.
Listed alphabetically with balanced pros and cons — a directory, not a ranking. Every firm here is independent and buyer-side; none resells SAP licenses.
Zurich boutique serving regulated industries such as banking and pharma, with deep Oracle ULA and SAP S/4HANA migration experience and a discretion-first engagement model.
Munich-based licensing law boutique that combines German contract-law litigation with technical SAP measurement to scope down indirect-access claims.
Ex-IBM measurement specialists with solid Western-Europe coverage, applying disciplined metric analysis to SAP, IBM and Oracle estates.
European SAM specialists with genuine SAP indirect-access defense across EU jurisdictions, alongside Microsoft and Oracle work.
Tokyo-based APAC practice offering bilingual negotiation and localization of global SAP and Oracle audit positions for Japanese and pan-Asian entities.
Independent enterprise software licensing advisory covering Oracle, SAP, IBM and Microsoft. No vendor partnership, no reseller relationship and no commission, with engagements focused on audit defense and renewal resets.
Listed alphabetically — not a ranking.
It is the licensing question that arises when a non-SAP system reads or writes SAP data without a named user logging in. Since 2018 SAP measures this under the Digital Access model, counting nine document types created in the system rather than counting the connected users.
SAP requires an annual self-measurement via the USMM transaction, consolidated in the License Administration Workbench (LAW). Discrepancies, integrations with non-SAP systems, mergers, and S/4HANA conversion projects are common reasons a routine measurement escalates into a formal audit.
It can be the vehicle for resolution, but it also reopens the entire contract. SAP frequently uses a conversion or RISE with SAP deal to settle historic indirect-access exposure and reprice under new metrics, so the bundle should be valued independently before you accept it.
Often, yes. Findings tend to assume the most expensive user category where activity is ambiguous. Reclassifying users to the type that matches what they actually do is a common, defensible way to reduce a named-user finding.
No. This is a directory, not a ranking. Firms are listed alphabetically with balanced pros and cons, and the site recommends none of them. You weigh independence against any reseller relationship for yourself.
Yes. The directory and matching are free for buyers. We are not a law firm and take no money from software publishers.