SAP audit preparation and self-assessment in 2026
Named-user reconciliation, Digital Access document counting, USMM and LAW output interpretation, indirect-use exemptions. The SAP GLAS audit preparation playbook drawn from 37 SAP engagements 2023–2026 with realised claim reductions of 60–85 percent.
How SAP GLAS audits actually work in 2026
SAP's Global Licence Audit and Compliance organisation (GLAS) operates with two distinct audit modalities in 2026. The first is the formal compliance audit, invoked under the audit clause in the SAP Software Use Rights agreement, with a defined data-collection methodology, a documented finding and a binding commercial outcome. The second, and increasingly common, is the self-declaration request: GLAS asks the customer to run USMM, LAW and Digital Access measurement tools and to declare the results, with no formal audit clause invoked. The self-declaration is presented as commercially efficient but produces a finding that is contractually as binding as a formal audit.
The two modalities require different responses. The formal audit triggers the buyer's contractual rights (notice window, scope limitation, response cadence) and frequently allows scope to be narrowed during the engagement. The self-declaration does not invoke those rights, which means the buyer must impose them voluntarily through the engagement governance. Buyers who treat the self-declaration as a casual data exchange routinely produce findings that GLAS uses as the basis for a $5M–$45M commercial conversation.
The preparation discipline applies equally to both modalities. The data flows the same way; the contractual position drives the negotiable surface; the settlement mechanics are identical. The disciplined buyer prepares for an SAP audit on a continuous basis regardless of which modality is in flight at any given point.
Why S/4HANA migration intensifies audit activity
SAP's S/4HANA migration deadline (currently 2027 for ECC support, with extended-support options to 2030) has produced a structural intensification of GLAS activity since 2022. The mechanic is straightforward: GLAS engagements that surface indirect access exposure or named-user misclassification create commercial pressure that supports the S/4HANA migration conversation. The audit finding becomes the trigger for the migration commit; the migration commit becomes the negotiating leverage for the audit settlement.
For SAP customers running ECC with no current S/4HANA migration plan, the implication is that the audit timing is partly within SAP's control. GLAS engagements cluster around the customer's perceived readiness to move; an ECC customer who is silent on S/4HANA for too long becomes a higher audit priority. The disciplined response is to maintain an active S/4HANA conversation on the buyer's terms (with controlled pace, defined scope and credible alternative options) rather than to wait for SAP to introduce the conversation through the audit.
SAP GLAS findings disclosed in the run-up to an S/4HANA conversation are routinely converted into commit-trade settlements at 12–25 percent of opening claim. The same findings disclosed without a parallel commercial event settle at 30–55 percent. The lever is the value SAP attaches to the migration commit, which is materially higher than the value of a standalone audit settlement. Time the disclosures and the commercial conversation jointly.
Named-user reconciliation: SU01 vs. actual use
SAP named-user licensing distinguishes between several user categories: SAP Application Professional User, SAP Application Limited Professional, SAP Application Worker, SAP Application Self-Service, and others. Each category carries a different price point and a different scope of permitted activity. The standard GLAS audit reads the SU01 transaction (the SAP user master record) and classifies users based on the authorisation profile assigned in SU01.
The audit-defence position rests on the difference between authorised scope and actual use. A user with broad authorisations in SU01 but narrow actual usage qualifies for a lower licence category. The reconciliation requires the buyer to extract activity data from SM20 (security audit log), SAP Solution Manager or third-party SAP user-activity tools, and to map actual transaction usage to the appropriate user category. The disciplined reconciliation routinely shifts 25–45 percent of SU01-categorised Professional Users to lower categories with corresponding licence cost reduction.
Digital Access document counting
SAP Digital Access (introduced 2018, refined 2023) prices indirect access to SAP based on a count of digital documents created across nine document types (sales order, invoice, material movement, time-management entry and others). The pricing replaced the older named-user-equivalent model for indirect access and is structurally more favourable for high-volume integration scenarios.
The audit-defence position on Digital Access has three components. First, accurate document counting: the standard SAP-provided counting tool (Passport or SLAW) measures the gross volume of documents created by indirect access; the contractual definition allows for exclusions (technical documents, system-generated documents that do not represent business transactions). Second, exemption claims for specific document types where the customer's actual use does not match the SAP-defined document type. Third, conversion mechanics from named-user-equivalent to Digital Access pricing where the customer has not yet migrated to the document-based model; the conversion typically produces a 30–60 percent price reduction at equivalent business volume.
Indirect access: the largest single exposure
Indirect access is the largest single audit exposure category for most SAP customers and accounts for 40–70 percent of GLAS opening claims across our engagement library. The exposure exists because every integration that reads or writes SAP data through non-dialogue channels (REST APIs, RFC connections, IDocs, BAPIs, web services) potentially counts as indirect access. Enterprises routinely have 30–150 active integrations with SAP and have rarely catalogued them comprehensively.
The preparation discipline requires the customer to inventory every integration, classify the integration against the SAP indirect access framework (Digital Access document categories or named-user equivalents), document the technical mechanics (which API, which document types, what business purpose) and identify exemption claims. Common exemption candidates: integrations that are technical only (system-to-system synchronisation without business transaction), integrations that operate on SAP-derived data outside SAP without further SAP interaction (data warehouse loads, reporting), integrations that mirror existing licensed users (the user already pays for their named-user licence; the integration does not create incremental usage).
Reading USMM and LAW outputs critically
SAP's standard audit tooling consists of USMM (User Master Measurement, run per SAP system) and LAW (License Administration Workbench, which consolidates USMM outputs across multiple SAP systems). The outputs are not neutral measurements; they apply SAP's licensing interpretation at every step and produce a result that reflects the maximum vendor-favourable position.
The disciplined buyer extracts the underlying raw data (transaction usage logs, authorisation profile assignments, dialogue and non-dialogue access patterns) and runs an independent measurement against the contractual definitions. The independent measurement frequently produces a position 30–55 percent lower than the USMM and LAW outputs for the same SAP estate. Submitting only the USMM and LAW outputs to GLAS, without the independent measurement, anchors the negotiation against the vendor-favourable position from the start.
The self-assessment framework
The self-assessment framework runs the same data through the same tools but with buyer-controlled interpretation and explicit exemption claims. The framework has six steps.
First, run USMM and LAW against the current SAP estate but treat the outputs as draft data requiring interpretation.
Second, extract independent transaction usage data from SM20 and Solution Manager covering a representative 90-day window.
Third, reconcile named-user categorisation against actual transaction usage with the objective of moving users to the lowest defensible category.
Fourth, run Digital Access measurement with explicit exemption claims for technical and non-business document types.
Fifth, document the indirect access integration inventory with exemption claims for each integration.
Sixth, produce a self-assessment report that presents the buyer's defensible licence position with full evidence backing.
The self-assessment report becomes the buyer's anchor in any subsequent GLAS conversation. If GLAS initiates a formal audit, the self-assessment is the starting position the buyer defends. If GLAS issues a self-declaration request, the self-assessment is the response. Either way, the work is done before the engagement opens.
Settlement timing against the S/4HANA conversation
The final discipline is timing. SAP GLAS settlements close at materially better terms when bundled with an S/4HANA migration commit, a RISE conversion or a Digital Access transition. The vendor's incentive to land a forward commitment exceeds the value of a standalone settlement; the buyer's leverage from the migration alternative (the option to migrate to another platform or to defer S/4HANA) is at its highest at this point.
Buyers approaching S/4HANA in 2026–2027 should treat any open GLAS finding as a parallel negotiation lever in the migration conversation. Settling the audit at standalone terms ahead of the migration forfeits the parallel value. Bundling the audit settlement into the migration agreement, with the migration commit reducing the audit claim and the audit settlement reducing the migration price, frequently produces a combined outcome that improves both negotiations by 20–40 percent compared with handling them separately.
For the full SAP audit defence framework including the named-user reconciliation templates, the Digital Access exemption library and the S/4HANA-aligned settlement mechanics, see our SAP vendor intelligence page or our vendor audit defence practice. For related preparation see our software audit preparation guide.
Strategic advisory — not legal advice. SAP audit mechanics, GLAS engagement procedure and settlement structuring vary by contract vintage, by governing law and by SAP region. Engagement-specific structuring is required before any of the above is executed.
Common questions
What triggers an SAP GLAS audit?
Three patterns dominate. First, the approach of the S/4HANA migration deadline: SAP GLAS engagements cluster around customers running ECC who have not yet committed to migration. Second, indirect access exposure: GLAS identifies high-integration enterprises through SAP's own telemetry and prioritises them for engagement. Third, the contractual audit cadence: most SAP Software Use Rights agreements permit annual audit but GLAS rarely exercises the right that frequently, preferring to time engagements for commercial value.
How long does an SAP GLAS audit last?
Most SAP GLAS audits run 5 to 9 months from formal notice to settlement, with self-declaration engagements running 3 to 6 months. The duration is driven by the complexity of the indirect access integration inventory, the volume of named-user reconciliation work and the time required to integrate the settlement with any parallel S/4HANA or RISE commercial conversation. Audits managed without preparation close faster but at materially worse commercial outcomes.
What is the difference between USMM and LAW?
USMM (User Master Measurement) runs per SAP system and produces a measurement of named users and engine metrics for that system. LAW (License Administration Workbench) consolidates USMM outputs across multiple SAP systems, deduplicates users who exist in multiple systems, and produces a combined licensing position. Both tools apply SAP's licensing interpretation at every step; the outputs are not neutral measurements. Independent measurement against the contractual definitions frequently produces a position 30 to 55 percent lower than the USMM/LAW outputs.
What is Digital Access and should we convert to it?
Digital Access is SAP's document-based pricing model for indirect access, introduced in 2018 and refined in 2023. The model prices indirect SAP access by document count across nine document categories rather than by named-user equivalents. Conversion from the older named-user-equivalent model to Digital Access typically produces a 30 to 60 percent price reduction at equivalent business volume. The conversion is most economic for high-volume integration scenarios; low-integration estates may be better served by the named-user equivalent model.
How do we handle SAP indirect access exposure?
Build a complete inventory of every integration that reads or writes SAP data through non-dialogue channels (REST APIs, RFC, IDocs, BAPIs, web services). Classify each integration against the SAP indirect access framework. Document exemption claims for technical-only integrations, integrations on SAP-derived data outside SAP, and integrations that mirror licensed-user activity. Convert the resulting position into a Digital Access document count where economic. The exercise typically reduces the indirect access exposure by 40 to 70 percent versus the initial GLAS opening position.
Should we negotiate an SAP audit settlement during the S/4HANA conversation?
Almost always yes. SAP GLAS settlements bundled with S/4HANA migration commits, RISE conversions or Digital Access transitions close at materially better terms than standalone settlements. The vendor's incentive to land a forward commitment exceeds the value of a standalone audit payment; the buyer's leverage from the migration alternative is at its highest in that window. Bundling the audit and the migration into a single commercial agreement frequently improves both outcomes by 20 to 40 percent compared with handling them separately.
Prepare the SAP self-assessment before GLAS opens the conversation
We build the self-assessment, reconcile the named-user categorisation and quantify the indirect access position within 21 days of engagement.