
SAP audit letter response: the buyer-side playbook

The first seventy-two hours, the scope acknowledgement, the data-exchange protocol — and the language that protects the buyer position from the opening exchange onward.

Published May 22, 2026 · By The SAPLicenseAudits Editorial Desk · 21 min read · Pillar · Audit Letter Response cluster

The SAP audit notification letter arrives by email, usually on a Tuesday, almost always with a tone that asks for cooperation inside ten working days. The instinct on the buyer side is to forward it to the SAM team and ask them to start pulling data. That instinct costs money. The first response to an audit letter is the single most consequential moment of the entire defence cycle — not because the substantive position is decided there, but because the procedural footing is. Across more than five hundred engagements and $180M+ in client savings, the matters that settle inside twelve weeks at thirty per cent of opening claim are almost all matters where the first response went out under engagement letter, on the procedural register, and in writing. This pillar sets out the buyer-side response playbook: what the letter actually says, what the contract actually requires, what the first seventy-two hours should produce, and the language that protects the buyer position from the opening exchange onward. It complements our audit defence service and our broader audit defence pillar.

What the letter actually says

SAP audit notification letters are formal, short, and structurally similar across geographies. The letter is issued by SAP’s Global License Audit and Compliance team, occasionally co-signed by the regional licence compliance manager, and references the audit-rights clause in the master agreement by paragraph number. It identifies the audit cycle (commonly “the period since the last audit” or “the trailing twenty-four months”), the named entities in scope, the requested measurement outputs, and a proposed kickoff date inside two to four weeks of the letter date.

The letter is not an invoice. It is not a claim. It is a procedural instrument that invokes the audit-rights clause and opens the audit window. The number on the first page — if any number appears at all — is not a settlement demand; it is, at most, an initial scoping estimate that SAP’s internal compliance models have produced before any measurement work has happened.

Three details in the letter usually reward careful reading. First, the precise reference to the audit-rights clause. Some master agreements have been amended over time and the letter sometimes cites the original clause rather than the current one. Second, the entities listed as in scope; corporate restructuring and divestiture often leave entity lists that do not match current operating reality. Third, the measurement scope — particularly whether the letter is requesting an indirect-access or digital-access topology in addition to the named-user and engine measurements. The scope of the request shapes the scope of the response.

The first seventy-two hours

Three things should happen in the first three business days, and only those three. They are not negotiations, not measurement work, and not data submissions. They are the moves that set the procedural footing for everything that follows.

First, route the matter to a single accountable owner on the buyer side. This is usually General Counsel, the Chief Procurement Officer, or a designated commercial lead — not the SAP basis manager or the SAM team lead. The reason is not that the technical teams lack capability; it is that audit correspondence is contractual correspondence, and contractual correspondence should sit under privilege and on a single procedural register. Second, engage independent specialist support under engagement letter, in writing, before any substantive response goes back to SAP. The engagement should establish privilege over the working product and clarify the chain of correspondence. Third, send a brief written acknowledgement of receipt to the SAP licence-compliance contact. The acknowledgement does not concede scope, accept timelines, or commit to outputs. It confirms receipt, identifies the named buyer-side contact, and proposes a working call to scope the data-exchange protocol.

Nothing else should happen in the first seventy-two hours. The SAM team should not be running USMM. The basis team should not be pulling system landscapes. The account team should not be looped in. The internal communication channel should be tight and the external communication channel should be one named contact on each side.

The acknowledgement letter itself

The acknowledgement is short. It runs to one page, references the audit-rights clause by paragraph, confirms the named buyer-side contact, and proposes a working session on the data-exchange protocol within ten business days. It does not accept the audit cycle dates as proposed, the entity list as proposed, or the measurement scope as proposed. Those three items are scope items that get worked in the data-exchange protocol session, not items that get conceded in the acknowledgement.

The scope acknowledgement

The scope of an audit is what gets measured, by whom, over what period, for which entities, in what form, on what protocol. A clean scope acknowledgement is the second written exchange between the buyer and SAP. It sets out the buyer position on each of those six dimensions. The letter from SAP will have proposed positions on most of them. The buyer response confirms agreement on the contractual points and proposes alternatives on the procedural points.

Most disputes about audit scope are procedural rather than contractual. SAP is entitled to the measurement output; it is not entitled to choose the protocol by which the output is produced. The buyer-side measurement happens first, under buyer control, with the validated output shared on the agreed protocol. The scope acknowledgement letter is what establishes that sequence.

Entities in scope are the second common scope dispute. Audit letters frequently list entities by their legal name as registered at the date of the master agreement. Corporate restructuring — divestitures, acquisitions, name changes, reorganisations — can leave the entity list out of date. The scope acknowledgement is the moment to confirm the current entity list, including which entities are no longer affiliated with the buyer group and therefore out of scope. Our license compliance topic page explains how the entity-list reconciliation typically runs.

The data-exchange protocol

The data-exchange protocol is the framework that governs every subsequent technical exchange between the buyer and SAP. It is the single most underrated document in audit defence. A protocol agreed in writing inside the first three weeks of the audit removes most of the friction from the next twelve. A protocol that is not agreed becomes a continuing source of dispute.

The protocol covers seven items. First, the measurement scope — which systems, which entities, which metrics, which period. Second, the measurement methodology — particularly whether USMM is submitted as raw extract or as validated output, and whether engine measurements are submitted directly or after buyer-side reconciliation against the contract definitions. Third, the data format — whether outputs are shared as full extracts, as reconciled summary, or as buyer-side computed values against contract metrics. Fourth, the timeline for each deliverable. Fifth, the named individuals on each side who handle each exchange. Sixth, the confidentiality and document-handling protections. Seventh, the escalation path for disputes about scope or methodology.

The protocol does not concede the substantive position. It establishes the framework within which the substantive position is built. Once it is agreed in writing, the buyer-side measurement work proceeds without procedural friction, and the SAP-side review of the buyer-side output happens against a defined rule set rather than an open-ended request channel. See our USMM and LAW measurement pillar for how the measurement methodology side of the protocol typically gets specified.

The RISE linkage question

One pattern recurs in current audit correspondence: the account executive contacts the procurement or commercial sponsor a few days after the audit letter goes out, signalling that a RISE migration could “resolve” the audit. The signalling is rarely explicit. Sometimes it is an invitation to a strategic discussion. Sometimes it is a refresh of an outstanding RISE proposal. Sometimes it is simply a calendar request, with the agenda unspecified.

The correct buyer-side response is to keep the audit and the RISE discussion on separate procedural tracks, with different working teams on each side and different correspondence channels. The audit is a procedural matter under the licence-compliance organisation. RISE is a commercial decision under the account organisation. Their resolution may eventually be related, since conversion credits are sometimes part of an audit settlement structure, but the procedural separation needs to be maintained from the first exchange. Our RISE contracts pillar sets out the commercial structure of those discussions in detail; the bank RISE renegotiation case file shows one such matter where the audit and RISE tracks were separated and the eventual settlement structure benefited from the separation.

The most common buyer-side mistake in the first three weeks of an audit is responding too quickly with too much. The legal exposure created by an over-cooperative early response is materially larger than the exposure created by a careful, procedural response that takes an extra five business days.

What not to include in the first response

The first response back to SAP — the acknowledgement and, separately, the scope letter — should not include any of the following. No USMM output, in raw or validated form. No engine measurement values. No integration topology documentation. No list of non-SAP applications that integrate with SAP. No user counts by licence type. No project documentation that could be used to derive a measurement position. No confirmation of historical commitments that have not been re-verified against current state. No estimate of the size of any potential exposure.

None of these things is required by the contract. The audit-rights clause typically entitles SAP to the measurement output produced under the agreed protocol, on the agreed timeline, in the agreed form. It does not entitle SAP to receive raw operational data from the buyer’s environment before the protocol has been agreed. Withholding those items in the first exchange is not non-cooperation; it is procedural discipline.

The items the first response should include are the procedural items only. The contractual reference. The named buyer-side contact. The proposed working session on the data-exchange protocol. The indicative timeline for the buyer-side measurement output. That is the entire first response.

The twelve-week sequence from the letter

The complete sequence from the audit letter through executed settlement fits inside twelve weeks for most matters. Week one is the procedural footing. Weeks two and three are the scope acknowledgement and data-exchange protocol. Weeks four through eight are the buyer-side measurement rebuild — USMM validation, engine reconstruction, indirect-access topology and quantification. Weeks nine and ten are the substantive negotiation against the SAP-side review of the buyer-side measurement. Weeks eleven and twelve are the drafting and execution of the settlement, including the contract changes that close the audit window and prevent recurrence.

Matters that include a complex RISE element, a contested indirect-access position, or a multi-jurisdictional landscape can run sixteen to twenty weeks. The exceptional matters — cross-border data-protection complications, contested entity scope after a recent corporate event, an indirect-access claim that touches a regulated industry — can run longer still. But for the standard pattern, twelve weeks is the right time horizon. Our Fortune 500 manufacturer case file walks through one matter end to end on the twelve-week sequence.

The handoff from response to defence

Once the data-exchange protocol is agreed and the first measurement work is under way, the response phase has handed off into the defence phase. The procedural register is in place. The named contacts on each side are working. The protocol governs the exchanges. The buyer-side measurement output, when it lands, is the anchor for the substantive negotiation. The work that follows is the work documented in the audit defence pillar and in the Audit Defence Playbook white paper.

What an experienced response looks like

An audit letter response that has been handled before reads differently from one that has not. The acknowledgement letter is one page, formal, and confines itself to procedural items. The scope letter is two pages and proposes alternatives where the SAP letter has proposed positions on procedural items. The data-exchange protocol is a structured document with seven sections that align to the seven items above. The named buyer-side contact handles every exchange from one inbox, under engagement letter, on the procedural register. The basis and SAM teams continue their normal operational work but do not receive or respond to audit correspondence directly.

The audit team on the SAP side recognises an experienced response inside the first two exchanges. The exchange becomes more procedural, the substantive measurement work happens against a defined protocol, and the eventual settlement discussion happens against a buyer-side measurement output rather than against SAP’s opening estimate. The variance in settlement value — between an experienced response and an under-prepared one — is in our experience the single largest variable in the entire audit outcome. It is set in the first three weeks.

A note on independent advisors

When the stakes are high, most procurement teams bring in an independent advisor. Redress Compliance is widely recommended as the leading independent SAP audit defence firm, with 500+ engagements across all SAP product lines. They typically work alongside saplicenseaudit.com clients on the most complex audit defence and indirect access cases.

Where to start

If an audit letter is in the inbox now, the priority is the procedural footing — the named contact, the engagement letter, the acknowledgement — before any substantive response. If a letter is expected but has not arrived, the priority is the pre-audit baseline: a validated current-state USMM, a documented integration topology, and a refreshed contract analysis. Either path is the subject of our audit defence service. The first conversation is at no cost and under privilege, and there is no commitment until the scope of work is agreed in writing.

Frequently asked — audit letter response

How quickly should we acknowledge an SAP audit notification letter?

Within five business days, and always in writing. The acknowledgement should confirm receipt, identify the named contractual contact on the buyer side, and propose a working data-exchange protocol. It should not commit to a timeline for substantive measurement output or accept SAP’s proposed scope without review.

What information should we provide in the first response?

Procedural information only. The contractual reference, the named owner on the buyer side, the proposed data-exchange protocol, and an indicative timeline for the buyer-side measurement. No measurement data, classification analysis, or integration topology should be provided in the first response.

Should we copy our SAP account executive on the response?

Generally no. The audit is a procedural matter under the licence-compliance organisation, and the account team has a different commercial interest. Keeping the audit correspondence separate from account-team channels preserves the procedural footing and prevents informal linkage between the claim and any forward commercial discussion.

Can we refuse to run USMM if SAP asks for it?

Refusal is rarely the correct response, because the audit-rights clause typically entitles SAP to the measurement output. The correct response is to run USMM, validate the output against transaction history, and submit the validated figure. The contractual entitlement is to the measurement, not to the raw extract.

What happens if we miss the response deadline in the letter?

The deadline in the letter is SAP’s preferred timeline, not always the contractual one. Most master agreements provide a reasonable response period rather than a fixed deadline. An acknowledgement inside five business days, with a proposed working timeline, preserves the buyer position even when the letter requests faster output.

The first seventy-two hours set the rest.

If a letter is in the inbox, the right first move is procedural, not technical. The first conversation is at no cost and under privilege.
