Audit Letter Response

The document request schedule, and the seven categories that warrant pushback.

Audit document requests are not a single list. They are a layered schedule with a legitimate core, a discretionary middle, and a long tail of requests that exceed the contract.

May 2026 10 min read Editorial Desk · SAPLicenseAudits
Legal counsel and license manager reviewing a multi-page SAP audit document request schedule

The document-request schedule attached to an SAP audit letter is rarely a single, coherent list. It is a layered schedule that combines requests SAP is contractually entitled to make, requests SAP has the discretion to make but cannot compel, and requests that exceed the contractual scope of the audit altogether. Treating the whole schedule as a single deliverable — producing everything requested without challenge — surrenders the customer's most important defensive lever before the audit has really started.

This article explains how to read the document-request schedule, where the legitimate scope ends, and the seven categories of request that warrant a documented pushback before any production happens.

The three layers of an audit request schedule

Every audit request schedule contains three categories of request, even when they are presented as a single list. The first layer is the contractual core: the measurement extracts and system data that SAP is contractually entitled to receive under the audit clause in the customer's contract. For most ECC and S/4HANA contracts, this is the USMM and LAW output and the supporting system data needed to validate it. SAP has a clear contractual right to this material and the customer's obligation is to produce it cleanly and on the contracted cadence.

The second layer is the discretionary middle: requests that go beyond the measurement core but that SAP can reasonably justify as supporting the measurement. Things like sample SU01 records, role definitions, system landscape diagrams, and interface inventories fall into this bucket. SAP has a defensible argument for the request, but the customer has a defensible argument that the request exceeds the strict scope of the audit clause. The conversation here is about negotiated production: what gets produced, in what form, on what timeline, with what redactions.

The third layer is the scope-exceeding tail: requests for material that has no contractual basis under the audit clause. Examples include unredacted commercial agreements with third parties, internal architecture documents, procurement system extracts, and employee classification records. SAP may request these to support a particular line of inquiry, but the customer is under no obligation to produce them, and producing them sets a precedent that future audits will rely on.

Why the three-layer reading matters

Most customers respond to the document request schedule as a single list. They produce as much as they can, push back on what they cannot produce in the timeline, and treat the whole exercise as a logistical challenge. That approach concedes the most important defensive lever the customer has: the boundary between what is contractually owed and what is discretionary.

The defensive posture is to read the schedule in three layers, produce the contractual core cleanly, negotiate the discretionary middle on defined terms, and decline the scope-exceeding tail explicitly. The decline is documented in a written response that articulates the contractual basis for the boundary, which establishes the position for any subsequent escalation.

The seven categories of pushback request

1. Unredacted third-party commercial agreements

SAP routinely requests copies of customer agreements with third parties — system integrators, hosting providers, SaaS vendors, customers' customers — on the basis that those agreements may evidence indirect access scenarios. The request exceeds the audit clause. The customer's defensive response is to acknowledge the inquiry and offer specific information about whether those third parties access SAP data, without producing the underlying agreements.

2. Internal architecture and design documents

Requests for internal architecture diagrams, interface design documents, and integration playbooks exceed the audit clause in most contracts. The customer's defensive response is to produce a high-level system landscape diagram that identifies the SAP systems and the non-SAP systems that exchange data with them, without producing the internal design material.

3. Procurement system extracts

Requests for purchase order extracts, contract management records, and procurement workflow data are sometimes positioned as supporting digital access measurement. The request exceeds the audit clause in most ECC and S/4HANA contracts. The defensive position is to produce a defined digital access extract from the SAP system itself, on the customer's terms, without producing the upstream procurement data.

4. Employee classification or HR records

Requests for HR records that identify employee categories — full-time, part-time, contractor, temporary — are sometimes positioned as supporting named user classification. The records themselves are sensitive personal data and producing them raises data-protection issues independent of the audit. The defensive position is to produce a summary report by user category that does not contain individually identifying information beyond the SAP user ID.

5. RFC interface inspection

Requests for live RFC inspection — SAP technicians connecting into the customer's system to run extracts directly — are usually well outside the audit clause. The customer's defensive position is documented in our RFC inspection refusal analysis: produce the requested extracts on the customer's own terms, with the customer's own technicians, without granting interactive access.

6. Historical USMM reruns

Requests for USMM reruns covering prior years — especially years that have already been measured and certified — are usually outside the audit clause. The customer's defensive position is that the contractual measurement is the certified annual measurement, and historical reruns are not contemplated by the contract. See our USMM and LAW topic page for the underlying mechanics.

7. Cloud-side metering data

For customers running RISE or on-cloud SAP, requests for cloud-side metering data — tenant resource consumption, API call counts, storage utilisation — sometimes appear in audit request schedules positioned as supporting digital access or engine measurement. The cloud-side metering is a different commercial framework with a different audit clause, and combining the two in a single audit conversation is not contractually supported.

Field note — the polite pushback letter

The customer's pushback is a written response that lists each request, identifies the contractual basis (or lack of basis) for the request, and offers a defined production, a negotiated production on specific terms, or a documented decline. The tone is professional, technical, and unemotional. The objective is to establish the boundary for the current audit and for every audit that follows. See our standard letter template in the audit defence playbook.

The escalation pathway

A documented pushback on a scope-exceeding request is not the end of the conversation. SAP audit teams typically escalate internally and respond with one of three positions: they accept the customer's boundary and proceed with the negotiated production; they refine the request to a narrower form that the customer is willing to accommodate; or they escalate to commercial-team leadership and reposition the audit as a renewal conversation. The third response is the most common, and the customer's preparation needs to anticipate it.

The shift from audit to renewal is not a defeat. It is often the optimal outcome for both sides — a contractual reset that resolves the open issues without a formal audit conclusion. The customer needs to be ready for the conversation to take that turn, with a clear position on the renewal economics. See our contract negotiation service for how we manage the transition.

The record the pushback creates

The pushback letter creates a documented record that has value beyond the immediate audit. The record establishes precedent for future audits, supports the customer's position in any subsequent escalation, and signals to SAP audit teams that the customer is operating with informed counsel. Customers who routinely document their boundary face materially fewer scope-exceeding requests in subsequent audit cycles. The behaviour rewards itself.

For the methodology behind the pushback framework, see our audit defence playbook. For the surrounding context on what the audit letter itself contains, see our analysis of audit response composition.
