Audit Letter Response

The reply letter that holds the line.

The first written reply is the deepest single move in an SAP audit engagement. Two paragraphs in the wrong place set the scope for twelve weeks of negotiation.

May 2026 · 9 min read · Editorial Desk, SAPLicenseAudits

[Image: Legal counsel reviewing a printed audit response letter at a meeting table]

The single most consequential document in an SAP audit engagement is the customer's first written reply. Once that reply is sent, the procedural and substantive perimeter of the engagement is largely fixed. Subsequent letters can adjust tone and pressure but rarely reset the scope, the data-exchange protocol, or the time window. This article is the structural guide to that letter — what belongs in it, what should never be in it, and the wording that holds the line without escalating.

The template below is the one our practice uses across matters, with adjustments for the specific contract language. The structural elements are stable across SAP product lines and across audit triggers (compliance audit, indirect access review, RISE-driven measurement, S/4HANA conversion entitlement check). For the operational sequence leading up to the letter, see the first seventy-two hours article.

The structural skeleton

The letter has six load-bearing elements. Each element should be a short paragraph. The total length should be one to two pages. Brevity is part of the position.

  1. Procedural acknowledgement. One sentence confirming receipt of the audit notification dated [date], referencing the master agreement under which the audit right is being exercised.
  2. Contractual response window. A single sentence asserting the customer's contractual response period — typically thirty days from notification — and the date by which the customer's substantive response will be transmitted.
  3. Scope-setting proposal. A short paragraph setting out the perimeter the customer believes the contract permits, with explicit references to the audit-rights clause and any product-specific scope definitions.
  4. Data-exchange protocol proposal. A short paragraph defining the format, the aggregation level, the transmission channel, and the cadence of any data exchange that will occur during the engagement.
  5. Nominated point of contact. A single sentence naming the customer's designated engagement lead — usually the legal counsel or procurement director — with the contact channel for all written communication.
  6. Reservation of rights. A closing sentence reserving the customer's rights under the master agreement, including the right to challenge any audit finding through the contractual dispute resolution mechanism.

Critical: what the letter is not

The first reply is not the place to argue the substantive position, to share preliminary compliance views, to offer to schedule workshops, or to ask SAP to clarify the audit's purpose. Each of those moves gives SAP a procedural anchor that becomes hard to dislodge.

What to include in each element

The procedural acknowledgement

The acknowledgement should reference the master agreement by date and parties and the specific clause under which the audit right is exercised. This forces the conversation onto the contract from sentence one and signals to the auditor that the customer's response is being prepared on a contractual footing.

Suggested wording: "We acknowledge receipt of your notification dated [date], in which SAP exercises the audit right granted under Section [X] of the Master Software License and Services Agreement between [Customer] and [SAP entity] dated [date]."

The contractual response window

State the response window explicitly. SAP audit notifications sometimes propose tighter timelines than the contract permits, and the auditor's preferred timeline is not the contractual timeline. The customer's letter establishes that the customer is exercising its full contractual period.

Suggested wording: "Pursuant to Section [X.Y] of the Master Agreement, our substantive response will be transmitted to SAP within the [thirty-day] contractual response period, by [date]."

The scope-setting proposal

The scope-setting paragraph is where the most defensive work happens. The customer should explicitly state which systems, which time period, which contracts, and which data types are within scope under the contractual audit right — and, by implication, what is not. This is the perimeter the customer is willing to defend.

Where the audit notification appears to exceed the contractual scope, the letter should flag the apparent inconsistency without escalating: "We note that the scope outlined in your notification appears to include [X], which is governed by a separate agreement and falls outside the audit right granted in the referenced Master Agreement. We propose to confine the engagement to [Y]."

The data-exchange and contact paragraphs

The data-exchange protocol proposal

The data-exchange paragraph is the one that prevents the auditor from defining the data shape on their own terms. The customer should propose the four elements listed in the skeleton above: the format of the data, the aggregation level, the transmission channel, and the cadence of any exchange.

This single paragraph prevents many of the operational headaches that emerge in week four or five when SAP requests live access to systems or raw extracts that include data outside the audit scope. For more on the data-exchange discipline, see the audit defence service and the Audit Defence Playbook.

The nominated point of contact

Naming a single point of contact in the legal or procurement function prevents the auditor from approaching operational IT teams who may inadvertently provide unhelpful commitments. The named contact should have authority to bind the customer on procedural matters and access to the senior decision-makers on substantive ones.

The reservation of rights

The closing sentence reserves the customer's contractual rights without escalating. The intent is to signal that the customer is well-represented and is reserving the option to dispute findings through the formal mechanism.

Suggested wording: "We reserve all rights under the Master Agreement, including without limitation the right to dispute any finding arising from this engagement through the contractual dispute resolution mechanism."

What to exclude

Four categories of content most consistently weaken a customer's position when included in the first reply. Each is included because it feels professionally polite or proactively helpful. Each costs material money over the course of the engagement.

Preliminary compliance assertions

Any statement like "we believe our current compliance position is broadly aligned with our entitlements" reads as professional candour and is treated as an admission by the auditor. The customer's compliance position is what the customer's evidence supports, not what the customer believes. Save the substantive position for the formal response, after independent measurement.

Commitments to run USMM or to share measurement outputs

Statements like "we will run USMM in the next two weeks and share the output" anchor the customer to a deliverable that should be deferred until after the scope and data-exchange protocol are agreed. USMM should be run when the customer chooses to run it, not on the auditor's preferred timeline.

Operational meeting commitments

Offers to "schedule a workshop with our technical team" produce auditor-led meetings where the customer's technical staff are asked questions outside the contractual frame. Meetings should be agreed only after the scope and protocol are set, and the customer's legal lead should be on every call.

Apologies, regret, or admissions of fault

Phrases like "we regret any inconvenience" or "we apologise for the delay" do not de-escalate the engagement. They signal a customer who is positioning to settle rather than to defend. The reply should be procedurally polite without being apologetic.

The tone calibration

The letter should be polite, contractual, and short. The auditor reads dozens of customer replies a year. Replies that signal a well-represented customer change the auditor's subsequent behaviour materially. Replies that signal a panicked or under-prepared customer invite a more aggressive auditor.

The tone signals are subtle: explicit contract references, no expressions of regret, specific procedural language, no requests for clarification about basic audit mechanics, named legal contact rather than IT contact. A reader who sees those signals knows the matter is being handled professionally and adjusts their approach accordingly.

The follow-on letter discipline

The first reply is not the only structured letter in the engagement. Every subsequent written communication should be drafted with the same discipline: short, contractual, reservation of rights, named contact, no unbidden disclosures. The discipline gets harder to hold as the engagement progresses and the operational pressure to "just send what they want" intensifies. Customers who hold the line through to the settlement letter get materially better outcomes than those who relax the discipline in week six.

For a recent example of the full epistolary sequence, see the Fortune 100 manufacturer case file and the named user audit risk areas article.
