The contractor question, contractually framed.

Contractors are the most consistently disputed user population in SAP named-user audits. The dispute is not principally technical — contractors leave a clear audit trail in HR and procurement systems — but contractual. Most SAP master agreements either define a contractor inadequately or do not define one at all, which means each audit can re-litigate the question of who counts, on what basis, and with what category.

This article maps the contractor classification question against the contractual frame, sets out the four sub-populations that drive the bulk of the dispute, and describes the offboarding control that converts the recurring audit finding into a documented compliance posture.

What the contract usually says

The standard SAP named-user definition is some variant of: "Named User means each individual person who is authorised to use or access the Software, regardless of whether the individual is actually accessing the Software at any given time, and regardless of whether the access is direct or indirect." The definition does not distinguish between permanent employees, contractors, third-party administrators, or service-provider personnel. It captures the individual person.

Where contracts diverge is in the qualifying phrase that often follows: "...by, or on behalf of, Customer." That phrase pulls third-party administrators (managed-services providers, payroll outsourcers, etc.) into the licensed count whenever they access the SAP system to perform services for the customer. Contractor classification therefore turns on the interaction between the named-user definition, the "on behalf of" phrase, and any side-letter exclusions.

The four contractor sub-populations

Sub-population 1: long-term embedded contractors

Contractors engaged for 12 months or longer, working alongside permanent staff, accessing SAP for the same workflow purposes. The contractual treatment is uncontroversial — these contractors are counted as named users at the same category as the equivalent permanent role. The dispute typically arises only on the category, not on inclusion.

Sub-population 2: short-term project contractors

Contractors engaged for a defined project of 3 to 12 months. These users should be counted while the engagement is active and removed at engagement end. The audit finding here is almost always about the offboarding discipline, not the classification itself.

Sub-population 3: managed-services providers and outsourced administrators

External service providers who access SAP to perform managed services — payroll administration, treasury operations, IT support, application management. These users are usually captured under the "on behalf of" phrase but may be excluded by a side-letter provision that the original deal team negotiated. The classification question is also harder: the category should reflect the work performed, which may be Professional even though the provider's commercial relationship is operational.

Sub-population 4: temporary access — auditors, consultants, advisors

Short-term users accessing SAP for a few hours or days to perform a specific task — an external auditor reviewing the close, an SAP-certified consultant performing a configuration review, a regulator exercising a statutory inspection right. The contractual position is ambiguous. SAP's auditor will usually push for inclusion; the defensible position is that statutory-rights access and audit-rights access are exclusions whether or not the contract says so explicitly.

For deeper context on the named-user audit findings ranked by frequency, see our audit risk areas article.

The category mapping question

Even when contractor inclusion is settled, the category mapping question often produces a separate finding. The auditor's default is to apply the Professional category to any contractor with operational system access, on the grounds that the contractor's role content is operationally similar to a Professional permanent employee. The defensible position is that contractor category should be mapped to role content, not to engagement type. A contractor performing a Limited Professional role should be classified as Limited Professional.

The defence requires the same role-content evidence that supports any reclassification — authorisation profile, role description, business process scope. The work is identical to the work described in our employee category cleanup article; the only difference is the user population.

The offboarding control

The single most valuable operational control in contractor classification is the offboarding discipline. Most audit findings on contractors do not involve current contractors at all. They involve contractor accounts left active after the engagement ended.

The control has three components:

1. Engagement-end trigger. The contractor master in HR or procurement records the engagement end date. A scheduled task locks the SAP account on that date without manual intervention.
2. Thirty-day archive. The locked account is reviewed at 30 days post-lock. If no extension has been recorded, the account is deleted from the productive system and archived in a non-licensed system.
3. Quarterly reconciliation. The active SAP user list is reconciled quarterly against the active contractor master. Any contractor account active in SAP but absent from the contractor master is flagged for investigation.

This control, properly implemented, removes roughly 85 per cent of the recurring contractor finding on most estates. The remaining 15 per cent is the genuine classification dispute described above, which is settled through contract analysis rather than operational cleanup.

The multi-account contractor problem

A common audit finding involves the same contractor with multiple accounts across different engagements over time. The SAP audit team will sometimes consolidate these into a single counted user (which is the customer-favourable interpretation) and sometimes count each account separately (which is the auditor-favourable interpretation). The treatment depends on whether the contract's named-user definition references unique persons or unique accounts.

Where the contract references unique persons (the more common modern wording), the customer's defence is to demonstrate the human-level uniqueness through HR or procurement contractor IDs. Where the contract references accounts, the defence is more limited — the operational discipline of giving each contractor a single SAP account across engagements becomes the only meaningful control.

This is one of the cleanest places to negotiate a contract amendment at the next renewal — moving the language from accounts to unique persons typically saves the customer 4 to 9 per cent of the named-user base over the contract term. For renewal sequencing, see our contract negotiation service.

The contractor classification policy document

Customers who do not have a written contractor classification policy are negotiating from a weak position in every audit. The policy is short — usually three to five pages — and addresses six questions:

• Which contractor populations are included in the named-user count, citing the contract clause that supports the inclusion or exclusion.
• What category mapping applies to each population, citing the role-content basis for the mapping.
• What onboarding workflow creates the SAP account, with the licence-category assignment step explicit.
• What offboarding workflow locks and archives the SAP account, with the trigger date and the thirty-day archive sequence.
• What evidence retention applies — typically two years for the contractor master records.
• What governance owns the policy and reviews it annually.

The policy document is the customer's single most useful piece of evidence in a contractor-classification audit. Producing it on day one of the engagement signals a well-controlled environment and shifts the auditor's default from "include everything" to "examine the policy and reconcile against the data."

What this looks like in a worked example

A European industrial group with 18,000 SAP users and roughly 2,800 contractor accounts faced a $4.2M opening claim on contractor-related findings in a 2024 audit. The defence rested on three elements: a side-letter exclusion of managed-services personnel that had been forgotten in the customer's own files, a documented offboarding control that demonstrated 91 per cent of the contractor accounts flagged by the auditor were properly handled, and a category mapping policy that downgraded roughly 600 contractor users from Professional to Functional or Limited based on documented role content.

The settled finding was $1.1M, against the $4.2M opening claim — a 74 per cent reduction. Roughly half of the value came from the side letter, a quarter from the category mapping, and a quarter from the offboarding control evidence. For the full case file, see the European industrial contractor defence. For the broader contractual frame, see the Named User Licensing Survival Guide.