The mythology around SAP audits is that the auditor looks everywhere and the customer has to defend everywhere. In practice, SAP's audit teams follow a relatively standardised playbook that targets eight specific risk areas, in roughly the same order, with roughly the same evidence-gathering approach. A customer who knows the playbook can triage their estate before the next measurement window and shift the audit's findings substantially in advance of the engagement.
This article ranks the eight areas by frequency of finding and median exposure value, drawing on patterns observed across more than 500 SAP audit engagements in the last six years. The exposure values are normalised to a typical enterprise estate of 8,000 to 25,000 SAP users with revenues over $1B.
Risk area 1: operational users assigned as Limited Professional
The single most common finding in SAP audits, particularly in manufacturing, retail, logistics, and field-service estates. A user classified as Limited Professional is contractually constrained to self-service activity. Any operational transaction — goods movements, sales document creation, purchase requisition release, service notification creation — exceeds the Limited Professional perimeter and falls back into Functional or Professional territory.
Median exposure on a typical estate: $2.4M to $6.8M. Defence requires authorisation-content extracts and a written classification policy that maps roles to user types under the contract definitions, not the price-list descriptions. For full detail, see the Professional vs Functional vs Limited classification guide.
Risk area 2: dormant accounts retained in the user table
The second most common finding, and the easiest to fix in advance. Any user record that exists in SU01 and has a licence type assigned will be counted by USMM, even if the user has not logged in for two years. Dormant Professional users carry the highest per-seat list value on the price list, so even a small dormant-user population can drive a meaningful finding.
Median exposure: $800K to $2.1M. Defence is a quarterly dormant-account purge: any user with no logon activity for one hundred and eighty days is locked, reviewed, and either reclassified or deleted before the next USMM run. The defence is operationally trivial and the finding is preventable in advance.
Risk area 3: contractor accounts left active after engagement end
Closely related to dormant accounts, but with an additional contractual exposure. Many SAP contracts include contractor accounts in the named-user count if they have transacted in the system, so contractors who have left the engagement should be locked and removed. The audit finding here is often paired with a "named user is named user" position, meaning that each unique human (rather than each unique account) is counted.
Median exposure: $1.2M to $3.4M. Defence is a contractor-offboarding control that locks accounts on the engagement end date, with a quarterly reconciliation against the contractor master in the HR or procurement system.
Risk area 4: cross-module authorisation creep
A Functional user who has been granted authorisations that cross the boundary of their nominal module — for example, an HR business partner who can release financial workflows — falls into Professional territory. The authority-creep finding is technically subtle, often caused by composite roles that were copied between business functions without a careful review of the authorisation objects, and is one of the harder findings to defend without an authority-mining tool.
Median exposure: $900K to $2.6M. Defence is a quarterly authority-content audit of every active role, with cross-module authorisation objects flagged for explicit business approval or removed.
Risk area 5: technical and service accounts misclassified
Service accounts that perform RFC calls, batch jobs, or technical integration are sometimes treated as Professional users under the contract definition and sometimes as indirect-access workloads. The treatment depends on whether the technical account is invoking SAP functionality as itself (Professional user required) or proxying for a human or external system (indirect-access framework applies). See our indirect access topic page for the deeper analysis.
Median exposure: $600K to $1.8M. Defence is a documented service-account inventory with a clear classification rationale for each, and a careful read of the contract's named-user and indirect-access definitions.
Risk area 6: multi-system landscape consolidation
The LAW (License Administration Workbench) process consolidates users across multiple systems in the SAP landscape. The default consolidation behaviour assigns each unique human the highest-tier classification observed across all of their accounts. A user who is correctly Professional in production but mislabelled as Limited Professional in a sandbox is, by default, repriced across the entire landscape.
Median exposure: $400K to $1.4M. Defence is LAW consolidation rule configuration that excludes non-productive landscapes from the consolidation, combined with explicit classification consistency across the systems that are in the consolidation scope.
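To make the consolidation rule concrete, here is an added illustration (not SAP's LAW code, and not from the original article) that models the default "highest tier across all accounts" behaviour and the defence of excluding non-productive systems. The landscape, the system ids (PRD, QAS, DEV, SBX), the tier ordering and the sandbox mislabel are all constructed assumptions.

```python
# Constructed landscape: (human id, system id, licence type as classified on that system).
# Made-up rows for illustration; real LAW input is the per-system USMM result.
TIER_RANK = {"Limited Professional": 0, "Functional": 1, "Professional": 2}
PRODUCTIVE = {"PRD"}  # assumption: which system ids count as productive

ACCOUNTS = [
    ("emp001", "PRD", "Functional"),
    ("emp001", "SBX", "Professional"),        # mislabelled only in a sandbox
    ("emp002", "PRD", "Professional"),
    ("emp002", "QAS", "Limited Professional"),
    ("emp003", "PRD", "Limited Professional"),
    ("emp003", "DEV", "Limited Professional"),
]

def consolidate(accounts, in_scope=None):
    """Default LAW-style rule: each human gets the highest tier seen across in-scope systems.
    in_scope=None means every system is consolidated (the default behaviour)."""
    result = {}
    for human, system, tier in accounts:
        if in_scope is not None and system not in in_scope:
            continue
        if human not in result or TIER_RANK[tier] > TIER_RANK[result[human]]:
            result[human] = tier
    return result

def repriced_by_non_productive(accounts):
    """Humans whose landscape tier rises only because of a non-productive system:
    (tier with productive systems only, tier under default consolidation)."""
    default = consolidate(accounts)
    productive_only = consolidate(accounts, in_scope=PRODUCTIVE)
    return {h: (productive_only.get(h), default[h])
            for h in default if productive_only.get(h) != default[h]}

def inconsistencies(accounts, in_scope):
    """Humans whose in-scope accounts disagree on classification; each needs an
    explicit decision before the USMM run so the consolidation is deliberate."""
    seen = {}
    for human, system, tier in accounts:
        if system in in_scope:
            seen.setdefault(human, set()).add(tier)
    return {h: sorted(t) for h, t in seen.items() if len(t) > 1}

if __name__ == "__main__":
    print("default:", consolidate(ACCOUNTS))
    print("repriced by non-productive systems:", repriced_by_non_productive(ACCOUNTS))
    print("inconsistent in scope:", inconsistencies(ACCOUNTS, {"PRD", "QAS"}))
```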
Risk area 7: licence-type changes inside the measurement period
Where users have moved between licence types during the measurement period — for example, reclassified from Professional to Functional in mid-year as part of an optimisation exercise — SAP's auditor will sometimes apply the higher tier across the whole period. The contract definition usually allows for prorated treatment but only if the reclassification was documented in a way the auditor can verify.
Median exposure: $300K to $1.1M. Defence is a documented reclassification log that records the date, the justification, and the role-content change supporting every licence-type change in the measurement period.
Risk area 8: the indirect-access overlap
The eighth area is the boundary between named-user licensing and indirect-access exposure. Where external systems (Salesforce, ServiceNow, custom portals, RPA bots) interact with SAP through interfaces, SAP's auditor will sometimes find both indirect-access exposure on the document side and named-user reclassification on the user side covering the same workload. The two findings are partially overlapping and must be settled together, not separately.
Median exposure: $1.6M to $4.8M. Defence is integrated: the indirect-access analysis and the named-user analysis must be performed by a team that can reconcile the two and present a single integrated counter-position. See the Indirect Access Survival Guide for the integrated treatment.
The triage approach
A customer reading this list should not attempt to remediate all eight areas at once. The right approach is a triage by exposure-to-effort ratio. The highest-value, lowest-effort remediations are dormant-account cleanup and contractor offboarding — both of which can be completed inside a quarter and substantially reduce the eventual audit finding.
The medium-effort remediations are operational user reclassification and cross-module authority cleanup — both of which require deeper role-content analysis and typically need ninety to one hundred and twenty days to complete properly.
The longest remediations are the indirect-access overlap and the multi-system landscape consolidation, both of which can require six to twelve months of architectural and operational work. These should be initiated in parallel with the faster remediations rather than sequentially after them.
Pre-audit triage as a programme
The customers with the best audit outcomes treat named-user licence hygiene as a continuous programme rather than a pre-audit exercise. The continuous programme is built around four quarterly cadences:
- Q1: dormant-account purge and contractor reconciliation.
- Q2: classification policy review and reclassification execution.
- Q3: cross-module authority audit and remediation.
- Q4: pre-USMM independent measurement and variance analysis.
This programme, run for two consecutive years, typically shifts the audit exposure curve by sixty to seventy per cent. For the broader treatment, see our license optimization service and the USMM topic page. For a real example of how the programme was applied at a global retailer, see the retailer reclassification case file.
How to sequence the remediation across a calendar year
A practical sequencing for the eight risk areas, based on what an enterprise team can actually deliver inside calendar boundaries, looks like this:
Q1 — Quick wins: Dormant account purge (risk area 2), contractor account offboarding (risk area 3), technical and service account inventory (risk area 5). Each is operationally bounded and deliverable inside ninety days. Combined exposure reduction typically lands at $2.6M to $7.3M on an enterprise estate.
Q2 — Classification remediation: Operational user reclassification (risk area 1), licence-type change documentation (risk area 7). These require role-content analysis and operational coordination with business users. Combined exposure reduction typically lands at $2.7M to $7.9M.
Q3 — Authority cleanup: Cross-module authority audit and remediation (risk area 4). The hardest to scope and the most operationally disruptive, because it requires role-redesign work in production. Best delivered after the classification work in Q2 has established the role baseline. Exposure reduction $900K to $2.6M.
Q4 — Pre-audit measurement and the integrated indirect-access view: Multi-system consolidation discipline (risk area 6) and the indirect-access overlap (risk area 8). The Q4 work is partly preparatory for the next year's audit cycle and partly closing out the year's remediation. Exposure reduction $2.0M to $6.2M.
The full programme, executed across two consecutive years, typically reduces audit exposure by 60 to 70 per cent against the un-remediated baseline. The exposure reduction translates to settlement reduction in the next audit cycle at roughly the same ratio.
What to do this week
For customers who have not yet started any of this work, the most useful single step is a dormant-account extract. Run SUIM with a logon-history filter of 180 days, sort by licence type, and quantify the dormant Professional and Functional user population. The output is usually a six- or seven-figure exposure that can be addressed in a single quarter, and it provides the business case for the broader programme.
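The dormant-account extract described here and in risk area 2, as an added example that is not from the original article: it takes an offline user list in the shape a SUIM or USR02 export might produce (user, licence type, last logon), applies the 180-day threshold, and quantifies the dormant population by licence type. The column layout and every row are constructed assumptions; never-logged-on accounts are treated as dormant so that they surface for review.

```python
from datetime import date, datetime

# Constructed extract in a SUIM/USR02-like shape: user;licence type;last logon (YYYYMMDD,
# blank if never logged on). Made-up rows for illustration, not real audit data.
SAMPLE_EXTRACT = """\
USER;LICENCE_TYPE;LAST_LOGON
JSMITH;Professional;20240102
AKUMAR;Functional;20240820
BATCH_RFC;Professional;
MLEE;Limited Professional;20230605
TCHEN;Professional;20240915
RJONES;Functional;20231120
"""

DORMANT_DAYS = 180  # the article's threshold: no logon activity for 180 days

def parse_extract(text):
    """Parse the semicolon-separated extract; a blank LAST_LOGON becomes None."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split(";")
    rows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(";")))
        raw = rec["LAST_LOGON"]
        rec["LAST_LOGON"] = datetime.strptime(raw, "%Y%m%d").date() if raw else None
        rows.append(rec)
    return rows

def dormant_users(rows, as_of, threshold_days=DORMANT_DAYS):
    """Users with no logon within threshold_days of as_of. Never-logged-on accounts
    (often technical accounts, see risk area 5) are included with IDLE_DAYS=None so
    they are reviewed rather than deleted blindly."""
    as_of = date.fromisoformat(as_of) if isinstance(as_of, str) else as_of
    out = []
    for r in rows:
        idle = (as_of - r["LAST_LOGON"]).days if r["LAST_LOGON"] else None
        if idle is None or idle >= threshold_days:
            out.append({"USER": r["USER"], "LICENCE_TYPE": r["LICENCE_TYPE"], "IDLE_DAYS": idle})
    return out

def dormant_by_licence_type(dormant):
    """Count the dormant population per licence type, highest list value first."""
    counts = {}
    for d in dormant:
        counts[d["LICENCE_TYPE"]] = counts.get(d["LICENCE_TYPE"], 0) + 1
    order = {"Professional": 0, "Functional": 1, "Limited Professional": 2}
    return sorted(counts.items(), key=lambda kv: order.get(kv[0], 99))

if __name__ == "__main__":
    dormant = dormant_users(parse_extract(SAMPLE_EXTRACT), as_of="2024-10-01")
    for d in dormant:
        print(f"{d['USER']:<10} {d['LICENCE_TYPE']:<22} idle_days={d['IDLE_DAYS']}")
    print(dormant_by_licence_type(dormant))
```

Multiply each licence-type count by the contract's per-seat value for that tier to turn the output into the exposure figure that supports the business case.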