SAP Audit Defence
End-to-end engagement on matters of this kind. We take control of the process the day the letter arrives, define the scope in writing, validate every measurement, and negotiate the settlement.
A Tier-1 European retail bank refused SAP's request to install discovery tooling on production systems, rebuilt the measurement under privilege, and settled at sixty-nine per cent below the opening claim.
Every result on this site is anonymised at the client's request. Specific figures are real and verifiable through a confidentiality-protected reference call arranged on request.
The client is a Tier-1 retail and commercial bank headquartered in the Eurozone, with subsidiaries across the United Kingdom and the Nordic countries. SAP ECC 6.0 has run core general ledger, treasury, and counterparty reporting since 2012, with a partial S/4HANA conversion underway in the wealth-management subsidiary. Eleven engine licences sit on top of the named-user base, including HANA runtime, BW, Process Orchestration, and FI-CA for the consumer-credit book.
SAP opened the matter by serving a measurement notice plus a request to install three discovery utilities — a custom RFC-based inventory program, an extended user-trace logger, and a document-flow probe — on every production client. Within forty-eight hours of that request, before any tooling had been installed, SAP also issued a written opening position of twelve million four hundred thousand dollars, derived from indicative measurements taken from one quarterly snapshot run by the bank's SAM team a year earlier.
The opening claim divided into three lines. A USMM under-classification of roughly 2,900 users currently sitting in Employee Self-Service bands that SAP claimed should be Limited Professional or Professional, valued at $6.1M. A Process Orchestration engine measurement running at 4.4x the contracted message volume, valued at $4.0M. And an indirect-use position attached to a customer-facing online-banking platform with an undisclosed methodology, valued at $2.3M.
The bank's procurement team referred the matter to outside counsel before any data was released and before any of the discovery utilities had been authorised for deployment to production.
The first step was procedural. We confirmed in writing within seven business days that the audit-rights clause in the active enterprise agreement did not give SAP a right to install third-party utilities on the bank's production systems, and that any measurement would proceed under the SAP-standard USMM and LAW process plus an agreed sample protocol for indirect-use evidence. The discovery-tool request was declined in formal correspondence citing the contractual language.
We then rebuilt the user model independently against a twelve-month transaction-evidence window. The internal classification had relied on role-collection assignment, which over-counts in environments where roles are designed broadly to support job rotation across branch staff. Of the 2,900 disputed users, 2,100 had no Professional-grade activity recorded across the measurement window and were correctly assignable to Employee Self-Service or Limited Professional. The remaining 800 were reclassified accurately into the higher bands, producing a net exposure of approximately $1.3M against the claimed $6.1M.
On Process Orchestration, we obtained the raw measurement extract, validated it against the engine-counter configuration, and demonstrated that more than half of the counted messages were system-to-system traffic between SAP-internal components, which is excluded under the engine definition. The corrected measurement ran at 1.2x the contracted volume, not 4.4x.
On the online-banking indirect-use position, we built a complete integration topology and demonstrated that the customer journey contained only one chargeable read event per session under the contract definitions, not the per-page-view methodology SAP had assumed. Converted to Digital Access at the bank's negotiated DAE tier, the exposure fell from $2.3M to approximately $480K, with a re-measurement protection clause attached.
Final settlement closed at three million eight hundred thousand dollars, against an opening claim of twelve point four million. The reduction was approximately sixty-nine per cent. No additional named-user licences were purchased outside the existing enterprise pool. The indirect-use exposure was converted to Digital Access at a per-document tier with a hard cap on year-on-year growth set at twelve per cent.
Four contract clauses were rewritten as part of the release. The audit-rights clause was narrowed to a two-year cycle with ninety days' written notice, scope confined to LAW output and a defined sample protocol, and an explicit prohibition on the installation of additional measurement utilities without a separate written change order. The engine measurement clause for Process Orchestration was redefined to exclude internal traffic by reference to specific message-class identifiers. The Digital Access conversion clause attached a re-measurement protection valid for the remainder of the contract. And a settlement-as-release clause confirmed no further claim could be raised on the audited period.
Total elapsed time from the initial measurement notice to signed release was fourteen weeks. The matter closed before the bank's half-year disclosure, allowing the contingent liability to be removed cleanly from the position statement.
The matter closed under privilege and the specifics are confidential, but the methodology applies to most SAP estates of comparable size. The pattern is repeatable across the banking sector and beyond.
For the firm's full procedural sequence on matters of this kind, see the SAP Audit Defence Playbook and the related working notes in the SAP audit letter response cluster.
We refused the discovery installation, and within a week the measurement returned to LAW. From that point the bank's position carried evidentiary weight and SAP's did not.