A $22.6M opening claim, closed at seven point nine.

The opening claim

The client is a globally systemically important financial institution operating across the United States, EMEA, and the Asia-Pacific. The SAP estate spans ECC 6.0 for general ledger, treasury, and counterparty reporting, an S/4HANA platform deployed in the corporate-banking subsidiary, and fourteen engine licences ranging from HANA runtime and BW to FI-CA, IS-Banking, and Process Orchestration. Sixty-three SAP-integrated applications connect to the core platform.

SAP's global audit function issued a measurement notification followed three weeks later by a formal opening position of twenty-two point six million dollars. The bank's chief procurement officer was copied directly, alongside the group general counsel and chief financial officer, with an explicit reference to potential material disclosure consequences. The opening position decomposed into five lines: a $9.1M USMM reclassification of users across multiple subsidiaries; a $6.4M Process Orchestration engine over-measurement; a $4.2M FI-CA indirect-use position attached to a custom collections workflow; a $2.0M HANA runtime over-deployment claim; and a $0.9M LAW double-counting position arising from CUA mis-configuration.

The bank's existing internal SAM function was capable but had been operating on an informal basis with the SAP regional account team. A series of unrecorded calls in the months preceding the audit notification had inadvertently provided SAP with snapshot data from one prior quarterly measurement that was substantially out of date. The opening position was anchored on that snapshot.

The board's audit committee requested external defence within seventy-two hours of the opening position landing.

The defence

We were retained by the general counsel's office under privilege and stood up a defence governance structure within five business days. The structure covered three layers: a steering group of the CFO, GC, and CPO meeting weekly; a working group of SAM, contract, and outside counsel meeting daily; and a fact-finding cell of three technical reviewers with read access to the SAP estate and the LAW history. All communications with SAP were channelled through outside counsel; no further informal calls were taken.

The first action was a written scope letter to SAP defining the entitlement of the audit, the data-exchange protocol, and the resolution timeline. The bank's earlier snapshot data was withdrawn from the negotiating record on the grounds that it had been shared informally and was now superseded by a current LAW measurement.

The team rebuilt the user classification independently across all subsidiaries. Of the 9,400 users implicated in the $9.1M USMM line, 7,200 were demonstrated through transaction evidence to be in the correct band already, 1,600 were reclassified into Limited Professional, and 600 were correctly Professional. Net exposure on that line fell to $1.4M.

On Process Orchestration the measurement was reconstructed message-class by message-class, demonstrating that fifty-eight per cent of counted messages were SAP-internal traffic excluded under the engine definition. Net exposure: $1.1M. On FI-CA indirect use, the collections workflow was re-modelled and shown to be running approximately 18,000 chargeable events per month, not the 230,000 SAP had assumed; conversion to Digital Access gave a $0.7M final position. The HANA over-deployment was resolved against the deployment register and corrected at $0.4M. The CUA double-counting was eliminated entirely.

The settlement

Settlement closed at seven million nine hundred thousand dollars cash, against an opening position of twenty-two point six million. The reduction was sixty-five per cent. Four indirect-use positions were converted to Digital Access at a per-document tier, with a hard cap on year-on-year volume growth at fifteen per cent and a re-measurement protection clause for the duration of the agreement.

Five contract clauses were rewritten in the release. The audit-rights clause was narrowed to a two-year cycle with ninety days' written notice and a defined data-exchange scope. The engine measurement clause for Process Orchestration was redefined with explicit exclusions for internal traffic. The Digital Access conversion attached a measurement cap. A no-further-claim clause covered the audited period. And a confidentiality clause restricted SAP's circulation of measurement data within its own organisation.

The matter closed sixteen weeks from the initial notification, allowing the audit committee to record a final position before the next quarterly disclosure cycle.

The broader read

The matter closed under privilege and the specifics are confidential, but the methodology applies to most SAP estates of comparable size. The pattern is repeatable across the banking sector and beyond.

Four observations applicable to other estates

• Informal account-team calls before an audit notification are the single largest source of negative anchoring. Channel all SAP communications through one named contact once the audit window opens.
• Snapshot data shared informally can be withdrawn from the negotiating record on procedural grounds if a current LAW measurement is run on agreed scope.
• For complex estates a three-layer governance structure — steering, working, and fact-finding — resolves the speed-versus-rigour trade-off more cleanly than a single committee.
• Confidentiality clauses in settlement releases are often available without resistance from SAP and constrain the circulation of negotiating data within SAP itself, which matters for repeat-customer relationships.

For the firm's full procedural sequence on matters of this kind, see the SAP Audit Defence Playbook and the related working notes in the the sap audit letter response cluster.