Compliance Assessment
A pre-audit examination of named users, engine measurements, and indirect-access pathways. We surface the exposure before SAP does, and we quantify the remediation cost.
A global pharmaceutical group built its first independent SAP license compliance baseline. The baseline removed $11.2M of forecast exposure before the next audit cycle even began.
Every result on this site is anonymised at the client’s request. Specific figures are real and verifiable through a confidentiality-protected reference call arranged on request.
The pharma group had not run an independent SAP license compliance baseline in eight years. The internal SAM function had reported the baseline as compliant in each annual self-declaration, but the underlying methodology had not been independently validated. A new CIO arrived and asked for an independent baseline before the next renewal cycle.
The internal estimate of exposure, prepared by the SAM function for the CIO’s onboarding briefing, suggested approximately $14.6M of cumulative risk across named users, engine metrics, and indirect-access pathways. The estimate had been prepared conservatively, but the underlying analysis was four years old.
We were engaged on a baseline brief: rebuild the compliance position from first principles, document the methodology, and produce a remediation plan with quantified savings. The engagement specifically excluded any negotiation work — the priority was a defensible baseline ahead of the next audit.
The pre-baseline internal forecast of $14.6M was structured by component rather than by audit category, but the components mapped cleanly onto the categories SAP would use in an audit: named users, indirect access, and engine metrics.
Four programmes, run in parallel over twenty-two weeks. Each programme produced a documented baseline component and a remediation plan with measurable savings.
We rebuilt the named-user classification across the full 47,000-user population. The 8,200 users flagged in the internal forecast were re-examined against twelve months of activity data. Of those, 5,400 were reclassified to lower bands on evidence, 1,800 were retired as inactive, and 1,000 were confirmed at the existing band. The named-user exposure moved from $6.4M to $0.9M.
The three external integration points were independently quantified, with document-flow analysis performed end-to-end. Two of the three platforms were resolvable through aggregation in the integration layer, reducing the licensable document count by 71%. The third was converted to Digital Access on a fixed annual document allowance. The indirect-access exposure moved from $5.1M to $1.6M.
Both the FI and HR engines were re-presented on twelve-month rolling-average measurements rather than the peak-period snapshots used in the internal forecast. The contractual measurement clauses supported the rolling treatment. The engine exposure moved from $3.1M to $0.7M.
All four components of the baseline were documented in a single compliance manual covering scope, methodology, evidence sources, and remediation actions. The manual was structured to be reusable in subsequent annual self-declarations and to provide a defensible position in the event of audit.
The post-baseline forecast landed at $3.4M against the $14.6M pre-baseline estimate. The reduction was $11.2M of forecast exposure, all of which was eliminated through remediation work rather than negotiation.
The compliance manual produced during the baseline was adopted as the basis for the next annual self-declaration. The self-declaration came in within 2% of the baseline forecast, validating the methodology in a measurable way ahead of the next audit cycle.
The internal SAM function was restructured around the documented baseline methodology, with a quarterly review cadence and a defined remediation backlog. The structure converted the baseline from a one-time programme into a continuous compliance operation.
The baseline was built bottom-up from primary evidence rather than top-down from the prior self-declaration. Named-user evidence came from twelve months of transaction history across the active SAP estate, joined against the role-collection and authorisation-object assignment tables so that each user's recorded activity could be compared with what the assigned band actually entitles them to do. Indirect-access evidence came from document-flow logs at the three integration points, supplemented by message-broker logs where available. Engine-metric evidence came from SAP's own measurement scripts, run each quarter with the configuration documented and averaged over the trailing twelve months. The methodology manual covers scope, evidence sources, exclusion rules, and review cadence, and is structured to be reusable in subsequent annual self-declarations.
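As an added illustration of the named-user step (the reclassification described above and the evidence join in the methodology paragraph), and not code from the engagement or from any SAP tool: a minimal Python classifier run over a constructed twelve-month activity extract. The band names, transaction codes, the display-only set and the three decision rules are assumptions made for the example; a real baseline derives the display-only set from the authorisation objects behind each role and applies the contract's own band definitions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data for this example. Band names, transaction codes and
# the reclassification rules are assumptions for illustration, not the
# client's scheme or SAP's contractual definitions.
USER_BANDS = {
    "U001": "PROFESSIONAL",  # creates documents: stays at band
    "U002": "PROFESSIONAL",  # display-only inside the window: lower band
    "U003": "PROFESSIONAL",  # no recorded activity at all: retire
    "U004": "LIMITED",       # last activity predates the window: retire
    "U005": "LIMITED",       # display-only, already at lowest assumed band: confirm
}

# Constructed transaction history: (user, execution date, transaction code),
# the shape a twelve-month extract of workload statistics (e.g. ST03N) yields.
ACTIVITY = [
    ("U001", date(2024, 3, 4), "ME21N"),
    ("U001", date(2024, 9, 12), "ME23N"),
    ("U002", date(2024, 5, 1), "ME23N"),
    ("U002", date(2024, 11, 20), "FB03"),
    ("U004", date(2023, 6, 1), "VA01"),
    ("U005", date(2024, 7, 15), "VA03"),
]

# Assumed display-only codes. In a real baseline this set is derived from the
# authorisation objects behind each role (ACTVT 03 "display"), not typed in.
DISPLAY_ONLY = {"ME23N", "FB03", "VA03"}

# Assumed band ladder: the band a display-only user can be moved down to.
LOWER_BAND = {"PROFESSIONAL": "LIMITED"}

# Constructed cut-off date for the twelve-month evidence window.
AS_OF = date(2024, 12, 31)


def classify_users(user_bands, activity, as_of, window_days=365):
    """Decide RETIRE / RECLASSIFY / CONFIRM per user from activity evidence.

    Only executions dated inside [as_of - window_days, as_of] count; older
    activity is deliberately ignored so a user whose last execution predates
    the window is treated as inactive, not as a confirmed user.
    """
    window_start = as_of - timedelta(days=window_days)
    used = defaultdict(set)
    for user, when, tcode in activity:
        if window_start <= when <= as_of:
            used[user].add(tcode)

    decisions = {}
    for user, band in user_bands.items():
        codes = used.get(user, set())
        if not codes:
            decisions[user] = ("RETIRE", None)
        elif codes <= DISPLAY_ONLY and band in LOWER_BAND:
            decisions[user] = ("RECLASSIFY", LOWER_BAND[band])
        else:
            decisions[user] = ("CONFIRM", band)
    return decisions


def summarize(decisions):
    """Count decisions: the retired / reclassified / confirmed split."""
    counts = defaultdict(int)
    for decision, _ in decisions.values():
        counts[decision] += 1
    return dict(counts)


def run_example():
    """Classify the constructed population against the constructed cut-off."""
    return classify_users(USER_BANDS, ACTIVITY, AS_OF)


if __name__ == "__main__":
    result = run_example()
    for user, (decision, band) in sorted(result.items()):
        print(f"{user}: {decision} {band or ''}".rstrip())
    print(summarize(result))
```

The point the page makes is carried by the window filter: U004 has activity on record, but none inside the twelve months, so it is retired rather than confirmed; U005 is display-only but already at the lowest assumed band, so it is confirmed rather than reclassified. The same structure applies to a 47,000-user extract once the sample lists are replaced by the real activity and role-assignment tables.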
Eight years of self-declarations had told us we were compliant. The baseline showed us we were compliant by accident, not by methodology. The methodology is the real deliverable.