SAP Global License Audit And Compliance Update


2018 SAP SE or an SAP affiliate company. All rights reserved.

SAP Global License Audit and Compliance Update
April 2018

Table of Contents

- Overview
- Clear Separation of License Audit and Sales
  - Nomination of Audits
  - Dedicated Audit Delivery Personnel
  - Commercial Resolution of Overuse
- Establish Consistent and Transparent Audit Procedures
  - Ensure Consistency in License Auditing
  - License Audit Scope
  - License Audit Report and Completion of the Audit
- Simplify License Self-Measurement and Monitoring by Customers
  - Availability of License Audit Tools
  - License Compliance Advisory Services
- Indirect Access Audit Practice
  - Is There Use of SAP Software?
  - Licensing Misconceptions
- Examples of Indirect Static Read and Non-Indirect Static Read Scenarios in Legacy Pricing Model

This document is for existing SAP ERP (SAP ECC) and SAP S/4HANA customers with contracts based on SAP pricing policies prior to April 10, 2018.

On April 10, 2018, SAP introduced new outcome-based ERP pricing for the digital age. This new pricing model accounts for all forms of indirect and digital access, including access from IoT devices and bots.

For additional information, please refer to the “SAP ERP Pricing for the Digital Age” white paper or contact your SAP account executive.

This document is for informational purposes only and it does not modify or supplement a customer’s agreement in any way. Should a customer have questions, they should engage the SAP Global License Audit and Compliance organization. SAP reserves the right to revise its audit practices and policies from time to time. Further, the contents of this document and any inferred, proposed, or referenced commitments of any kind shall have no effect and are not binding upon SAP. SAP assumes no responsibility for errors or omissions in this document.

OVERVIEW

SAP is committed to our customers’ long-term success and is empathetic to our customers’ experiences and the challenges they face. When it comes to the consumption and proper licensing of SAP products, our global audit and license compliance process is intended to responsibly protect SAP’s core business assets and also ensure that our customers can manage their SAP assets effectively, that we provide transparency to license compliance, and that we enable customers to reduce the overconsumption of software.

While we believe that SAP should be fairly compensated for the use of its products, it is important for SAP to collaborate with our customers and partners to ensure a fair, transparent, and consistent license audit experience.

SAP license audits are to be conducted in the spirit of trust and customer empathy. After listening to customer feedback, SAP is taking action to clarify essential rules of engagement and to promote consistency across its license auditing and compliance practices.

CLEAR SEPARATION OF LICENSE AUDIT AND SALES

Nomination of Audits

SAP license audits are scheduled centrally and independently of the sales organization. All license audits will be initiated according to one of the following criteria:

- Analytics criteria: For example, time elapsed since the last audit or consumption (cloud) of licenses since the last audit
- Proactive initiation: For example, campaigns focused on specific industries or based on merger and acquisition activity
- Reactive initiation: For example, conversion to a new license model or cloud extensions
- Random spot checks

Ad hoc audits will be permitted only with the approval of the license compliance organization and only in exceptional situations, such as customer consultation or risk of overuse.

Just as sales cannot initiate an audit, sales cannot cancel an audit. Once an audit begins, only the SAP Global License Audit and Compliance organization can close it.

Dedicated Audit Delivery Personnel

License audits are performed by dedicated license auditors from the SAP Global License Audit and Compliance organization. Audits and any systematic license compliance verification may not be conducted by sales personnel or sales designees.

Commercial Resolution of Overuse

The assigned SAP account or sales executive is the primary owner of the commercial relationship with our customer. In cases of a customer’s license overuse, the account or sales executive is responsible for resolving that customer’s license compliance matter, and a commercial resolution is always the preferred outcome. SAP Global License Audit and Compliance team members will not be responsible for sales matters and will be limited to providing license management expertise to the customer and the account/sales team.

ESTABLISH CONSISTENT AND TRANSPARENT AUDIT PROCEDURES

Ensure Consistency in License Auditing

As described above, there will be only one organization within SAP authorized to perform license audits. This team will harmonize the end-to-end audit processes globally, from nomination to delivery of the license audit report. In each case, a customer will be informed of the scope, process, and results of the audit.

License Audit Scope

Audits will be comprehensively outlined and communicated in advance to customers. In general, SAP performs basic audits and enhanced audits.

Basic audits cover most SAP customers on an annual basis and are based on customer self-declarations and automatic measurements that customers perform. As such, their scope is limited to the information the customer provides, and most often they do not cover all licensed SAP products. Should the audit begin as a basic audit, SAP will adhere to the defined scope of information provided by the customer. However, SAP retains the right to request additional information or to expand the audit when specific indicators have been discovered within the defined scope.

For license compliance audits in which SAP believes findings show a significant issue, SAP may engage one of its auditors from another region to verify audit results. This would occur before the report is issued to the customer and would improve the consistency and quality of the audit results.

Enhanced audits start with a clear statement of scope. On-site audits begin with a kick-off meeting, during which the audit’s scope is communicated.

License Audit Report and Completion of the Audit

There will be a clear notice of the audit’s closure. The SAP Global License Audit and Compliance team will create a report for every license audit performed, and the license compliance team will be responsible for informing the customer of the report’s availability.

In some cases, a license overuse may be identified without the performance of a license audit if required information verifying license compliance is publicly available. An example is product use based on the number of employees disclosed in a company’s publicly available annual report. If the SAP Global License Audit and Compliance organization is involved in such a case, a report will be issued, shared, and discussed with the customer.

SIMPLIFY LICENSE SELF-MEASUREMENT AND MONITORING BY CUSTOMERS

A license audit is typically a better experience for a customer if it does not result in unexpected overuse of licenses. To reduce the risk of an unexpected license gap, SAP wants to make it easier for customers to monitor their license compliance themselves.

Availability of License Audit Tools

Certain tools that SAP license auditors use already are available to customers. One example is the license audit workbench tool used for basic audits. It is available to customers as part of their traditional SAP ERP application. Customers may use these tools internally at any time to monitor their license consumption. SAP plans to further enhance these measurement tools and improve their availability.

License Compliance Advisory Services

SAP offers advisory services from the SAP Global License Audit and Compliance organization. This service focuses on knowledge transfer and enablement. The verification of the status of license compliance is included solely at a customer’s request.

INDIRECT ACCESS AUDIT PRACTICE

While SAP maintains the position that any use of SAP software needs to be properly licensed, this document is intended to provide additional clarity on SAP’s license audit practices. SAP has various types of customers and corresponding licensing models. These include traditional SAP ERP (SAP ERP Central Component or SAP ECC) customers with the named user licensing model, SAP S/4HANA customers without a named user model, and customers with both traditional SAP ERP and SAP S/4HANA, both under a named user licensing model. The indirect access audit practice and approach described here and in the following sections specifically address indirect access of the core SAP ERP for traditional SAP ERP (SAP ECC) customers that have not licensed the “SAP digital access software engine.” Individual contracts may include special agreements that deviate from the standard approach. In such cases, the process described by the decision tree below would not apply. To determine whether indirect access of the core SAP ERP software is within the customer’s SAP ERP license level, SAP license auditors will normally follow the decision tree shown in Figure 1.

Figure 1: Decision Tree for License Auditors to Verify Indirect Access Scenarios

1. Is there any “use” of SAP ERP software?
   Yes: continue to 2.
2. Is the access occurring directly by individuals?
   Yes: Named user, application, and/or engine licenses are required for direct use.
   No: continue to 3.
3. Is the indirect access of core SAP ERP software caused by other SAP applications?
   Yes: Use of SAP ERP is typically covered by license for those applications and/or user license.
   No: continue to 4.
4. Is the specific indirect access covered by specific SAP engines?
   Yes: Certain indirect use of core SAP ERP is covered by SAP engine licenses such as SSOE or POE.
   No: continue to 5.
5. Is the indirect access limited to nontransactional data in core SAP ERP?
   Yes: Indirect access resulting in other than reading, creating, modifying, or deleting transactional data in core SAP ERP will not be counted as use against the SAP ERP metric levels under audit practice.
   No: continue to 6.
6. Is the indirect access limited to indirect static read?
   Yes: Other than for the SAP Business Warehouse application, indirect static read does not require a separate license.
   No: This type of use of core SAP ERP software typically requires a dedicated license.

Is There Use of SAP Software?

A license auditor will first determine if SAP software is “used,” as any use of the SAP software requires an appropriate license. “Use” is defined in SAP’s current standard contractual documents as: “to activate the processing capabilities of the software, load, execute, access, employ the software, or display information resulting from such capabilities.” SAP’s current standard contractual documents state that use also may occur by way of an interface delivered with, or as a part of, the software, a licensee or third-party interface, or another intermediary system.

Licensing Misconceptions

There are many misconceptions regarding licensing required for indirect access of SAP ERP. Clarifications of the most common misconceptions are listed below:

- One-way or two-way: Regardless of whether a user performs read-only, write-only, or read-and-write transactions, all such transactions are considered use, and the user must be licensed as a named user.
- Synchronous or asynchronous: Real-time or batch transactions that activate processing in the SAP ERP system are use and must be licensed.
- More than one intermediate system: Users who access the SAP ERP system through one or more intermediary systems must be licensed.
- Access through another technical interface: Use of the SAP ERP system is independent of the technical setup (for example, SAP enterprise services, SAP Web services, BAPI programming interfaces, RFC, IDocs, ABAP programming language code, user exits, database link, file interface). No matter which interface is used to activate processes in SAP ERP, the user needs to be properly licensed.
- Access through a non-SAP application: If a user is accessing SAP ERP through a third-party application (for example, Salesforce or Workday) or through a custom front-end application that triggers SAP ERP processing, the user must be properly licensed.

Indirect static read is an exception to many of the above examples.

Upon the determination of “use” of SAP software, the auditor will verify the following decision node:

Is the use occurring directly (direct use by individuals)?

The above definition of use from SAP’s standard contractual documents covers both direct and indirect access. As this document concerns verification of indirect activities, it will focus on indirect use of SAP ERP (indirect access is a type of indirect use). Indirect access of SAP ERP typically occurs by way of a non-SAP front end, by non-SAP intermediary software, or through Internet of Things (IoT) devices. Table 1 provides examples of direct use and indirect access.

Table 1: Examples of Types of Use of the Digital Core

| Access type | Examples |
|---|---|
| Direct human access | Customers’ employees logging directly into the digital core |
| | Customers’ business partners logging directly into the digital core |
| Indirect/digital access | RPA bots directly logging into the digital core |
| | End consumers accessing the digital core through a third-party e-commerce Web site |
| | IoT devices accessing the digital core through a custom solution built on top of SAP Cloud Platform or the SAP IoT Application Enablement toolkit |
| SAP application access | Customers’ business partners accessing the digital core through an SAP Ariba solution |
| | IoT devices accessing the digital core through the SAP Predictive Maintenance and Service solution |
| | Customer’s employees accessing the digital core through SAP Solution Extensions |

Use of SAP ERP through direct access by an individual does require a named user license. If such use occurred by indirect access, the auditor will verify the next decision node:

Is the indirect access of SAP ERP initiated by other SAP applications?

Depending on the customer’s license model, when indirect access of SAP ERP occurs from other SAP applications, such use of SAP ERP may be included in the SAP application license, regardless of whether the application is in the cloud or on premise. Examples of using SAP ERP through other SAP applications are:

- Purchase orders generated in SAP ERP by an SAP Ariba solution
- Sales orders in SAP ERP modified through the SAP Customer Relationship Management application

When this type of indirect access of SAP ERP is covered by the license of the SAP applications, it does not count against the license level for SAP ERP. However, if the indirect access is not caused by such other SAP applications, the auditor will verify the next decision node:

Is the indirect access right covered by specific SAP software engines?

Some SAP software engines are designed for simplified licensing of specific indirect access, especially in business-to-business (B2B) and business-to-consumer (B2C) activities. Examples of such engines are:

- SAP Sales and Service Order Execution solution for use in B2B and B2C activities
- SAP Purchase Order Execution solution

Note: Some engines, such as the SAP Budgeting and Planning for Public Sector application and the SAP Tax, Benefits, and Payment Processing for Public Sector solution for SAP CRM, do not require named users.

If the indirect access is not covered by another engine, the auditor will verify the next decision node as follows:

Is the indirect access limited to nontransactional data?

SAP’s contractual use definition does not differentiate between data types. However, for core SAP ERP, the license auditor will follow a more limiting practice: Auditors review only cases of indirect access that result in the reading, creation, modification, or deletion of transactional data in core SAP ERP. Indirect access that does not result in the reading, creation, modification, or deletion of transactional data in SAP ERP will not be counted against the license metric for SAP ERP.

As a guiding principle, transactional data is:

- Business process centric
- Rapidly changing and event driven

Table 2 lists typical examples for transactional data in core SAP ERP.

Table 2: List of Transactional Data Records

| Document Type | Description |
|---|---|
| Sales orders | Creation of business documents for the sales of goods and services within SAP software. These can be created, changed, or viewed through electronic data interchange (EDI), external non-SAP applications, and other means. Such documents may include sales quotations, sales and service contracts, sales orders, and returns. |
| Customer or supplier invoice | Invoices are documents that indicate the material and/or service being billed, including, but not limited to, reading (automated import) supplier invoices into SAP software, or creating and sending invoices to customers from SAP software. |
| Purchase order | Creation of procurement documents for goods or services that are loaded into an SAP software system. Such documents can be created, changed, and viewed through various interfaces and can include purchase requisitions, purchase orders, purchasing contracts, and confirmations. |
| Service order or maintenance order | Service and maintenance documents created within SAP software for the management of work to be performed. These can be created, approved, adjusted, or viewed through external non-SAP applications by the service team. |
| Production order | Creation within the SAP software of production documents that indicate production-related details associated with the manufacturing of a material (for example, type, quantity, and color of a material to produce and when to produce it). These can be created, changed, or viewed through, for example, EDI or external non-SAP applications. |
| Quality notification | Creation of quality-related documents for machines and tools that are loaded into an SAP software system. A quality notification can include the details of a nonconformance (for example, an independent defect). These can be created, changed, viewed, approved, or rejected through third-party applications or other non-SAP products. |
| Material documents (goods movement) | Creation of material documents for the movement of goods. The documents usually indicate specific material received, issued, or transferred to, from, or within a storage location or plant. |
| Travel expense claim | Creation of travel expense claim for reimbursement of accrued expenses that are loaded into an SAP software system. Such documents can be created, changed, approved, and viewed through various interfaces. |

Table 2: List of Transactional Data Records (continued)

| Document Type | Description |
|---|---|
| Vacation request | Creation and approval of vacation requests within the SAP software for the processing of off-time and payroll. Such documents can be created, changed, and viewed through various interfaces. |
| Invoice creation | Invoices created by SAP software. These can be created, adjusted, and viewed through external non-SAP applications. |
| Payment | Creation of payment files through an SAP automatic payment program in formats such as SWIFT and ISO. Such documents can be created, changed, approved, and viewed through various interfaces. |

Note: The audit practice for differing treatments of indirect access to various types of data, as specifically described in this document, is not and will not be reflected in customer contracts, as it is only a practice. SAP has a transactional data-based approach for indirect access, which may be reflected in a customer’s contract if the customer licenses a new SAP digital access software engine. The SAP digital access software engine differs fro
