Comprehensive software reviews to make better IT decisions

Indirect Access of SAP Systems May Cost You Millions

SAP customers beware! With the relatively slow uptake of SAP S/4 Hana Cloud Platform and an increased focus on booking cloud based recurring revenues via SAP’s recent acquisition spree (e.g. Concur, SuccessFactors, FieldGlass, Hybris, Ariba), the pressure is immense for SAP to maintain revenue growth. Auditing the existing SAP customer base for indirect access usage, especially for customers with static or declining revenues with SAP, has become a relatively easy way to boost the bottom line. With the recent UK court ruling against Diageo, SAP has the law on its side as it comes knocking on customers’ doors in search of this non-compliance scenario. In today’s cloud-enabled world, where SAP is more frequently the “back-end” system, it is very difficult for most organizations to avoid integrating homegrown or third-party applications into their ERP environments.

The concept and contractual construct of indirect access within software license agreements is not a new phenomenon. Historically, the interpretation and application of indirect usage of software has been the source of massive amounts of confusion in the SAP practitioner community. The recent ruling by the UK High Court in favor of SAP in the case of SAP UK v Diageo Great Britain Ltd has cast a new light on this issue, not to mention sending waves of fear cascading across the SAP’s vast user community. SAP claimed they are due additional license fees and back support in the amount of ~$74M USD as a result of Diageo’s integration and use of the SAP software to third-party software from Salesforce.com. The Salesforce application was utilized by Diageo’s 5,800 customers to place orders with Diageo as well as a second Salesforce application used by Diageo’s sales staff to access customer data residing in an Oracle database supporting the mySAP ERP software. Keep in mind that Diageo is a significant SAP customer that has paid between $53M - $77M USD in license and support fees for use rights of the mySAP Business Suite to date. The fact that SAP has taken this legal action against an existing major customer should send a clear message to SAP customers!

Indeed, a survey of SAP end users conducted by The ITAM Review demonstrates that the issue of SAP indirect access is the top priority:

The UK court has ruled in favor of SAP with the exact amount of damages to be determined at a later date. This is a critical point as this type of third-party software integration was ruled to constitute indirect access of the SAP software and, as such, does allow SAP to charge for this usage but the court has yet to determine the value of this type of access. Additionally, another clause within Diageo’s SAP agreement states that any use of the SAP software from which Diageo is not explicitly licensed within the contract, but whereby Diageo derives business benefit, that compensation would be negotiated between the two parties.

SAP’s license agreement with Diageo states that a “Named User” is defined as:

an individual representative (e.g. employee, agent, consultant, contractor) of the Customer, a Group Company, an Outsource Provider or a Supply Chain Third Party who is authorised to access the Software directly or indirectly (e.g. via the Internet or by means of a hand-held or third party device or system). The extent to which a Named User is authorised to use the Software depends upon his user category as set out in the schedule.

As defined in the license agreement, SAP is ostensibly basing its financial claim on the list price of a Professional Named User license and back support for all users accessing the SAP software via Diageo’s Salesforce applications that are integrated and accessing the SAP environment and for which a Named User license has not been procured.

While the technical details of the court ruling could easily occupy the body of this research note a few times over, this note will focus on:

• The notion of indirect access.
• What you need to research in your own SAP agreement.
• Next steps to take in order to ascertain your organizations’ level of vulnerability to an indirect access claim by SAP.

So, What Is the Definition of “Indirect Access”?

This is a loaded question to be sure! Prevailing opinions hold that the customer owns their business data and that infrequent batch data transfers of customer owned data from a SAP system should not constitute instances of indirect access. This sounds logical, however, as will be demonstrated momentarily, logic, technology, and contracts do not always mesh seamlessly. It is more commonly agreed across software licensing specialists that real time (or near real time), synchronous and bi-directional use of the SAP application with another application, as well multiplexing front-end applications that access the SAP software back-end and provide a data interface to innumerable external users can generally be deemed as indirect access and be subject to proper licensing.

For any particular organization researching SAP indirect access, you must refer to your specific contract to find out if and how indirect access is defined. Target areas of the agreement to focus on are the Definitions, License Grant, and Verification sections of the SAP Software License Agreement. Even so, when referencing the Named User definition above, the term “indirect” was not defined in the Diageo contract. It is a frequently reported occurrence that SAP customers actively inquiring with SAP about this type of license compliance are not provided with clear and actionable guidance, and in many cases receive a response from SAP that it is the customer’s responsibility to understand their contract and to stay compliant.

What Are the Risk Criteria for Triggering a SAP Audit?

There are several factors that influence an organization’s risk for being audited by SAP for indirect access, discussed in more detail below:

1. Lack of Investment in SAP
   1. Limited or lack of adoption of SAP cloud or S/4 Hana solutions
   2. Lack of organic license growth for on-premises solutions
   3. Lack of clarity in the organization’s planned investments
2. Decline in SAP relationship
   1. Avoidance of engagement with sales team
   2. Lack of SAP executive level sponsor
   3. Change in customer leadership
3. System/Business Architecture
   1. Non-SAP solutions in use for edge solutions such as e-Commerce, SCM, and CRM
   2. Business process workflows moving through SAP but tethered to a separate application (homegrown or third party)
4. Vendor Competition
   1. SAP losing competitive bids to Best of Breed (BoB) vendors
   2. Evidence of ring-fencing SAP system and trending away from SAP solutions
   3. Investigation of third-party support
5. IT Roadmap Visibility
   1. Limited visibility provided into IT roadmap
   2. Limited view of SAP utilization
   3. Known collaboration with non-SAP partners

Recommendations:

1. Control SAP account team communications. If you are asked to conduct a whiteboard exercise to “map out your business processes” or even provided a System Architecture Worksheet to complete, you are being audited!
2. Determine your audit risk profile. Examine your lifetime spend to date with SAP with an acute focus on spend with SAP over the previous 3 years. Have spend levels increased, decreased, remained static? Are you engaging SAP in the exploration of their cloud offerings or are you moving towards a BoB environment?
3. Review your SAP agreement. Understand how indirect access is addressed in your SAP contract. Is your agreement long in the tooth, perhaps before the concept of cloud-based integrations were in play?
4. Examine your application environment. Build on your understanding of how indirect access applies to your organization and review the environment with the aim of identifying SAP interfaces to non-SAP applications and classify the type of integration and data access, modification, display, or functionality that exists.
5. Don’t go it alone. Enlist the assistance of expert IP legal counsel in the review of your SAP contract, along with industry experts in the software licensing and procurement field.
6. Build a plan for risk mitigation. Taking into account the factors discussed above, future project roadmap initiatives and your overall risk profile, develop technical workarounds and strategies to leverage your engagement with SAP on this issue. Engaging with SAP on this topic requires a well-crafted and thoughtful approach in order to yield a commercially successful outcome.

Bottom Line:

In the area of indirect access usage for SAP systems, the laws of logic do not rule supreme. It is imperative for organizations to identify their vulnerability to indirect access usage within their SAP environments and to work towards a commercial resolution while resisting the urge to pursue a legal remedy. Negotiating and collaborating with the SAP sales organization will almost always yield a preferred outcome vs. a formal audit conducted by SAP’s Strategic Initiatives Group.

---

Want to Know More?

Prepare and Defend Against a Software Audit