Since the UK high court ruling in February against Diageo, many SAP customers have begun to proactively investigate their financial exposure stemming from indirect access. If you’ve been following the news, you might have noticed that publicized cases and examples of indirect access often seem to center around Salesforce.com or Workday implementations. This, however, is a bit misleading. We speak with many customers who have gone through an unfriendly audit with SAP. In the majority of cases the root of indirect access penalties wasn’t an interface to Salesforce. Very often it is caused by a homegrown application that was deployed years ago. If you’re looking for an indirect access checklist to gauge your financial risk, I can share from experience that it takes more than asking yourself if you have a Salesforce connector.
It’s important to remember which scenarios make it likely for SAP to take a closer look at your interface landscape:
- No license purchases in the past 12-18 months
- Decision against SAP-owned solutions in favor of a competitor’s offering (SuccessFactors vs. Workday, etc.)
- Annual audit activity: Recently, SAP has been examining customers’ annual workbench reports much more closely in regard to possible indirect use violations. In some cases customers may have had integrated applications for years and were never questioned for indirect license compliance when submitting prior LAW reports. However, now they are being asked for indirect access licensing fees.
How to identify indirect access
An actual or perceived loss of revenue on SAP’s side is often the motivation behind an indirect access audit. A good approach to mitigate your financial exposure is to begin with a thorough discovery of your interfaces across the IT landscape. Keep in mind that RFC interfaces as well as connections made via IDocs, PI or XML all create potential risks.
In our recent webinar in collaboration with ITAM Review, we shared best practices around assessing and reducing financial risks. Our advanced methodology lets us analyze the throughput of homegrown and third-party solutions. This way you can calculate the ROI for your interfaces and determine which of them are critical. This knowledge should be the foundation to determine which interfaces can be retired or replaced, and which licensing strategies are possible options once indirect access exposure is confirmed.
If you’re looking for a crash course in indirect access, I recommend you watch our recent webinar. We have also published a white paper, which includes a helpful checklist you can follow. If you want definite answers on how to mitigate your exposure or need immediate audit defense support, please feel free to contact us.