Indirect access and audit risk after a merger is the exposure that catches the most sophisticated buyers off guard, because it does not look like a licensing problem when it is created. It looks like good engineering. When two organisations merge and their systems are connected, applications begin reading and writing each other's data, and that machine to machine use can be licensable even though no person ever logs in. The publishers that license enterprise data, SAP most prominently, treat the value of their data as residing wherever it is used, not only where a human signs on. A merger multiplies the points where data crosses a boundary, and each one is a potential charge. This page sets out the risk, as a child of the cluster on M&A software audit risk.
Indirect access and audit risk after a merger begins with the connections
The mechanics start with integration. Before a merger, the target's ERP system served the target's users and its own connected applications. The acquirer's systems served the acquirer. After the merger, the integration team builds bridges: the acquirer's customer system reads order data from the target's ERP, the combined ecommerce platform writes transactions into it, an automated process pulls inventory figures across the boundary. Every one of these bridges is a connection through which the publisher's data is used by a system the publisher did not license for that purpose. SAP frames this within its digital access model, which counts the documents created through such connections rather than the users behind them. Because integrated and automated systems generate high document volumes, the measured exposure can be large, and because the connections are built to solve technical problems rather than to consume licenses, no one in procurement sees them coming. The way SAP specifically pursues this after a deal is set out in how SAP targets recently acquired companies.
Why a merger is the worst case for indirect access
A single acquisition connecting one new system to an ERP estate creates some indirect access. A merger of two substantial organisations creates a web of it. Both parties bring their own applications, their own automated processes, and their own integration patterns, and combining them means connecting many systems across the boundary in both directions. The target's ERP may now be read by a dozen of the acquirer's applications, while the acquirer's ERP is read by the target's. Each direction generates document throughput, and the totals compound. Worse, the connections are usually built in haste, under integration deadlines, by engineers focused on making the business work rather than on licensing consequences. The result is an estate criss crossed with data flows that no single person has mapped and no contract anticipated. This is why a merger represents the worst case for this exposure, and why mapping the interfaces is the essential first move, a discipline that also applies when two licensed estates combine, covered in audit risk from mergers of two licensed estates.
Why buyers underestimate it
Indirect access is underestimated for a simple reason: it does not behave like the licensing buyers are used to. Most software licensing is intuitive. You count users, or installs, or processors, and you can see what you are counting. Indirect access is counterintuitive because the licensable event is invisible. No one logs in. No new software is installed. A system that was already running simply starts reading data it did not read before, and a charge accrues. The people who build the connection, integration engineers, are not the people who manage licensing, procurement, and the two functions rarely talk during the pressure of integration. So the exposure accumulates in a blind spot, growing with every interface, until a publisher measures the document throughput and presents the total. The defense is not technical wizardry, it is visibility: knowing where the data flows before the publisher counts it.
| Connection type | What it does | Why it is licensable |
|---|---|---|
| Customer system to ERP | Reads orders and customer data | External system uses ERP data |
| Ecommerce to ERP | Writes transactions into the ERP | Document creation through a connection |
| Automated process | Pulls inventory or pricing data | High volume machine to machine use |
| Data warehouse | Extracts ERP data for reporting | Bulk reads of licensed data |
| Partner integration | Third party reads or writes data | Use by a party outside the license |
Key takeaways
- Indirect access is the use of a publisher's data by systems that do not log in, and it is licensable.
- A merger connects many systems across the boundary in both directions, multiplying the exposure.
- SAP measures digital access by document throughput, so automated connections produce large counts.
- The risk grows in a blind spot because integration engineers and procurement rarely coordinate.
- Mapping every interface before connecting anything new is the essential control, not technical complexity.
Mapping the interfaces is the control
The single most effective response to indirect access is also the least glamorous: map every interface into and out of the inherited ERP estate before connecting anything new, and keep the map current as integration proceeds. The map shows where data crosses a boundary, which connections create licensable use, and which can be re engineered or licensed deliberately. With it, a buyer can decide how to handle each flow on its own terms, license the genuine digital access at a negotiated rate, remove connections that are not needed, or restructure those that generate disproportionate throughput. Without it, the buyer is blind to its own exposure and reliant on the publisher to reveal the number, which the publisher will do at the least convenient moment and the least favourable rate. The same latent dynamic, where a technical decision creates an unpriced liability, runs through the broader pattern of inherited exposure described in how latent under licensing becomes an eight figure claim.
Licensing digital access deliberately
Indirect access is not inherently a problem to be eliminated. In many integrated businesses, connecting systems across a boundary is exactly what the merger is meant to achieve, and the data flows deliver real value. The goal is not to avoid digital access but to license it deliberately rather than discover it. A buyer that has mapped its interfaces can approach the publisher proactively, negotiate a digital access arrangement that reflects the genuine throughput, and price it as a known cost of integration. That is a very different conversation from defending an audit finding after the fact, because the buyer holds the information and the timing. The principle that connects this whole subject is control: control the map, control the timing, and control the commercial conversation, so that a normal feature of a merged business does not become a surprise claim. The wider defensive posture is set out in defending a software audit after an acquisition.
Recommendations for buyers
- Map every interface first. Document each connection into and out of the inherited ERP before integration adds more.
- Identify licensable flows. Separate genuine digital access from connections that can be removed or re engineered.
- Quantify document throughput. Measure the volume the way the publisher will, so the exposure holds no surprises.
- License deliberately. Negotiate a digital access arrangement proactively rather than defending an audit finding.
- Coordinate engineering and procurement. Close the blind spot between the people who build connections and those who manage licenses.
The contract terms that decide the outcome
How indirect access is treated in a given estate depends heavily on the terms of the underlying agreement, which is why the contract review and the technical mapping have to be read together. Some agreements predate the publisher's current digital access model and contain older indirect use language that is ambiguous about machine to machine connections. Others have been updated to the document based model with defined metrics and conversion terms. The version that applies to an inherited estate shapes the buyer's exposure and its options, because an older agreement may be both a risk and an opportunity: a risk because its vagueness lets the publisher argue for a broad interpretation, and an opportunity because converting to the current model on negotiated terms can cap a previously open ended liability. A buyer that knows which version governs the target's estate can decide whether to hold the existing terms, negotiate a conversion, or restructure the connections to reduce the metric the contract counts. None of this can be judged from the technical map alone, and none of it can be judged from the contract alone. The two together, the flows the systems actually create and the terms the agreement actually sets, are what determine the real exposure and the right response. The interpretation of the contract language belongs with counsel, while the measurement of the flows belongs with the licensing review.
Indirect access and audit risk after a merger, in one line
Indirect access and audit risk after a merger comes down to data crossing boundaries. Integration connects systems that read and write a publisher's data without anyone logging in, the publisher counts that use as licensable digital access, and a merger multiplies the points where it happens. A buyer that maps every interface, quantifies the throughput, and licenses the genuine access deliberately keeps a normal feature of a merged business from becoming a claim. We do that mapping on the buyer side only, paid solely by the acquirer.