I am not a licensing expert, but I know that it depends on the deal you have with SAP and the "normal" Netweaver license hat 5 developer keys included. So you can activate them on the SMP and deactivate old ones when people leave. If you register more keys then you probably have to pay for them. That is "invoicing" side of it.
License auditing is when SAP comes and checks your system to determine license compliance. Here they will expect that all they keys are still in DEVACCESS and additionally check to see which users with keys there are valid / unlocked in the system. That should not exceed 5 -> otherwise you might have deactivated the key on SMP but in real life it is still active in the system.
In contrast if you have an "eat as much as you want" contract with SAP, you can do as you please and there is only a security consideration -> here authorizations are much more reliable that the existence of a DEVACCESS key and you should only rely on that. Secondary control is SCC4 / SE06 settings. Third you should scan for critical ABAP statements of the workbench in Z-programs which do not make authority-checks (can happen!). 4th monitor the DEVACCESS. In this case you probably don't need to care about SMP at all (as far as I am aware, and it has no affect on security anyway).
Cheers,
Julius