
SAP Audit Guide for Inventory
This audit guide is designed to assist the
review of inventory management processes
that rely upon controls enabled in SAP
systems.
The specific areas examined in this guide are relevant
configurables, transactions, authorizations and reports
in the Materials Management (MM) module of SAP ERP.
The guide provides instructions for assessing
application-level controls in the following areas:
Materials Master Data
Goods Movement
Physical Inventory
Inventory Valuation
The guide is delivered using clear, non-technical terms
to enable financial and operational auditors to
successfully navigate the complexities of SAP security.
Other volumes of this guide deal with SAP controls in
areas such as Financial Accounting, Revenue,
Expenditure, Human Resources, and Basis.
Materials Master Data
The organizational structure in Materials Management
consists of several hierarchical layers including client,
company code, plant and storage location. These
organizational units are defined and managed in the
Logistics area of the Enterprise Structure within the
Implementation Guide (IMG) and should agree with the
actual structure of the logistics organization.
Information related to products and services is
managed through the materials master which
integrates directly with other areas of SAP ERP
including Sales and Distribution and Financial
Accounting. There are several critical configuration
areas in the material master that should be closely
scrutinized during an audit. This includes posting
periods which are set within the Basic Settings for each
company code. Posting periods should match periods
configured in FI. The materials master should be
configured to allow posting to only the current period
and the most recently closed period. This is also
selected in the Basic Settings. The runtime for the
period close program in MM can be several hours and
locks any changes to records during the run, including goods
receipts, shipments and other movements.
Furthermore, global companies with distributed
operations can have plants and storage locations
located in different time zones within the same company
code. To minimize any potential conflict and the risk of
posting transactions to the incorrect period, runtimes
should be set to the timezone with the greatest number of
users and posting should be set to local date and time.
Other important configuration areas in the materials master
are material types (SAP is preconfigured with dozens of
material types that are identified through unique three or
four-character references), material groups, units of
measure and rounding rules for units of measure. The last
area is configured through Order Optimizing in the
Purchasing area of MM. Note that units of measure may
vary according to the organizational unit. Items may be
measured in crates at a plant level, for example, and
individually at the level of a storage location.
Ideally, SAP should be configured to block negative stocks.
However, negative stocks are often required by organizations when, for
example, there is a need to issue goods that have been
physically received but not entered into MM. Negative
stocks have to be enabled in valuation areas, storage
locations and each material master record. For the latter,
the Neg. stocks in plant indicator should be checked.
Negative stocks should be short-lived and should not be
carried forward at period end.
Required, optional and suppressed fields during the
creation of new material records are defined and managed
through IMG – Logistics – General – Material Master – Field
Selection – Maintain Field Selection for Data Screens.
Mandatory fields should include Tax Indicator for Material
and Material Freight Group. Critical fields that do not need
to be updated once an initial entry has been made should
be set as lock-relevant. This will prevent changes to the
field in dialog mode. Locking and unlocking fields in
material master records requires authorization object
M_MATE_MAF. Access to specific fields in master records
should also be restricted through the use of field groups.
The creation and maintenance of material master records is
performed through transactions MM01 and MM02.
Relevant authorization objects include M_MATE_BUK
(company code level), M_MATE_WRK (plant level) and
M_MATE_MAR (material type level). The key materials
master transactions are listed in Table A.
TRANSACTION   DESCRIPTION
MM01          Create Material
MM02          Change Material
MMS1          Create Material Master
MMS2          Change Material Master
OMS2          Define Attributes of Material Types
OMSY          Maintain Company Codes for Materials Management
OMSF          Define Material Groups
MB1C          Maintain Stock
MMBE          Create Stock
MMPV          Close Period
MMRV          Allow Posting to Previous Period
Table A: Materials Master Transactions
Goods Movement
Receipts, issues, transfers, and reversals are defined as
movement types in SAP. There are a variety of
preconfigured movement types, identified through unique
three character references. They perform an important
control function by directing updates to stock locations,
quantities and values. Standard and custom movement
types available in an SAP system can be viewed via
transaction OMJJ or through IMG – Material Management
– Inventory Management and Physical Inventory –
Movement Type. 711 and 712 are used for adjusting
differences between book and actual inventories. Reversals
are performed through the movement type reference +1.
For example, the reversal of a goods receipt for a purchase
order (movement type 101) is performed using movement
type 102.
A particular concern is movement type 501, used to enter a
goods receipt without a preexisting purchase order. This
could be used to receive goods that were neither ordered
nor approved. Best practice is to disable the movement
type. Another option is to only allow receipts without a
purchase order if they are within a specified tolerance level.
Delivery tolerances should also be set for receipts with
purchase orders. This will limit under and over-deliveries to
acceptable levels. Tolerances can be applied and managed
through tolerance keys on a company code level. SAP is
preconfigured with two tolerance keys for purchase order
price and quantity variances. B1 displays an error message
when limits are exceeded and blocks the posting of the
goods receipt. B2 issues a warning message but will not
block posting. Tolerance limits should be specified for each
key using transaction OMC0 or through the menu path IMG
– Materials Management – Inventory Management and
Physical Inventory – Goods Receipt – Set Tolerance Limit.
The GR message indicator must be selected in purchase
orders as a prerequisite for tolerance checks.
The B1/B2 tolerance keys check against minimum and
maximum variances in price and quantity and therefore
have greater application during invoice verification. Material
quantity variances can be more effectively controlled
through thresholds defined directly in material records using
purchasing value keys configured through transaction
OME1, purchasing info records and within the item details
section of purchase order documents.
The use of movement types 103 and 501 should be closely
monitored. These enable the receipt of goods into so-called
blocked stock which is not recorded in the general
ledger. Blocked stock should be accrued at period end if
items have not been accepted into inventory during the
financial close. The standard report Display material
documents can be used to identify receipts into blocked
stock.
SAP will allow the reversal of a goods receipt even if the
corresponding invoice has been verified and processed by
the system as long as the RevGR desp. IR indicator is
checked for movement type 102 in transaction OMBZ (Rev.
GR Despite Invoice). Best practice is to uncheck the
indicator and configure a warning or error message for
reversal attempts. This is performed through transaction
OMCQ (System Messages for Inventory Management).
Note that movement type 161 (returns for purchase order)
can also be used to process reversals through transaction
MIGO. Reversals should be approved before they are
processed in SAP and should be referenced to the original
purchase order. They should also be entered with the
correct reason code to provide a sufficient audit trail.
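The monitoring points above (receipts without a purchase order, receipts into blocked stock, and reversals lacking a purchase order reference or reason code) can be checked against an export of material documents. The following is an added example, not part of the original guide; the column names, finding labels and sample rows are constructed assumptions about how such an export might look.

```python
import csv
import io

# Constructed sample export of material documents; column names are assumed.
SAMPLE_EXPORT = """doc,movement_type,po_number,reason_code
4900000001,101,4500000010,
4900000002,501,,
4900000003,103,4500000011,
4900000004,102,4500000010,
4900000005,102,4500000012,0003
4900000006,161,,0001
4900000007,711,,
"""

BLOCKED_STOCK_TYPES = {"103", "501"}  # receipts into blocked stock, per the guide
REVERSAL_TYPES = {"102", "161"}       # GR reversal and returns for purchase order


def review_movements(export_text):
    """Return (document, finding) pairs for movements the guide says to monitor."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    # Purchase orders that have a goods receipt (101) somewhere in the export.
    received = {r["po_number"] for r in rows if r["movement_type"] == "101"}
    findings = []
    for r in rows:
        doc, mtype = r["doc"], r["movement_type"].strip()
        po, reason = r["po_number"].strip(), r["reason_code"].strip()
        if mtype == "501":
            findings.append((doc, "RECEIPT_WITHOUT_PO"))
        if mtype in BLOCKED_STOCK_TYPES:
            findings.append((doc, "BLOCKED_STOCK_RECEIPT"))
        if mtype in REVERSAL_TYPES:
            if not po:
                findings.append((doc, "REVERSAL_WITHOUT_PO_REFERENCE"))
            if not reason:
                findings.append((doc, "REVERSAL_WITHOUT_REASON_CODE"))
        # 102 reverses 101 (movement type + 1): expect the receipt on the same PO.
        if mtype == "102" and po and po not in received:
            findings.append((doc, "REVERSAL_WITHOUT_RECEIPT_IN_EXPORT"))
    return findings


if __name__ == "__main__":
    for doc, finding in review_movements(SAMPLE_EXPORT):
        print(doc, finding)
```

A reversal flagged as having no receipt in the export may simply relate to a receipt posted in an earlier period, so it is a prompt for follow-up rather than an exception in itself.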
The automatic posting of MM documents to FI accounts is
controlled through transaction OBYC (Configure Automatic
Posting). Access to this transaction should be restricted.
Other key transactions include MB1A (Goods Issue), MB1B
(Transfer Posting), MB1C (Other Goods Receipt), MBAD
(Delete Material Documents) and, most importantly, the
wide-ranging MIGO (Goods Movement). Relevant MIGO
authorizations are listed in Table B.
AUTHORIZATIONS   AUTHORIZATIONS
M_MRES_BWA       M_MSEG_BWF
M_MRES_WWA       M_MSEG_LGO
M_BEST_WRK       M_MSEG_WMB
M_MSEG_BMB       M_MSEG_WWA
M_MSEG_BWA       M_MSEG_WWE
M_MSEG_BWE
Table B: MIGO Authorizations
Physical Inventory
Physical inventory procedures in companies relying upon
SAP for materials management should follow a fixed
process flow consisting of three distinct phases. The first
phase should involve the creation of a physical inventory
document that specifies the plants or storage locations
where the count will take place, the timing of the counts
and the stock types and materials selected for inspection.
This is performed through the menu path Logistics –
Materials Management – Physical Inventory – Create Phys.
Inv. Docs. Documents can be generated in single form for
targeted counts and in session form for counts covering
multiple stock types, materials, plants or storage locations.
During this phase, SAP places an automatic block on the
posting of material which is only lifted when posting the
results of the physical count. The actual count should be
performed during the second phase and results should be
recorded on the physical inventory documents prepared by
the system. The final phase of the process should involve
entering the results of the count into SAP, analyzing the
results and posting inventory differences.
Count data can be imported from non-SAP systems
through batch input or Portable Data Capture (PDC). If
necessary, recounts should be triggered for specific
materials, generating a new set of inventory documents.
The block on the movement of goods can be released
immediately after the count and before the results are
entered into SAP by freezing the book inventory. This will
allow logistics to quickly resume normal operations without
impacting the count results. The system calculates
material differences by comparing counted quantities
entered against the book inventory. Differences are
adjusted by SAP as results are posted through system
generated documents that adjust the relevant materials
master records and general ledger accounts.
The ability to initiate physical inventory counts and enter or
update the results of such counts should be restricted. This
includes transactions listed in Table C.
TRANSACTION   DESCRIPTION
MI01          Create Physical Inventory Document
MI02          Change Physical Inventory Document
MI04          Enter Inventory Count with Document
MI05          Change Inventory Count
MI07          Process List of Differences
MI08          Create List of Differences with Doc
MI09          Enter Inventory Count w/o Document
MI10          Create List of Differences w/o Doc.
MI11          Recount Physical Inventory Document
MI31          Batch Input: Create Phys. Inv. Doc.
MI32          Batch Input: Block Material
MI33          Batch Input: Freeze Book Inv.Balanc
MI34          Batch Input: Enter Count
MI35          Batch Input: Post Zero Stock Balanc
MI37          Batch Input: Post Differences
MI38          Batch Input: Count and Differences
MI39          Batch Input: Document and Count
MI40          Batch Input: Doc.; Count and Dif
SM35          Batch Input Monitoring
Table C: Physical Inventory Transactions
Inventory Valuation
Material valuation should generally be configured at the plant
rather than company code level. This can be verified through
IMG – Enterprise Structure – Logistics General – Define Valuation
Level. Different stocks of the same material are often valuated
separately. This is referred to as split valuation. Partial stocks are
created by split valuation. When processing transactions such
as a goods receipt, goods issue or invoice receipt against
materials subject to split valuation, the partial stocks affected by
the transaction are selected. Split valuations are configured
through the valuation category and valuation type fields in each
master record which allow partial stocks to be valued based on
country of origin, grade, procurement type and other factors.
Material is valuated at either standard price or moving average
price. This is controlled through the price control field within the
Accounting tab in the master records. If the standard price
method is selected, SAP values stock at the price set in the
material master and posts any variances during invoice
verification and other procedures to designated expense/revenue
accounts. With the moving average price method,
receipts are valued at the purchase order price and goods
issues are valued by dividing the total value of the stock by the
total quantity of stock at the time of the issue. Regardless of
which method is used, any adjustment to the material price will
lead the system to revaluate the stock. This is performed
through transactions MR21 (Material Price Change) and MR22
(Material Debit/Credit).
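The two price control methods and the effect of a price change can be traced with a small ledger. This is an added example, not part of the original guide; the "S" and "V" labels for standard and moving average price, the movement tuples and the sample figures are assumptions made for illustration.

```python
from decimal import Decimal


def valuate(movements, price_control, standard_price=None):
    """Replay movements and return (quantity, stock value, price differences).

    movements: (kind, quantity, unit_price) tuples, kind being "receipt",
    "issue" or "price_change"; price_control: "S" or "V" (assumed labels).
    """
    qty, value, differences = Decimal(0), Decimal(0), Decimal(0)
    price = Decimal(standard_price) if standard_price is not None else None
    for kind, amount, unit_price in movements:
        amount = Decimal(amount) if amount is not None else Decimal(0)
        if kind == "receipt":
            po_value = amount * Decimal(unit_price)
            if price_control == "S":
                # Stock grows at the master-record price; the gap to the
                # purchase order price goes to a difference account.
                value += amount * price
                differences += po_value - amount * price
            else:
                value += po_value          # receipt valued at PO price
            qty += amount
        elif kind == "issue":
            if qty <= 0:
                raise ValueError("no stock on hand to value the issue")
            unit = price if price_control == "S" else value / qty
            value -= amount * unit         # V: total value / total quantity
            qty -= amount
        elif kind == "price_change":
            # Any price adjustment revaluates the stock on hand.
            new_price = Decimal(unit_price)
            if price_control == "S":
                price = new_price
            value = qty * new_price
    return qty, value, differences


# Constructed sample: two receipts at different PO prices, then one issue.
SAMPLE_MOVES = [("receipt", "100", "10.00"),
                ("receipt", "100", "12.00"),
                ("issue", "50", None)]

if __name__ == "__main__":
    print(valuate(SAMPLE_MOVES, "V"))
    print(valuate(SAMPLE_MOVES, "S", "10.00"))
```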
Balance sheet valuation methods can be either FIFO, LIFO or
lowest value determination. This is configured and activated for
each valuation area through transactions OMWL (LIFO/FIFO
Global Setting) and OMWE (Activate/Deactivate LIFO/FIFO
Valuation).
Access to material price changes and adjustments should be restricted.
Layer Seven Security
© Copyright Layer Seven Security 2012 - All rights reserved.
No portion of this document may be reproduced in whole or in part without the prior written
permission of Layer Seven Security.