SAP Audit Guide

for Inventory
 This audit guide is designed to assist the
review of inventory management processes
that rely upon controls enabled in SAP
systems.

The specific areas examined in this guide are relevant

configurables, transactions, authorizations and reports
in the Materials Management (MM) module of SAP ERP.

The guide provides instructions for assessing

application-level controls in the following areas:

Materials Master Data

Goods Movement

Physical Inventory

Inventory Valuation

The guide is delivered using clear, non-technical terms

to enable financial and operational auditors to
successfully navigate the complexities of SAP security.
Other volumes of this guide deal with SAP controls in
areas such as Financial Accounting, Revenue,
Expenditure, Human Resources, and Basis.

Materials Master Data

The organizational structure in Materials Management

consists of several hierarchal layers including client,
company code, plant and storage location. These
organizational units are defined and managed in the
Logistics area of the Enterprise Structure within the
Implementation Guide (IMG) and should agree with the
actual structure of the logistics organization.

Information related to products and services is

managed through the materials master which
integrates directly with other areas of SAP ERP
including Sales and Distribution and Financial
Accounting. There are several critical configuration
areas in the material master that should be closely
scrutinized during an audit. This includes posting
periods which are set within the Basic Settings for each
company code. Posting periods should match periods
configured in FI. The materials master should be
configured to allow posting to only the current period
and the most recently closed period. This is also

Inventory selected in the Basic Settings. The runtime for the

period close program in MM can be several hours and
locks any changes to records during including goods
SAP Audit Guide
re c e i p t s , s h i p m e n t s a n d o t h e r m o v e m e n t s .
Furthermore, global companies with distributed
operations can have plants and storage locations
 2
located in different time zones within the same company
TRANSACTION DESCRIPTION
code. To minimize any potential conflict and the risk of
posting transactions to the incorrect period, runtimes MM01 Create Material
should be set to the timezone with the greatest number of
users and posting should be set to local date and time. MM02 Change Material

Other important configuration areas in the materials master MMS1 Create Material Master
are material types (SAP is preconfigured with dozens of
material types that are identified through unique three or
MMS2 Change Material Master
four-character references), material groups, units of
measure and rounding rules for units of measure. The last
area is configured through Order Optimizing in the OMS2 Define Attributes of Material Types
Purchasing area of MM. Note that units of measure may
vary according to the organizational unit. Items may be Maintain Company Codes for
OMSY
Materials Management
measured in crates at a plant level, for example, and
individually at the level of a storage location.
OMSF Define Material Groups
Ideally, SAP should be configured to block negative stocks.
However, this is often required by organizations when, for
MB1C Maintain Stock
example, there is a need to issue goods that have been
physically received but not entered into MM. Negative
stocks have to be enabled in valuation areas, storage MMBE Create Stock
locations and each material master record. For the latter,
the Neg. stocks in plant indicator should be checked. MMPV Close Period
Negative stocks should be short-lived and should not be
carried forward at period end. MMRV Allow Posting to Previous Period
Required, optional and suppressed fields during the
creation of new material records are defined and managed Table A: Materials Master Transactions
through IMG – Logistics – General – Material Master – Field
Selection – Maintain Field Selection for Data Screens.
Goods Movement
Mandatory fields should include Tax Indicator for Material
and Material Freight Group. Critical fields that do not need Receipts, issues, transfers, and reversals are defined as
to be updated once an initial entry has been made should movement types in SAP. There are a variety of
be set as lock-relevant. This will prevent changes to the preconfigured movement types, identified through unique
field in dialog mode, Locking and unlocking fields in three character references. They perform an important
material master records requires authorization object control function by directing updates to stock locations,
M_MATE_MAF. Access to specific fields in master records quantities and values. Standard and custom movement
should also be restricted through the use of field groups. types available in an SAP system can be viewed via
transaction OMJJ or through IMG – Material Management
The creation and maintenance of material master records is
– Inventory Management and Physical Inventory –
performed through transactions MM01 and MM02.
Movement Type. 711 and 712 are used for adjusting
Relevant authorization objects include M_MATE_BUK
differences between book and actual inventories. Reversals
(company code level), M_MATE_WRK (plant level) and are performed through the movement type reference +1.
M_MATE_MAR (material type level). The key materials
For example, the reversal of a goods receipt for a purchase
master transactions are listed in Table A.
order (movement type 101) is performed using movement
type 102.
 3
A particular concern is movement type 501, used to enter a
goods receipt without a preexisting purchase order. This
could be used to receive goods that were neither ordered
nor approved. Best practice is to disable the movement
type. Another option is to only allow receipts without a
purchase order if they are within a specified tolerance level.
Delivery tolerances should also be set for receipts with
purchase orders. This will limit under and over-deliveries to
acceptable levels. Tolerances can be applied and managed
through tolerance keys on a company code level. SAP is
preconfigured with two tolerance keys for purchase order
price and quantity variances. B1 displays an error message
when limits are exceeded and blocks the posting of the
goods receipt. B2 issues a warning message but will not
block posting. Tolerance limits should be specified for each
key using transaction OMC0 or through the menu path IMG
– Materials Management – Inventory Management and
Physical Inventory – Goods Receipt – Set Tolerance Limit.
The GR message indicator must be selected in purchase
orders as prerequisite for tolerance checks.
The B1/ B2 tolerance keys check against minimum and
maximum variances in price and quantity and therefore
have greater application during invoice verification. Material
quantity variances can be more effectively controlled
through thresholds defined directly in material records using
purchasing value keys configured through transaction
OME1, purchasing info records and within the items details
section of purchase order documents.
The use of movement types 103 and 501 should be closely
monitored. These enable the receipt of goods into so-
called blocked stock which is not recorded in the general
ledger. Blocked stock should be accrued at period end if
items have not been accepted into inventory during the
financial close. The standard report Display material
documents can be used to identify receipts into blocked
stock.
SAP will allow the reversal of a goods receipt even if the
corresponding invoice has been verified and processed by
the system as long as the RevGR desp. IR indicator is
checked for movement type 102 in transaction OMBZ (Rev.
GR Despite Invoice). Best practice is to uncheck the
indicator and configure a warning or error message for
reversal attempts. This is performed through transaction
OMCQ (System Messages for Inventory Management).
Note that movement type 161 (returns for purchase order)
can also be used to process reversals through transaction
MIGO. Reversals should be approved before they are
processed in SAP and should be referenced to the original
purchase order. They should also be entered with the
correct reason code to provide a sufficient audit trail.
The automatic posting of MM documents to FI accounts is
controlled through transaction OBYC (Configure Automatic
Posting). Access to this transaction should be restricted.
Other key transactions include MB1A (Goods Issue), MB1B
(Transfer Posting), MB1C (Other Goods Receipt), MBAD
(Delete Material Documents) and, most importantly, the
wide-ranging MIGO (Goods Movement). Relevant MIGO
authorizations are listed in Table B.
AUTHORIZATIONS
M_MRES_BWA M_MSEG_ BWF
M_MRES_WWA M_MSEG_LGO
M_BEST_WRK M_MSEG_WMB
M_MSEG_BMB M_MSEG_WWA
M_MSEG_BWA M_MSEG_WWE
M_MSEG_ BWE
Table B: MIGO Authorizations
Physical Inventory
Physical inventory procedures in companies relying upon
SAP for materials management should follow a fixed
process flow consisting of three distinct phases. The first
phase should involve the creation of a physical inventory
document that specifies the plants or storage locations
where the count will take place, the timing of the counts
and the stock types and materials selected for inspection.
This is performed through the menu path Logistics –
Materials Management – Physical Inventory – Create Phys.
Inv. Docs. Documents can be generated in single form for
targeted counts and in session form for counts covering
multiple stock types, materials, plants or storage locations.
During this phase, SAP places an automatic block on the
posting of material which is only lifted when posting the
results of the physical count. The actual count should be
performed during the second phase and results should be
recorded on the physical inventory documents prepared by
the system. The final phase of the process should involve
entering the results of the count into SAP, analyzing the
results and posting inventory differences.
 Blocked stock is not recorded
in the general ledger
4

Count data can be imported from non-SAP systems

through batch input or Portable Data Capture (PDC). If TRANSACTION DESCRIPTION
necessary, recounts should be triggered for specific
materials, generating a new set of inventory documents. MI07 Process List of Differences

The block on the movement of goods can be released

immediately after the count and before the results are MI08 Create List of Differences with Doc
entered into SAP by freezing the book inventory. This will
allow logistics to quickly resume normal operations without MI09 Enter Inventory Count w/o Document
impacting the count results. The system calculates
material differences by comparing counted quantities MI10 Create List of Differences w/o Doc.
entered against the book inventory. Differences are
Recount Physical Inventory
adjusted by SAP as results are posted through system MI11
Document
generated documents that adjust the relevant materials
master records and general ledger accounts.
MI31 Batch Input: Create Phys. Inv. Doc.
The ability to initiate physical inventory counts and enter or
update the results of such counts should be restricted. This MI32 Batch Input: Block Material
includes transactions listed in Table C.
MI33 Batch Input: Freeze Book Inv.Balanc

TRANSACTION DESCRIPTION MI34 Batch Input: Enter Count

MI01 Create Physical Inventory Document MI35 Batch Input: Post Zero Stock Balanc

MI02 Change Physical Inventory Document MI37 Batch Input: Post Differences

MI04 Enter Inventory Count with Document MI38 Batch Input: Count and Differences

MI39 Batch Input: Document and Count

MI05 Change Inventory Count

Table C: Physical Inventory Transactions

 TRANSACTION DESCRIPTION

MI40 Batch Input: Doc.; Count and Dif

SM35 Batch Input Monitoring

Table C: Physical Inventory Transactions Cont.

Inventory Valuation

Material valuation should generally be configured at the plant

rather than company code level. This can be verified through
IMG – Enterprise Structure – Logistics General – Define Valuation
Level. Different stocks of the same material are often valuated
separately. This is referred to as split valuation. Partial stocks are
created by split valuation. When processing transactions such
as a goods receipts, goods issue or invoice receipt against
materials subject to split valuation, the partial stocks affected by
the transaction are selected. Split valuations are configured
through the valuation category and valuation type fields in each
master record which allow partial stocks to be valued based on
country of origin, grade, procurement type and other factors.

Material is valuated at either standard price or moving average

price. This is controlled through the price control field within the
Accounting tab in the master records. If the standard price
method is selected, SAP values stock at the price set in the
material master and posts any variances during invoice
verification and other procedures to designated expense/
revenue accounts. With the moving average price method,
receipts are valued at the purchase order price and goods
issues are valued by dividing the total value of the stock by the
total quantity of stock at the time of the issue. Regardless of
which method is used, any adjustment to the material price will
lead the system to revaluate the stock. This is performed
through transactions MR21 (Material Price Change) and MR22
(Material Debit/ Credit).

Balance sheet valuation methods can be either FIFO, LIFO or

lowest value determination. This is configured and activated for
each valuation area through transactions OMWL (LIFO/ FIFO Access to
Global Setting) and OMWE (Activate/ Deactivate LIFO/ FIFO
Valuation). material price
changes and
adjustments
should be
restricted 5
 Layer Seven Security

About Us

Layer Seven Security specialize in SAP security. The company serves customers across the globe to protect
SAP systems against internal and external threats and comply with industry and statutory reporting
requirements. It fuses technical expertise with business acumen to deliver unparalleled implementation,
consulting & audit services targeted at managing risks in contemporary SAP systems.

Layer Seven Security employs a distinctive approach to SAP risk management that examines and manages
vulnerabilities at the platform, application, program and client level. Through partnerships with leading software
developers, the company is able to develop SAP systems with defense in depth and perform integrated
security assessments that improve the quality and lower the cost of SAP audits. Layer Seven Security leverage
leading SAP-certified solutions to provide comprehensive and rapid results covering risks in every component
of SAP landscapes.

Address Web
Westbury Corporate Centre www.layersevensecurity.com
Suite 101 Email
2275 Upper Middle Road East info@layersevensecurity.com
Oakville, Ontario Telephone
L6H 0C3, Canada 1 888 995 0993
© Copyright Layer Seven Security 2012 - All rights reserved.

No portion of this document may be reproduced in whole or in part without the prior written
permission of Layer Seven Security.

Layer Seven Security offers no specific guarantee regarding the accuracy or completeness of the
information presented, but the professional staff of Layer Seven Security makes every reasonable
effort to present the most reliable information available to it and to meet or exceed any applicable
industry standards.

This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP
NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and
services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in
several other countries all over the world. Business Objects and the Business Objects logo,
BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business
Objects products and services mentioned herein are trademarks or registered trademarks of Business
Objects in the United States and/or other countries.