THE PLAYBOOK · CHAPTER 1

ERP Audit Universe for Electrical Distribution

The use case library organized by SAP module -- what to monitor, what data it requires, and what the finding looks like.

Key takeaways -- read this first
  • This catalog is a risk assessment tool, not a scope document. No audit function tests everything here in a single year. The value is in using it to prioritize systematically rather than from habit or availability.
  • Each module maps to distinct data tables and transaction types in S/4HANA. Understanding the module structure is prerequisite to designing monitoring logic that actually executes against the right data.
  • Electrical distribution creates specific risk concentrations -- pricing override risk in SD, inventory adjustment risk in WM/EWM, and commission manipulation risk in HCM -- that differ from manufacturing or retail ERP environments.
  • Platform-specific table names and transaction codes in this catalog reference SAP S/4HANA. Equivalent logic applies in Oracle and Microsoft Dynamics environments using platform-equivalent data sources.

Use cases covered: 130+ (across 8 SAP modules)
SAP modules: 8 (FI, MM, SD, WM, HCM, Basis, CO, PM)
Organized by: Risk area (not by audit procedure)
Reading time: 45 min

SAP S/4HANA reference environment
This catalog uses SAP S/4HANA as its primary reference environment. The use case categories and risk logic apply across ERP platforms. Oracle and Microsoft Dynamics environments contain equivalent data and equivalent risk -- the module names and table structures are different, the audit logic is the same.

How This Catalog Is Organized

The catalog is organized by SAP module because module boundaries map directly to data boundaries. Each module owns a distinct set of transaction tables, master data records, and process flows. Monitoring logic that works against FI data cannot be applied to MM data without redesign. Understanding this structure is prerequisite to building monitoring that actually executes.

Within each module, use cases are organized by risk type rather than by procedure. The goal is risk identification, not step-by-step testing instructions. Each entry describes what to look for, what data it requires, and what a finding in that area typically looks like. The specific queries, thresholds, and exception workflows are built from that foundation.

Use this catalog as a starting point for annual risk assessment, not as a default scope template. Prioritize based on data availability, transaction volume, and control maturity -- then build monitoring logic against the highest-priority items first.

FI -- Financial Accounting

The general ledger, accounts payable, accounts receivable, and asset accounting processes. High transaction volume and broad access make FI one of the highest-priority modules for continuous monitoring.

Accounts Payable
Duplicate Payments and Vendor Fraud
Duplicate invoices across vendor, amount, date, and document number. Payments to vendors with employee address or bank account matches. Vendors created and paid in the same period without prior transaction history. Split payments across multiple documents to stay below approval thresholds. Key tables: BSEG, BKPF, LFA1, LFBK.
General Ledger
Journal Entry Anomalies and Closing Manipulation
Manual journal entries posted outside normal business hours. Round-number entries with no supporting document reference. Entries posted by users without typical GL access. Period-end clustering of reversals and adjustments. Entries that offset each other across cost centers or profit centers in ways that obscure the original transaction. Key tables: BKPF, BSEG, SKA1.
Accounts Receivable
Write-offs, Credits, and Aging Manipulation
Write-offs applied without supervisor approval or above delegated authority. Credit memos issued to customers with no corresponding return or dispute record. Customer account modifications proximate to balance forgiveness. Aging buckets that shift consistently near reporting periods. Payments applied to the wrong invoice across customers. Key tables: BSID, BSAD, KNA1, KNBK.
Fixed Assets
Asset Manipulation and Retirement Anomalies
Assets retired without physical verification documentation. Additions capitalized below the policy threshold that should be expensed. Depreciation method changes without supporting rationale. Asset transfers between cost centers that coincide with budget cycle timing. Duplicate asset records across different company codes. Key tables: ANLA, ANLB, ANLC, ANEK.
When AP Spans Multiple Systems
Duplicate payment detection in SAP alone tests only the invoices that flow through SAP. In organizations where AP activity is distributed across an ERP, an expense management platform (such as Concur), and bank-managed card programs (p-cards, merchandise cards, T&E cards), a cross-system duplicate will not appear in any single system's dataset. The same vendor, same amount, and same transaction date may appear as a legitimate SAP invoice and a separately submitted expense report -- invisible to either system's native controls in isolation. Testing for this risk requires a unified dataset drawn from all AP-adjacent systems. Third-party cross-platform analysis tools -- such as Detect by Oversight -- are designed specifically for this scenario: they ingest structured data from multiple source systems and run duplicate and anomaly detection across the combined population. The data access request template on the SAP Tool Ecosystem page provides a starting point for initiating the cross-platform data access conversation.
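
One way to implement the Accounts Payable duplicate-invoice test above. This is an added example, not code from the original catalog. It assumes vendor line items have already been extracted as a BKPF/BSEG join with the fields BELNR, LIFNR, XBLNR, BLDAT, WRBTR and STBLNR, plus an LFBK extract; all rows are constructed sample data, and the function names and the 7-day window are hypothetical.

```python
import re
from collections import defaultdict
from datetime import date
from itertools import combinations

# Constructed sample rows (not real data). Fields: BELNR, LIFNR, XBLNR (vendor
# invoice reference), BLDAT (document date), WRBTR (amount, held here as
# integer cents), STBLNR (reversal document number, "" if not reversed).
INVOICES = [
    ("5100000001", "V100", "INV-00123", date(2024, 5, 2), 1250000, ""),
    ("5100000007", "V100", "inv 123", date(2024, 5, 2), 1250000, ""),
    ("5100000011", "V200", "INV00123", date(2024, 5, 3), 1250000, ""),
    ("5100000015", "V100", "INV-00123", date(2024, 5, 2), 1250000, "5100000016"),
    ("5100000020", "V300", "A-77", date(2024, 5, 9), 480000, ""),
    ("5100000021", "V300", "A-78", date(2024, 5, 9), 480000, ""),
]
# Constructed LFBK extract: LIFNR -> (BANKL, BANKN).
LFBK = {
    "V100": ("021000021", "111222333"),
    "V200": ("021000021", "111222333"),  # same account as V100
    "V300": ("026009593", "999888777"),
}


def normalize_ref(xblnr):
    """Collapse re-keyed variants: drop case, punctuation and leading zeros."""
    cleaned = re.sub(r"[^A-Z0-9]", "", xblnr.upper())
    return re.sub(r"\d+", lambda m: m.group().lstrip("0") or "0", cleaned)


def duplicate_candidates(max_days=7):
    """Return (BELNR, BELNR, reason) pairs that look like the same invoice."""
    groups = defaultdict(list)
    for belnr, lifnr, xblnr, bldat, wrbtr, stblnr in INVOICES:
        if stblnr:  # reversed documents were never paid twice
            continue
        payee = LFBK.get(lifnr, lifnr)  # vendors sharing a bank account pool
        groups[(payee, wrbtr, normalize_ref(xblnr))].append((belnr, lifnr, bldat))
    pairs = []
    for docs in groups.values():
        for (b1, v1, d1), (b2, v2, d2) in combinations(docs, 2):
            if abs((d1 - d2).days) <= max_days:
                reason = "same vendor" if v1 == v2 else "shared bank account"
                pairs.append((b1, b2, reason))
    return pairs


if __name__ == "__main__":
    for pair in duplicate_candidates():
        print(pair)
```

Grouping on the bank account rather than the vendor number is what surfaces the V100/V200 pair, which a vendor-keyed duplicate check would miss.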

MM -- Materials Management

Procurement, goods receipt, invoice verification, and vendor master management. In electrical distribution, procurement volume and vendor ecosystem complexity create significant fraud and error exposure.

Procurement
Purchasing Limit Violations and Split Orders
Purchase orders split across multiple documents to remain below approval thresholds. POs created after goods receipt date. Emergency procurement designations applied to non-urgent purchases. Sole-source justifications applied to vendors with existing competitive alternatives. Purchases to vendors not on the approved vendor list. Key tables: EKKO, EKPO, EKBE.
Three-Way Match
Receipt and Invoice Exceptions
Invoices paid without a matching goods receipt. Goods receipts reversed after payment. Quantity or price variances between PO, GR, and invoice above tolerance without documented approval. Invoices posted with a GR reference that does not correspond to the actual receipt record. Key tables: EKBE, RSEG, RBKP, MKPF.
Vendor Master
Unauthorized Changes and Duplicate Records
Vendor bank account changes without dual approval. New vendor records created and activated without the standard onboarding workflow. Vendor name, address, or payment terms changes proximate to payment runs. Duplicate vendor records across company codes or purchasing organizations. Vendors sharing bank accounts with other active vendors or with employees. Key tables: LFA1, LFB1, LFBK, LFM1.
Inventory Valuation
Goods Movement and Valuation Anomalies
Movement types used outside standard workflows -- particularly 551 (scrapping) and 555 (goods issue to cost center) applied at unusual volumes or frequencies. Price changes to material master that affect inventory valuation without supporting documentation. Batch-level goods movements that do not correspond to production or distribution orders. Key tables: MSEG, MKPF, MBEW, MARA.

SD -- Sales and Distribution

Order management, pricing, credit management, and revenue recognition. Pricing override risk is particularly elevated in electrical distribution where complex pricing structures create broad authority to deviate from standard pricing.

Pricing
Override Patterns and Discount Authority Violations
Manual price overrides by sales rep, customer, and product -- compared against standard pricing conditions. Discount authority applied above delegated limits. Margin compression patterns by rep, branch, and customer segment. Pricing exceptions with no corresponding customer agreement or approval record. Quotes converted to orders where price changed between stages. Key tables: KONV, VBAP, VBKD, PRCD_ELEMENTS.
Credit Management
Credit Limit Bypasses and Exposure Anomalies
Orders processed for customers above credit limit without documented override approval. Credit limit increases applied within the same period as large order activity. Customer credit status changes proximate to significant order volume. Orders flagged in credit hold released without documented resolution of the underlying credit issue. Key tables: KNKK, VBAK, VBAP, S066.
Returns and Credits
Credit Memo and Return Authorization Patterns
Credit memos issued without a corresponding return material authorization. Return volumes by customer and sales rep above threshold relative to sales volume. Credits applied to customers with no purchase activity in the same period. Credits issued and subsequently reversed -- particularly where the reversal occurs after period close. Key tables: VBFA, VBAK, VBAP, VBRP.
Revenue Timing
Period-End Manipulation and Recognition Anomalies
Deliveries created and goods issued in the final days of a reporting period at volumes inconsistent with earlier periods. Billing documents created with billing dates that differ from the actual goods issue date. Orders with future delivery dates confirmed with revenue recognized in the current period. Unusual concentrations of intercompany orders near period close. Key tables: LIKP, LIPS, VBRK, VBRP.

WM/EWM -- Warehouse Management

Inventory movements, goods receipt and issue, transfer orders, and physical inventory. Branch-level warehouse operations in distribution create decentralized risk that is difficult to monitor without system-level data access.

Inventory Adjustments
Adjustment Anomalies and Unauthorized Movements
Inventory adjustments above threshold without dual approval. Adjustments posted outside normal business hours or on weekends. Adjustment patterns by individual warehouse employee that deviate from branch averages. Negative inventory positions created and immediately corrected -- a pattern associated with fictitious inventory movement. Key tables: LQUA, LTAP, LGPLA, MKPF, MSEG.
Goods Receipt / Issue
Receipt and Issue Discrepancies
Goods received quantities that differ from purchase order quantities without a documented tolerance override. Goods issues not matched to a sales order or production order. Transfer orders cancelled after partial execution with no inventory reconciliation. Goods movements processed by users without standard warehouse authorization. Key tables: MKPF, MSEG, LTAP, LHOR.
Physical Inventory
Cycle Count Accuracy and Manipulation Signals
Cycle count variance rates by branch, product category, and counter -- identifying locations or individuals with consistently high variance or consistently perfect counts. Count documents re-entered after the initial count with changes to quantity. Physical inventory counts conducted without proper document authorization. Variance postings applied at amounts that stay below the review threshold. Key tables: IKPF, ISEG, LINK.
Negative Inventory
Negative Stock and Valuation Exposure
Storage locations or materials with persistent negative stock positions. Negative inventory used to enable goods issue before physical receipt -- bypassing the standard goods receipt workflow. Negative positions concentrated at specific branches or in specific material categories. Valuation impact of negative positions on period-end inventory reporting. Key tables: LQUA, MARD, MSEG.

HCM -- Human Capital Management

Employee master data, payroll, time management, and compensation. In distribution, commission-based compensation creates specific manipulation risk that differs from salaried workforce audit programs.

Platform note: Workday and dedicated HCM systems
The use cases in this section address HR and payroll data. In organizations where HR and payroll are managed in a dedicated HCM platform such as Workday rather than in SAP HCM, the data for these tests resides outside the ERP entirely. Data access, extraction method, and the applicable native monitoring capabilities will differ by platform. The audit logic -- what to test, what the exception looks like, and what evidence supports a finding -- applies regardless of the source system. Workday provides its own reporting and analytics layer; the equivalent of the ERP inventory-first framework should be applied to the HCM platform separately.
Payroll
Ghost Employees and Payroll Calculation Anomalies
Active employees in payroll with no corresponding time records for the period. Employees paid after documented termination date. Payroll runs producing results more than a defined threshold above the prior period for the same employees. Multiple employees sharing a bank account for direct deposit. Employees with payment addresses that match vendor records. Key tables: PA0001, PA0002, PA0009, PA0012, RGDIR.
Commission
Commission Accuracy and Manipulation Patterns
Commission calculations that do not align with the documented commission schedule for the employee's role and territory. Sales credited to a rep that were shipped to locations outside their territory. Orders split across periods in ways that accelerate commission recognition. Commission adjustments posted after period close without documented approval. Commission paid on orders subsequently returned or credited. Key tables: PA0015, VBAK, VBAP, HRP1001.
Time and Attendance
Overtime Patterns and Time Record Anomalies
Overtime patterns by employee and supervisor compared against organizational averages. Time records approved by the same person who submitted them. Overtime claimed on days when the employee has no system activity records. Time submissions significantly below or above hours that correspond to recorded system access logs. Branch-level overtime that does not correlate with transaction volume. Key tables: PA2001, PA2002, PA2010, CATS.
Master Data
Unauthorized Changes to Employee Records
Changes to employee bank account or payment information without dual approval. Salary adjustments outside the documented compensation cycle or above the delegated approval limit. New employee records activated without corresponding onboarding documentation. Position and cost center changes that would affect incentive eligibility made without HR approval. Key tables: PA0001, PA0002, PA0008, PA0009, HRPAD00LOGSYS.

Basis / Security -- IT General Controls

Role administration, segregation of duties, privileged access, and system configuration. ITGC failures in SAP create the environment in which every other module's controls can be bypassed.

Segregation of Duties
SoD Conflicts and Compensating Control Gaps
Users with access to both create and approve purchase orders. Users with access to both create vendors and process payments. Users with both goods receipt and invoice verification access. Access combinations that enable the complete procure-to-pay cycle without a second approver. Role combinations that allow creation and approval of journal entries. Key tables: USR02, AGR_USERS, AGR_1251, AGR_TCODES.
Privileged Access
Super User and Emergency Access Monitoring
SAP_ALL and SAP_NEW assignments outside the designated system administration accounts. Emergency access (firefighter ID) usage frequency, duration, and scope relative to documented incident tickets. Basis transactions executed by non-Basis personnel. Administrative access granted during implementation that was not removed after go-live. Key tables: USR02, UST04, AGR_USERS, SUIM data.
Role Changes
Role Administration and Change Monitoring
Role modifications made outside the change management process. New roles created and assigned in the same change request without dual approval. Role assignments granted temporarily that were never removed. Users with roles that grant access beyond their documented job function. Access provisioning that bypasses the standard identity management workflow. Key tables: AGR_1251, AGR_TCODES, AGR_USERS, SUSR_USER_PROFILE_EXT_DATA.
System Configuration
Unauthorized Configuration Changes
Transport requests moved to production outside the approved change window. Configuration changes in client 000 or 001 without a corresponding change request. Number range changes for financial documents that could affect auditability. System parameter changes affecting authorization checks or document retention. Changes to the audit log configuration that reduce the scope of recorded events. Key tables: E070, E071, TPARAMS, RSECADMIN.
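
A first-pass version of the Segregation of Duties test above, run over extracts of AGR_USERS, AGR_TCODES and USR02. This is an added example, not code from the original catalog. The rows are constructed sample data, and the role names, rule set and function names are assumptions. It checks transaction codes only; the authorization values in AGR_1251 decide what a user can actually do.

```python
from collections import defaultdict
from datetime import date

# Constructed sample extracts (not real data). Columns follow the tables named
# above: AGR_USERS (UNAME, AGR_NAME, FROM_DAT, TO_DAT), AGR_TCODES (AGR_NAME,
# TCODE), USR02 (BNAME -> UFLAG, where 0 means the account is not locked).
HIGH = date(9999, 12, 31)
AGR_USERS = [
    ("JDOE", "Z_BUYER", date(2023, 1, 1), HIGH),
    ("JDOE", "Z_PO_RELEASE", date(2024, 3, 1), HIGH),
    ("ASMITH", "Z_VENDOR_MAINT", date(2023, 1, 1), HIGH),
    ("ASMITH", "Z_AP_PAYMENTS", date(2023, 1, 1), date(2023, 12, 31)),
    ("BLEE", "Z_WAREHOUSE", date(2022, 1, 1), HIGH),
    ("BLEE", "Z_AP_INVOICE", date(2022, 1, 1), HIGH),
    ("CKHAN", "Z_P2P_ALL", date(2022, 1, 1), HIGH),
]
AGR_TCODES = [
    ("Z_BUYER", "ME21N"), ("Z_PO_RELEASE", "ME29N"),
    ("Z_VENDOR_MAINT", "XK01"), ("Z_AP_PAYMENTS", "F110"),
    ("Z_WAREHOUSE", "MIGO"), ("Z_AP_INVOICE", "MIRO"),
    ("Z_P2P_ALL", "ME21N"), ("Z_P2P_ALL", "ME29N"),
    ("Z_P2P_ALL", "MIGO"), ("Z_P2P_ALL", "MIRO"),
]
USR02 = {"JDOE": 0, "ASMITH": 0, "BLEE": 64, "CKHAN": 0}

# Assumed rule set: two sets of transaction codes one user should not hold
# together. Illustrative only, not a complete ruleset.
SOD_RULES = {
    "PO create + PO release": ({"ME21N"}, {"ME28", "ME29N"}),
    "Vendor create + payment run": ({"XK01", "FK01"}, {"F110"}),
    "Goods receipt + invoice verification": ({"MIGO"}, {"MIRO"}),
}


def effective_tcodes(as_of):
    """Map user -> {tcode: roles granting it}, using only roles valid on as_of."""
    role_tcodes = defaultdict(set)
    for role, tcode in AGR_TCODES:
        role_tcodes[role].add(tcode)
    access = defaultdict(lambda: defaultdict(set))
    for user, role, valid_from, valid_to in AGR_USERS:
        if valid_from <= as_of <= valid_to:
            for tcode in role_tcodes[role]:
                access[user][tcode].add(role)
    return access


def sod_conflicts(as_of, include_locked=False):
    """Return (user, rule, tcodes, roles) for each rule a user violates."""
    findings = []
    for user, tcodes in sorted(effective_tcodes(as_of).items()):
        if USR02.get(user, 0) != 0 and not include_locked:
            continue  # locked accounts cannot log on; report them separately
        for rule, (side_a, side_b) in SOD_RULES.items():
            held_a, held_b = side_a.intersection(tcodes), side_b.intersection(tcodes)
            if held_a and held_b:
                held = sorted(held_a | held_b)
                roles = sorted({r for t in held for r in tcodes[t]})
                findings.append((user, rule, held, roles))
    return findings


if __name__ == "__main__":
    for finding in sod_conflicts(date(2024, 6, 30)):
        print(finding)
```

Running the same check for an earlier date shows conflicts that existed during the audit period but have since expired, such as the ASMITH assignment that ended on 2023-12-31.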

CO -- Controlling

Cost center accounting, internal orders, profit center accounting, and intercompany processes. CO data provides the analytical layer for management reporting and is a frequent target for budget manipulation.

Cost Centers
Budget Override Patterns and Cost Manipulation
Cost center postings that exceed budget without a documented override approval. Year-end budget spend acceleration -- particularly in the final two weeks of the fiscal year -- that does not correspond to planned activity. Repostings between cost centers that move expenses from over-budget to under-budget centers without business justification. Internal service allocations applied at rates that deviate from the documented allocation methodology. Key tables: COSP, COSS, CSKS, KOSTL.
Profit Centers
Intercompany Transaction Anomalies
Intercompany transactions between profit centers that are not balanced or reconciled within the period. Profit center transfers that occur near reporting dates without corresponding operational activity. Revenue or cost assigned to profit centers inconsistent with the transaction's originating business unit. Manual reposting between profit centers by users without standard controlling authorization. Key tables: GLPCA, GLPCP, CEPC, BSEG.
Internal Orders
Capital Project and Settlement Anomalies
Internal orders settled to assets or cost centers without documented project completion approval. Orders kept open past their planned end date with continued cost postings. Settlement rules changed after posting activity to redirect costs. Internal order budgets exceeded without a documented budget revision approval. Capital projects where actual costs significantly exceed approved budget without a change request. Key tables: AUFK, COSP, BPGE, PRPS.
Management Reporting
Reporting Adjustments and Reclassifications
Assessment and distribution cycles run with parameters that differ from prior periods without documented rationale. Accruals posted to CO objects at the end of the period and reversed at the start of the next in patterns inconsistent with the underlying business activity. Reconciliation differences between FI and CO that are manually adjusted rather than investigated. Key tables: BKPF, BSEG, COEP, COSS.

PM -- Plant Maintenance

Work orders, equipment maintenance, parts consumption, and maintenance scheduling. In distribution, PM data covers fleet maintenance, facility upkeep, and material handling equipment -- all areas where unauthorized activity is difficult to detect without system-level data.

Work Orders
Unauthorized Work Orders and Cost Manipulation
Work orders created and settled without a corresponding maintenance notification or equipment record. Work orders settled to cost centers that are not associated with the equipment being maintained. Costs posted to maintenance orders at amounts significantly above prior periods for the same equipment type. Work orders created by users not assigned to the maintenance planning group. Key tables: AUFK, AFKO, AFPO, ILOA.
Parts and Materials
Parts Substitution and Consumption Anomalies
Components issued to maintenance orders that do not match the equipment's standard bill of materials. Parts issued in quantities inconsistent with the documented maintenance procedure. Returns of maintenance components posted back to unrestricted stock without inspection. High-value parts consumed on low-cost maintenance orders -- a pattern associated with parts diversion. Key tables: RESB, MSEG, MKPF, MARA.
Maintenance Timing
Scheduling Anomalies and Deferred Maintenance Risk
Equipment with overdue preventive maintenance plans and no documented deferral approval. Maintenance cycles compressed or extended beyond the documented tolerance without a technical justification. Counter-based maintenance plans with manually-entered readings that deviate from prior trends. Equipment with no maintenance activity recorded for periods exceeding the documented maintenance interval. Key tables: MPOS, QMEL, AUFK, PLKO.
External Services
Contractor and Service Order Management
External service orders placed with vendors not on the approved maintenance contractor list. Service entry sheets confirmed without documented supervisor approval. Contractor time entries significantly above or below prior periods for the same scope. Service orders created and confirmed on the same day by the same user -- bypassing the separation between ordering and acceptance. Key tables: ESSR, ESLH, EKKO, EKPO.

Starting Point for Audit Planning

This catalog is a risk identification tool, not a default scope. No audit function tests every use case here in a single year. The value is in the systematic prioritization that comes from having the full inventory visible.

Use the catalog to drive risk assessment conversations: which modules have the highest transaction volume? Which have the least mature access controls? Where has data access been established and validated? Where has prior audit work identified control gaps? The answers to those questions -- not habit or availability -- should determine where monitoring effort goes first.

The function that builds monitoring for FI duplicate payments and SD pricing overrides in Year 1, adds WM inventory adjustment monitoring and Basis SoD monitoring in Year 2, and extends to HCM commission and CO budget patterns in Year 3 is building something that compounds. The function that tries to monitor everything at once builds nothing sustainable.
