Logic
The method compares the accounting document entry date (field CPUDT in
table BKPF) with the dates in the factory calendar (table TFACS), and
recognizes those accounting documents that were posted on non-working
days.
To establish which factory calendar is valid, table FRA_C_USER_FCA must be
maintained in Customizing (transaction SPRO, SAP Fraud Management Industry
Solutions Governance, Risk, and Compliance Factory Calendar Settings for Use
in Detection Methods).
The data entered into the customizing table is used to check the validity of
entries in the replicated tables.
The Customizing may apply to individual users and to all users in an entire
company code. User-specific customizing takes precedence over
company-code customizing. A particular user in a company code may be
checked against one calendar, other users in the company code against
another. Below are sample entries from table FRA_C_USER_FCA:
Company Code   User       Factory Cal. ID
1000           Aschmidt   02
1000                      01
In these entries, Factory Calendar 01 is used for all users who posted
documents in company code 1000, except for user ASCHMIDT.
Documents posted by this user in company code 1000 are checked against
factory calendar 02. For more information on table FRA_C_USER_FCA,
see the Customizing for SAP Fraud Management, in
transaction SPRO under SAP Fraud Management Industry
Solutions Governance, Risk, and Compliance Factory Calendar Settings for Use
in Detection Methods Factory Calendar Settings for Use in Detection Methods.
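The calendar resolution and non-working-day check described above, as an added Python example that is not SAP's procedure code. The FRA_C_USER_FCA rows are the sample entries above; the calendar contents, the document rows and the use of the BKPF user field USNAM are assumptions.

```python
from datetime import date

# Sample entries of FRA_C_USER_FCA from the text:
# (company code, user) -> factory calendar ID; an empty user means "all users".
USER_CALENDARS = {("1000", "ASCHMIDT"): "02", ("1000", ""): "01"}

# Constructed stand-in for the factory calendar data (TFACS): per calendar ID,
# the working weekdays (0 = Monday) and explicit non-working dates.
CALENDARS = {
    "01": {"workdays": {0, 1, 2, 3, 4}, "holidays": {date(2024, 5, 1)}},
    "02": {"workdays": {6, 0, 1, 2, 3}, "holidays": set()},  # Sunday to Thursday
}

# Constructed accounting document headers (BKPF); USNAM is assumed to be the
# posting user, CPUDT is the entry date named in the text.
SAMPLE_DOCUMENTS = [
    {"belnr": "1900000001", "bukrs": "1000", "usnam": "MMEIER", "cpudt": date(2024, 5, 4)},
    {"belnr": "1900000002", "bukrs": "1000", "usnam": "ASCHMIDT", "cpudt": date(2024, 5, 5)},
    {"belnr": "1900000003", "bukrs": "1000", "usnam": "aschmidt", "cpudt": date(2024, 5, 3)},
    {"belnr": "1900000004", "bukrs": "1000", "usnam": "MMEIER", "cpudt": date(2024, 5, 1)},
    {"belnr": "1900000005", "bukrs": "2000", "usnam": "MMEIER", "cpudt": date(2024, 5, 4)},
]


def resolve_calendar(company_code, user):
    """User-specific entry wins; otherwise fall back to the company-code entry."""
    return (USER_CALENDARS.get((company_code, user.upper()))
            or USER_CALENDARS.get((company_code, "")))


def is_working_day(calendar_id, day):
    """A day counts as working if its weekday is active and it is no holiday."""
    calendar = CALENDARS[calendar_id]
    return day.weekday() in calendar["workdays"] and day not in calendar["holidays"]


def posted_on_non_working_days(documents):
    """Return (document number, calendar ID) for postings on non-working days."""
    hits = []
    for doc in documents:
        calendar_id = resolve_calendar(doc["bukrs"], doc["usnam"])
        if calendar_id is None:
            continue  # no Customizing entry: the document cannot be evaluated
        if not is_working_day(calendar_id, doc["cpudt"]):
            hits.append((doc["belnr"], calendar_id))
    return hits
```

Documents from company codes without any entry are skipped silently here; in practice that gap is worth reporting, because it means postings there are never checked.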
Alert Messages
Logic
A payment proposal item will be marked as suspicious, and an alert will be
created if the country of a partner matches an entry in the high-risk country
list that has been uploaded into the SAP Fraud Management System.
This method checks the following fields and tables:
Field LAND1 in table LFA1 for regular vendors
Field LAND1 in table KNA1 for regular customers
Field LAND1 in table BSEC for one-time customers or one-time vendors
DE Germany 12
IQ Iraq 175
AF Afghanistan 176
If BOTTOM_N_RANKS = 1 it will return only the country AF because it
occupies the single highest rank.
If BOTTOM_N_RANKS = 2 it will return the countries AF, IQ,
and KP because they populate the two highest ranks.
Note how the parameter does not equal the number of returned
countries.
If BOTTOM_N_RANKS = 3 it will return the countries AF, IQ, KP,
and DE because they populate the three highest ranks.
Note how the procedure ignores gaps in the numbering and
includes DE although it is much less risky than IQ.
Messages
Message ID: FRA_INTERNAL_AUDIT, Message Number: 136, Message
text: The address of business partner &1 (&2) is in the high-risk country
&3
Detection Method: Accounting Document
Line Item Smurfing
You can use this detection method to identify payments of amounts due
that are broken up into several smaller payments.
Logic
A payment proposal item will be marked as suspicious if the payment of a
total amount is made in several small payments.
The selection procedure joins the input table with the database tables
mentioned on the key fields and filters for the items whose attribute
BSEG-KOART equals ‘K’ for vendors or ‘D’ for customers. The output is the
union of the regular vendor, regular customer, one-time account vendors,
and one-time account customers with relation to delivery scheduling
agreement (EKKO-BSTYP <> L). The execution procedure calls
the PR_CONVERT_THRESHOLD_AMOUNT_TO_LOCAL_CURRENCY procedure
available at sap.hana-app.fra.suite.lib., which converts the
threshold amount to the local currency.
Payment proposal items are filtered by the document type (REGUP-BLART)
and terms of payment key (REGUP-ZTERM) provided as
parameters. The payment proposal items below the single threshold
specified as a parameter are filtered, grouped, and summed up depending
on the business partner type (vendor, customer, or one-time
vendor/customer).
The output is those sums that are over the sum threshold specified as a
parameter and belong to the working set. The risk amount is the group
amount and currency.
Parameter Use
Alert Messages
Message ID FRA_INTERNAL_AUDIT, message number
128, Acc.Doc.Line with &1 &2 is part of group &3 which has a total value
of &4
The message variables are set as follows:
o &1 – The amount
o &2 – The local currency
o &3 – The group information
o &4 – The risk amount
Logic
In order to determine if an employee has submitted and reused receipts on
more than one travel expense, the fields Personnel Number, Travel
Expense Type, Amount, and Currency are compared. As well, the field Trip
Number must be different. Only the last 180 days are selected as relevant.
In order not to create too many alert items, only one record with the latest
date for these fields is selected. Only receipts that have the same currency
as defined in the currency parameter are considered. The risk amount will
be the sum of all the reused receipts (plus the original one).
Alert Messages
Message ID FRA_INTERNAL_AUDIT, message number 133, Receipt
&1 for &2 and &3 &4
Message ID FRA_INTERNAL_AUDIT, message number 140, In trip &1
was already used for trip &2 and receipt &3
Detection Method: Travel Expenses with
Rounded Amounts
Travel expenses can be used to mask payments that actually have another
purpose, for instance bribes. Use this detection method to identify one
suspicious pattern: Employees who have repeatedly filed travel expenses
with unusually rounded amounts above a threshold amount.
Logic
The detection method returns a high detection score if the following
conditions are met:
The number of relevant rounded receipts exceeds the threshold that you
set. A receipt is relevant only if it is rounded according to the rules in
table PR_TREXRECEIPTS_EVENAMOUNTS_DT. The receipt must
also exceed the minimum amount that is also set in this table.
Review Period
A list of travel receipts is created for a defined period of time including
the posting date of the receipt.
The list of travel receipts contains receipts that have been posted up
to n days prior; it also considers the posting date of the receipt.
n corresponds to the parameter “Review Period in Days” that has to be
maintained at strategy level.
This execution procedure performs the following steps:
1. Selecting the receipts that are associated
The receipts that are associated to the trips in table IT_DATA are
selected.
The underlying receipt table is joined with the trips to be analyzed from
table IT_DATA (using the personnel number PERSONNEL_NR).
The analyzed trip is in the database (during mass detection) but must be
removed before counting the suspicious receipts.
2. Discovering rounded, nontrivial amounts
Based on currency and amount, the decision table returns a divisor and
an intermediate score. If the intermediate score is 0, then the amount is
trivial. The receipt is ignored.
All “uneven” results are ignored and not exported to the additional
information procedure. This has an influence on the calculated risk
amount.
3. Discovering even amounts
The method uses the divisor from the decision table to determine
whether an amount is rounded. Receipts with rounded amounts are
reported as alert items and are added up to yield the risk value.
Currency   Amount   DIVISOR   INTERMEDIATE_SCORE
EUR        <= 40    10        0
EUR        > 40     10        1
USD        <= 50    10        0
USD        > 50     10        1
CHF        <= 10    10        0
CHF        > 10     10        1
*          <= 10    10        0
*          > 10     10        1
Deciding whether an amount is even: This detection method uses the
following formula to decide whether an amount is rounded:
1. The amount is divided by the DIVISOR from the decision table.
2. Any decimal remainder is removed from the new amount. The new
amount is not rounded up on the basis of the remainder.
3. The new amount is multiplied by the DIVISOR.
4. The new amount is subtracted from the original amount. If the result is 0,
then the original amount was rounded. If the result is greater than 0, then
the receipt is ignored.
Example
The amount of a travel receipt is 4350. The divisor defined in the decision
table is 100.
The even amount is calculated as follows:
1. The amount is divided by the divisor.
4350/100 = 43.5
The result is 43.5.
2. The decimal is cut off/removed: 43.5 => 43.
3. This result is multiplied by the divisor.
43 * 100 = 4300
The result is 4300.
4. The difference between the “original” amount and the result from step 3
is calculated.
The difference is 50; that is, it is not equal to zero.
Therefore, the “original” amount is not considered as an even amount.
According to the decision table JPY 4300 is an even amount, whereas JPY
4350 is not an even amount.
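The decision-table lookup and the four-step even-amount test above, carried through to the per-employee count and risk value, as an added Python example (not SAP's procedure code). The JPY row (divisor 100 as in the worked example, with an assumed minimum amount) and the sample receipts are constructed; Decimal is used so that the truncation step is exact.

```python
from decimal import Decimal, ROUND_DOWN

# Decision table modelled on the rows shown above:
# currency -> (minimum amount, divisor). Amounts <= minimum get intermediate
# score 0 (trivial), amounts above it get 1. The JPY row is an assumption that
# matches the divisor of 100 used in the worked example.
DECISION_TABLE = {
    "EUR": (Decimal("40"), Decimal("10")),
    "USD": (Decimal("50"), Decimal("10")),
    "CHF": (Decimal("10"), Decimal("10")),
    "JPY": (Decimal("1000"), Decimal("100")),
    "*": (Decimal("10"), Decimal("10")),  # fallback row for any other currency
}

# Constructed receipts for two employees.
SAMPLE_RECEIPTS = [
    {"personnel_nr": "00001001", "currency": "EUR", "amount": "200.00"},
    {"personnel_nr": "00001001", "currency": "EUR", "amount": "150.00"},
    {"personnel_nr": "00001001", "currency": "EUR", "amount": "30.00"},   # trivial
    {"personnel_nr": "00001001", "currency": "EUR", "amount": "87.35"},   # uneven
    {"personnel_nr": "00001001", "currency": "EUR", "amount": "500.00"},
    {"personnel_nr": "00001002", "currency": "EUR", "amount": "120.00"},
]


def lookup(currency, amount):
    """Return (divisor, intermediate_score) for a receipt."""
    minimum, divisor = DECISION_TABLE.get(currency, DECISION_TABLE["*"])
    return divisor, (1 if amount > minimum else 0)


def is_even(amount, divisor):
    """Steps 1-4: divide, truncate (never round up), multiply, subtract."""
    truncated = (amount / divisor).to_integral_value(rounding=ROUND_DOWN)
    return amount - truncated * divisor == 0


def rounded_receipts(receipts):
    """Keep only non-trivial receipts whose amount is even for its currency."""
    hits = []
    for receipt in receipts:
        amount = Decimal(receipt["amount"])
        divisor, score = lookup(receipt["currency"], amount)
        if score == 1 and is_even(amount, divisor):
            hits.append(receipt)
    return hits


def evaluate(receipts, count_threshold):
    """Per (employee, currency): rounded-receipt count, risk value, alert flag."""
    result = {}
    for receipt in rounded_receipts(receipts):
        key = (receipt["personnel_nr"], receipt["currency"])
        entry = result.setdefault(key, {"count": 0, "risk": Decimal("0")})
        entry["count"] += 1
        entry["risk"] += Decimal(receipt["amount"])
    for entry in result.values():
        # The count must exceed the threshold, not merely reach it.
        entry["alert"] = entry["count"] > count_threshold
    return result
```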
Alert Messages
Logic
An alert is generated if there is an increase in an employee’s travel
expenses by N-percent over a given time period. Each trip’s duration is
taken into account when determining the actual cost.
A linear regression is used to determine the regression line slope. If the
angle of the regression line is greater than a configured threshold, it
indicates a suspicious trend in the employee’s travel expenses and an alert
is created.
The linear regression is implemented with the “least squares” method.
Alert Messages
Message ID FRA_INTERNAL_AUDIT, message number 138, Suspicious
trend in trip expenses for employee &4 (ID &3) from &1 to &2
Where &4 is the employee name, &3 is the employee ID, &1 is the start of the
evaluation period (from), and &2 is the end of the evaluation period (to).
Logic
The selection procedure PR_CUSTOMER_CHANGES_SELE selects all
changes for each pair of customer and company code specified in the input
parameter. Changes from tables CDHDR/CDPOS are taken into account;
these are updates (field CHNGIND has the value U in table CDPOS). Also,
the field OBJECTCLAS must contain the value DEBI, and the FNAME field
must have one of the following values: Name1, STRAS, PSTLZ, ORT0, or REGIO.
The execution procedure PR_CUSTOMER_CHANGES_EXEC counts the
number of changes during the last 12 months, starting from the latest
change selected in selection procedure. If this number is greater than or
equal to the threshold specified in the input
parameter NO_CUSTOMER_CHANGES, then the customer, customer
name, company code, and number of changes are inserted into the result
list.
Alert Messages
Message ID FRA_INTERNAL_AUDIT message number 087 Customer
&1 changed name or location &2 times in 12 months.
Variable &1 contains the customer name and variable &2 is the number
of changes during the last 12 months.
Logic
The execution procedure checks whether the bank location country from
the bank account (Input
field IT_DATA_FOR_RULE.BANK_COUNTRY_KEY) is different than the
customer location country (database table field KNA1.LAND1). If the bank
account location is identified as suspicious, the bank account is added to
the result table with 100 as detection result.
Alert Messages
Message ID FRA_INTERNAL_AUDIT, message number 083, The
customer &1 is in &2, but the bank account is located in &3
Alert Messages
Message ID FRA_INTERNAL_AUDIT, message number 085; The sum
of invoices &1 &2 exceeds the given limit of &3 &4 for the sum
Logic
The execution procedure checks if the field SGTXT in table BSEG contains
one of the terms in the suspicious terms list. The terms are compared by a
fuzzy search with the specified fuzziness factor. The search is contained in
the procedure
sap.hana-app.fra.suite.lib/PR_INVOICE_ITEM_SUSPICIOUS_TERMS_EXEC.
To improve performance, the search direction is reversed in mass
detection, by searching one suspicious term at a time in all customer
invoice texts. This requires the creation of a full text index on
field SGTXT of table BSEG.
Alert Messages
Logic
The working set is restricted to invoice items that are not intercompany
(field VBUND is initial) and that are set to account type D. The execution
procedure uses the
fields COMPANY_CODE, DOCUMENT_NUMBER, ITEM_NUMBER,
and FISCAL_YEAR to identify detection objects in the working set.
The method reads tables BKPF, BSEG, BSEC, and KNA1.
Table BKPF contains the document header information for debtors.
Table BSEG contains document item information.
The company code, document number, invoice item and fiscal year are
read from the input parameters and are joined with table BSEG on these
fields where the client equals the session context. Table BSEG is needed
for reading the customer and selecting only those documents that have
accounting key 01 (BSEG.BSCHL). A join on table KNA1 on the client and
the customer keeps only those customers for which field XZEMP is set
to X. Finally, a join with table BSEC on the fields from the input parameter
tables is made to obtain the alternative payer name (BSEC.NAME1).
No risk amount is calculated.
A detection result of 100 is returned if an alternative payer name is found
that meets the conditions described above.
Alert Messages
Message ID FRA_INTERNAL_AUDIT, message number 104; Invoice to
customer &1 was paid by customer &2
Alert Messages
Message ID FRA_INTERNAL_AUDIT, message number 003, Growth is
&1 % (threshold for growth is &2 %)
Logic
The beginning date for the first year’s turnover is the first day of the month
in which vendor turnover is found for the first time within a company code.
An alert is raised if the amount of turnover exceeds the amount threshold. If
the company code currency and threshold currency are different, currency
conversion takes place.
Alert Messages
Message ID FRA_INTERNAL_AUDIT, message number 004, Revenue:
1st year is &1 &2; 2nd year is &3 &2
Alert Messages
Message ID FRA_INTERNAL_AUDIT, message number 003, Growth is
&1 % (threshold for growth is &2 %)
Detection Method: Multiple OTA Postings
to Same Account
You can use this detection method to find bank accounts that were used multiple times in
one-time accounts (OTA).
This method reads the invoices that were booked on a one-time account. It then checks
whether the bank account used in the OTA has been used in other invoices that were also
booked on one-time accounts.
You can control the method by specifying minimum thresholds for the value of invoices and
the number of times an account is used in OTA invoices. The method does not evaluate
accounts that do not reach these thresholds. If the invoice currency and the threshold currency
are different, then currency conversion is performed.
The risk value that is returned by the additional information procedure is the transaction
amount (field WRBTR of table BSEG) of a suspicious accounting document.
Logic
The selection procedure finds the accounting documents for one-time accounts, using as keys
the fields BUKRS (Company Code), GJAHR (Fiscal Year), BELNR (Document Number),
and BUZEI (Item Number) in table BSEC.
In the execution procedure, the total number of postings in the table BSEC is determined for
each account that is passed to the execution procedure. For this purpose, the input table is
grouped by accounts (BANKL, BANKN, BANKS), and the grouped result is joined with
the BSEC table. In a second step, the result of this join is combined with the BSEG table and
is then grouped by accounts once again. This construct ensures that all postings in the past in
table BSEG are considered for the count of postings to the OTA account.
Alert Messages
Logic
An accounting document consists of a header that stores general
information and one or more line items. The equivalents at the database
level are the tables BKPF (accounting document header)
and BSEG (accounting document segment).
One-time accounts additionally need to store the bank details of the
vendor, as one time vendors are not regularly listed in the company’s
vendor master data. Therefore, one-time accounts need database
table BSEC (one-time account data document segment) as well as
table BSEG. The bank details of a regular vendor are stored in the vendor
master data in database table LFBK. For currency conversion that may be
performed during detection method execution the additional table T001 is
used which also stores company code currencies.
The selection procedure finds accounting documents for one-time
accounts.
The execution procedure then checks whether the bank account cited in a
one-time account invoice is also the bank account of a regular vendor.
If the amount of a relevant invoice exceeds the minimum value threshold,
then an alert is created.
Alert Messages
Logic
The name of the one-time vendor (field NAME1 from table BSEC) is compared against the
name of the regular vendor (field NAME1 from table LFA1) to detect duplicate regular and
one-time vendors.
Investigation and Detection Object Types
Investigation object type: FRA_ONETIM (One-Time Vendors)
Detection object type: FRA_ONETIM (One-Time Vendor Invoices)
Alert Messages
Logic
The execution procedure selects all purchase order numbers (PO) from the
Input Parameters table IT_PO_DETAIL on an inner join with
table CDHDR on the purchase order number (OBJECTID).
Then it counts the number of changes (NR_OF_CHANGES) from
table CDHDR, field CHANGE_IND for each distinct purchase order
number, where the CHANGE_IND does not have the attribute I (I = insert),
the client (MANDT) equals the session client, and the
field OBJECTCLAS has the attribute EINKBELEG.
The THRESHOLD_CHANGES input parameter specifies the minimum
number of changes that must have been made. An alert is generated if
the NR_OF_CHANGES – the number of changes made to a purchase
order – is greater than the parameter THRESHOLD_CHANGES.
Alert Messages
Message ID FRA_INTERNAL_AUDIT, message number 082; Purchase
order &1 was changed &2 times within the purchasing process
Logic
The execution procedure starts by selecting unique addresses from the input work set of
purchase order addresses. To maximize performance, the procedure evaluates the addresses
in parallel.
A purchase order item is the detection object. If a partner address is found in an item, then
this address is used. If there is no partner address in the item, then the address is copied from
the purchase order header. If a manually changed address is found, then this address is used
rather than the vendor address in the master data.
The screening logic is held in procedure PR_SCRL_SCREEN_ADDRESSES. This procedure
processes each individual address to find hits against the screening list.
The procedure returns a detection result of 100 if a match is found on the name of a partner
or on the name and address (city, street, country). The user specifies whether address
information is checked along with the name.
Technical Name: FUZZINESS
Description: Parameter for Fuzzy Search
Definition: Specifies by how much two words can differ in spelling or
additional characters. An error tolerance factor on the scale of 1 to 100.
The parameter controls the sensitivity of the match. For example: The
name “Torsten Holsh” will not match “Thorsten Hölsh” with a fuzziness of
90, but it will produce a hit if the fuzziness is set to 80.
The recommended setting is in the range of 80 to 100. A lower fuzziness
factor may produce too many false positives.

Technical Name: MINIMATCH
Description: Minimum Match
Definition: Determines the minimum match score that a match has to reach
to be classified as a hit. For example: The name “Airlines” is found
inside the name “Consolidated Airlines”. But the score calculated would be
very low if “Airlines” is defined as a stop word. Minimum match therefore
helps eliminate undesirable or false hits.

Technical Name: EXCLUSION_TERMS
Description: Use Excluded Terms
Definition: Excluded terms or stop words are words that you wish to
exclude from a search. Certain words, such as “AG”, “Limited”, “Airlines”
etc. are common words and do not add any value in search. The stop word
list is defined in table FRA_D_SCRL_STPW.
For a detailed explanation of stop words, see SAP Library for SAP HANA
at http://help.sap.com/hana/hana_dev_en.pdf

Technical Name: CHECK_ADDRESS
Description: Address Must Match
Definition: If this option is set to “Y” (yes), then address information
is also compared along with name to find a hit. By default, the name is a
must for a hit and the address is ignored.
Alert Messages
Message ID FRA_INTERNAL_AUDIT, message number 072, One-time vendor &1
resides in &2, ranked &3 in CPI
Message ID FRA_INTERNAL_AUDIT, message number 073, Vendor &1 resides in
&2, ranked &3 in Corruption Perceptions Index (CPI)
Logic
High-risk country lists belong to technology shared among detection rules.
For more information on this technology, see High-Risk Country Screening.
DE Germany 12
IQ Iraq 175
AF Afghanistan 176
If BOTTOM_N_RANKS = 1 it will return only the country AF because it
occupies the single highest rank.
If BOTTOM_N_RANKS = 2 it will return the countries AF, IQ, and KP
because they populate the two highest ranks.
Note how the parameter does not equal the number of returned
countries.
If BOTTOM_N_RANKS = 3 it will return the countries AF, IQ, KP, and
DE because they populate the three highest ranks.
Note how the procedure ignores gaps in the numbering and includes DE
although it is much less risky than IQ.
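The rank selection described here and in the earlier high-risk country section, with message 105 of this method filled in for matching partners, as an added Python example (not SAP's procedure code). The rank for KP, the partner rows and the role codes are constructed.

```python
# High-risk country list: country code -> rank (higher rank = higher risk).
# DE, IQ and AF are the rows shown above; the rank for KP is an assumption
# (tied with IQ) that reproduces the results described in the text.
COUNTRY_RANKS = {"DE": 12, "IQ": 175, "KP": 175, "AF": 176}

# Text of message 105 with the variables &1..&4 written as format fields.
MESSAGE_105 = ("Partner {partner} with role {role} is located in "
               "high-risk country {country} with rank {rank}")

# Constructed purchase order partners (LAND1 = country, PARVW = partner role).
SAMPLE_PARTNERS = [
    {"partner": "0000100001", "parvw": "LF", "land1": "DE"},
    {"partner": "0000100002", "parvw": "LF", "land1": "kp "},  # untidy input
    {"partner": "0000100003", "parvw": "RS", "land1": "AF"},
    {"partner": "0000100004", "parvw": "LF", "land1": "FR"},   # not on the list
]


def bottom_n_ranks(ranks, n):
    """Return the countries that occupy the n highest distinct rank values."""
    if n <= 0:
        return {}
    # Work on distinct values: tied countries share one position and gaps
    # between rank numbers are ignored, exactly as the text describes.
    selected = set(sorted(set(ranks.values()), reverse=True)[:n])
    return {code: rank for code, rank in ranks.items() if rank in selected}


def screen_partners(partners, ranks, n):
    """Return one message per partner located in a selected country."""
    risky = bottom_n_ranks(ranks, n)
    alerts = []
    for partner in partners:
        country = partner["land1"].strip().upper()
        if country in risky:
            alerts.append(MESSAGE_105.format(
                partner=partner["partner"],
                role=partner["parvw"],
                country=country,
                rank=risky[country],
            ))
    return alerts
```

Because the parameter counts rank positions rather than countries, a list with large gaps can pull in low-risk countries; comparing the selection for n and n + 1 before changing the setting shows whether that happens.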
Alert Messages
Message ID FRA_INTERNAL_AUDIT, message number 105, Partner &1
with role &2 is located in high-risk country &3 with rank &4
Variable role (&2) is specified in column PARVW of table EKPA. The
partner functions are defined in table TPAR and described in table TPART.
To ensure translatability, the procedure returns the function’s code. The
field PARTNER_FUNCTION in source domain INTERNAL_AUDIT then
applies an SAP standard conversion
exit CONVERSION_EXIT_PARVW_OUTPUT to convert the partner
function code to text. The function module reads the attribute
view sap.hana-app.fra.suite.fnd/AT_PARTNER_FUNCTION to get the
description in the user’s current language.
Variable country &3 provides the country in which the partner is located. To
ensure translatability, the procedure provides the country’s code. The
field COUNTRY_CODE in source domain INTERNAL_AUDIT (in the
Customizing activity Define Source Domain and Field Settings) then
applies the SAP standard conversion
exit CONVERSION_EXIT_CTRYC_OUTPUT, which replaces the code with
its description. The function module reads table T005T in the SAP Fraud
Management database schema to provide the description. It uses the long
or short description in the user’s current language, or the long or short
description in English as a fallback language, whichever is available in this
order. If no description is available, then it returns the code itself.
Logic
This method compares the quantity received in the goods receipt with the
quantity in the invoice. Both documents refer to a foregoing purchase order.
If the invoiced quantity is higher than the received one, then the purchase
order item is suspicious. If the quantities in the goods receipt and in the
invoice are the same but nevertheless higher than in the purchase order,
then the purchase order item is again suspicious.
For the comparison, the quantities in the goods receipt and in the invoice
are aggregated on their debit/credit flag per purchase order item.
Afterwards the credit is subtracted from the debit and the real quantity per
purchase order item is determined.
The user can also define a threshold in percent that indicates how much
the quantity in the invoice may exceed the quantity to which it is being
compared.
The calculation of the risk value in the additional information procedure is
determined in the following way:
If the quantity delivered is smaller than the quantity ordered, then the net
price of the purchasing document (field NETPR of table EKPO) is
multiplied by the difference between invoiced and delivered quantity.
If the delivered quantity is greater than or equal to the ordered quantity
(but fraud is assumed), then the risk value is calculated by multiplying
the net price by the difference between the quantity invoiced and the
quantity ordered.
This calculation ensures that the largest difference – between invoiced and
ordered or invoiced and received quantity – is multiplied by the net price
and returned as the risk value.
Example 1: 10 pieces are ordered, 5 pieces are delivered and 10 pieces
are invoiced, threshold 10. In this case the invoiced quantity is greater than
the delivered quantity plus 10%. This would be considered suspicious.
Example 2: 10 pieces are ordered, 20 pieces are delivered, 20 pieces are
invoiced. In this case the invoiced quantity is greater than the ordered
quantity plus 10%. This would be considered suspicious.
Alert Messages
Message ID FRA_INTERNAL_AUDIT, message number 067, Delivered
quantity &1 < invoiced quantity &2 in accounting document(s)
Logic
The method compares the amount in the purchase order item with the
amount in the invoice. If the invoiced amount is higher than the amount in
the purchase order item, then the purchase order item is suspicious.
For the comparison, the amounts in the purchase order item and the
invoice recipient are converted into the currency of the company code. The
net values of the invoice recipient are then added up according to the
debit/credit sign in the record. Any credit is subtracted from the debit, and
the real amount in the invoice document is determined.
Similarly, the net value of the purchase order item is calculated with respect
to the invoiced quantity, so that the amounts are compared using the same
quantity (here, the quantity in the invoice). The net values are then
aggregated per purchase order item. The amounts are then compared and
the result is evaluated against the threshold amount/currency and threshold
percent (defined by the user) that indicate how much the amount in the
invoice may exceed the amount in the purchase order item to which it is
being compared. The risk amount is then the difference between the
invoice amount and the purchase order amount.
Note
The currency conversion uses the standard conversion at average rate
(type M) and the business document dates of the purchase order and
invoice.
The functionality is restricted to purchase order items of the
category Standard (PSTYP = 0).
Amount values (that is, the purchase order item net value, the invoice
net value, and the risk value) are rounded to two decimal places.
Alert Messages
Message ID FRA_INTERNAL_AUDIT, message number 065, Ordered
amount &1 &2 < invoiced amount &3 &4 in accounting document(s)
Logic
This detection method reads changes to the bank data of vendors and
checks whether each change reverses a previous change to the same
bank data. The previous change must occur within the interval specified in
the input parameters to the detection method. If these conditions are met,
then the detection method determines whether invoices were paid to the
vendor during the specified period of time.
The detection result is 50 if there was a master data change without
payments. The detection result is 100 if payments are found while the
master data was changed. The risk value is the aggregated payment
amount in investigation currency.
Alert Messages
Message ID FRA_INTERNAL_AUDIT, message number 042, Date and time when
the new bank account was active the last time: &1, &2
Logic
The business logic is the same for both versions of the flip-flop payee
detection method.
For each change in the incoming data table, the execution procedure
checks whether a payment has taken place in the critical period (between
the flip-flops of the alternative payee name). To make this check, the
procedure joins the incoming data table with the database
tables BSEG and BKPF and selects the company code, the vendor, the
change date and time as well as the connected change date and time
where the client equals the session client, the account type (KOART)
equals K, the posting key (BSCHL) is 25 and the date on which the
accounting document was entered (CPUDT) is greater than the connected
change date as well as lower than the change date.
If the date on which the accounting document was entered is equal to the
connected change date, then the time on which the accounting document
was entered (CPUTM) must be greater than the connected change time.
If the date on which the accounting document was entered is equal to the
change date, then the time on which the accounting document was entered
must be lower than the change time. This selection leads to a table with all
the changes with payments in the critical period.
To find all payee changes without payments, the procedure collects
company code, vendor, change date, change time, connected change date,
and connected change time from the incoming data table that are not in the
first selection of the procedure.
The result is built by setting 100 as detection result for changes with
payments and 50 for changes without payments and combining the table of
the changes with payment with the table containing the changes without
payments.
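The critical-period check and the 100/50 scoring described above (the bank-data flip-flop method earlier on the page scores the same way), as an added Python example that is not SAP's procedure code. Combining entry date and time into one timestamp reduces the separate date and time rules to a single strict comparison; the change and posting rows, and the key names other than the SAP field names from the text, are constructed.

```python
from datetime import datetime

# Constructed flip-flop pairs: "connected" is the earlier change that the
# later change reverses. Dates are YYYYMMDD, times HHMMSS.
SAMPLE_CHANGES = [
    {"bukrs": "1000", "lifnr": "V1", "connected_date": "20240301",
     "connected_time": "100000", "change_date": "20240305", "change_time": "160000"},
    {"bukrs": "1000", "lifnr": "V2", "connected_date": "20240310",
     "connected_time": "090000", "change_date": "20240310", "change_time": "170000"},
    {"bukrs": "1000", "lifnr": "V3", "connected_date": "20240401",
     "connected_time": "080000", "change_date": "20240410", "change_time": "080000"},
]

# Constructed line items (BSEG joined with BKPF for CPUDT/CPUTM).
SAMPLE_POSTINGS = [
    {"bukrs": "1000", "lifnr": "V1", "koart": "K", "bschl": "25",
     "cpudt": "20240303", "cputm": "120000"},   # inside the critical period
    {"bukrs": "1000", "lifnr": "V2", "koart": "K", "bschl": "25",
     "cpudt": "20240310", "cputm": "090000"},   # same second as the first change
    {"bukrs": "1000", "lifnr": "V2", "koart": "K", "bschl": "25",
     "cpudt": "20240310", "cputm": "170000"},   # same second as the reversal
    {"bukrs": "1000", "lifnr": "V3", "koart": "K", "bschl": "31",
     "cpudt": "20240405", "cputm": "101500"},   # in the period, wrong posting key
]


def ts(dats, tims):
    """Combine a date (YYYYMMDD) and a time (HHMMSS) into one timestamp."""
    return datetime.strptime(dats + tims, "%Y%m%d%H%M%S")


def paid_in_critical_period(change, postings):
    """True if a vendor payment item was entered strictly between the changes."""
    start = ts(change["connected_date"], change["connected_time"])
    end = ts(change["change_date"], change["change_time"])
    for posting in postings:
        if (posting["bukrs"], posting["lifnr"]) != (change["bukrs"], change["lifnr"]):
            continue
        if posting["koart"] != "K" or posting["bschl"] != "25":
            continue
        # Strict on both sides: a document entered in the same second as
        # either change is outside the critical period.
        if start < ts(posting["cpudt"], posting["cputm"]) < end:
            return True
    return False


def score_changes(changes, postings):
    """100 for changes with payments in the critical period, 50 without."""
    return [
        {"bukrs": c["bukrs"], "lifnr": c["lifnr"],
         "detection_result": 100 if paid_in_critical_period(c, postings) else 50}
        for c in changes
    ]
```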
Alert Messages
Logic
Invoices are considered suspicious if the:
Vendor (field LIFNR in table BSEG) is the same
Reference number (field XBLNR in table BKPF) is the same
And if one of the following fields is different:
o Company code (field BUKRS in table BKPF)
o Document number (field BELNR in table BKPF)
o Fiscal year (field GJAHR in table BKPF)
If the above conditions are met, the detection method returns a score of 50.
If the suspicious invoices were also approved by the same person
(field WI_AAGENT in table SWWWIHEAD), then it returns a score of 100.
To determine the approver, only workflow items with task ID TS00407862,
which is the standard payment release task (field WI_RH_TASK in
table SWW_WI2OBJ), are considered. This information may need to be
adapted for customer-specific workflow implementations.
Alert Messages
Logic
Invoices are considered duplicates if the:
Company code (field BUKRS in table BKPF) is the same
Vendor (field LIFNR in table BSEG) is the same
Reference number (field XBLNR in table BKPF) is the same
Amount (field WRBTR in table BSEG) is the same
Document currency (field WAERS in table BKPF) is the same
Document numbers (field BELNR in table BKPF) are different
If the invoices are duplicates and the approver (field WI_AAGENT in
table SWWWIHEAD) is identical, then the detection method returns a score
of 100.
To determine the approver, only workflow items with task ID TS00407862,
which is the standard payment release task (field WI_RH_TASK in
table SWWWIHEAD), are considered. This information may need to be
adapted for customer-specific workflow implementations.
Alert Messages
Logic
Relevant detection objects are restricted to those with
table BSEG field VBUND = initial (not intercompany) and account
type KOART = K.
The execution procedure first converts the threshold amount from the input
parameters into the currency of the invoice item. It then determines how
many invoices have rounded amounts as a percentage of all invoices. If
this percentage exceeds the threshold for a vendor, then the method
returns those rounded invoices that exceed the minimum amount in the
input parameters.
Alert Messages
Message ID FRA_INTERNAL_AUDIT, message number 108, Invoice
item &1, from vendor &2, has a round amount: &3 &4
Variable &1 is the concatenation of the document and item numbers of the
invoice, variable &2 is the name of the vendor, variable &3 is the amount of
a rounded invoice, variable &4 is the currency.
Procedure app.fra.suite.pur.dt.vendor.invoiceitem.se
Alert Messages
Note
Variable &1 (Vendor) is filled with the contents of table BSEG field LIFNR.
Variable &2 (VAT registration number) is filled with the content of
table LFA1, field STCEG.
Logic
To allow comparisons, the amounts of thresholds are converted to the
currency of the company code. For the invoice item, the amount in
company code currency from the invoice is used.
The invoice items are summed in accordance with the debit/credit sign of
the record. The debit sum is subtracted from the credit sum and the real
amount of the invoices is determined. If the amount of a single invoice item
is smaller than the threshold for a single invoice (defined by the user), then
the invoice amounts are aggregated by vendor and company code. If the
sum of all invoices related to this vendor is greater than the threshold for
the sum of the invoices (defined by the user), then the invoice items of the
vendor are suspicious.
The risk amount is defined as the sum of the amounts of the selected
invoice items of the vendor.
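The aggregation described above, as an added example that is not part of the original page or of SAP's procedure. The rows are constructed sample data using the BSEG field names, amounts are assumed to be already converted to company code currency, and taking the signed sum as the risk amount is an assumption.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample items modelled on BSEG; DMBTR is already in company code
# currency. SHKZG: H = credit, S = debit.
def item(bukrs, lifnr, belnr, shkzg, dmbtr):
    return {"BUKRS": bukrs, "LIFNR": lifnr, "BELNR": belnr,
            "SHKZG": shkzg, "DMBTR": Decimal(dmbtr)}

ITEMS = [
    item("1000", "V100", "5100000001", "H", "4900.00"),
    item("1000", "V100", "5100000002", "H", "4800.00"),
    item("1000", "V100", "5100000003", "H", "4950.00"),
    item("1000", "V100", "5100000004", "S", "4800.00"),   # reversal of ...0002
    item("1000", "V200", "5100000005", "H", "12000.00"),  # above single limit
    item("1000", "V200", "5100000006", "H", "3000.00"),
    item("2000", "V100", "5100000007", "H", "4900.00"),   # other company code
]

def split_invoice_alerts(items, single_limit, sum_limit):
    """Flag vendors whose individually small items add up past sum_limit."""
    groups = defaultdict(list)
    for row in items:
        # Only items below the single-invoice threshold take part.
        if row["DMBTR"] < single_limit:
            groups[(row["BUKRS"], row["LIFNR"])].append(row)
    alerts = {}
    for key, rows in groups.items():
        credit = sum((r["DMBTR"] for r in rows if r["SHKZG"] == "H"), Decimal(0))
        debit = sum((r["DMBTR"] for r in rows if r["SHKZG"] == "S"), Decimal(0))
        net = credit - debit  # debit sum subtracted from credit sum
        if net > sum_limit:
            # Assumption: the risk amount is the signed sum of the group.
            alerts[key] = {"risk_amount": net,
                           "documents": sorted(r["BELNR"] for r in rows)}
    return alerts

if __name__ == "__main__":
    for key, alert in split_invoice_alerts(ITEMS, Decimal("5000"), Decimal("9000")).items():
        print(key, alert["risk_amount"], alert["documents"])
```

The reversal in the sample matters: without subtracting the debit item, vendor V100 would be reported with a risk amount that includes an invoice that was taken back.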
Note
The currency conversion uses the standard conversion at the average rate
(exchange rate type ‘M’).
The functionality is restricted to invoice items with posting keys Reverse
Invoice, Credit Invoice, Invoice, Reverse Credit Memo
(21 OR 22 OR 31 OR 32) that are not intracompany, and Account
Type Vendor.
Alerts are created only for invoice items with posting
key Invoice and Reverse Credit Memo.
Procedure app.fra.suite.pur.dt.vendor.invoiceitem.se
Alert Messages
Message ID FRA_INTERNAL_AUDIT, message 078, Several invoices
under threshold exist; sum exceeds given limit: &1 &2
Logic
The execution procedure checks if the field SGTXT in table BSEG contains
one of the terms in the suspicious terms list. The terms are compared by a
fuzzy search with the specified fuzziness factor. The search is contained in
the procedure sap.hana-app.fra.suite.lib/PR_INVOICE_ITEM_SUSPICIOUS_TERMS_EXEC.
To improve performance, the search direction is reversed in mass detection
by searching one suspicious term at a time in all vendor invoice texts. This
requires the creation of a full text index on field SGTXT of table BSEG.
Note
The selection and additional information procedures from customer invoice
items are reused for this detection method for vendor invoice items.
Alert Messages
Logic
For each vendor, the invoice with the latest date is selected. In a second
step, the invoice before the last one is determined. The final step is to
calculate the difference between the creation dates of the two invoices for
the vendor (the most recent and the previous invoices). If the difference is
equal to or larger than the threshold number of days in detection method
parameter MIN_DAYS_NO_ACTIVITY, then an alert is raised. If the most
recent invoice is also the first invoice created for a vendor, then no alert is
raised.
The risk amount of an alert is defined as the sum of the values of
the DMBTR field of the invoice items that are considered to be suspicious.
The method checks only invoice items that meet the following conditions:
The invoices are for regular vendors (not one-time account invoices)
The account type is set to K
The field SHKZG has value H.
Alert Messages
Logic
For each vendor, the invoice with the latest date is selected. In a second
step, the invoice before the last one is determined. The final step is to
calculate the difference between the creation dates of the two invoices for
the vendor (the most recent and the previous invoices). If the difference is
equal to or larger than the threshold number of days in detection method
parameter Min days without account activity, then an alert is raised. If the
most recent invoice is also the first invoice created for a vendor, then no
alert is raised.
The method checks only invoice items that meet the following conditions:
The invoices are for regular vendors (not one-time account invoices).
The field DebitCreditCode has the value for the creditor.
Used Entities
DETECTION_OBJECT
VENDOR_INVOICE_ITEM
Risk Value
AmountInAlertCurrency: The Risk Value is the amount of the specific
invoice in the alert currency.
Additional Information
The alert shows the last posting to the account.
Logic
The amount of an invoice is the amount in field DMBTR. All invoices with
field AWTYP set to RMRP are evaluated. AWTYP = RMRP means that the
base business transaction is of type Material Management Incoming
Invoice.
In invoices with AWTYP RMRP, the AWKEY field consists of two parts:
the document ID and the fiscal year (fields BELNR and GJAHR). These
fields are the key for the entries in table RBKP and are part of the key
for table RSEG. The key is split into its parts, which are used to identify
the relevant lines in RBKP and RSEG.
If an invoice has an entry in table RSEG, then the method checks whether
field EBELN is filled in RSEG. If this is not the case for at least one entry
in RSEG, then the invoice is missing a purchase order and is suspicious.
Invoices that have no corresponding entries in table RSEG but do have
entries in table RBKP are also considered to be suspicious.
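The lookup described above, as an added example that is not part of the original page or of SAP's procedure. All rows are constructed sample data, and the split of AWKEY into a 10-character document number followed by a 4-digit fiscal year is an assumption about the field layout.

```python
from collections import defaultdict

def split_awkey(awkey):
    """Split AWKEY into (BELNR, GJAHR); assumes 10 characters + 4 digits."""
    return awkey[:10], awkey[10:14]

def invoices_missing_po(bkpf_rows, rbkp_keys, rseg_rows):
    """Return (accounting document, reason) for invoices without a PO."""
    po_refs = defaultdict(list)
    for line in rseg_rows:
        po_refs[(line["BELNR"], line["GJAHR"])].append(line["EBELN"].strip())
    findings = []
    for doc in bkpf_rows:
        if doc["AWTYP"] != "RMRP":      # only MM incoming invoices
            continue
        key = split_awkey(doc["AWKEY"])
        lines = po_refs.get(key, [])
        if lines and any(ebeln == "" for ebeln in lines):
            # One unreferenced item is enough to flag the whole invoice.
            findings.append((doc["BELNR"], "RSEG line without EBELN"))
        elif not lines and key in rbkp_keys:
            findings.append((doc["BELNR"], "RBKP header without RSEG lines"))
    return findings

# Constructed sample data. BKPF.BELNR is the accounting document number;
# the invoice document number is only reachable through AWKEY.
BKPF = [
    {"BELNR": "1900000001", "AWTYP": "RMRP", "AWKEY": "51056000012024"},
    {"BELNR": "1900000002", "AWTYP": "RMRP", "AWKEY": "51056000022024"},
    {"BELNR": "1900000003", "AWTYP": "RMRP", "AWKEY": "51056000032024"},
    {"BELNR": "1900000004", "AWTYP": "BKPF", "AWKEY": "19000000041000"},
]
RBKP_KEYS = {("5105600001", "2024"), ("5105600002", "2024"), ("5105600003", "2024")}
RSEG = [
    {"BELNR": "5105600001", "GJAHR": "2024", "EBELN": "4500000011"},
    {"BELNR": "5105600001", "GJAHR": "2024", "EBELN": "4500000012"},
    {"BELNR": "5105600002", "GJAHR": "2024", "EBELN": "4500000013"},
    {"BELNR": "5105600002", "GJAHR": "2024", "EBELN": ""},
]

if __name__ == "__main__":
    for belnr, reason in invoices_missing_po(BKPF, RBKP_KEYS, RSEG):
        print(belnr, reason)
```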
Note
The currency conversion uses the standard conversion at the average rate
(exchange rate type M) and the business posting dates of the invoice.
The functionality is restricted to invoice items that have the posting
keys Invoice, Reverse Credit Memo (31 OR 32), which are
not Intercompany, Account Type Vendor, and with Debit/Credit Indicator
Credit.
Alert Messages
Message ID FRA_INTERNAL_AUDIT, message number 077, Selected
period has invoices above the threshold w/o reference to a PO
Parameter Meaning
LOWER_LIMIT: Lower limit for invoice item amounts that are evaluated
by this detection method. Invoice items with lower amounts are ignored.
UPPER_LIMIT: Upper limit for invoice item amounts that are evaluated
by this detection method. Invoice items with larger amounts are ignored.
Alert Messages
Message ID FRA_INTERNAL_AUDIT, message number 111, Similar
invoice for ref. doc. no. &1 found on date &2 with amount &3 &4
The message variables are as follows:
&1 – Reference document (BKPF.XBLNR)
&2 – Invoice date (BKPF.BLDAT)
&3 – Risk amount (invoice amount from BSEG.WRBTR)
&4 – Invoice currency (BKPF.WAERS)
Logic
Detection objects are restricted to those that are not of
type Intercompany (where field VBUND is initial). For each invoice item,
this method checks whether the country key of the receiving bank differs
from the country key of the vendor’s home country (field LAND1 in
table LFA1). The method returns a score of 100 if the country keys differ.
Alert Messages
Logic
The method works by selecting vendors from table LFA1 and then reading
the invoice items of the vendor from table BSEG. The vendor in an invoice
item in field LIFNR in table BSEG is then found in table LFA1. The country
of the vendor, from field LAND1 in table LFA1, is then checked against the
list of high-risk countries.
DE Germany 12
IQ Iraq 175
AF Afghanistan 176
If BOTTOM_N_RANKS = 1 it will return only the country AF because it
occupies the single highest rank.
If BOTTOM_N_RANKS = 2 it will return the countries AF, IQ, and KP
because they populate the two highest ranks.
Note how the parameter does not equal the number of returned
countries.
If BOTTOM_N_RANKS = 3 it will return the countries AF, IQ, KP, and
DE because they populate the three highest ranks.
Note how the procedure ignores gaps in the numbering and includes DE
although it is much less risky than IQ.
Alert Messages
Message ID FRA_INTERNAL_AUDIT, message number 109, Vendor &1
is located in high-risk country &2, which has the rank &3
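The BOTTOM_N_RANKS selection and the resulting alert text, as an added example that is not part of the original page or of SAP's procedure. DE, IQ and AF carry the ranks shown above; KP is placed on IQ's rank because the text returns both at BOTTOM_N_RANKS = 2, and SE and the vendor rows are constructed.

```python
# Rank table: DE, IQ and AF are the rows that survive on the page. KP's rank is
# inferred from the text (assumption); SE is constructed to show an exclusion.
COUNTRY_RANKS = {"SE": 3, "DE": 12, "IQ": 175, "KP": 175, "AF": 176}

# Constructed vendor rows: (LFA1.LIFNR, LFA1.LAND1)
VENDORS = [
    ("0000100001", "DE"),
    ("0000100002", "KP"),
    ("0000100003", "SE"),
    ("0000100004", "AF"),
]

MESSAGE_109 = "Vendor &1 is located in high-risk country &2, which has the rank &3"

def bottom_n_ranks(country_ranks, n):
    """Countries that occupy the n highest distinct rank values."""
    # Distinct values first: ties share a rank, gaps between ranks are ignored.
    worst = set(sorted(set(country_ranks.values()), reverse=True)[:n])
    hits = [c for c, rank in country_ranks.items() if rank in worst]
    return sorted(hits, key=lambda c: (-country_ranks[c], c))

def high_risk_vendor_alerts(vendors, country_ranks, n):
    """Fill message 109 for every vendor located in a selected country."""
    risky = set(bottom_n_ranks(country_ranks, n))
    alerts = []
    for lifnr, land1 in vendors:
        if land1 not in risky:
            continue
        text = MESSAGE_109
        for var, value in (("&1", lifnr), ("&2", land1),
                           ("&3", str(country_ranks[land1]))):
            text = text.replace(var, value)
        alerts.append(text)
    return alerts

if __name__ == "__main__":
    for n in (1, 2, 3):
        print(n, bottom_n_ranks(COUNTRY_RANKS, n))
    print("\n".join(high_risk_vendor_alerts(VENDORS, COUNTRY_RANKS, 2)))
```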
Logic
The invoice items that are processed must have a credit entry (table BSEG
field SHKZG = H), the accounting type must be K (table BSEG field
KOART = K), and the accounting key must be of type credit memo, reverse
invoice, invoice, or reverse credit invoice
(table BSEG field BSCHL = 21 or 22 or 31 or 32).
The procedure works by calculating a tolerance date as the date on which
an accounting document was entered (table BKPF field CPUDT) plus the
largest cash discount days value minus the TOLERANCE_DAYS input
parameter.
For returning results, this TOLERANCE_DATE is compared with
the CLEARING_DATE. If the TOLERANCE_DATE is larger, then an alert is
created.
Alert Messages
Message ID FRA_INTERNAL_AUDIT, message number 096, Invoice
item was paid on the &1, &2 days earlier than the net due date &3
Logic
The execution procedure selects all invoices that have posting key
= 21 or 22 or 31 or 32, accounting type K, and a clearing document
number. The document number, company code, fiscal year, and item
number must be the same as from the input data set.
The execution procedure then checks whether any of the invoices were
manually paid. That is, the payments are of accounting type K and have
posting key 25. The payments also must not have been made using
transaction code F110. All invoices that were paid manually are reported
with a score of 100.
Alert Messages
Message ID FRA_INTERNAL_AUDIT, message number 089, The
outgoing payment was posted on &1 by user &2
Message ID FRA_INTERNAL_AUDIT, message number 090, Payment
document number &1 / fiscal year &2 / company code &3
Logic
To check for a low DSO for a particular vendor, the method first calculates
the average payment term from the company code with the following
formula:
SQL Code:
SUM ( DAYS_BETWEEN (BKPF.CPUDT, BSEG.AUGDT) * BSEG.DMBTR
) / SUM ( BSEG.DMBTR )
The average time to payment of a vendor is calculated with the same
formula, but the SQL query is extended with the vendor number. Both
calculations select only data sets from tables BKPF and BSEG that have
accounting type (KOART) K, posting keys (BSCHL) 21, 22, 31, or 32 and a
valid clearing date (AUGDT).
When the values are calculated, the method checks whether the
difference between the vendor and company-average DSO exceeds the
threshold that you have entered. If the threshold is exceeded, then an alert
is generated for the vendor and company code.
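The amount-weighted average from the SQL formula above and the vendor comparison, as an added example that is not part of the original page or of SAP's procedure. The rows are constructed sample data, and alerting when the vendor is paid faster than the company code average is an assumption taken from the wording of the alert message.

```python
from collections import defaultdict
from datetime import date

INVOICE_KEYS = {"21", "22", "31", "32"}

def weighted_days(items):
    """SUM(DAYS_BETWEEN(CPUDT, AUGDT) * DMBTR) / SUM(DMBTR)."""
    total = sum(i["DMBTR"] for i in items)
    if total == 0:
        return None  # no cleared volume, nothing to average
    return sum((i["AUGDT"] - i["CPUDT"]).days * i["DMBTR"] for i in items) / total

def early_payment_alerts(items, threshold_days):
    """Return {(BUKRS, LIFNR): days paid earlier than the company average}."""
    cleared = [i for i in items
               if i["KOART"] == "K" and i["BSCHL"] in INVOICE_KEYS
               and i["AUGDT"] is not None]
    by_company, by_vendor = defaultdict(list), defaultdict(list)
    for i in cleared:
        by_company[i["BUKRS"]].append(i)
        by_vendor[(i["BUKRS"], i["LIFNR"])].append(i)
    alerts = {}
    for (bukrs, lifnr), rows in by_vendor.items():
        company_avg = weighted_days(by_company[bukrs])
        vendor_avg = weighted_days(rows)
        if company_avg is None or vendor_avg is None:
            continue
        diff = company_avg - vendor_avg
        if diff > threshold_days:
            alerts[(bukrs, lifnr)] = diff
    return alerts

def row(bukrs, lifnr, koart, bschl, cpudt, augdt, dmbtr):
    return {"BUKRS": bukrs, "LIFNR": lifnr, "KOART": koart, "BSCHL": bschl,
            "CPUDT": cpudt, "AUGDT": augdt, "DMBTR": dmbtr}

# Constructed sample rows (joined BKPF/BSEG view).
ITEMS = [
    row("1000", "V1", "K", "31", date(2024, 1, 1), date(2024, 1, 31), 1000),
    row("1000", "V1", "K", "31", date(2024, 3, 1), date(2024, 3, 31), 1000),
    row("1000", "V2", "K", "31", date(2024, 1, 10), date(2024, 1, 12), 2000),
    row("1000", "V2", "K", "31", date(2024, 1, 15), None, 9000),  # open item
    row("1000", "V3", "S", "40", date(2024, 1, 1), date(2024, 1, 2), 5000),
]

if __name__ == "__main__":
    print(early_payment_alerts(ITEMS, threshold_days=10))
```

Because the average is weighted by DMBTR, the vendor's own payments pull the company code figure down: in the sample the company average is 16 days, not the 30 days of the other vendor.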
ADDINF Procedure app.fra.suite.pur.dt.vendor.masterdata.ai
Alert Messages
Message ID FRA_INTERNAL_AUDIT, message number 103, Early
payment; average payment period in company code &1 is &2 days more
Logic
The method returns a detection result of 100 for any active vendor that has
blocked duplicates.
If the matching blocked vendor is blocked on company-code level
(field SPERR in table LFB1), then the matching vendors must have the
same company code in order to get a result for the matching active vendor.
If the matching blocked vendor is blocked on a general level
(field SPERR in table LFA1), then a result is created for the active vendor
independent of the company codes of both vendors.
Logic
For each employee record in the input data table, the execution procedure
checks whether the corresponding bank account is already a regular
vendor bank account. To make this check, the procedure first creates a list
of the regular vendor bank accounts by joining the database
tables LFBK, LFA1 and LFB1 on the vendor account number (LIFNR),
where the client equals the session client and the vendor account group
(KTOKK) is not equal to HRTP.
Afterwards the procedure compares the employee bank accounts with the
regular vendor bank accounts by joining the two lists. If identical bank
account data is found for both a vendor and an employee, then the details
of the employee as well as the connected regular vendor are returned. In
addition, a detection result field with value 100 is returned.
Investigation and Detection Object Types
Investigation object type: FRA_VEND (Vendor)
Detection object type: FRA_VEND (Vendor Master Data)
Alert Messages
Message ID FRA_INTERNAL_AUDIT, message number 079, Employee
&1, &2 and vendor &3, &4 have same bank account data
Alert Messages
Message ID FRA_INTERNAL_AUDIT, message number 120, Vendor &1
(&2) has a "C/O" address
Detection Method: Vendors with Similar Names
Use this method to find suspicious vendors that have similar names to a
high-volume vendor. Typically, a suspicious vendor makes little revenue
but their name resembles the name of a high-volume vendor. For example,
if there were a vendor called “Ziemens AG” it might be considered
suspicious because it is similar to “Siemens AG”.
Logic
This method determines the low- and high-volume vendors based on the
revenue of the last 12 months. For each low-volume vendor, it tries to find
matching high-volume vendors that have similar names. The matching is
done with a freestyle fuzzy search on the four name columns of table LFA1.
You can restrict matching by specifying thresholds for the minimum
turnover of valid vendors and the maximum turnover of vendors that may
be suspicious.
Parameter Use
FUZZINESS: Specifies by how much a search term and a hit in the data
being searched may differ. The parameter tells the SAP HANA database
how much fuzziness – differences in spelling, differences in number of
characters, and so on – to allow in doing a search.
The error tolerance scale is a percentage, from 0 to 100, where 100% is an
exact match. The lower the value of the fuzziness parameter, the higher the
tolerance. That is, a lower fuzziness value may produce too many false
positives.
The recommended setting is in the range between 80 and 100.
Alert Messages
Message ID FRA_INTERNAL_AUDIT, message number 121, Vendor &1
(&2) has a similar name as high-volume vendor &3 (&4)
Alert Messages
Message ID FRA_INTERNAL_AUDIT, message number 098, The vendor has
only a post office box address
Logic
The method returns all vendors without any contact number
(fields TELEFON_1_NUMBER, TELEFON_2_NUMBER and FAX_NUMBER
are empty) with a detection result value of 100.
The method also returns vendors for whom the country area code of at
least one contact number does not match the area code of the country in
the vendor’s address. The detection result is set to 100 for these vendors.
For the comparison of the area codes, the method uses table T005K (area
codes for each country code).
Alert Messages
Logic
Vendors without bank details are identified by looking for vendors that have
no entry in table LFBK (Bank Details).
EXEC Procedure app.fra.suite.pur.dt.vendor.masterdata.ex
Alert Messages
Message ID FRA_INTERNAL_AUDIT, message number 081, Vendor &1
in company code &2 has no bank details
SELE Procedure app.fra.suite.pur.dt.vendor.bankaccount.se
Alert Messages
Message ID FRA_INTERNAL_AUDIT, message number 127, Vendor &1 in &2 has
bank account &3 in &4
Logic
The execution procedure checks whether a vendor bank account is similar
to bank accounts of other vendors. Two bank accounts are similar if both
have the same BANK_COUNTRY_KEY and BANK_KEY.
The BANK_ACCOUNT_NUMBER may be different in the last 3 digits, but
must have the same length.
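The similarity rule above, as an added example that is not part of the original page or of SAP's procedure. The account rows are constructed sample data; grouping on the account number without its last three digits is one way to apply the rule without comparing every pair.

```python
from collections import defaultdict

# Constructed sample rows using the field names from the text above.
def account(lifnr, country, bank_key, number):
    return {"LIFNR": lifnr, "BANK_COUNTRY_KEY": country,
            "BANK_KEY": bank_key, "BANK_ACCOUNT_NUMBER": number}

ACCOUNTS = [
    account("V1", "DE", "10070000", "0012345678"),
    account("V2", "DE", "10070000", "0012345999"),  # differs in last 3 digits
    account("V3", "DE", "10070000", "012345678"),   # different length
    account("V4", "DE", "20050000", "0012345111"),  # different bank key
    account("V5", "FR", "10070000", "0012345222"),  # different country key
    account("V1", "DE", "10070000", "0012345001"),  # second account of V1
]

def similar_bank_accounts(accounts):
    """Return {vendor: sorted list of other vendors with a similar account}."""
    buckets = defaultdict(set)
    for acc in accounts:
        number = acc["BANK_ACCOUNT_NUMBER"]
        # Same country key, bank key and length; everything except the last
        # three digits must be identical.
        key = (acc["BANK_COUNTRY_KEY"], acc["BANK_KEY"], len(number), number[:-3])
        buckets[key].add(acc["LIFNR"])
    matches = defaultdict(set)
    for vendors in buckets.values():
        if len(vendors) < 2:       # a vendor never matches its own accounts
            continue
        for vendor in vendors:
            matches[vendor].update(vendors - {vendor})
    return {vendor: sorted(others) for vendor, others in matches.items()}

if __name__ == "__main__":
    for vendor, others in sorted(similar_bank_accounts(ACCOUNTS).items()):
        print(vendor, "has an account similar to", others)
```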
Alert Messages
Message ID FRA_INTERNAL_AUDIT, message number 092, Vendor &1
&2 has a similar bank account
Detection Method: Manual Change to Payment Proposal
Use this detection method to find payment proposals to which manual
changes have been made.
Note that exceptions in payment proposals are disregarded.
Logic
The execution procedure finds vendor payment proposals that have been
manually changed by checking whether the run ID (field LAUFI) and the run
date (field LAUFD) from table REGUP exist in table REGUA. If this is the
case, then alerts are created for all vendors related to the run ID and run
date. This detection method returns a score of 100.
The additional information procedure determines the users who changed
the payment proposal (field UNAME in table REGUA) and calculates the
risk amount, which is the sum of the manipulated payment proposals
(field RBETR in table REGUH) aggregated by vendor.
The field WAERS from table T001 is the currency key for the amount
field RBETR in table REGUH. These two tables are joined at the company
code (field BUKRS in table T001) and the paying company code of the
payment proposal (field ZBUKR in table REGUH).
Alert Messages
Message ID FRA_INTERNAL_AUDIT, message number 091, Payment
proposal for vendor &1 was changed by
Logic
The execution procedure checks if the percentage increase in the count of
interactions for an item of interest exceeded a threshold parameter. The
evaluated period is compared with the previous period; the period length is
a parameter which specifies a multiple of 30 minutes.
Alert Messages
Message ID FRA_CUAN_MSG, message number 001, Interest in '&1' has
increased by &2 between &3 and &4
Where &1 is the item of interest, &2 is the increase in %, &3 is
the beginning of the previous period, and &4 is the end of the evaluated
period.