Technical Document - Overview of Detection Methods For Internal Auditing

Overview of Detection Methods for
Internal Auditing and Anti-Corruption

Compliance
SAP provides over 50 detection methods as standard business content for
detection and investigation of fraud scenarios in procurement, internal
audit, and for anti-corruption compliance. The business content is ready
to use, and provides an excellent starting point for additional content. The
standard scenarios and detection methods are shown in the following
tables.
Irregularities in Accounting Documents

Investigation object type: FRA_ACCDOC (Accounting Document)
Detection object types:
 FRA_ACCDOC (Accounting Document)
Detection Method: Accounting

Documents Posted on Non-Working Days
You can use this method to find accounting documents that were posted on
non-working days. You can specify the factory calendar to use for checking
posting dates. The calendar can either be specified for all documents of a
company code or for particular users in company codes.
Logic
The method compares the accounting document entry date (field CPUDT in
table BKPF) with the dates in the factory calendar (table TFACS), and
recognizes those accounting documents that were posted on non-working
days.
To establish which factory calendar is valid, Customizing
table FRA_C_USER_FCA must be maintained in Customizing
(transaction SPRO, SAP Fraud Management Industry Solutions Governance,
Risk, and Compliance Factory Calendar Settings for Use in Detection Methods ).
The data entered into the customizing table is used to check the validity of
entries in the replicated tables.
The Customizing may apply to individual users and to all users in an entire
company code. User-specific customizing takes precedence over
company-code customizing. A particular user in a company code may be
checked against one calendar, other users in the company code against
another. Below are sample entries from table FRA_C_USER_FCA:
Company Code User Factory Cal. ID
BUKRS (table BKPF) USNAM (table BKPF) IDENT (table TFACS)
1000 Aschmidt 02
1000 01
In these entries, Factory Calendar 01 is used for all users who posted
documents in company code 1000, except for user ASCHMIDT.
Documents posted by this user in company code 1000 are checked against
factory calendar 02. For more information on table FRA_C_USER_FCA,
see the Customizing for SAP Fraud Management, in
transaction SPRO under SAP Fraud Management Industry
Solutions Governance, Risk, and Compliance Factory Calendar Settings for Use
in Detection Methods Factory Calendar Settings for Use in Detection Methods .
Investigation and Detection Object Types

 Investigation object type FRA_ACCDOC
 Detection object type FRA_ACCDOC
ERP Tables Used

 BKPF: Accounting Document Header
 TFACS: Factory calendar (display)
 T001: Company Codes
 TFACT: Factory calendar texts
 TFACD: Factory calendar definition
 ADRP: Persons (Business Address Services)
 USR21: User Name/Address Key Assignment
Procedures for Detection Methods
Procedur Procedure Name Procedur Package

e e Type
Category
e e Type
Category
Selection PR_ACCDOC_EXCEPTIONAL_DATES_SEL SQLScript sap.hana-app.fra-

E Procedure suite.acc.dt.accdoc.s
e
Execution PR_ACCDOC_EXCEPTIONAL_DATES_EXE SQLScript sap.hana-app.fra-

C Procedure suite.acc.dt.
accdoc.ex
Additional PR_ACCDOC_EXCEIONAL_DATES_ADDIN SQLScript sap.hana-app.fra-

Informatio F Procedure suite.acc.dt.
n accdoc.ai
Additional AT_FRA_C_USER_FCA : Attribute view on SQLScript sap.hana-

Views table FRA_C_USER_FCA – used internally Procedure app.fra.suite.fnd
Detection Method Parameters

None
Alert Messages
Message ID Message Message Text

Number
FRA_INTERNAL_AUDIT 061 User &1 posted a document on a non-working

day
FRA_INTERNAL_AUDIT 062 Document entry date: &1
Detection Method: Business Partner

Address in High-Risk Country
You can use this detection method to identify payments to debtors or
creditors that have a business address located in a high-risk country.
Logic
A payment proposal item will be marked as suspicious, and an alert will be
created if the country of a partner matches an entry in the high-risk country
list that has been uploaded into the SAP Fraud Management System.
This method checks the following fields and tables:
 Field LAND1 in table LFA1 for regular vendors
 Field LAND1 in table KNA1 for regular customers
 Field LAND1 in table BSEC for one-time customers or one-time vendors

 Investigation object type: FRA_ACCDOC (Accounting Document)
 Detection object type: FRA_PAYPRO (Payment Proposal Item)
ERP Tables Used

 BSEC: One-Time Account Data Document Segment
 BSEG: Accounting Document Segment
 LFBK: Vendor Master (Bank Details)
 LFA1: Vendor Master (General Section)
 KNBK: Customer Master (Bank Details)
 KNA1: General Data in Customer Master
SAP HANA Procedures for Detection Methods
Proced Procedure Name Proced Package

ure ure
Categor Type
y
Selectio PR_BP_HIGH_RISK_CTRY SQLScri sap.hana-

n _SELE pt app.fra.suite.acc.dt.accdocitem.paymentpr
Procedu oposalitem.se
re
Executio PR_BP_HIGH_RISK_CTRY SQLScri sap.hana-

n _EXEC pt app.fra.suite.acc.dt.accdocitem.paymentpr
Procedu oposalitem.ex
re
Addition PR_BP_HIGH_RISK_CTRY SQLScri sap.hana-

al _ADDINF pt app.fra.suite.acc.dt.accdocitem.paymentpr
Informat Procedu oposalitem.ai
ure ure
Categor Type
y
ion re

 HIGH_RISK_COUNTRY_LIST contains the ID of the high-risk country
list to use.
 BOTTOM_N_RANKS is filled with a numeric value and determines how
many of the worst-ranked high-risk countries are to be considered in the
detection process.
Example
ISO Country Code Country Name Rank
DE Germany 12
IQ Iraq 175
KP North Korea 175
AF Afghanistan 176
 If BOTTOM_N_RANKS = 1 it will return only the country AF because it
occupies the single highest rank.
 If BOTTOM_N_RANKS = 2 it will return the countries AF, IQ,
and KP because they populate the two highest ranks.
Note how the parameter does not equal the number of returned
countries.
 If BOTTOM_N_RANKS = 3 it will return the countries AF, IQ, KP,
and DE because they populate the three highest ranks.
Note how the procedure ignores gaps in the numbering and
includes DE although it is much less riskier than IQ.
Messages
 Message ID: FRA_INTERNAL_AUDIT, Message Number: 136, Message
text: The address of business partner &1 (&2) is in the high-risk country
&3
Detection Method: Accounting Document
Line Item Smurfing
You can use this detection method to identify payments of amounts due
that are broken up into several smaller payments.
Logic
A payment proposal item will be marked as suspicious if the payment of a
total amount is made in several small payments.
The selection procedure joins the input table with the database mentioned
tables on the key fields and filtered by the ones with the attribute BSEG-
KOART equal to ‘K’ for vendors or ‘D’ for customers. The output is the
union of the regular vendor, regular customer, one-time account vendors,
and one-time account customers with relation to delivery scheduling
agreement (EKKO-BSTYP <> L) . The execution procedure calls
the PR_CONVERT_THRESHOLD_AMOUNT_TO_LOCAL_CURRENCY pr
ocedure available at sap.hana-app.fra.suite.lib., which converts the
threshold amount to the local currency.
Payment proposal items are filtered by the document type (REGUP-
BLART) and terms of payment key (REGUP-ZTERM) provided as
parameters. The payment proposal items below the single threshold
specified as parameters are filtered, grouped, and summed up depending
on the business partner type (vendor, customer or one time
vendor/customer).
The output is those sums that are over the sum threshold specified as a
parameter and belong to the working set. The risk amount is the group
amount and currency.

 Investigation object type: FRA_DOC_IT (Accounting Document Line Item
for Outgoing Payment)
 Detection object type: FRA_PAYPRO (Payment Proposal Item)
ERP Tables Used

 REGUP: Processed items from payment program
 REGUH: Settlement data from payment program
 EKKO: Purchasing Document Header
 RSEG: Document Item: Incoming Invoice
Proce Procedure Name Proce Package

dure dure
Categ Type
ory
Selecti PR_SMURFING_SELE SQLS sap.hana-

on cript app.fra.suite.acc.dt.accdocitem.pa
Proce ymentproposalitem.se
dure
Execu PR_SMURFING_EXEC SQLS sap.hana-

tion cript app.fra.suite.acc.dt.accdocitem.pa
Proce ymentproposalitem.ex
dure
Additi PR_SMURFING_ADDINF SQLS sap.hana-

onal cript app.fra.suite.acc.dt.accdocitem.pa
Inform Proce ymentproposalitem.ai
ation dure
Conve PR_CONVERT_THRESHOLD_AMOUNT SQLS sap.hana-app.fra.suite.lib

rt _TO_LOCAL_CURRENCY cript
thresh Proce
old dure
amou
nt to
local
Parameter Use
THRESHOLD_SINGLE Threshold amount for single payment proposal items.
THRESHOLD_SINGLE_CURRENCY Threshold currency for single payment proposal

items.
THRESHOLD_SUM Threshold amount for the sum of payment proposal

items.
Parameter Use
THRESHOLD_SUM_CURRENCY Threshold currency for the sum of payment proposal

items.
DOCUMENT_TYPE Document type.
TERM_PAYMENT_KEY Terms of payment key.
Alert Messages
 Message ID FRA_INTERNAL_AUDIT, message number
128, Acc.Doc.Line with &1 &2 is part of group &3 which has a total value
of &4
The messages variables are set as follows:
o &1 – The amount
o &2 – The local currency
o &3 – The group information
o &4 – The risk amount
Detection Method: Duplicate Travel

Expense Claim Made by One Employee
Use this detection method to find cases in which an employee has
submitted a similar or duplicate receipt for different travel expense claims.
Logic
In order to determine if an employee has submitted and reused receipts on
more than one travel expense, the fields Personnel Number, Travel
Expense Type, Amount, and Currency are compared. As well, the field Trip
Number must be different. Only the last 180 days are selected as relevant.
In order not to create too many alert items, only one record with the latest
date for these fields is selected. Only receipts that have the same currency
as defined in the currency parameter are considered. The risk amount will
be the sum of all the reused receipts (plus the original one).

 Investigation object type: FRA_EMPL (Employee)
 Detection object type: FRA_TERCPT (Travel Expense Receipt)
ERP Tables Used
 PTRV_SREC: Trip Statistics - Receipts
 PTRV_HEAD: General Trip Data
 PA0001: HR Master Record: Infotype 0001 (Org. Assignment)
 PA0002: HR Master Record: Infotype 0002 (Personal Data)

e e Type
Category
Selection PR_SAME_RECEIPT_SEL SQLScrip sap.hana-

E t app.fra.suite.hr.dt.employee.travexprecei
Procedur pt.se
e
Execution PR_SAME_RECEIPT_EXE SQLScrip sap.hana-

C t app.fra.suite.hr.dt.employee.travexprecei
Procedur pt.ex
e
Additional PR_SAME_RECEIPT_ADD SQLScrip sap.hana-

Informatio INF t app.fra.suite.hr.dt.employee.travexprecei
n Procedur pt.ai
e
Technical Name Description Definition
NO_OF_SAME_RECEIPT Minimum or Determines the minimum or equal number of

equal match receipts which are classified as the same
receipt
AMOUNT Minimum match Determines the minimum amount a receipt

must have in order to be evaluated
AMOUNT_CURRENCY Exact match The currency for parameter AMOUNT
Alert Messages
 Message ID FRA_INTERNAL_AUDIT, message number 133, Receipt
&1 for &2 and &3 &4
 Message ID FRA_INTERNAL_AUDIT, message number 140, In trip &1
was already used for trip &2 and receipt &3
Detection Method: Travel Expenses with
Rounded Amounts
Travel expenses can be used to mask payments that actually have another
purpose, for instance bribes. Use this detection method to identify one
suspicious pattern: Employees who have repeatedly filed travel expenses
with unusually rounded amounts above a threshold amount.
Logic
The detection method returns a high detection score if the following
conditions are met:
 The number of relevant rounded receipts exceeds the threshold that you
set. A receipt is relevant only if it is rounded according to the rules in
table PR_TREXRECEIPTS_EVENAMOUNTS_DT. The receipt must
also exceed the minimum amount that is also set in this table.
 Review Period
A list of travel receipts is created for a defined period of time including
the posting date of the receipt.
The list of travel receipts contains receipts have been posted up
to n days prior, it also considers the posting date of the receipt.
n corresponds to the parameter “Review Period in Days” that has to be
maintained at strategy level.
This execution procedure performs the following steps:
1. Selecting the receipts that are associated
The receipts that are associated to the trips in table IT_DATA are
selected.
The underlying receipt table is joined with the trips to be analyzed from
table IT_DATA (using the personnel number PERSONNEL_NR).
The analyzed trip is in the database (during mass detection) but must be
removed before counting the suspicious receipts.
2. Discovering rounded, nontrivial amounts
Based on currency and amount, the decision table returns a divisor and
an intermediate score. If the intermediate score is 0, then the amount is
trivial. The receipt is ignored.
All “uneven” results are ignored and not exported to the additional
information procedure. This has an influence on the calculated risk
amount.
3. Discovering even amounts
The method uses the divisor from the decision table to determine
whether an amount is rounded. Receipts with rounded amounts are
reported as alert items and are added up to yield the risk value.
Decision Table for Rounded Amounts

This detection method uses a decision table to determine the following:
 Whether the amount on a travel receipt is rounded or not; and
 Whether the amount is large enough to be included in processing.
Receipts that do not have rounded amounts, or that have trivial amounts,
are not processed by this detection method.
The decision table is PR_TREXRECEIPTS_EVENAMOUNTS_DT. It is
defined in the SAP HANA database.
The decision table is used to:
 Specify what an “even amount” is.
The formula for evaluating an amount is shown after the table excerpt,
below.
 Specify the minimum amount for relevant receipts.
The standard SAP rules skip all receipts for less than or equal € 40, $
50, CHF 10, and JPY 10000, even if the amounts are even.
 Specify the value for the intermediate score of a relevant receipt.
The detection method treats all currencies not explicitly listed in the table
as currency “*”. The table contains more standard entries than are shown
here.
Note
If you wish to change the rules in the decision table, then you must copy
the table. Do this in the SAP HANA Studio. You must then also copy and
modify the detection method procedures cited in Procedures for Detection
Methods, below. These procedures must then use your new table. You
must also replace the methods in any detection methods that you have set
up for travel expenses.
Currency Amount DIVISOR INTERMEDIATE_SCORE
EUR <= 40 10 0
EUR > 40 10 1
USD <= 50 10 0
USD > 50 10 1
Currency Amount DIVISOR INTERMEDIATE_SCORE
CHF <= 10 10 0
CHF > 10 10 1
JPY <= 10000 1000 0
JPY > 10000 1000 1
* <= 10 10 0
* > 10 10 1
Deciding whether an amount is even: This detection method uses the
following formula to decide whether an amount is rounded:
1. The amount is divided by the DIVISOR from the decision table.
2. Any decimal remainder is removed from the new amount. The new
amount is not rounded up on the basis of the remainder.
3. The new amount is multiplied by the DIVISOR.
4. The new amount is subtracted from the original amount. If the result is 0,
then the original amount was rounded. If the result is greater than 0, then
the receipt is ignored.
Example
The amount of a travel receipt is 4350. The divisor defined in the decision
table is 100.
The even amount is calculated as follows:
1. The amount is divided by the divisor.
4350/100 = 43.5
The result is 43.5.
2. The decimal is cut of/removed: 43.5 => 43.
3. This result is multiplied by the divisor.
43 * 100 = 4300
The result is 4300.
4. The difference between the “original” amount and the result from step 3
is calculated.
The difference is 50; that is unequal zero.
Therefore, the “original” amount is not considered as an even amount.
According to the decision table JPY 4300 is an even amount, whereas JPY
4350 is not an even amount.
Detection and Investigation Object Types

 Investigation object type FRA_EMPL (Employee)
 Detection object type FRA_TERCPT (Travel Expense Receipt)
ERP Tables Used

 PTRV_SREC: Trip Statistics - Receipts
 PA0001: HR Master Record: Infotype 0001 (Org. Assignment)
 PA0002: HR Master Record: Infotype 0002 (Personal Data)

ure ure
Categor Type
y
Selectio PR_TREXRECEIPTS_EVENAMOUN SQLScri sap.hana-

n TS_SELE pt app.fra.suite.hr.dt.employee.travex
Procedu preceipt.se
re
Executi PR_TREXRECEIPTS_EVENAMOUN SQLScri sap.hana-

on TS_EXEC pt app.fra.suite.hr.dt.employee.travex
Procedu preceipt.ex
re
Addition PR_TREXRECEIPTS_EVENAMOUN SQLScri sap.hana-

al TS_ADDINF pt app.fra.suite.hr.dt.employee.travex
Informat Procedu preceipt.ai
ion re

 NUMBER_OF_RECEIPTS: The threshold for the minimum number of
receipts with rounded amounts. A detection result of 100 and alert items
are returned only if the number of receipts exceeds this threshold.
REVIEW_PERIOD_IN_DAYS: The period of time to review in days.
Alert Messages
Message ID Message Number Message Text
FRA_INTERNAL_AUDIT 069 Associated trip: &1 - &2; Amount: &3 &4

Detection Method: Suspicious Trend in
Trip Expenses
You can use this method to identify suspicious trends in employees’ trip
expenses.
Logic
An alert is generated if there is an increase in an employee’s travel
expenses by N-percent over a given time period. Each trip’s duration is
taken into account when determining the actual cost.
A linear regression is used to determine the regression line slope. If the
angle of the regression line is greater than a configured threshold, it
indicates a suspicious trend in the employee’s travel expenses and an alert
is created.
The linear regression is implemented with the “least squares” method.

 Investigation object type: FRA_EMPL (Employee)
 Detection object type: FRA_TREND (Employee Travel Expense Trend)
ERP Tables Used

 PTRV_SHDR: Trip Statistics
 PA0001: HR Master Record (Org. Assignment)

e e Type
Category
Selection PR_TRIP_COST_TREND_SEL SQLScrip sap.hana-

E t app.fra.suite.hr.dt.employee.traveltre
Procedur nd.se
e
Execution PR_TRIP_COST_TREND_EXE SQLScrip sap.hana-

C t app.fra.suite.hr.dt.employee.traveltre
Procedur nd.ex
e
e e Type
Category
Additional PR_TRIP_COST_TREND_AD SQLScrip sap.hana-

Informatio DINF t app.fra.suite.hr.dt.employee.traveltre
n Procedur nd.ai
e

 Minimum Number of Trips – at least two (on different dates) required.
 Trend Period – evaluation period in months based on latest trip begin
date.
 Minimum Trend Increase Percent – defines the % of the expense rate
increase (value of regression line slope) that is considered suspicious.
This value can be used to filter out small deviations, such as inflation
rate.
Alert Messages
 Message ID FRA_INTERNAL_AUDIT, message number 138, Suspicious
trend in trip expenses for employee &4 (ID &3) from &1 to &2
Where &4 is the employee name, &3 is the employee ID, &1 period of
evaluation start (from) &2 period of evaluation end (to).
Detection Method: Changes to Customer

Master Data
You can use this method to find customers whose address master data has
changed more frequently within the last 12 months than the threshold that
you specify for such changes.
Logic
The selection procedure PR_CUSTOMER_CHANGES_SELE selects all
changes for each pair of customer and company code specified in the input
parameter. Changes from tables CHDIR/CDPOS are taken into account;
these are updates (field CHNGIND has the value U in table CDPOS). Also
the field OBJCTCLAS must contain the value DEBI , and the FNAME field
must have one of the following values: Name1 , STRAS , PSTLZ , ORT0 , or REGIO .
The execution procedure PR_CUSTOMER_CHANGES_EXEC counts the
number of changes during the last 12 months, starting from the latest
change selected in selection procedure. If this number is greater than or
equal to the threshold specified in the input
parameter NO_CUSTOMER_CHANGES, then the customer, customer
name, company code, and number of changes are inserted into the result
list.

 Investigation object type: FRA_CUST (Customer)
 Detection object type: FRA_CUST (Customer Master Data)
ERP Tables Used

 KNB1: Customer Master (Company Code)
 CDPOS: Change document items
 CDHDR: Change document header

e e Type
Category
Selection PR_CUSTOMER_CHANGES_SEL SQLScrip sap.hana-app.fra-

E t suite.ord.dt.customer.masterdata
Procedur .se
e
Execution PR_CUSTOMER_CHANGES_EXE SQLScrip sap.hana-app.fra-

C t suite.ord.dt.customer.masterdata
Procedur .ex
e
Additional PR_CUSTOMER_CHANGES_ADD SQLScrip sap.hana-app.fra-

Informatio INF t suite.ord.dt.customer.masterdata
n Procedur .ai
e

 NO_CUSTOMER_CHANGES: Specifies the threshold for the number of
permissible changes to customer address data during the last 12
months.
Alert Messages
 Message ID FRA_INTERNAL_AUDIT message number 087 Customer
&1 changed name or location &2 times in 12 months.
Variable &1 contains the customer name and variable &2 is the number
of changes during the last 12 months.
Detection Method: Customer and Bank

Location Differ
Use this detection method to find customers whose bank account is located
in a different country than the home country of the customer.
Logic
The execution procedure checks whether the bank location country from
the bank account (Input
field IT_DATA_FOR_RULE.BANK_COUNTRY_KEY) is different than the
customer location country (database table field KNA1.LAND1). If the bank
account location is identified as suspicious, the bank account is added to
the result table with 100 as detection result.

 Investigation Object Type: FRA_CUST (Customer)
 Detection Object Type: FRA_CUBANK (Customer Bank Account)
ERP Tables Used

 KNBK: Customer Master (Bank Details)

e e Type
Category
Selection PR_BANK_ACCOUNT_SEL SQLScrip sap.hana-

e e Type
Category
E t app.fra.suite.ord.dt.customer.bankaccou
Procedur nt.se
e
Execution PR_BANK_ACCOUNT_EXE SQLScrip sap.hana-

C t app.fra.suite.ord.dt.customer.bankaccou
Procedur nt.ex
e
Additional PR_BANK_ACCOUNT_ADD SQLScrip sap.hana-

Informatio INF t app.fra.suite.ord.dt.customer.bankaccou
n Procedur nt.ai
e

None.
Alert Messages
 Message ID FRA_INTERNAL_AUDIT, message number 083, The
customer &1 is in &2, but the bank account is located in &3
Detection Method: Customer Invoice

Irregularities (Split Invoice)
You can use this detection method to detect smurfing, that is, the split-
payments of invoices. This method evaluates the selected invoice items
related to a particular customer to check that payments are not split into
many small payments instead of one larger payment that is greater than a
threshold specified by the user.
In general the method adds up small payments, as defined by a maximum
amount parameter, during a specified period of time. If the sum of
payments exceeds a specified threshold, then an alert is raised. The
method is restricted to invoice items with posting keys Reverse Invoice,
Credit Invoice, Invoice, Reverse Credit Memo
(‘01’ OR ‘02’ OR ‘11’ OR ‘12’), which are not intercompany, and which have
the account type Customer.
Logic
The execution procedure first converts
the THRESHOLD_SINGLE parameter to the currency of the company
code, so that the threshold may be applied to invoice item amounts. Then
all line items that have an amount smaller than
the THRESHOLD_SINGLE parameter and that have the correct posting
key are selected and converted to the currency of
the THRESHOLD_SUM parameter
(THRESHOLD_SUM_CURRENCY parameter).
These line items are then summed up and aggregated by customer,
whereby credits are added to the sum, debits are subtracted.
If the sum of all relevant invoices related to this customer is greater than
the THRESHOLD_SUM limit on the sum of the invoices, then the invoice
items of the customer are suspicious and an alert is raised.
The Risk Amount is defined as the sum of the amounts of the selected
invoice items of the customer.

Investigation object type: FRA_CUST (Customer)
Detection object type: FRA_CUINVI (Customer Invoice Item)
ERP Tables Used

 Tables for currency conversion (TCURV… ) These tables are replicated
as part of the standard default replication, if you are using the Internal
Audit business content and SAP LT data replication. The complete list of
currency conversion tables is listed in the Installation
Guide at http://help.sap.com/fra .
Procedur Procedure Name Procedu Package

e re Type
Category
Selection PR_CUST_SPLIT_INVOICE_S SQLScrip sap.hana-

ELE t app.fra.suite.ord.dt.customer.invoiceit
Procedur em.se
e re Type
Category
Execution PR_CUST_SPLIT_INVOICE_E SQLScrip sap.hana-

XEC t app.fra.suite.ord.dt.customer.invoiceit
Procedur em.ex
e
Additional PR_CUST_SPLIT_INVOICE_S SQLScrip sap.hana-

Informati ELE t app.fra.suite.ord.dt.customer.invoiceit
on Procedur em.ai
e

 THRESHOLD_SINGLE: The maximum amount of an invoice item that is
to be processed by this detection rule. If the invoice item amount
exceeds this threshold, then the invoice item is ignored for detection
purposes. All amounts (threshold and invoice item amounts) are
converted into the currency of the company code in order to compare the
amounts in the same currency.
 THRESHOLD_SINGLE_CURRENCY: The currency of the threshold
single amount.
 THRESHOLD_SUM: The alert threshold for the sum of the invoice items
of a customer. If the sum of the invoice items for the customer is lower
than this threshold, then the invoice items are deemed not to be
suspicious. All amounts are converted into the currency of the company
code in order to compare the amounts in the same currency.
 THRESHOLD_SUM_CURRENCY: The currency of the threshold sum
amount.
Alert Messages
 Message ID FRA_INTERNAL_AUDIT, message number 085; The sum
of invoices &1 &2 exceeds the given limit of &3 &4 for the sum
Detection Method: Suspicious Terms

Screening for Customer Invoice Items
You can use this method to screen the text of customer invoice items for
specific terms. Terms that are thought to be suspicious can be specified
and grouped to lists using the Suspicious Terms tile in SAP Fraud
Management.
Logic
The execution procedure checks if the field SGTXT in table BSEG contains
one of the terms in the suspicious terms list. The terms are compared by a
fuzzy search with the specified fuzziness factor. The search is contained in
the procedure sap.hana-
app.fra.suite.lib/PR_INVOICE_ITEM_SUSPICIOUS_TERMS_EXEC.
To improve performance, the search direction is reversed in mass
detection, by searching one suspicious term at a time in all customer
invoice texts. This requires the creation of a full text index on
field SGTXT of table BSEG.
Investigation and Detection Object

 Detection object type: FRA_CUINVI (Customer Invoice Item)
ERP Tables Used

 BKPF
 BSEG
Procedu Procedure Name Procedu Package

re re Type
Categor
y
Selection PR_SUSP_TERM_INVOICE_S SQLScri sap.hana-

ELE pt app.fra.suite.ord.dt.customer.invoiceit
Procedur em.se
e
Executio PR_SUSP_TERM_INVOICE_E SQLScri sap.hana-

n XEC pt app.fra.suite.ord.dt.customer.invoiceit
Procedur em.ex
e
Additiona PR_SUSP_TERM_INVOICE_A SQLScri sap.hana-

re re Type
Categor
y
l DDINF pt app.fra.suite.ord.dt.customer.invoiceit
Informati Procedur em.ai
on e

 FUZZINESS: Indicates how precise a hit needs to be. A fuzziness of 100
indicates that the terms must match exact to each other.
 SUSP_TERM_LIST_ID: Specifies which list is used as foundation for the
screening.
Alert Messages
FRA_INTERNAL_AUDIT 074 Suspicious terms "&1" found in text "&2"
Detection Method: Paying Customer

Differs from Invoiced Customer
You can use this method to find cases in which the following are true:
 A customer payment was made by an alternative payer specified in the
invoice other than the invoiced customer; and
 The alternative payer is not recorded in the customer master data.
An invoice can be paid by an alternative payer by choosing the
option Payer in document in the General Data area of an invoice. If this
option is selected, then the system displays a screen with the master data
of the payer. Such cases are relevant for detection because an alternative
payer who is recorded in the master data has given special written
permission to the company to allow payment from their accounts. The
exceptional Payer in document procedure does not include this protection.
Logic
The working set is restricted to invoice items that are not intercompany
(field VBUND is initial) and that are set to account type D. The execution
procedure uses the
fields COMPANY_CODE, DOCUMENT_NUMBER, ITEM_NUMBER,
and FISCAL_YEAR to identify detection objects in the working set.
The method reads tables BKPF, BSEG, BSEC, and KNA1.
Table BKPF contains the document header information for debtors.
Table BSEG contains document item information.
The company code, document number, invoice item and fiscal year are
read from the input parameters and are joined with table BSEG on these
fields where the client equals the session context. Table BSEG is needed
for reading the customer and selecting only those documents that have
accounting key 01 (BSEG.BSCHL). A join on table KNA1 on the client and
the customer filter out only those customers for which field XZEMP is set
to X. Finally, a join with table BSEC on the fields from the input parameters
tables is made to obtain the alternative payer name (BSEC.NAME1).
No risk amount is calculated.
A detection result of 100 is returned if an alternative payer name is found
that meets the conditions described above.

 Detection object type: FRA_CUINVI (Customer Invoice Item)
ERP Tables Used


re re Type
Categor
y
Selection PR_DIFFERENT_CUSTOMER_S SQLScri sap.hana-

ELE pt app.fra.suite.ord.dt.customer.invoice
Procedur item.se
e
Executio PR_DIFFERENT_CUSTOMER_E SQLScri sap.hana-

n XEC pt app.fra.suite.ord.dt.customer.invoice
re re Type
Categor
y
Procedur item.ex
e
Additiona PR_DIFFERENT_CUSTOMER_A SQLScri sap.hana-

l DDINF pt app.fra.suite.ord.dt.customer.invoice
Informati Procedur item.ai
on e

None
Alert Messages
 Message ID FRA_INTERNAL_AUDIT, message number 104; Invoice to
customer &1 was paid by customer &2
Detection Method: Growth Between 1st

and 2nd Year Exceeds Threshold
You can use this detection method to find new vendors the growth of
whose turnover between the first and second years of business is
suspiciously high.
The method compares turnover in the first and second years in which
vendor turnover is found for a company code. The beginning date is the
first day of the month in which vendor turnover is found for the first time
within a company code.
An alert is triggered if the percentage growth in turnover is bigger than the
growth threshold and if the turnover amount exceeds in one of the two
years the threshold for maximum allowable turnover. If the company code
currency and threshold currency are different, currency conversion takes
place.

Investigation object type: FRA_NEWVEN (New Vendor)
Detection object type: FRA_NEWVEN (New Vendor Master Data)
ERP Tables Used
 LFB1: Vendor Master (Company Code)
 BSEC:One-Time Account Data Document Segment

ure ure
Categor Type
y
Selectio PR_RGB_VENDOR_TURNOVER_TWO_YE SQLScri sap.hana-

n ARS_SELE pt app.fra.suite.pur.dt.newve
Procedu ndors.se
re
Executio PR_RGB_VENDOR_TURNOVER_TWO_YE SQLScri sap.hana-

n ARS_EXEC pt app.fra.suite.pur.dt.newve
Procedu ndors.ex
re
Addition PR_RGB_VENDOR_TURNOVER_TWO_YE SQLScri sap.hana-

al ARS_ADDINF pt app.fra.suite.pur.dt.newve
Informat Procedu ndors.ai
ion re

 THRESHOLD_REVENUE_GROWTH: The threshold in percent for the
maximum growth in turnover from the first year to the second year of
business with a new vendor.
 THRESHOLD_REVENUE_YEAR: The threshold for the minimum
amount of turnover considered relevant for investigation by this detection
rule. If the total turnover of the first and/or the second year DOES NOT
exceed this threshold, then the detection rule skips the new vendor; the
new vendor is not evaluated.
 THRESHOLD_CURRENCY: The currency in
which THRESHOLD_REVENUE_YEAR is denominated.
Alert Messages
 Message ID FRA_INTERNAL_AUDIT, message number 003, Growth is
&1 % (threshold for growth is &2 %)
Detection Method: Turnover of New

Vendor in First Year Exceeds Threshold
You can use this detection method to find new vendors whose turnover in
the first year of business exceeds a threshold that you specify.
Logic
The beginning date for the first year’s turnover is the first day of the month
in which vendor turnover is found for the first time within a company code.
An alert is raised if the amount of turnover exceeds the amount threshold. If
the company code currency and threshold currency are different, currency
conversion takes place.

ERP Tables Used

 BSET: Tax Data Document Segment

ure ure
Categor Type
y
Selectio PR_RGB_VENDOR_TURNOVER_FIRST_Y SQLScri sap.hana-

n EAR_SELE pt app.fra.suite.pur.dt.newve
Procedu ndors.se
re
Executio PR_RGB_VENDOR_TURNOVER_FIRST_Y SQLScri sap.hana-

ure ure
Categor Type
y
n EAR_EXEC pt app.fra.suite.pur.dt.newve
Procedu ndors.ex
re
Addition PR_RGB_VENDOR_TURNOVER_FIRST_Y SQLScri sap.hana-

al EAR_ADDINF pt app.fra.suite.pur.dt.newve
Informat Procedu ndors.ai
ion re

 THRESHOLD_REVENUE_1ST_Y: The threshold for the maximum
amount of first-year turnover allowed by this detection rule. Higher
amounts trigger an alert.
which THRESHOLD_REVENUE_1ST_Y is denominated.
Alert Messages
 Message ID FRA_INTERNAL_AUDIT, message number 004, Revenue:
1st year is &1 &2; 2nd year is &3 &2
Detection Method: Percentage of

Turnover Approved by a Single Person
You can use this method to detect cases in which a large percentage of the
turnover by a new vendor is approved by a single person.
The method reads the accounting documents and their segments of the
first 2 years after the first revenue of the vendor in the company code. It
then looks up the corresponding workflow items and finds the approver for
each accounting document. The method then aggregates the revenue per
vendor and company code by approver.
The execution procedure outputs results for each vendor in a company
code where at least one approver exists who approved more gross revenue
than the threshold specified in
parameter APPROVER_THRESHOLD_PERC.
Logic
The selection procedure reads the accounting documents (BKPF) and their
line items (BSEG). Only the documents of the first 2 years after the first
booking are considered, which reflects the rolling fiscal years in the
detection methods for rapidly growing business. Therefore, the end dates
of the first 2 years of each vendor need to be calculated so that all
accounting document line items in these 2 years can be selected.
These accounting document line items are also used to calculate the
turnover sum of each vendor and for further processing when finding the
approvers.
That is, for each accounting document segment, the respective workflow
item is searched (not all accounting document line items are approved by a
workflow). First the table SWW_WI2OBJ is read and the value for
field INSTID is a concatenated field of certain other key fields.
The structure of the key fields differs per BOR object type
(SWW_WI2OBJ.TYPEID) that is approved. The structure per BOR object
type can be found in program RFPPWF01. In the current selection
procedure only the type BSEG(and its subtypes) is investigated. In these
subtypes, the first 18 characters of the field SWW_WI2OBJ.INSTID is the
concatenation of BKPF.BUKRS, BKPF.BELNR, BKPF.GJAHR.
The subtypes for the BOR object types can be found in table SWOTIP.
The SWW_WI2OBJ entries are also filtered for a certain task ID, which is
hard-coded and corresponds to an approval step in the workflow. The hard-
coded value matches the task IDs of the standard SAP workflow. To find
the approver for each accounting document segment that has a
corresponding workflow item, the field WI_AAGENT in
table SWWWIHEAD is evaluated.
The accounting document entries are then aggregated by company code,
vendor ID and approver to sum up the monetary amount approved by a
person.
The execution procedure compares each approver’s turnover per vendor
with the vendor’s total turnover and computes the percentage. If one
approver has approved more turnover for a vendor than the detection
method parameter specifies, then the vendor is added to the result set.
If one accounting document was approved by more than one person (which
can happen), then each approver is responsible for the whole turnover
amount; the procedure does not split the turnover amount equally between
all approvers of one accounting document.
ERP Tables Used

 SWWWIHEAD: Workflow Runtime: Header Table for All Work Item
Types
 SWW_WI2OBJ: Workflow Runtime: Relation of Work Item to Object
 SWOTIP: Index Parent Object Types

e e Type
Category
Selection PR_APPROVER_STRUCTURE_SEL SQLScrip sap.hana-

E t app.fra.suite.pur.dt.newvendor
Procedur s.se
e
Execution PR_APPROVER_STRUCTURE_EXE SQLScrip sap.hana-

C t app.fra.suite.pur.dt.newvendor
Procedur s.ex
e
Additional PR_APPROVER_STRUCTURE_AD SQLScrip sap.hana-

Informatio DINF t app.fra.suite.pur.dt.newvendor
n Procedur s.ai
e

 APPROVER_THRESHOLD_PERCENT: The threshold in percent for the
maximum amount of new-vendor turnover that may be approved by a
single person.
Alert Messages
 Message ID FRA_INTERNAL_AUDIT, message number 003, Growth is
&1 % (threshold for growth is &2 %)
Detection Method: Multiple OTA Postings
to Same Account
You can use this detection method to find bank accounts that were used multiple times in
one-time accounts (OTA).
This method reads the invoices that were booked on a one-time account. It then checks
whether the bank account used in the OTA has been used in other invoices that were also
booked on one-time accounts.
You can control the method by specifying minimum thresholds for the value of invoices and
the number of times an account is used in OTA invoices. The method does not evaluate
accounts that do not reach these thresholds. If the invoice currency and the threshold currency
are different, then currency conversion is performed.
The risk value that is returned by the additional information procedure is the transaction
amount (field WRBTR of table BSEG) of a suspicious accounting document.
Logic
The selection procedure finds the accounting documents for one-time accounts, using as keys
the fields BUKRS(Company Code), GJAHR (Fiscal Year), BELNR (Document Number),
and BUZEI (Item Number) in table BSEC.
In the execution procedure, the total number of postings in the table BSEC is determined for
each account that is passed to the execution procedure. For this purpose, the input table is
grouped by accounts (BANKL, BANKN, BANKS), and the grouped result is joined with
the BSEC table. In a second step, the result of this join is combined with the BSEG table and
is then grouped by accounts once again. This construct ensures that all postings in the past in
table BSEG are considered for the count of postings to the OTA account.

Investigation object type: FRA_ONETIM (One-Time Vendors)
Detection object type: FRA_ONETIM (One-Time Vendors Invoices)
ERP Tables Used


e re Type
Category
Selection PR_MULTIPLE_OTA_POSTINGS_SE SQLScrip sap.hana-

LE t app.fra.suite.pur.dt.onetimeacc
Procedur ts.se
e
Execution PR_MULTIPLE_OTA_POSTINGS_EX SQLScrip sap.hana-

EC t app.fra.suite.pur.dt.onetimeacc
Procedur ts.ex
e
Additional PR_MULTIPLE_OTA_POSTINGS_A SQLScrip sap.hana-

Informati DDINF t app.fra.suite.pur.dt.onetimeacc
on Procedur ts.ai
e

 THRESHOLD_POSTINGS: Minimum number of one-time account postings to the same
bank account. If the number of postings does not exceed this threshold, then the postings
to the OTA are ignored.
 THRESHOLD_AMOUNT: Minimum value (amount) of OTA postings to the same bank
account. If the sum of the postings does not exceed this threshold, then the postings to the
OTA are ignored.
 THRESHOLD_CURRENCY: The currency in which the THRESHOLD_AMOUNT is
denominated.
Alert Messages
Detection Method: OTA Uses Bank

Account of Regular Vendor
Use this detection method to find one-time bank accounts that also belong
to a regular vendor. A posting on such an account is considered relevant
only if the amount of the invoice exceeds a minimum value threshold
specified by the customer.
Logic
An accounting document consists of a header that stores general
information and one or more line items. The equivalents at the database
level are the tables BKPF (accounting document header)
and BSEG (accounting document segment).
One-time accounts additionally need to store the bank details of the
vendor, as one time vendors are not regularly listed in the company’s
vendor master data. Therefore, one-time accounts need database
table BSEC (one-time account data document segment) as well as
table BSEG. The bank details of a regular vendor are stored in the vendor
master data in database table LFBK. For currency conversion that may be
performed during detection method execution the additional table T001 is
used which also stores company code currencies.
The selection procedure finds accounting documents for one-time
accounts.
The execution procedure then checks whether the bank account cited in a
one-time account invoice is also the bank account of a regular vendor.
If the amount of a relevant invoice exceeds the minimum value threshold,
then an alert is created.

Investigation object type: FRA_ONETIM (One-Time Vendors)
Detection object type: FRA_ONETIM (One-Time Vendors Invoices)
ERP Tables Used

 BKPF: Vendor Master (Company Code)

e e Type
Category
Selection PR_REG_VENDOR_ACCT_SELE SQLScript sap.hana-

Procedure app.fra.suite.pur.dt.onetimeaccts.
se
e e Type
Category
Execution PR_REG_VENDOR_ACCT_EXEC SQLScript sap.hana-

ex
Additional PR_REG_VENDOR_ACCT_ADDI SQLScript sap.hana-

Informatio NF Procedure app.fra.suite.pur.dt.onetimeaccts.
n ai

 THRESHOLD_AMOUNT: The minimum value of an invoice to be
considered relevant for alerting. If an OTA invoice uses a bank account
that also belongs to a regular vendor, an alert is created only if the value
of the invoice exceeds the threshold amount.
which THRESHOLD_AMOUNT is denominated.
Alert Messages
FRA_INTERNAL_AUDIT 021 Invoice amount is &1 &2
FRA_INTERNAL_AUDIT 022 Invoice unpaid
FRA_INTERNAL_AUDIT 023 One time account number: &1 &2
FRA_INTERNAL_AUDIT 024 Invoice paid with payment number &1 on &2
Detection Method: Duplicate Regular

Vendor and One-Time Vendor
You can use this detection method to find regular vendors that exist in the ERP system as
one-time vendors.
Logic
The name of the one-time vendor (field NAME1 from table BSEC) is compared against the
name of the regular vendor (field NAME1 from table LFA1) to detect duplicate regular and
one-time vendors.
 Investigation object type: FRA_ONETIM (One-Time Vendors)
 Detection object type: FRA_ONETIM (One-Time Vendor Invoices)
ERP Tables Used


e e Type
Category
Selection PR_REG_VENDOR_NAME_SELE SQLScript sap.hana-

se
Execution PR_REG_VENDOR_NAME_EXE SQLScript sap.hana-

C Procedure app.fra.suite.pur.dt.onetimeaccts.
ex
Additional PR_REG_VENDOR_NAME_ADDI SQLScript sap.hana-

Informatio NF Procedure app.fra.suite.pur.dt.onetimeaccts.
n ai

None.
Alert Messages
Detection Method: Multiple Changes on

Purchase Orders
You can use this detection method to find purchase orders to which an
excessive number of changes have been made.
When a purchase order is created, a limited number of changes may be
expected after the purchase order has been saved. If however the number
of changes exceeds a defined limit, then the legitimacy of the changes that
have been made needs to be verified.
This method detects those purchase orders in which a defined limit of
changes was exceeded.
Logic
The execution procedure selects all purchase order numbers (PO) from the
Input Parameters table IT_PO_DETAIL on an inner join with
table CDHDR on the purchase order number (OBJECTID).
Then it counts the number of changes (NR_OF_CHANGES) from
table CDHDR, field CHANGE_IND for each distinct purchase order
number, where the CHANGE_IND does not have the attribute I (I = insert),
the client (MANDT) equals the session client, and the
field OBJECTCLAS has the attribute EINKBELEG.
The THRESHOLD_CHANGES input parameter specifies the minimum
number of changes that must have been made. An alert is generated if
the NR_OF_CHANGES – the number of changes made to a purchase
order – is greater than the parameter THRESHOLD_CHANGES.

 Investigation object type: FRA_PO (Purchase Order)
 Detection object type: FRA_POHEAD (Purchase Order Header)
ERP Tables Used

 CDHDR: Change Document Header

ure ure
Catego Type
ry
Selecti PR_PURCHASE_ORDER_MULTIPLE_C SQLSc sap.hana-

on HANGES_SELE ript app.fra.suite.pur.dt.purchaseor
Proced der.header.se
ure
Executi PR_PURCHASE_ORDER_MULTIPLE_C SQLSc sap.hana-

ure ure
Catego Type
ry
on HANGES_EXEC ript app.fra.suite.pur.dt.purchaseor

Proced der.header.ex
ure
Additio PR_PURCHASE_ORDER_MULTIPLE_C SQLSc sap.hana-

nal HANGES_ADDINF ript app.fra.suite.pur.dt.purchaseor
Informa Proced der.header.ai
tion ure

 THRESHOLD_CHANGES: Limit on allowed number of changes (such as
5) on a purchase order.
Alert Messages
 Message ID FRA_INTERNAL_AUDIT, message number 082; Purchase
order &1 was changed &2 times within the purchasing process
Detection Method: Address Screening for

Politically Exposed Persons (PEP List)
This method screens the partner addresses listed in a purchase order against a Politically
Exposed Persons (PEP) list.
Lists must be downloaded from an external data provider and can be uploaded using a
conversion implementation that uses SAP BusinessObjects Data Services. Such an
implementation is available for download at the SAP Fraud Management wiki in the SAP
Community Network (SCN).
Address screening is technology shared among multiple detection methods. For more
information, see Address Screening.
Logic
The execution procedure starts by selecting unique addresses from the input work set of
purchase order addresses. To maximize performance, the procedure evaluates the addresses
in parallel.
A purchase order item is the detection object. If a partner address is found in an item, then
this address is used. If there is no partner address in the item, then the address is copied from
the purchase order header. If a manually changed address is found, then this address is used
rather than the vendor address in the master data.
The screening logic is held in procedure PR_SCRL_SCREEN_ADDRESSES. This procedure
processes each individual address to find hits against the screening list.
The procedure returns a detection result of 100 if a match is found on the name of a partner is
found or on the name and address (city, street, country). The user specifies whether address
information is checked along with the name.

 Investigation object type FRA_PO (Purchase Order)
 Detection object typeFRA_POITEM (Purchase Order Item)
ERP Tables Used

 EKPA: Partner Roles in Purchasing
 EKPO: Purchasing Document Item
 ADRC: Vendor Master (General Section)
SAP HANA Procedures for Detection Method

ure ure
Categor Type
y
Selectio PR_PURCHASR_ORDER_PARTNE SQLScri sap.hana-

n R_SELE pt app.fra.suite.pur.dt.purchaseorde
Procedu r.item.se
re
Executio PR_PURCHASR_ORDER_PARTNE SQLScri sap.hana-

n R_EXEC pt app.fra.suite.pur.dt.purchaseorde
Procedu r.item.ex
re
Addition PR_PURCHASR_ORDER_PARTNE SQLScri sap.hana-

al R_ADDINF pt app.fra.suite.pur.dt.purchaseorde
Informati Procedu r.item.ai
on re
Technical Name Descriptio Definition

n
FUZZINESS Parameter Specifies by how much two words can differ in spelling
for Fuzzy or additional characters. An error tolerance factor on the
Search scale of 1 to 100.
The parameter controls the sensitivity of the match. For
example: The name “Torsten Holsh” will not
match “Thorsten Hölsh” with a fuzziness of 90, but it will
produce a hit if the fuzziness is set to 80.
The recommended setting is in the range of 80 to 100. A
lower fuzziness factor may produce too many false
positives.
MINIMATCH Minimum Determines the minimum match score that a match has
Match to reach to be classified as a hit. For example: The
name “Airlines” is found inside the name “Consolidated
Airlines”. But the score calculated would be very low
if “Airlines”is defined as a stop word. Minimum match
therefore helps eliminate undesirable or false hits.
ANDTHRESHOLD Address There could be different number of words in a name or

Terms address component. For example, if the name on a
Threshold purchase order is “David Jones” and there is a list
entry “David Robin Jones”, with this option you can
specify that if 2 out of 3 words match, it will be a hit.
ALIAS Include Aliases or term mappings can be used to extend the

Additional search by adding additional search terms. These terms
Terms for must be added to the table FRA_D_SCRL_TERM.
Address For a detailed explanation of term mapping, see SAP
Screening Library for SAP HANA
at http://help.sap.com/hana/hana_dev_en.pd
f
EXCLUSION_TERM Use Excluded terms or stop words are words that you wish
S Excluded to exclude from a search. Certain words, such
Terms as “AG”, “Limited”, “Airlines” etc. are common words
and do not add any value in search. The stop word list is
defined in table FRA_D_SCRL_STPW.
For a detailed explanation of stop words, see SAP
Library for SAP HANA
at http://help.sap.com/hana/hana_dev_en.pd
f
Technical Name Descriptio Definition
n
INITIALS Activate Some names may be maintained with initials only. To

Initials find a hit against such name entries, this flag must be
Check activated.
For example: The name “D. R. Jones”produces a hit
against “David Robin Jones” if the initials flag is turned
on.
LIST_ID List ID Multiple screening lists can be uploaded to the SAP

Fraud Management system. Each list is identified by a
list ID.
With this parameter, you can specify which list you want
to use.
For information on uploading lists, see the SAP Fraud
Management wiki pages in SAP Community Network
(http://scn.sap.com ).
CHECK_ADDRESS Address If this option is set to “Y” (yes), then address information
Must Match is also compared along with name to find a hit. By
default, the name is a must for a hit and the address is
ignored.
Alert Messages
Message ID
Message Number
Message Text
FRA_INTERNAL_AUDIT
072
One-time vendor &1 resides in &2, ranked &3 in CPI
FRA_INTERNAL_AUDIT
073
Vendor &1 resides in &2, ranked &3 in Corruption Perceptions Index (CPI)
Detection Method: Purchase Order Item

with Vendor from High-Risk Country
This detection method lets you find purchase order items that have a
vendor who is located in a high-risk country. A high-risk country is one that
is characterized by high levels of corruption, or by risk of instability or
conflict, or by regulatory or trade risk.
This method checks vendor locations against a list of high-risk countries
that you specify. High-risk country lists rank countries by their risk. The
lower the rank, the lower the risk.
A detection result of 100 is returned for any vendor in a high-risk country.
Alert messages provide detailed information about the purchase order item
and each suspicious vendor or partner. You can view these in the Alert
Details.
Logic
High-risk country lists belong to technology shared among detection rules.
For more information on this technology, see High-Risk Country Screening.

 Detection object type FRA_POITEM (Purchase Order Item)
ERP Tables Used

 EKPA: Partner Roles in Purchasing
 ADRC: Addresses (Business Address Services)
 TPART: Business Partner Functions: Texts
For information on the high-risk country tables, see High-Risk Country List.

re re Type
Categor
y
Selection PR_POITEM_HI_RISK_CNTRY_S SQLScri sap.hana-

ELE pt app.fra.suite.pur.dt.purchaseorder.i
Procedur tem.se
e
Executio PR_POITEM_HI_RISK_CNTRY_E SQLScri sap.hana-

n XEC pt app.fra.suite.pur.dt.purchaseorder.i
Procedur tem.ex
e
re re Type
Categor
y
Additiona PR_POITEM_HI_RISK_CNTRY_A SQLScri sap.hana-

l DDINF pt app.fra.suite.pur.dt.purchaseorder.i
Informati Procedur tem.ai
on e

list to use.
detection process.
Example
DE Germany 12
IQ Iraq 175
KP North Korea 175
AF Afghanistan 176
 If BOTTOM_N_RANKS = 2 it will return the countries AF, IQ, and KP
because they populate the two highest ranks.
countries.
 If BOTTOM_N_RANKS = 3 it will return the countries AF, IQ, KP, and
DE because they populate the three highest ranks.
Note how the procedure ignores gaps in the numbering and includes DE
although it is much less riskier than IQ.
Alert Messages
 Message ID FRA_INTERNAL_AUDIT, message number 105, Partner &1
with role &2 is located in high-risk country &3 with rank &4
Variable role (&2) is specified in column PARVW of table EKPA. The
partner functions are defined in table TPAR and described in table TPART.
To ensure translatability, the procedure returns the function’s code. The
field PARTNER_FUNCTION in source domain INTERNAL_AUDIT then
applies an SAP standard conversion
exit CONVERSION_EXIT_PARVW_OUTPUT to convert the partner
function code to text. The function module reads the attribute
view sap.hana-app.fra.suite.fnd/AT_PARTNER_FUNCTION to get the
description in the user’s current language.
Variable country &3 provides the country in which the partner is located. To
ensure translatability, the procedure provides the country’s code. The
field COUNTRY_CODE in source domain INTERNAL_AUDIT (in the
Customizing activity Define Source Domain and Field Settings) then
applies the SAP standard conversion
exit CONVERSION_EXIT_CTRYC_OUTPUT, which replaces the code with
its description. The function module reads table T005T in the SAP Fraud
Management database schema to provide the description. It uses the long
or short description in the user’s current language, or the long or short
description in English as a fallback language, whichever is available in this
order. If no description is available, then it returns the code itself.
Detection Method: Purchase Invoice

Greater Than Goods Received
This detection method lets you find cases in which the invoice receipt
quantity is greater than the goods received quantity. In purchasing, it is
possible to defraud by invoicing a higher quantity than is actually received.
If, on the other hand, the quantity of goods received is higher than ordered,
but the invoiced quantity is correct, then this is not considered to be fraud.
Logic
This method compares the quantity received in the goods receipt with the
quantity in the invoice. Both documents refer to a foregoing purchase order.
If the invoiced quantity is higher than the received one, then the purchase
order item is suspicious. If the quantities in the goods receipt and in the
invoice are the same but nevertheless higher than in the purchase order,
then the purchase order item is again suspicious.
For the comparison, the quantities in the goods receipt and in the invoice
are aggregated on their debit/credit flag per purchase order item.
Afterwards the credit is subtracted from the debit and the real quantity per
purchase order item is determined.
The user can also define a threshold in percent that indicates how much
the quantity in the invoice may exceed the quantity to which it is being
compared.
The calculation of the risk value in the additional information procedure is
determined in the following way:
 If the quantity delivered is smaller than the quantity ordered, then the net
price of the purchasing document (field NETPR of table EKPO) is
multiplied by the difference between invoiced and delivered quantity.
 If the delivered quantity is greater than or equal to the ordered quantity
(but fraud is assumed), then the risk value is calculated by multiplying
the net price by the difference between the quantity invoiced and the
quantity ordered.
This calculation ensures that the largest difference – between invoiced and
ordered or invoiced and received quantity – is multiplied by the net price
and returned as the risk value.
Example 1: 10 pieces are ordered, 5 pieces are delivered and 10 pieces
are invoiced, threshold 10. In this case the invoiced quantity is greater than
the delivered quantity plus 10%. This would be considered suspicious.
Example 2: 10 pieces are ordered, 20 pieces are delivered, 20 pieces are
invoiced. In this case the invoiced quantity is greater than the ordered
quantity plus 10%. This would be considered suspicious.

ERP Tables Used

 MSEG: Document Segment: Material

ure ure
Categor Type
y
Selectio PR_PURCHASE_ORDER_QUANTIT SQLScri sap.hana-

n Y_SELE pt app.fra.suite.pur.dt.purchaseorde
Procedu r.item.se
re
Executio PR_PURCHASE_ORDER_QUANTIT SQLScri sap.hana-

n Y_EXEC pt app.fra.suite.pur.dt.purchaseorde
Procedu r.item.ex
re
Addition PR_PURCHASE_ORDER_QUANTIT SQLScri sap.hana-

al Y_ADDINF pt app.fra.suite.pur.dt.purchaseorde
on re

 THRESHOLD_QUANTITY: Indicates in percent how much higher the
quantity in the invoice may be than the quantity to which it is being
compared. If the difference lies within this percentage, then no alert is
created.
Alert Messages
 Message ID FRA_INTERNAL_AUDIT, message number 067, Delivered
quantity &1 < invoiced quantity &2 in accounting document(s)
Detection Method: Purchase Order

Overpaid
You can use this detection method to find cases in which the amount paid
in an invoice is greater than the amount shown in the relevant purchase
order item.
Logic
The method compares the amount in the purchase order item with the
amount in the invoice. If the invoiced amount is higher than the amount in
the purchase order item, then the purchase order item is suspicious.
For the comparison, the amounts in the purchase order item and the
invoice recipient are converted into the currency of the company code. The
net values of the invoice recipient are then added up according to the
debit/credit sign in the record. Any credit is subtracted from the debit, and
the real amount in the invoice document is determined.
Similarly, the net value of the purchase order item is calculated with respect
to the invoiced quantity, so that the amounts are compared using the same
quantity (here, the quantity in the invoice). The net values are then
aggregated per purchase order item. The amounts are then compared and
the result is evaluated against the threshold amount/currency and threshold
percent (defined by the user) that indicate how much the amount in the
invoice may exceed the amount in the purchase order item to which it is
being compared. The risk amount is then the difference between the
invoice amount and the purchase order amount.
Note
 The currency conversion uses the standard conversion at average type
of type M and the business document dates of the purchase order and
invoice.
 The functionality is restricted to purchase order items of the
category Standard (PSTYP = 0).
 Amount values (that is, the purchase order item net value, the invoice
net value, and the risk value) are rounded to two decimal places.

ERP Tables Used

 T001: Company Codes Tables for the currency conversion (TCUR…)

Procedu Procedure Name Proced Package
re ure
Categor Type
y
Selectio PR_PURCHASE_ORDER_AMOUNT SQLScri sap.hana-

n _SELE pt app.fra.suite.pur.dt.purchaseorde
Procedu r.item.se
re
Executio PR_PURCHASE_ORDER_AMOUNT SQLScri sap.hana-

n _EXEC pt app.fra.suite.pur.dt.purchaseorde
Procedu r.item.ex
re
Addition PR_PURCHASE_ORDER_AMOUNT SQLScri sap.hana-

al _ADDINF pt app.fra.suite.pur.dt.purchaseorde
on re

 THRESHOLD_AMOUNT: Indicates how much larger the amount in the
invoice may be in comparison to the amount in the corresponding
purchase order item. A smaller difference between invoice and purchase
order amounts does not trigger an alert. All amounts are converted into
the currency of the company code so that the amounts are compared in
the same currency.
 THRESHOLD_CURRENCY: Is the currency of the threshold amount.
 THRESHOLD_PERCENTAGE: Indicates how much larger in percent the
amount in the invoice may be in comparison to the amount in the
purchase order item.
Alert Messages
 Message ID FRA_INTERNAL_AUDIT, message number 065, Ordered
amount &1 &2 < invoiced amount &3 &4 in accounting document(s)
Detection Method: Vendor Bank Data

Change (Flip-Flop Vendor)
This detection method lets you find vendors for which the master data –
especially bank account information – has changed often within a specified
period of time.
Logic
This detection method reads changes to the bank data of vendors and
checks whether each change reverses a previous change to the same
bank data. The previous change must occur within the interval specified in
the input parameters to the detection method. If these conditions are met,
then the detection method determines whether invoices were paid to the
vendor during the specified period of time.
The detection result is 50 if there was a master data change without
payments. The detection result is 100 if payments are found while the
master data was changed. The risk value is the aggregated payment
amount in investigation currency.

 Investigation object type: FRA_VMDCHG (Vendor Master Data Change)
 Detection object type: FRA_VMDCHG (Vendor Master Data Change)
ERP Tables Used


ure ure
Categor Type
y
Selectio PR_BB_VENDOR_BANK_DATA_CHAN SQLScri sap.hana-

n GED_SELE pt app.fra.suite.pur.dt.vendormas
Procedu terchng.se
re
Executi PR_BB_VENDOR_BANK_DATA_CHAN SQLScri sap.hana-

on GED_EXEC pt app.fra.suite.pur.dt.vendormas
Procedu terchng.ex
re
Addition PR_BB_VENDOR_BANK_DATA_CHAN SQLScri sap.hana-

ure ure
Categor Type
y
al GED_ADDINF pt app.fra.suite.pur.dt.vendormas
Informat Procedu terchng.ai
ion re

 REVIEW_PERIOD_IN_DAYS: Period in days in which changes to
previous changes to the alternative payee are to be sought.
Alert Messages

Number
FRA_INTERNAL_AUDIT 041 No payment available
FRA_INTERNAL_AUDIT 042 Date and time when the new bank account was
active the last time: &1, &2
FRA_INTERNAL_AUDIT 043 The document number of the payment is &1
Detection Method: Alternative Payee

(Flip-Flop Payee) – Cross Company Code
This detection method reads the master data changes of vendors and
checks whether, within a given period of time:
 A previous change of the field Alternative Payee exists for the same
vendor, and
 This change has been reversed by the current change.
These checks are made across the company codes of an enterprise.
If these conditions apply, then the method checks whether any invoices
have been paid during the period of time in which the alternative payee was
changed. The detection result is 50 for changes without payments and 100
for changes with payments. The risk value is the aggregated payment
amount in the investigation currency.
Logic
The business logic is the same for both versions of the flip-flop payee
detection method.
For each change in the incoming data table, the execution procedure
checks whether a payment has taken place in the critical period (between
the flip-flops of the alternative payee name). To make this check, the
procedure joins the incoming data table with the database
tables BSEG and BKPF and selects the company code, the vendor, the
change date and time as well as the connected change date and time
where the client equals the session client, the account type (KOART)
equals K, the posting key (BSCHL) is 25and the date on which the
accounting document was entered (CPUDT) is greater than the connected
change date as well as lower than the change date.
If the date on which the accounting document was entered is equal to the
connected change date, then the time on which the accounting document
was entered (CPUTM) must be greater than the connected change time.
If the date on which the accounting document was entered is equal to the
change date, then the time on which the accounting document was entered
must be lower than the change time. This selection leads to a table with all
the changes with payments in the critical period.
To find all payee changes without payments, the procedure collects
company code, vendor, change date, change time, connected change date,
and connected change time from the incoming data table that are not in the
first selection of the procedure.
The result is built by setting 100 as detection result for changes with
payments and 50 for changes without payments and combining the table of
the changes with payment with the table containing the changes without
payments.

 Investigation object type: FRA_VMDCHG (Vendor Master Data Change)
 Detection object type: FRA_VMDCHG (Vendor Master Data Change)
ERP Tables Used

 CDPOS: Change document items

ure ure
Categor Type
y
Selectio PR_VENDOR_PAYEE_DATA_CHANG SQLScri sap.hana-

n ED_SELE pt app.fra.suite.pur.dt.vendormast
Procedu erchng.se
re
Executio PR_VENDOR_PAYEE_DATA_CHANG SQLScri sap.hana-

n ED_EXEC pt app.fra.suite.pur.dt.vendormast
Procedu erchng.ex
re
Addition PR_VENDOR_PAYEE_DATA_CHANG SQLScri sap.hana-

al ED_ADDINF pt app.fra.suite.pur.dt.vendormast
Informat Procedu erchng.ai
ion re

 REVIEW_PERIOD_IN_DAYS: Period in days in which changes to
previous changes to the alternative payee are to be sought.
Alert Messages

Number
FRA_INTERNAL_AUDIT 070 Time when the alternative payee was changed

the last time: &1 &2
FRA_INTERNAL_AUDIT 071 The document number of the payment is &1
Detection Method: Duplicate Invoice with

Same Approver 1
Use this detection method to determine if a document reference number
(external invoice ID) has been used more than once for the same vendor
and if it was approved by the same person.
Logic
Invoices are considered suspicious if the:
 Vendor (field LIFNR in table BSEG) is the same
 Reference number (field XBLNR in table BKPF) is the same
 And if one of the following fields are different:
o Company code (field BUKRS in table BKPF)
o Document number (field BELNR in table BKPF)
o Fiscal year (field GJAHR in table BKPF)
If the above conditions are met, the detection method returns a score of 50.
If the suspicious invoices were also approved by the same person
(field WI_AAGENT in table SWWWIHEAD), then it returns a score of 100.
To determine the approver, only workflow items with task ID TS00407862,
which is the standard payment release task (field WI_RH_TASK in
table SWW_WI2OBJ), are considered. This information may need to be
adapted for customer-specific workflow implementations.

 Investigation object type FRA_VEND (Vendor)
 Detection object type FRA_VEINVH (Vendor Invoice Header)
ERP Tables Used

Types

re re Type
Categor
y
Selection PR_INVOICE_REF_DOUBLES_S SQLScri sap.hana-

ELE pt app.fra.suite.pur.dt.vendor.invoicehe
Procedur ader.se
e
Executio PR_INVOICE_REF_DOUBLES_E SQLScri sap.hana-

re re Type
Categor
y
n XEC pt app.fra.suite.pur.dt.vendor.invoicehe
Procedur ader.ex
e
Additiona PR_INVOICE_REF_DOUBLES_A SQLScri sap.hana-

l DDINF pt app.fra.suite.pur.dt.vendor.invoicehe
Informati Procedur ader.ai
on e
Alert Messages

Number
FRA_INTERNAL_AUDIT 063 External document reference number &1 is also

used with invoice &2/&3/&4
FRA_INTERNAL_AUDIT 064 Both invoices have been approved by the same

person
Detection Method: Duplicate Invoices with

Same Approver 2
Use this detection method to find duplicate invoices that were approved by
the same user.
Logic
Invoices are considered duplicates if the:
 Company code (field BUKRS in table BKPF) is the same
 Vendor (field LIFNR in table BSEG) is the same
 Reference number (field XBLNR in table BKPF) is the same
 Amount (field WRBTR in table BSEG) is the same
 Document currency (field WAERS in table BKPF) is the same
 Document numbers (field BELNR in table BKPF) are different
If the invoices are duplicates and the approver (field WI_AAGENT in
table SWWWIHEAD) is identical, then the detection method returns a score
of 100.
To determine the approver, only workflow items with task ID TS00407862,
which is the standard payment release task (field WI_RH_TASK in
table SWWWIHEAD), are considered. This information may need to be
adapted for customer-specific workflow implementations.

 FRA_VEND: (Vendor)
 FRA_VEINVH: (Vendor Invoice Header)
ERP Tables Used

Types
Procedu Procedure Name Proced Package

re ure
Categor Type
y
Selectio PR_DUP_INV_SAME_APPROVER SQLScri sap.hana-

n _SELE pt app.fra.suite.pur.dt.vendor.invoiceh
Procedu eader.se
re
Executio PR_DUP_INV_SAME_APPROVER SQLScri sap.hana-

n _EXEC pt app.fra.suite.pur.dt.vendor.invoiceh
Procedu eader.ex
re
Addition PR_DUP_INV_SAME_APPROVER SQLScri sap.hana-

al _ADDINF pt app.fra.suite.pur.dt.vendor.invoiceh
Informati Procedu eader.ai
on re

None
Alert Messages

Number
FRA_INTERNAL_AUDIT 116 Invoice has a duplicate in the system:
FRA_INTERNAL_AUDIT 117 Invoice number: &1 Fiscal year: &2 Approved

by: &3
Detection Method: Round Invoice

Amounts Above Threshold for Vendor
You can use this method to detect vendors for whom there is a high
percentage of invoices with rounded amounts, such as 1000.00 or
10,000.00. For this method, you specify the following:
 The minimum percentage of invoices that must be rounded in order to be
relevant for a fraud alert
 The number of trailing digits that must be 0 to qualify an amount as
rounded
 The minimum threshold for the amount of a rounded invoice
An alert is triggered for a vendor if all of the threshold conditions are met
Logic
Relevant detection objects are restricted to those with
table BSEG field VBUND = initial (not intercompany) and account
type KOART = K.
The execution procedure first converts the threshold amount from the input
parameters into the currency of the invoice item. It then determines how
many invoices have rounded amounts as a percentage of all invoices. If
this percentage exceeds the threshold for a vendor, then the method
returns those rounded invoices that exceed the minimum amount in the
input parameters.

Investigation object type: FRA_VEND (Vendor)
Detection object type: FRA_VEINVI (Vendor Invoice Item)
ERP Tables Used

ure ure
Categor Type
y
Selectio PR_VENDOR_ROUND_INVOICE_AMO SQLScri sap.hana-

n UNT_SELE pt app.fra.suite.pur.dt.vendor.invo
Procedu iceitem.se
re
Executi PR_VENDOR_ROUND_INVOICE_AMO SQLScri sap.hana-

on UNT_EXEC pt app.fra.suite.pur.dt.vendor.invo
Procedu iceitem.ex
re
Addition PR_VENDOR_ROUND_INVOICE_AMO SQLScri sap.hana-

al UNT_ADDINF pt app.fra.suite.pur.dt.vendor.invo
Informat Procedu iceitem.ai
ion re

 NUMBER_OF_DIGITS: The number of trailing digits to the left of the
decimal sign in the invoice amount that must be “0” to qualify as a
rounded amount. Digits after the decimal sign must always be zero.
Example: If NUMBER_OF_DIGITS = 3, then 1000,00 is counted as a
rounded amount. 1000,34 would not be counted as a rounded amount.
 THRESHOLD_AMOUNT: The minimum amount of rounded invoices that
should be reported as irregular by the detection method.
which THRESHOLD_AMOUNT is denominated, so that amounts can be
converted for comparison.
 INVOICE_SHARE: Minimum percentage of rounded invoices. Invoices
above THRESHOLD_AMOUNT are returned as suspicious only if the
percentage of rounded invoices as a percentage of all invoices exceeds
the INVOICE_SHARE threshold.
Alert Messages
 Message ID FRA_INTERNAL_AUDIT, message number 108, Invoice
item &1, from vendor &2, has a round amount: &3 &4
Variable &1 is the concatenation of the document and item numbers of the
invoice, variable &2 is the name of the vendor, variable &3 is the amount of
a rounded invoice, variable &4 is the currency.
Detection Method: Duplicate Invoices

Use this detection method to find vendors that have identical invoices.
Invoices are identical if the following invoice data match:
 The company code (field BUKRS in table BSEG)
 The reference number (field XBLNR in table BKPF)
 The item number (field BUZEI in table BSEG)
 The amount (field WRBTR in table BSEG)
 The currency (field WAERS in table BKPF)
 The vendor ID (field LIFNR in table BSEG) or the vendor VAT
registration number (field STCEG in table LFA1)
 The invoices have different document numbers (field BELNR in
table BSEG)
A detection result of 100 points is returned for every duplicate invoice.
Invoices are limited to type VBUND = initial (not intercompany) and account
type KOART = K in the BSEG table.

Investigation object type: FRA_VEND (Vendor)
Detection object type: FRA_VEINVI (Vendor Invoice Item)
ERP Tables Used


e e Type
Category
Selection PR_DUP_INVOICE_SELE SQLScript sap.hana-

e e Type
Category
Procedure app.fra.suite.pur.dt.vendor.invoiceitem.
se
Execution PR_DUP_INVOICE_EXEC SQLScript sap.hana-

Procedure app.fra.suite.pur.dt.vendor.invoiceitem.
ex
Additional PR_DUP_INVOICE_ADDIN SQLScript sap.hana-

Informatio F Procedure app.fra.suite.pur.dt.vendor.invoiceitem.
n ai
Alert Messages

Number
FRA_INTERNAL_AUDIT 110 Similar invoice exists for vendor &1 / VAT

registration number &2
Note
Variable &1 (Vendor) is filled with the contents of table BSEG field LIFNR.
Variable &2 (VAT registration number) is filled with the content of
table LFA1, field STCEG.
Detection Method: Split Invoices Exceed

Limit
This detection method examines the invoice items related to a vendor to
check that payments are not being split into many small payments instead
of one bigger payment that is greater than a permitted level. If split
payments that exceed the permitted level are present, then the invoice
items of the vendor are suspicious.
Detection Method Based on SQLScript Procedure

FRA_IA_PUR_V_II_SPLI
Logic
To allow comparisons, the amounts of thresholds are converted to the
currency of the company code. For the invoice item, the amount in
company code currency from the invoice is used.
The invoice items are summed in accordance with the debit/credit sign of
the record. The debit sum is subtracted from the credit sum and the real
amount of the invoices is determined. If the amount of a single invoice item
is smaller than the threshold for a single invoice (defined by the user), then
the invoice amounts are aggregated by vendor and company code. If the
sum of all invoices related to this vendor is greater than the threshold for
the sum of the invoices (defined by the user), then the invoice items of the
vendor are suspicious.
The risk amount is defined as the sum of the amounts of the selected
invoice items of the vendor.
Note
of type ‘M’.
 The functionality is restricted to invoice items with posting keys Reverse
Invoice, Credit Invoice, Invoice, Reverse Credit Memo
(21 OR 22 OR 31 OR 32) that are not intracompany, and Account
Type Vendor.
 Alerts are created only for invoice items with posting
key Invoice and Reverse Credit Memo.

 Investigation object type: FRA_VEND (Vendor)
 Detection object type: FRA_VEINVI (Vendor Invoice Item)
ERP Tables Used

 TCUR… tables for currency conversion

e e Type
Category
Selection PR_INVOICE_ITEM_SELE SQLScript sap.hana-

e e Type
Category
Procedure app.fra.suite.pur.dt.vendor.invoiceitem
.se
Execution PR_SPLIT_INVOICES_EXEC SQLScript sap.hana-

Procedure app.fra.suite.pur.dt.vendor.invoiceitem
.ex
Additional PR_SPLIT_INVOICES_ADDI SQLScript sap.hana-

Informatio NF Procedure app.fra.suite.pur.dt.vendor.invoiceitem
n .ai

 THRESHOLD_SINGLE: The maximum amount of an invoice item that is
checked. If the invoice item amount exceeds this threshold, then the
invoice item is ignored for detection purposes. All amounts (threshold
and invoice item amounts) are converted into the currency of the
company code in order to compare the amounts in the same currency.
 THRESHOLD_SINGLE_CURRENCY: The currency of the threshold
single amount.
 THRESHOLD_SUM: The amount that the sum of the invoice items of a
vendor must exceed to indicate suspicion of split invoices. If the sum of
the invoice item amounts for the vendor is lower than this threshold, then
the invoice items are deemed to be not suspicious. All amounts are
converted into the currency of the company code in order to compare the
amounts in the same currency.
 THRESHOLD_SUM_CURRENCY: Sets the currency of the threshold
sum amount.
Alert Messages
 Message ID FRA_INTERNAL_AUDIT, message 078, Several invoices
under threshold exist; sum exceeds given limit: &1 &2
Detection Method: Suspicious Term

Screening for Vendor Invoice Items
You can use this method to screen the text of vendor invoice items for
specific terms. Terms that are thought to be suspicious can be specified
and grouped to lists using the Suspicious Terms tile in SAP Fraud
Management.
Logic
The execution procedure checks if the field SGTXT in table BSEG contains
one of the terms in the suspicious terms list. The terms are compared by a
fuzzy search with the specified fuzziness factor. The search is contained in
the procedure sap.hana-
app.fra.suite.lib/PR_INVOICE_ITEM_SUSPICIOUS_TERMS_EXEC.
To improve performance, the search direction is reversed in mass detection
by searching one suspicious term at a time in all vendor invoice texts. This
requires the creation of a full text index on field SGTXT of table BSEG.
Investigation and Detection Object

ERP Tables Used

 BKPF Accounting Document Header
BSEG Accounting Document Segment

ure ure
Categor Type
y
Selectio PR_SUSP_TERM_INVOICE_SELE SQLScri sap.hana-

n pt app.fra.suite.ord.dt.customer.invoi
Procedu ceitem.se
re
Executio PR_SUSP_TERM_VENDOR_INVOI SQLScri sap.hana-

n CE_EXEC pt app.fra.suite.pur.dt.vendor.invoicei
Procedu tem.ex
re
Addition PR_SUSP_TERM_INVOICE_ADDIN SQLScri sap.hana-

al F pt app.fra.suite.ord.dt.customer.invoi
ure ure
Categor Type
y
Informati Procedu ceitem.ai

on re
Note
The selection and additional information procedures from customer invoice
items are reused for this detection method for vendor invoice items.

 FUZZINESS: Indicates how precise a hit needs to be. A fuzziness of 100
indicates that the terms must match exact to each other.
 SUSP_TERM_LIST_ID: Specifies which list is used as foundation for the
screening.
Alert Messages
FRA_INTERNAL_AUDIT 074 Suspicious terms "&1" found in text "&2"
Detection Method: New Invoices to

Inactive Vendors
This detection method lets you find invoices for vendors that had no
invoices during the past x days, where x is defined by the input
parameter MIN_DAYS_NO_ACTIVITY of the rule.
Detection Method based on SQLScript Procedure

FRA_IA_PUR_V_II_N_A
Logic
For each vendor, the invoice with the latest date is selected. In a second
step, the invoice before the last one is determined. The final step is to
calculate the difference between the creation dates of the two invoices for
the vendor (the most recent and the previous invoices). If the difference is
equal to or larger than the threshold number of days in detection method
parameter MIN_DAYS_NO_ACTIVITY, then an alert is raised. If the most
recent invoice is also the first invoice created for a vendor, then no alert is
raised.
The risk amount of an alert is defined as the sum of the values of
the DMBTR field of the invoice items that are considered to be suspicious.
The method checks only invoices items that meet the following conditions:
 The invoices are for regular vendors (not one-time account invoices)
 The account type is set to K
 The field SHKZG has value H.

ERP Tables Used


re re Type
Categor
y
Selection PR_360DAYS_NO_ACTIVITY_SE SQLScrip sap.hana-

LE t app.fra.suite.pur.dt.vendor.invoiceit
Procedur em.se
e
Executio PR_360DAYS_NO_ACTIVITY_EX SQLScrip sap.hana-

n EC t app.fra.suite.pur.dt.vendor.invoiceit
Procedur em.ex
e
Additiona PR_360DAYS_NO_ACTIVITY_A SQLScrip sap.hana-

l DDINF t app.fra.suite.pur.dt.vendor.invoiceit
on e
 MIN_DAYS_NO_ACTIVITY: Threshold for the minimum number of days
of activity. An invoice that appears after longer inactivity than this
threshold is considered suspicious.
Alert Messages
FRA_INTERNAL_AUDIT 106 Vendor &1 had a new invoice
FRA_INTERNAL_AUDIT 107 The last posting to the account was on &1

Example
When Is an Alert Produced?
Business Rule “FRA_IA_PUR_V_II_NOAC”
Logic
For each vendor, the invoice with the latest date is selected. In a second
step, the invoice before the last one is determined. The final step is to
calculate the difference between the creation dates of the two invoices for
the vendor (the most recent and the previous invoices). If the difference is
equal to or larger than the threshold number of days in detection method
parameter Min days without account activity, then an alert is raised. If the
most recent invoice is also the first invoice created for a vendor, then no
alert is raised.
The method checks only invoices items that meet the following conditions:
 The invoices are for regular vendors (not one-time account invoices).
 The field DebitCreditCodehas the value for the creditor.
Used Entities
 DETECTION_OBJECT
 VENDOR_INVOICE_ITEM
SAP HANA Vocabulary

 Package: sap.hana-app.fra.suite.pur.dt.vendor.invoiceitem.dme
 Name: VendorInvoiceItem.hprvocabulary

 Min days without account activity (MIN_DAYS_WITHOUT_ACTIVITY)
Threshold for the minimum number of days of activity. An invoice that
appears after longer inactivity than this threshold is considered
suspicious.
Risk Value
AmountInAlertCurrency: The Risk Value is the amount of the specific
invoice in the alert currency.
Risk Value Currency

AlertCurrency: The Risk Value Currency is the Currency of the alert.
Additional Information
The alert shows the last posting to the account.
Detection Method: Invoice Without

Purchase Order Reference
You can use this detection method to find invoices that do not reference
any purchase order.
The method examines the invoice items of a vendor to verify that all
invoices whose amount exceeds a user-specified threshold reference a
purchase order. If an invoice item has no reference to a purchase order,
then this invoice item of the vendor is suspicious.
To allow comparisons, the amount of the threshold is converted to the
currency of the company code. For amounts on invoice items, the amount
in the currency of the company code currency of the invoice is used.
The risk amount of a resulting alert is defined as the sum of the amounts of
the invoice items of the vendor that are found to be suspicious.
Logic
The amount of an invoice is the amount in field DMBTR. All invoices with
field AWTYP set to RMRP are evaluated. AWTYP = RMRP means that the
base business transaction is of type Material Management Incoming
Invoice.
In invoices with AWTYP RMRP, the AWKEY field consists of two parts.
These two fields are the document ID and the fiscal year
(fields BELNR and GJAHR). These fields are the key for the entries in the
table RBKP and are part of the key for table RSEG. The key is split up in its
parts and is used to identify the relevant lines in RBKP and RSEG.
If an invoice has an entry in table RSEG, then the methods checks whether
field EBELN is filled in RSEG. If this is not the case for at least one entry
in RSEG, then the invoice is missing a purchase order and is suspicious.
Invoices that have no corresponding entries in table RSEG but do have
entries in table RBKP are also considered to be suspicious.
Note
of type M and the business posting dates of the invoice.
 The functionality is restricted to invoice items that have the posting
keys Invoice, Reverse Credit Memo (31 OR 32), which are
not Intercompany, Account Type Vendor, and with Debit/Credit Indicator
Credit.

 Investigation object type FRA_VEND (Vendor)
 Detection object type FRA_VEINVI (Vendor Invoice Item)
ERP Tables Used

 RBKP: Document Header: Invoice Receipt
 Tables for the currency conversion (TCUR…)

e e Type
Category
Selection PR_INV_WO_PO_REF_SELE SQLScript sap.hana-

Procedur app.fra.suite.pur.dt.vendor.invoiceite
e m.se
Execution PR_INV_WO_PO_REF_EXE SQLScript sap.hana-

C Procedur app.fra.suite.pur.dt.vendor.invoiceite
e m.ex
Additional PR_INV_WO_PO_REF_ADDI SQLScript sap.hana-

Informatio NF Procedur app.fra.suite.pur.dt.vendor.invoiceite
n e m.ai

 THRESHOLD_AMOUNT: The minimum amount threshold for invoice
items that are to be checked by the method. Invoice items for smaller
amounts are ignored. The threshold amount is converted into the
currency of the company code to compare the amounts in the same
currency.
 THRESHOLD_CURRENCY: Sets the currency of the threshold amount.
Alert Messages
 Message ID FRA_INTERNAL_AUDIT, message number 077, Selected
period has invoices above the threshold w/o reference to a PO
Detection Method: Vendor Invoices with

Similar Amounts
You can use this detection method to find duplicate invoice items that have
similar amounts. Specifically, this detection method looks for invoice items
with the following characteristics; the invoice items:
 Were booked in the same company code
 Come from the same vendor
 Have the same invoice date
 Have the same line item number
 Have the same reference invoice number
 Have similar amounts
The amounts are similar if they do not differ by more than an amount that
you specify as a detection method parameter. Currency conversion
takes place to ensure the comparability of amounts.
You can restrict the invoice items that are evaluated by specifying upper
and lower thresholds on the invoiced amount. You can also specify the type
of invoice to be evaluated.
A detection result of 100 is returned for duplicate invoice items.

ERP Tables Used


re re Type
Categor
y
Selection PR_VEND_SIM_INV_AMOUNT_S SQLScri sap.hana-

ELE pt app.fra.suite.pur.dt.vendor.invoiceit
Procedur em.se
e
Executio PR_VEND_SIM_INV_AMOUNT_E SQLScri sap.hana-

n XEC pt app.fra.suite.pur.dt.vendor.invoiceit
Procedur em.ex
e
re re Type
Categor
y
Additiona PR_VEND_SIM_INV_AMOUNT_A SQLScri sap.hana-

l DDINF pt app.fra.suite.pur.dt.vendor.invoiceit
on e
Parameter Meaning
LOWER_LIMIT Lower limit for invoice item amounts that are evaluated
by this detection method. Invoice items with lower
amounts are ignored.
LOWER_LIMIT_CURRENCY Currency in which LOWER_LIMIT is denominated.
UPPER_LIMIT Upper limit for invoice item amounts that are evaluated
by this detection method. Invoice items with larger
amounts are ignored.
UPPER_LIMIT_CURRENCY Currency in which UPPER_LIMIT is denominated.
DIFFER_ALLOWED Absolute amount by which invoice item amounts may

differ. Invoice items amounts that differ by less than this
amount are considered similar. If the amounts are similar
and other characteristics match, then the detection result
is set to 100 for the pair of invoice items.
DIFFER_ALLOWED_CURRENCY Currency in which DIFFER_ALLOWED is denominated.
DOCUMENT_TYPE Specifies the document type of invoices (BKPF.BLART)

that are to be evaluated by this detection method.
Typical invoice types are RE (Gross Invoice Receipt)
or KR (Vendor Invoice).
Alert Messages
 Message ID FRA_INTERNAL_AUDIT, message number 111, Similar
invoice for ref. doc. no. &1 found on date &2 with amount &3 &4
The message variables are as follows:
o &1 – Reference document (BKPF.XBLNR)
o &2 – Invoice date (BKPF.BLDAT)
o &3 – Risk amount (invoice amount from BSEG.WRBTR)
o &4 – Invoice currency (BKPF.WAERS)
Detection Method: Divergent Vendor and

Payment Country
You can use this method to find cases in which the payment for an invoice
was transferred to a country that differs from the vendor’s home country.
Logic
Detection objects are restricted to those that are not of
type Intercompany (where field VBUND is initial). For each invoice item,
this method checks whether the country key of the receiving bank differs
from the country key of the vendor’s home country (field LAND1 in
table LFA1). The method returns a score of 100 if the country keys differ.

ERP Tables Used

 REGUH: Settlement data from payment program
 REGUP: Processed items from payment program

ure ure
Catego Type
ry
Selectio PR_INVOICE_ITEM_SUSP_PAYMNT_CO SQLScr sap.hana-

n UNTRY_SELE ipt app.fra.suite.pur.dt.vendor.in
Proced voiceitem.se
ure
Executi PR_INVOICE_ITEM_SUSP_PAYMNT_CO SQLScr sap.hana-

on UNTRY_EXEC ipt app.fra.suite.pur.dt.vendor.in
Proced voiceitem.ex
ure
ure ure
Catego Type
ry
Addition PR_INVOICE_ITEM_SUSP_PAYMNT_CO SQLScr sap.hana-

al UNTRY_ADDINF ipt app.fra.suite.pur.dt.vendor.in
Informa Proced voiceitem.ai
tion ure
Alert Messages

Number
FRA_INTERNAL_AUDIT 075 The country key of vendor &1 is &2
FRA_INTERNAL_AUDIT 076 Payment of this invoice was transferred to a bank

with country key &1
Detection Method: Vendor in Invoice Item

in High-Risk Country
You can use this detection method to find vendor invoice items with regular
or one-time vendors that are located in a high-risk country.A high-risk
country is one that is characterized by high levels of corruption, or by risk of
instability or conflict, or by regulatory or trade risk.
This method checks vendor locations in invoice items against a list of high-
risk countries that you specify. High-risk country lists rank countries by their
risk. The lower the rank, the lower the risk.
Note
High-risk country lists belong to technology shared among detection rules.
For more information on this technology, see High-Risk Country Screening.
A detection result of 100 is returned for a vendor located in any country in a
user-specified number of the highest risk countries by rank in the list. Alert
messages identify the vendor and the high-risk country.
Logic
The method works by selecting vendors from table LFA1 and then reading
the invoice items of the vendor from table BSEG. The vendor in an invoice
item in field LIFNR in table BSEG is then found in table LFA1. The country
of the vendor, from field LAND1 in table LFA1, is then checked against the
list of high-risk countries.

ERP Tables Used


re re Type
Categor
y
Selection PR_INVOICE_ITEM_SELE SQLScri sap.hana-

pt app.fra.suite.pur.dt.vendor.invoiceit
Procedur em.se
e
Executio PR_VEINVI_HI_RISK_CNTRY_E SQLScri sap.hana-

n XEC pt app.fra.suite.pur.dt.vendor.invoiceit
Procedur em.ex
e
Additiona PR_VEINVI_HI_RISK_CNTRY_A SQLScri sap.hana-

l DDINF pt app.fra.suite.pur.dt.vendor.invoiceit
on e

list to use.
detection process.
Example
DE Germany 12
IQ Iraq 175
KP North Korea 175
AF Afghanistan 176
 If BOTTOM_N_RANKS = 2 it will return the countries AF, IQ, and KP
because they populate the two highest ranks.
countries.
 If BOTTOM_N_RANKS = 3 it will return the countries AF, IQ, KP, and
DE because they populate the three highest ranks.
Note how the procedure ignores gaps in the numbering and includes DE
although it is much less riskier than IQ.
Alert Messages
 Message ID FRA_INTERNAL_AUDIT, message number 109, Vendor &1
is located in high-risk country &2, which has the rank &3
Detection Method: Vendor Payments Too

Early
You can use this detection method to find instances in which a vendor has
been paid too quickly, relative to the agreed-upon payment terms. You can
allow a grace period in days. Early payments are ignored if their earliness
does not exceed the number of days in the grace period.
Detection Method based on SQLScript procedure

FRA_IA_PUR_VEN_INV_ITEM
Logic
The invoice items that are processed must have a credit entry (in
table BSEG field SHKZG = H). Also, for accounting type, in
table BSEG field KOART = K), and the accounting key is of type credit
memo, reverse invoice, invoice, and reverse credit invoice
(table BSEG field BSCHL = 21 or 22 or 31 or 32).
The procedure works by calculating a tolerance date as the date on which
an accounting document was entered (table BKPF field CPUDT) plus the
largest cash discount days value minus the TOLERANCE_DAYS input
parameter.
For returning results, this TOLERANCE_DATE is compared with
the CLEARING_DATE. If the TOLERANCE_DATE is larger, then an alert is
created.

ERP Tables Used


ure ure
Categor Type
y
Selectio PR_VENDOR_INV_EARLY_PAYMEN SQLScri sap.hana-

n T_SELE pt app.fra.suite.pur.dt.vendor.invoi
Procedu ceitem.se
re
Executio PR_VENDOR_INV_EARLY_PAYMEN SQLScri sap.hana-

n T_EXEC pt app.fra.suite.pur.dt.vendor.invoi
Procedu ceitem.ex
re
Addition PR_VENDOR_INV_EARLY_PAYMEN SQLScri sap.hana-

al T_ADDINF pt app.fra.suite.pur.dt.vendor.invoi
Informati Procedu ceitem.ai
on re

 TOLERANCE_DAYS: The minimum threshold for the number of days
early that a payment has been made. If the earliness of the payment falls
within this grace period, then the early payment is ignored.
Alert Messages
 Message ID FRA_INTERNAL_AUDIT, message number 096, Invoice
item was paid on the &1, &2 days earlier than the net due date &3
Detection Method: Manual Payment to a

Vendor
You can use this method to determine whether manual payments – that is,
payments outside the ERP system – have been made to a vendor.
Logic
The execution procedure selects all invoices that have posting key
= 21 or 22 or 31 or 32, accounting type K, and a clearing document
number. The document number, company code, fiscal year, and item
number must be the same as from the input data set.
The execution procedure then checks whether any of the invoices were
manually paid. That is, the payments are of accounting type K, the posting
key = 25. The payments also must not have been done using transaction
code F110. All invoices that were paid manually are reported with a score
of 100.

ERP Tables Used


e e Type
Category
Selection PR_MANUAL_PAYMENT_SEL SQLScrip sap.hana-

E t app.fra.suite.pur.dt.vendor.invoiceite
Procedur m.se
e
Execution PR_MANUAL_PAYMENT_EXE SQLScrip sap.hana-

C t app.fra.suite.pur.dt.vendor.invoiceite
Procedur m.ex
e
Additional PR_MANUAL_PAYMENT_ADD SQLScrip sap.hana-

Informatio INF t app.fra.suite.pur.dt.vendor.invoiceite
n Procedur m.ai
e

None
Alert Messages
 Message ID FRA_INTERNAL_AUDIT, message number 089, The
outgoing payment was posted on &1 by user &2
 Message ID FRA_INTERNAL_AUDIT, message number 090, Payment
document number &1 / fiscal year &2 / company code &3
Detection Method: Vendor DSO Shorter

than Company Average DSO
You can use this method to detect cases in which the days sales
outstanding (DSO) – here, the amount of time to payment of a vendor – is
much less than the company average DSO. A low DSO suggests that a
vendor may be getting favorable treatment in payments.
Logic
To check for a low DSO for a particular vendor, the method first calculates
the average payment term from the company code with the following
formula:
SQL Code:
SUM ( DAYS_BETWEEN (BKPF.CPUDT, BSEG.AUGDT) * BSEG.DMBTR
) / SUM ( BSEG.DMBTR )
The average time to payment of a vendor is calculated with the same
formula, but the SQL query is extended with the vendor number. Both
calculations select only data sets from tables BKPF and BSEG that have
accounting type (KOART) K, posting keys (BSCHL) 21, 22, 31, or 32 and a
valid clearing date (AUGDT).
When the values are calculated, the method checks whether the
differences in vendor and company-average DSO exceed the threshold
that you have input. If the threshold is exceeded, then an alert is generated
for the vendor and company code.

 Detection object type: FRA_VEND (Vendor Master Data)
ERP Tables Used


re re Type
Categor
y
Selection PR_VENDOR_TOO_SHORT_DSO_ SQLScri sap.hana-

SELE pt app.fra.suite.pur.dt.vendor.master
Procedur data.se
e
Executio PR_VENDOR_TOO_SHORT_DSO_ SQLScri sap.hana-

n EXEC pt app.fra.suite.pur.dt.vendor.master
Procedur data.ex
e
Addition PR_VENDOR_TOO_SHORT_DSO_ SQLScri sap.hana-

re re Type
Categor
y
al ADDINF pt app.fra.suite.pur.dt.vendor.master
Informati Procedur data.ai
on e

DAYS_TO_DSO: Threshold for the minimum difference between a vendor
DSO and the company average DSO. Differences in DSO that do not
exceed this threshold are ignored.
Alert Messages
 Message ID FRA_INTERNAL_AUDIT, message number 103, Early
payment; average payment period in company code &1 is &2 days more
Detection Method: Find Duplicates of

Blocked Vendors
Use this method to find blocked vendors for which there are active “copies”.
That is, an active vendor master record exists that is similar to a blocked
vendor. From a business point of view, you should not be able to evade a
block on transactions with a vendor by creating copies of the vendor.
Vendors are considered to be duplicates if at least one of the following
vendor data matches:
 The bank account (fields BANKS, BANKL, BANKN and BKONT in
table LFBK)
 The telephone number (fields TELF1 or TELF2 in table LFA1)
 The vendor address (fields ORT01 and STRAS in table LFA1)
 The vendor name (at least one of the name fields in
table LFA1: NAME1, NAME2, NAME3 or NAME4)
 The vendor VAT registration code (field STCEG in table LFA1)
Note
The vendor ID must be different.
Logic
The method returns a detection result of 100 for any active vendor that has
blocked duplicates.
If the matching blocked vendor is blocked on company-code level
(field SPERR in table LFB1), then the matching vendors must have the
same company code in order to get a result for the matching active vendor.
If the matching blocked vendor is blocked on a general level
(field SPERR in table LFA1), then a result is created for the active vendor
independent of the company codes of both vendors.

ERP Tables Used


ure ure
Categor Type
y
Selectio PR_VENDOR_BLOCKED_REOPENE SQLScri sap.hana-

n D_SELE pt app.fra.suite.pur.dt.vendor.mast
Procedu erdata.se
re
Executio PR_VENDOR_BLOCKED_REOPENE SQLScri sap.hana-

n D_EXEC pt app.fra.suite.pur.dt.vendor.mast
Procedu erdata.ex
re
Addition PR_VENDOR_BLOCKED_REOPENE SQLScri sap.hana-

al D_ADDINF pt app.fra.suite.pur.dt.vendor.mast
Informati Procedu erdata.ai
on re

None
Alert Messages

Number
FRA_INTERNAL_AUDIT 122 Blocked duplicates for vendor &1 exist in the

system:
FRA_INTERNAL_AUDIT 123 Vendor &1 / Company Code &2 / Name &3 /

Address &4
Detection Method: Employees with Same

Bank Data as Vendor
In order to pay out travel expenses, some employees are also set up as
vendors in the system. This detection method checks if any of these
employees have the same bank account data as a regular vendor in the
system. If an employee uses the same bank account data as a vendor,
then this employee master data record is considered to be potentially
fraudulent.
Employees can be identified in the vendor master by their Vendor Account
Group. In the standard delivery, the vendor account group is HRTPfor
reimbursing travel expenses to employees. This value is hard coded in the
selection and execution procedures. If a different vendor account group
must be used, then this value also must be added to the coding of these
procedures.
Logic
For each employee record in the input data table, the execution procedure
checks whether the corresponding bank account is already a regular
vendor bank account. To make this check, the procedure first creates a list
of the regular vendor bank accounts by joining the database
table LFBK, LFA1 and LFB1 on the vendor account number (LIFNR),
where the client equals the session client and the vendor account group
(KTOKK) is unequal HRTP.
Afterwards the procedure compares the employee bank accounts with the
regular vendor bank accounts by joining the two lists. In case identical bank
account data is found for both a vendor and an employee, then the details
of the employee as well as the connected regular vendor are returned. In
addition, a detection result field with value 100 is returned.
ERP Tables Used


ure ure
Categor Type
y
Selectio PR_VENDOR_BANK_DATA_DOUBLE SQLScri sap.hana-

n S_SELE pt app.fra.suite.pur.dt.vendor.mast
Procedu erdata.se
re
Executio PR_VENDOR_BANK_DATA_DOUBLE SQLScri sap.hana-

n S_EXEC pt app.fra.suite.pur.dt.vendor.mast
Procedu erdata.ex
re
Addition PR_VENDOR_BANK_DATA_DOUBLE SQLScri sap.hana-

al S_ADDINF pt app.fra.suite.pur.dt.vendor.mast
on re
Alert Messages
 Message ID FRA_INTERNAL_AUDIT, message number 079, Employee
&1, &2 and vendor &3, &4 have same bank account data
Detection Method: Vendor with "Care Of"

in Address
Use this detection method to find vendors that have a “care of” specification
in the address. Such vendors may be illegitimate.
Logic
The detection method searches for the strings “C/O” or “c/o” in any of the
four address fields in the vendor master data.

 Detection object type: FRA_VEND (Vendor)
ERP Tables Used


re re Type
Categor
y
Selection PR_VENDOR_NAME_CHECKS_S SQLScri sap.hana-

ELE pt app.fra.suite.pur.dt.vendor.master
Procedur data.se
e
Executio PR_VENDOR_W_CO_IN_NAME_E SQLScri sap.hana-

n XEC pt app.fra.suite.pur.dt.vendor.master
Procedur data.ex
e
Additiona PR_VENDOR_W_CO_IN_NAME_A SQLScri sap.hana-

l DDINF pt app.fra.suite.pur.dt.vendor.master
on e

None
Alert Messages
(&2) has a "C/O" address
Detection Method: Vendors with Similar
Names
Use this method to find suspicious vendors that have similar names to a
high-volume vendor. Typically, a suspicious vendor makes little revenue
but their name resembles the name of a high-volume vendor. For example,
if there were a vendor called “Ziemens AG ” it might be considered
suspicious because it is similar to “Siemens AG”.
Logic
This method determines the low- and high-volume vendors based on the
revenue of the last 12 months. For each low-volume vendor, it tries to find
matching high-volume vendors that have similar names. The matching is
done with a freestyle fuzzy search on the four name columns of table LFA1.
You can restrict matching by specifying thresholds for the minimum
turnover of valid vendors and the maximum turnover of vendors that may
be suspicious.

ERP Tables Used


re re Type
Categor
y
Selection PR_VENDOR_NAME_CHECKS_S SQLScri sap.hana-

ELE pt app.fra.suite.pur.dt.vendor.masterd
Procedur ata.se
e
re re Type
Categor
y
Executio PR_VENDOR_SIMILAR_NAME_E SQLScri sap.hana-

n XEC pt app.fra.suite.pur.dt.vendor.masterd
Procedur ata.ex
e
Additiona PR_VENDOR_SIMILAR_NAME_A SQLScri sap.hana-

l DDINF pt app.fra.suite.pur.dt.vendor.masterd
Informati Procedur ata.ai
on e
The execution procedure uses two foundation procedures:
 PR_VENDOR_SIMILAR_NAME_FUZZY_SEARCH
This procedure performs the fuzzy-logic search.
 PR_CONVERT_AMOUNT_TO_GIVEN_CURRENCY
This procedure converts invoice amounts into the currency of the
threshold amount.
Parameter Use
THRESHOLD_REVENUE_YEAR Minimum turnover of vendors who are considered as

match candidates (valid vendors to match against
suspicious vendors that have similar names). The
turnover is aggregated over the last 12 months.
MAX_REVENUE Maximum turnover of vendors who are considered as

fraud candidates.
THRESHOLD_CURRENCY The currency in which the threshold parameters are

denominated.
FUZZINESS Specifies by how much a search term and a hit in the data
being searched may differ. The parameter tells the SAP
HANA database how much fuzziness – differences in
spelling, differences in number of characters, and so on –
to allow in doing a search.
The error tolerance scale is a percentage, from 0 to 100,
where 100% is an exact match. The lower the value of the
fuzziness parameter, the higher the tolerance. That is, a
lower fuzziness value may produce too many false
Parameter Use
positives.
The recommended setting is in the range between 80 and
100.
Alert Messages
(&2) has a similar name as high-volume vendor &3 (&4)
Detection Method: Vendor Address

Suspicious
You can use this method to find vendors that have a suspicious address,
such as when:
 There is no address in the master data
 The address is incomplete
 The address is a Post Office (PO) box

ERP Tables Used


ure ure
Catego Type
ry
Selectio PR_VENDOR_EXCEPTIONAL_ADDRESS SQLScr sap.hana-

n _DATA_SELE ipt app.fra.suite.pur.dt.vendor.m
Proced asterdata.se
ure
Executi PR_VENDOR_EXCEPTIONAL_ADDRESS SQLScr sap.hana-

on _DATA_EXEC ipt app.fra.suite.pur.dt.vendor.m
Proced asterdata.ex
ure ure
Catego Type
ry
ure
Addition PR_VENDOR_EXCEPTIONAL_ADDRESS SQLScr sap.hana-

al _DATA_ADDINF ipt app.fra.suite.pur.dt.vendor.m
Informa Proced asterdata.ai
tion ure

None
Alert Messages

Number
FRA_INTERNAL_AUDIT 097 The vendor has no address
FRA_INTERNAL_AUDIT 098 The vendor has only a post office box address
FRA_INTERNAL_AUDIT 099 The address of the vendor is incomplete
FRA_INTERNAL_AUDIT 100 The post office address of the vendor is

incomplete
Detection Method: Vendor Telephone

Number Suspicious
You can use this method to find vendors that have suspicious telephone
numbers, such as when:
 The vendor country code differs from the country codes of the contact
phone numbers 1 and 2 and the fax number
 The vendor data does not have any contact telephone number
For every contact number, the detection method checks whether the
number contains a + or begins with 00; after these two indicators the
country code is located. If the country code of the contact number does not
equal the country code of the vendor, then the vendor is suspicious.
Logic
The method returns all vendors without any contact number
(fields TELEFON_1_NUMBER, TELEFON_2_NUMBERand FAX_NUMBE
R are empty) with a detection result value of 100.
The method also returns vendors for whom the country area code of at
least one contact number does not match the area code of the country in
the vendor’s address. The detection result is set to 100 for these vendors.
For the comparison of the area codes, the method uses table T005K (area
codes for each country code).

ERP Tables Used

 T005K: Communication: country dialling code

ure ure
Categor Type
y
Selectio PR_VENDOR_CTRY_EQ_AREA_COD SQLScri sap.hana-

n E_SELE pt app.fra.suite.pur.dt.vendor.mast
Procedu erdata.se
re
Executio PR_VENDOR_CTRY_EQ_AREA_COD SQLScri sap.hana-

n E_EXEC pt app.fra.suite.pur.dt.vendor.mast
Procedu erdata.ex
re
Addition PR_VENDOR_CTRY_EQ_AREA_COD SQLScri sap.hana-

al E_ADDINF pt app.fra.suite.pur.dt.vendor.mast
on re
Alert Messages

Number
Number
FRA_INTERNAL_AUDIT 093 There is no entry for a phone or fax number for

the vendor
FRA_INTERNAL_AUDIT 094 The phone number &1 is located in a different

country as the vendor (&2)
FRA_INTERNAL_AUDIT 095 The fax number &1 is located in a different

country as the vendor (&2)
Detection Method: Vendor Without Bank

Details
You can use this method to find vendors that have no bank details
recorded in the vendor master data.
Logic
Vendors without bank details are identified by looking for vendors that have
no entry in table LFBK (Bank Details).

ERP Tables Used


re re Type
Categor
y
Selection PR_VENDOR_WO_BANK_DATA_ SQLScri sap.hana-

SELE pt app.fra.suite.pur.dt.vendor.master
Procedur data.se
e
Executio PR_VENDOR_WO_BANK_DATA_ SQLScri sap.hana-

re re Type
Categor
y
n EXEC pt app.fra.suite.pur.dt.vendor.master
Procedur data.ex
e
Additiona PR_VENDOR_WO_BANK_DATA_ SQLScri sap.hana-

l ADDINF pt app.fra.suite.pur.dt.vendor.master
on e
Alert Messages
in company code &2 has no bank details
Detection Method: Vendor and Bank

Countries Differ
Use this method to find vendors whose bank is located in a different
country than that of the vendor. The method returns an alert item for each
bank account that is located in a different country. The detection result is
set to 100.

 Detection object type: FRA_VEBANK (Vendor Bank Account)
ERP Tables Used


re re Type
Categor
y
Selection PR_BANK_VENDOR_LOC_DIFF_ SQLScri sap.hana-

re re Type
Categor
y
SELE pt app.fra.suite.pur.dt.vendor.bankacc
Procedur ount.se
e
Executio PR_BANK_VENDOR_LOC_DIFF_ SQLScri sap.hana-

n EXEC pt app.fra.suite.pur.dt.vendor.bankacc
Procedur ount.ex
e
Addition PR_BANK_VENDOR_LOC_DIFF_ SQLScri sap.hana-

al ADDINF pt app.fra.suite.pur.dt.vendor.bankacc
Informati Procedur ount.ai
on e

None
Alert Messages
 FRA_INTERNAL_AUDIT, message number 127, Vendor &1 in &2 has
bank account &3 in &4
Detection Method: Vendors with Similar

Bank Accounts
You can use this method to check for vendors that have similar bank
accounts.
Note
The use of the method is currently supported in systems in which a vendor
IBAN has been entered directly in the vendor master data.
This method may produce false alerts in systems where the vendor
account numbers have been replaced with IBAN references using SAP's
generic IBAN management feature. In this case, the actual IBANs are
referenced in table TIBAN.
Logic
The execution procedure checks whether a vendor bank account is similar
to bank accounts of other vendors. Two bank accounts are similar if both
have the same BANK_COUNTRY_KEY and BANK_KEY.
The BANK_ACCOUNT_NUMBER may be different in the last 3 digits, but
must have the same length.

 Detection object type: FRA_VEBANK (Vendor Bank Account)
ERP Tables Used


re re Type
Categor
y
Selection PR_SIMILAR_BANK_ACCOUNT_ SQLScri sap.hana-

SELE pt app.fra.suite.pur.dt.vendor.bankacc
Procedur ount.se
e
Executio PR_SIMILAR_BANK_ACCOUNT_ SQLScri sap.hana-

n EXEC pt app.fra.suite.pur.dt.vendor.bankacc
Procedur ount.ex
e
Addition PR_SIMILAR_BANK_ACCOUNT_ SQLScri sap.hana-

al ADDINF pt app.fra.suite.pur.dt.vendor.bankacc
Informati Procedur ount.ai
on e
Alert Messages
Message ID FRA_INTERNAL_AUDIT, message number 092, Vendor &1
&2 has a similar bank account
Detection Method: Manual Change to
Payment Proposal
Use this detection method to find payment proposals to which manual
changes have been made.
Note that exceptions in payment proposals are disregarded.
Logic
The execution procedure finds vendor payment proposals that have been
manually changed by checking whether the run ID (field LAUFI) and the run
date (field LAUFD) from table REGUP exists in table REGUA. If this is the
case, then alerts are created for all vendors related to the run ID and run
date. This detection method returns a score of 100.
The additional information procedure determines the users who changed
the payment proposal (field UNAME in table REGUA) and calculates the
risk amount, which is the sum of the manipulated payment proposals
(field RBETRin table REGUH) aggregated by vendor.
The field WAERS from table T001 is the currency key for the amount
field RBETR in table REGUH. These two tables are joined at the company
code (field BUKRS in table T001) and the paying company code of the
payment proposal (field ZBUKR in table REGUH).

 Investigation Object Type: FRA_VEND (Vendor)
 Detection Object Type: FRA_VEPAY (Payment Proposal)
ERP Tables Used

 REGUA: Change of Payment Proposals: User and Time
 REGUH: Settlement Data from Payment Program
 REGUP: Processed Items from Payment Program
 REGUHH: REGUH Version Before the 'n'th Change

ure ure
Categor Type
y
Selectio PR_PAY_PROP_VEND_CHANGE SQLScri sap.hana-

n _SELE pt app.fra.suite.pur.dt.vendor.paymentp
Procedu roposal.se
re
Executio PR_PAY_PROP_VEND_CHANGE SQLScri sap.hana-

n _EXEC pt app.fra.suite.pur.dt.vendor.paymentp
Procedu roposal.ex
re
Addition PR_PAY_PROP_VEND_CHANGE SQLScri sap.hana-

al _ADDINF pt app.fra.suite.pur.dt.vendor.paymentp
Informati Procedu roposal.ai
on re

None
Alert Messages
Message ID FRA_INTERNAL_AUDIT, message number 091, Payment
proposal for vendor &1 was changed by
Detection Method: Interactions

You can use this method (technical name YMKT_IOI_HIGH_INTR) to
detect an increase in the count of interactions related to an item of interest.
Interactions are communication activities between contact persons and
your company, for example sent and received e-mails, posts in social
networks, or Website visits.
Items of interest are key words used in the communication content, for
example “SAP_HANA”.
Logic
The execution procedure checks if the percentage increase in the count of
interactions for an item of interest exceeded a threshold parameter. The
evaluated period is compared with the previous period; the period length is
a parameter which specifies a multiple of 30 minutes.

 Investigation object type: YMKT_INTR (Item of Interest)
 Detection object type: YMKT_INTR (Item of Interest)
SAP hybris Marketing Tables Used

CUAND_CE_IA_RT: Interaction Root Node
CUAND_CE_IA_INTR: Interaction Interest Node
CUANC_CE_IOI: Item of Interest
CUANC_CE_IOI_T: Description for Item of Interest
CUANC_CE_CHANNEL: Interaction Channel
CUANC_CE_CHNNL_T: Interaction Channel Description
CUANC_CE_CH_ASGN: Interaction Channel Assignment
Procedure Procedure Name Procedure Package

Category Type
Selection PR_HIGH_INTR_SELE SQLScript sap.hana-

procedure app.fra.cuan.dt.interestitem.se
Execution PR_HIGH_INTR_EXEC SQLScript sap.hana-

procedure app.fra.cuan.dt.interestitem.ex
Additional PR_HIGH_INTR_ADDINF SQLScript sap.hana-

Information procedure app.fra.cuan.dt.interestitem.ai
Technical Name Name Definition
PERIOD_LENGTH Period Length Length of evaluated period in

multiples of 30 Minutes
THRESHOLD_IA_COUNT_INCR Increase in Increase in Interaction Count

Interaction Count relative to the previous period in %
(%)
Alert Messages

Number
Number
FRA_CUAN_MSG 001 Interest in '&1' has increased by &2 between &3 and
&4
Where &1 is the item of interest, &2 is the increase in %, &3 is
the beginning of the previous period, and &4 is the end of the evaluated
period.

Technical Document - Overview of Detection Methods For Internal Auditing

Enviado por

Dados do documento

Título original

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

Technical Document - Overview of Detection Methods For Internal Auditing

Enviado por

Direitos autorais:

Formatos disponíveis

Overview of Detection Methods for

Internal Auditing and Anti-Corruption

Irregularities in Accounting Documents

Detection Method: Accounting

BUKRS (table BKPF) USNAM (table BKPF) IDENT (table TFACS)

Investigation and Detection Object Types

ERP Tables Used

Procedures for Detection Methods

Procedur Procedure Name Procedur Package

Selection PR_ACCDOC_EXCEPTIONAL_DATES_SEL SQLScript sap.hana-app.fra-

Execution PR_ACCDOC_EXCEPTIONAL_DATES_EXE SQLScript sap.hana-app.fra-

Additional PR_ACCDOC_EXCEIONAL_DATES_ADDIN SQLScript sap.hana-app.fra-

Additional AT_FRA_C_USER_FCA : Attribute view on SQLScript sap.hana-

Detection Method Parameters

Message ID Message Message Text

FRA_INTERNAL_AUDIT 061 User &1 posted a document on a non-working

FRA_INTERNAL_AUDIT 062 Document entry date: &1

Detection Method: Business Partner

Investigation and Detection Object Types

ERP Tables Used

SAP HANA Procedures for Detection Methods

Proced Procedure Name Proced Package

Selectio PR_BP_HIGH_RISK_CTRY SQLScri sap.hana-

Executio PR_BP_HIGH_RISK_CTRY SQLScri sap.hana-

Addition PR_BP_HIGH_RISK_CTRY SQLScri sap.hana-

Detection Method Parameters

KP North Korea 175

Investigation and Detection Object Types

ERP Tables Used

SAP HANA Procedures for Detection Methods

Proce Procedure Name Proce Package

Selecti PR_SMURFING_SELE SQLS sap.hana-

Execu PR_SMURFING_EXEC SQLS sap.hana-

Additi PR_SMURFING_ADDINF SQLS sap.hana-

Conve PR_CONVERT_THRESHOLD_AMOUNT SQLS sap.hana-app.fra.suite.lib

Detection Method Parameters

THRESHOLD_SINGLE Threshold amount for single payment proposal items.

THRESHOLD_SINGLE_CURRENCY Threshold currency for single payment proposal

THRESHOLD_SUM Threshold amount for the sum of payment proposal

THRESHOLD_SUM_CURRENCY Threshold currency for the sum of payment proposal

DOCUMENT_TYPE Document type.

TERM_PAYMENT_KEY Terms of payment key.

Detection Method: Duplicate Travel

Investigation and Detection Object Types

SAP HANA Procedures for Detection Methods

Procedur Procedure Name Procedur Package

Selection PR_SAME_RECEIPT_SEL SQLScrip sap.hana-

Execution PR_SAME_RECEIPT_EXE SQLScrip sap.hana-

Additional PR_SAME_RECEIPT_ADD SQLScrip sap.hana-

Detection Method Parameters

Technical Name Description Definition

NO_OF_SAME_RECEIPT Minimum or Determines the minimum or equal number of

AMOUNT Minimum match Determines the minimum amount a receipt

AMOUNT_CURRENCY Exact match The currency for parameter AMOUNT

Decision Table for Rounded Amounts

JPY <= 10000 1000 0

JPY > 10000 1000 1

Detection and Investigation Object Types

ERP Tables Used

SAP HANA Procedures for Detection Methods

Proced Procedure Name Proced Package

Selectio PR_TREXRECEIPTS_EVENAMOUN SQLScri sap.hana-

Executi PR_TREXRECEIPTS_EVENAMOUN SQLScri sap.hana-