Understanding this feature provided by SAP
When it comes to making payments to our vendors SAP has given us an option to make the payment to the vendor or to make the payment to another person (Alternative Payee) which is maintained in the Vendor Master Record. This feature is provided to promote flexible payments so that if requested by your vendor you the buyer can directly make the payment to that person to whom your vendor owes the money.
If an alternative payee has been maintained for a vendor the system would always make the payment to the alternative payee and not the original vendor. This is because the payment program will always access the name, address and bank account details of the alternative payee.
When we create a new vendor master record in SAP the vendor master details are divided under 2 sections
- General Data
- Company Code Data
Now it is important to remember that an alternative payee can be defined under General as well as Company Code data. If you specify an alternative payee in both areas, the alternative payee mentioned in the company code area has priority.
Screen 1 below showcases the General Area of the vendor master record where an alternative payee can be maintained. We can see that vendor '5200' has been assigned an alternative payee which is '1014'.
Please click on the images below to view them in better clarity.
T-Code XK03
Screen 2 below showcases the Company Code Area where an alternative payee can be defined. We can see that vendor '5200' has been assigned an alternative payee which is '3510'.
Screen 2
T-Code XK03
Now as per the explanation given above when alternative payees are defined at both General and Company Code Level the system will always select the alternative payee which is defined at the Company Code Level.
The screenshots posted below will corroborate this understanding:
Screen 3
T-Code FB60
Showcasing the banking details of alternative payee '3510' defined under company code for vendor '5200'. We can see that the Bank Key, Bank Account Number and Bank Name are accurately being displayed in the vendor invoice raised above for vendor 5200.
Screen 4
T-Code XK03
We now run the payment proposal for the sample invoice
Screen 5
T-Code F110
We noted that the payment was made to vendor 3510 who was present as an alternative payee for vendor 5200
Screen 6
Payment Output from T-Code F110
Now that we have understood what alternate payees are and how they function let us understand, what is an 'Alternative Payee In Document' ?
Alternative Payee In Document is a field available in the general data selection criteria in the Vendor Master. If this field is enabled the payment technically can be made to anyone who may or may not exist in the Vendor Master. This function gives the invoice processor the authority to change payment details which are automatically selected by the system for payment.
For ease of understanding, I will walk you through a sample transaction using the same vendor 5200, however this time the only configuration that has changed is that, I have enabled the field 'Individual Spec' under 'Alternative Payee In Document' for vendor 5200.
Screen 7
T-Code XK03
Created a new invoice of 700 EUR against vendor 5200. Till this point nothing has changed as compared to the previous invoice which we processed. System still selects the bank details of the alternative payee '3510' which is defined in the vendor master. We now save the Invoice and the document number is '1900000002'
Screen 8
T-Code FB60
We now execute T-Code FBL1N and search for document number 1900000002 which is created under Vendor 5200. Please observe the blank space highlighted in the image.
Screen 9
T-Code FBL1N
Now an alternative payee can be 'Individually Set' for this invoice.
Screen 10
T-Code FBL1N
Now on this page bank details of any person can be entered and when the payment proposal will be executed the payment will be made in the account which is mentioned below. In this case the payment will go to sample bank account '778899'.
Screen 11
After the new banking details are saved the 'Individually Set' field gets populated with the details which have been entered manually by the invoice processor.
A critical observation here is that system always uses the payee which is Most Specific. This means that when you enter a payee in a document, it has priority over all payees specified in the master record. This will even supersede the alternative payee which is mentioned in the vendor master at a company code level which in our case is '3510' and which the system was selecting until now.
Screen 12
We now run the payment proposal for the sample invoice. We can see that the payee which got selected is the one which we entered to be a fake payee.
Screen 13
In the payment proposal output screenshot below we can see that the payment is processed in bank account '778899' which was individually set by us in the document.
Thus in this case the payment has not been processed to any of the alternative payees mentioned in the vendor master but to the payee which was manually entered by me i.e. the fraud payee.
Screen 14
Looking at what you have seen above you might want to audit your vendor master and check whether any vendor has been enabled for ''Alternative Payee In Document"
Extract Table LFA1 and check field 'XZEMP'. If this field is marked as X that means ''Alternative Payee In Document" is enabled for that vendor.
Screen 15
Table LFA1
Now in the event that you have found vendors where alternative payee in document is allowed the next step is to identify if anyone has exploited this vulnerability in your system.
Extract Table BSEG
The input parameter should be the list of all vendors which have been identified above in the LFA1 table then search for field 'XCPDD' and apply the filter as = X. This will give you the list of all documents where payee details have been manually entered by the invoice processor.
Screen 16
Table BSEG
In our output we can see that document 1900000002 that we processed above is marked as 'X' under field 'Individually Set' (Technical Name 'XCPDD') because we entered the payee details manually in the document.
Screen 17
Screen 18
T-Code FBL1N
A comparison can then be made between New and Old values.
Screen 19
Now that we have understood "Alternative Payee" and "Alternative Payee In Document", so now what is a "Permitted Payee" ?
From the very word permit, a permitted payee is someone you define in the vendor master to whom a legitimate payment can be made. This is very different as compared to an "Alternative Payee In Document" because here the payment can only be made to a specific Predefined Vendor and not anyone like in the case of "Alternative Payee In Document".
Let me help you understand this with the help of an example. Here we have vendor 5200 who has a permitted payee assigned which is vendor 3101.
Screen 20
Now when the invoice processor punches an invoice against vendor 5200 the system automatically selects the details of the "Alternative Payee" defined for this vendor at a company code level which is vendor 3510 and this behavior is fine, because this is how the system should be working.
Screen 21
So now the use-case of permitted payee is during invoice creation the invoice processor can change the payee details, but only to the one's which are pre-configured in the vendor master for that specific vendor.
Screen 22
In this case the payment can be processed only to two possible sources
i) The alternative payee assigned to vendor 5200 which is vendor 3510 and which the system is selecting until now
ii) The "Permitted Payee" 3101 which the invoice processor can select in the event he decides he doesn't want the payment to go to vendor 5200 alternative payee which is vendor 3510
Once selected we can see the payee details are updated in the invoice.
Screen 23
Below screenshot showcases that payee details of vendor 3101 are accurately reflected in the invoice screen above
Screen 24
Here are a few points to remember are when you are dealing with Permitted Payees:
In order to add a permitted payee to a vendor you first have to enable the ''Individual Spec" (XZEMP) which is actually the alternative payee in document field. Only after that you can add a permitted payee to the vendor.
Once changes are done remember to reverse the setting and keep the field "Alternative payee in document" (XZEMP) as display or on suppress. If you fail to do so alternative payee in document will stay active and then payments can be made to anyone as showcased in the blog above.
System Configuration
All said and done ''Alternative Payee In Document" is a very critical configuration in the vendor master as enabling this configuration gives Absolute Authority to the processor to manipulate invoices. In my personal opinion this field should be set to suppress to avoid accidental enablement of this field.
This can be controlled by making changes in the Screen Layout for vendors.
Path: SPRO-->Financial Accounting New-->Accounts Receivable and Accounts Payable-->Vendor Accounts-->Master Data-->Preparations for creating Vendor Master Data-->Define screen layouts for Vendors
The field which says "Alternative Payee Account" is referring to the alternate payee which is maintained in the vendor master. This field in most cases would be set between optional entry or display depending upon your business requirement.
The field which says "Alternative Payee In Document" is the field which should be set to suppress to avoid any illicit payments going out of the organization.
Screen 25
I would like to thank you for reading my blog. I hope the information that I have shared will be put to good use and will help you improve the information security controls in your organization. Also do let me know if I have missed out on something, because a good auditor is always learning.
Warm Regards
Michael Mathews
- SAP Managed Tags:
24 Comments
