Skip to Content
Technical Articles

Alternative Payee vs Alternative Payee In Document. Is it the same ?

Understanding this feature provided by SAP

 

When it comes to making payments to our vendors SAP has given us an option to make the payment to the vendor or to make the payment to another person (Alternative Payee) which is maintained in the Vendor Master Record. This feature is provided to promote flexible payments so that if requested by your vendor you the buyer can directly make the payment to that person to whom your vendor owes the money.

If an alternative payee has been maintained for a vendor the system would always make the payment to the alternative payee and not the original vendor. This is because the payment program will always access the name, address and bank account details of the alternative payee.

When we create a new vendor master record in SAP the vendor master details are divided under 2 sections

  1. General Data
  2. Company Code Data

Now it is important to remember that an alternative payee can be defined under General as well as Company Code data. If you specify an alternative payee in both areas, the alternative payee mentioned in the company code area has priority.

Screen 1 below showcases the General Area of the vendor master record where an alternative payee can be maintained. We can see that vendor ‘5200’ has been assigned an alternative payee which is ‘1014’.

Please click on the images below to view them in better clarity.

Screen 1               

T-Code%20XK02

T-Code XK03

Screen 2 below showcases the Company Code Area where an alternative payee can be defined. We can see that vendor ‘5200’ has been assigned an alternative payee which is ‘3510’.

Screen 2

T-Code%20XK02

T-Code XK03

Now as per the explanation given above when alternative payees are defined at both General and Company Code Level the system will always select the alternative payee which is defined at the Company Code Level.

The screenshots posted below will corroborate this understanding:

We create an FI Invoice of 580 EUR against vendor 5200. The important thing to note in this screenshot is that the SAP system has selected the vendor as 5200, however if you observe the bank account details you will notice that the bank details are of the alternative payee which is maintained under the company code section in the vendor master for vendor 5200. The system did not select alternate payee ‘1014’ as it was defined under General Data category in the vendor master.

Alternative payee ‘1014’ will only be selected by the system if i would make this invoice in any other company code but 1000

Screen 3

T-Code%20FB60

T-Code FB60

Showcasing the banking details of alternative payee ‘3510’ defined under company code for vendor ‘5200’. We can see that the Bank Key, Bank Account Number and Bank Name are accurately being displayed in the vendor invoice raised above for vendor 5200.

Screen 4

T-Code%20XK03

T-Code XK03

We now run the payment proposal for the sample invoice

Screen 5

T-Code%20F110

T-Code F110

We noted that the payment was made to vendor 3510 who was present as an alternative payee for vendor 5200

Screen 6

Payment Output from T-Code F110

 

Now that we have understood what alternate payees are and how they function let us understand, what is an ‘Alternative Payee In Document’ ?

Alternative Payee In Document is a field available in the general data selection criteria in the Vendor Master. If this field is enabled the payment technically can be made to anyone who may or may not exist in the Vendor Master. This function gives the invoice processor the authority to change payment details which are automatically selected by the system for payment.

For ease of understanding, I will walk you through a sample transaction using the same vendor 5200, however this time the only configuration that has changed is that, I have enabled the field ‘Individual Spec’ under ‘Alternative Payee In Document’ for vendor 5200.

Screen 7

T-Code%20XK03

T-Code XK03

Created a new invoice of 700 EUR against vendor 5200. Till this point nothing has changed as compared to the previous invoice which we processed. System still selects the bank details of the alternative payee ‘3510’ which is defined in the vendor master. We now save the Invoice and the document number is ‘1900000002’

Screen 8

T-Code%20FB60

T-Code FB60

We now execute T-Code FBL1N and search for document number 1900000002 which is created under Vendor 5200. Please observe the blank space highlighted in the image.

Screen 9

                                                                   T-Code FBL1N

Now an alternative payee can be ‘Individually Set’ for this invoice.

Screen 10

T-Code%20FBL1N

T-Code FBL1N

Now on this page bank details of any person can be entered and when the payment proposal will be executed the payment will be made in the account which is mentioned below. In this case the payment will go to sample bank account ‘778899’.

Screen 11

After the new banking details are saved the ‘Individually Set’ field gets populated with the details which have been entered manually by the invoice processor.

A critical observation here is that system always uses the payee which is Most Specific. This means that when you enter a payee in a document, it has priority over all payees specified in the master record. This will even supersede the alternative payee which is mentioned in the vendor master at a company code level which in our case is ‘3510’ and which the system was selecting until now.

Screen 12

We now run the payment proposal for the sample invoice. We can see that the payee which got selected is the one which we entered to be a fake payee.

Screen 13

In the payment proposal output screenshot below we can see that the payment is processed in bank account ‘778899’ which was individually set by us in the document.

Thus in this case the payment has not been processed to any of the alternative payees mentioned in the vendor master but to the payee which was manually entered by me i.e. the fraud payee.

Screen 14

Looking at what you have seen above you might want to audit your vendor master and check whether any vendor has been enabled for  ”Alternative Payee In Document”

Extract Table LFA1 and check field ‘XZEMP’. If this field is marked as X that means ”Alternative Payee In Document” is enabled for that vendor.

Screen 15

Table%20LFA1

Table LFA1

Now in the event that you have found vendors where alternative payee in document is allowed the next step is to identify if anyone has exploited this vulnerability in your system.

Extract Table BSEG

The input parameter should be the list of all vendors which have been identified above in the LFA1 table then search for field ‘XCPDD’ and apply the filter as = X. This will give you the list of all documents where payee details have been manually entered by the invoice processor.

Screen 16

Table BSEG

In our output we can see that document 1900000002 that we processed above is marked as ‘X’ under field ‘Individually Set’ (Technical Name ‘XCPDD’) because we entered the payee details manually in the document.

Screen 17

Now if you want to see what changes were exactly entered by the invoice processor you need to go to the document by executing T-Code FBL1N and click on document changes.

Screen 18

T-Code%20FBL1N

T-Code FBL1N

A comparison can then be made between New and Old values.

Screen 19

All said and done ”Alternative Payee In Document” is a very critical configuration in the vendor master as enabling this configuration gives Absolute Authority to the processor to manipulate invoices. In my personal opinion this field should be set to suppress to avoid accidental enablement of this field.

This can be controlled by making changes in the Screen Layout for vendors

The field which says “Alternative Payee Account” is referring to the alternate payee which is maintained in the vendor master.  This field in most cases would be set between optional entry or display depending upon your business requirement.

The field which says “Alternative Payee In Document” is the field which should be set to suppress to avoid any illicit payments going out of the organization.

Screen 20

 

I would like to thank you for reading my blog. I hope the information that I have shared will be put to good use and will help you improve the information security controls in your organization. Also do let me know if I have missed out on something, because a good auditor is always learning.

Warm Regards

Michael Mathews

 

 

 

2 Comments
You must be Logged on to comment or reply to a post.