Understanding this feature provided by SAP
When it comes to making payments to our vendors, SAP gives us the option to pay the vendor or to pay another person (the Alternative Payee) who is maintained in the Vendor Master Record. This feature is provided to promote flexible payments: if your vendor requests it, you, the buyer, can pay directly the person to whom your vendor owes the money.
If an alternative payee has been maintained for a vendor, the system always makes the payment to the alternative payee and not to the original vendor. This is because the payment program always accesses the name, address and bank account details of the alternative payee.
When we create a new vendor master record in SAP, the vendor master details are divided into two sections:
- General Data
- Company Code Data
Now it is important to remember that an alternative payee can be defined under General as well as Company Code data. If you specify an alternative payee in both areas, the alternative payee mentioned in the company code area has priority.
Screen 1 below showcases the General Area of the vendor master record where an alternative payee can be maintained. We can see that vendor ‘5200’ has been assigned an alternative payee which is ‘1014’.
Screen 2 below showcases the Company Code Area where an alternative payee can be defined. We can see that vendor ‘5200’ has been assigned an alternative payee which is ‘3510’.
As explained above, when alternative payees are defined at both the General and the Company Code level, the system will always select the alternative payee defined at the Company Code level.
The screenshots posted below will corroborate this understanding:
Alternative payee ‘1014’ will only be selected by the system if I post this invoice in any company code other than 1000.
Showcasing the banking details of alternative payee ‘3510’ defined under company code for vendor ‘5200’. We can see that the Bank Key, Bank Account Number and Bank Name are accurately being displayed in the vendor invoice raised above for vendor 5200.
We now run the payment proposal for the sample invoice.
We noted that the payment was made to vendor 3510, who was present as an alternative payee for vendor 5200.
Now that we have understood what alternative payees are and how they function, let us understand what an ‘Alternative Payee In Document’ is.
Alternative Payee In Document is a field available in the general data selection criteria in the Vendor Master. If this field is enabled, the payment can technically be made to anyone, whether or not they exist in the Vendor Master. This function gives the invoice processor the authority to change the payment details which the system selects automatically for payment.
For ease of understanding, I will walk you through a sample transaction using the same vendor 5200. This time the only configuration that has changed is that I have enabled the field ‘Individual Spec’ under ‘Alternative Payee In Document’ for vendor 5200.
We create a new invoice of 700 EUR against vendor 5200. Up to this point nothing has changed compared to the previous invoice which we processed. The system still selects the bank details of the alternative payee ‘3510’ which is defined in the vendor master. We now save the invoice and the document number is ‘1900000002’.
We now execute T-Code FBL1N and search for document number 1900000002 which is created under Vendor 5200. Please observe the blank space highlighted in the image.
Now an alternative payee can be ‘Individually Set’ for this invoice.
On this page the bank details of any person can be entered, and when the payment proposal is executed the payment will be made to the account entered here. In this case the payment will go to sample bank account ‘778899’.
After the new banking details are saved the ‘Individually Set’ field gets populated with the details which have been entered manually by the invoice processor.
A critical observation here is that the system always uses the payee which is Most Specific. This means that when you enter a payee in a document, it has priority over all payees specified in the master record. It even supersedes the alternative payee maintained in the vendor master at the company code level, which in our case is ‘3510’ and which the system was selecting until now.
We now run the payment proposal for the sample invoice. We can see that the payee which got selected is the one which we entered as a fake payee.
In the payment proposal output screenshot below we can see that the payment is processed in bank account ‘778899’ which was individually set by us in the document.
Thus, in this case the payment has not been processed to any of the alternative payees mentioned in the vendor master but to the payee which was manually entered by me, i.e. the fraud payee.
Looking at what you have seen above, you might want to audit your vendor master and check whether any vendor has been enabled for “Alternative Payee In Document”.
Extract table LFA1 and check field ‘XZEMP’. If this field is marked as X, “Alternative Payee In Document” is enabled for that vendor.
If you have found vendors where alternative payee in document is allowed, the next step is to identify whether anyone has exploited this vulnerability in your system.
Extract table BSEG.
The input parameter should be the list of all vendors identified above in the LFA1 table. Then search for field ‘XCPDD’ and apply the filter = X. This will give you the list of all documents where payee details have been manually entered by the invoice processor.
In our output we can see that document 1900000002 that we processed above is marked as ‘X’ under field ‘Individually Set’ (Technical Name ‘XCPDD’) because we entered the payee details manually in the document.
A comparison can then be made between New and Old values.
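The two extraction steps above, as an added Python example (not part of the original blog and not SAP code): it filters CSV extracts of LFA1 and BSEG on XZEMP and XCPDD and, for each flagged document, reports the payee the master record would otherwise have selected. Table LFB1, the alternative payee fields LNRZA and LNRZB, and the CSV layout are assumptions not shown on the page; apart from vendor 5200, payees 1014 and 3510 and document 1900000002, every sample value is constructed.

```python
import csv
import io

# Constructed sample extracts (not real data). Vendor 5200, payees 1014/3510 and
# document 1900000002 mirror the walkthrough; GJAHR and other rows are made up.
LFA1 = "LIFNR,XZEMP,LNRZA\n0000005200,X,0000001014\n0000003510,,\n"
LFB1 = "LIFNR,BUKRS,LNRZB\n0000005200,1000,0000003510\n"
BSEG = ("BUKRS,BELNR,GJAHR,LIFNR,XCPDD\n"
        "1000,1900000001,2024,5200,\n"
        "1000,1900000002,2024,5200,X\n"
        "1000,1900000003,2024,3510,\n")

def norm(acct):
    """Exports differ in zero padding (0000005200 vs 5200); compare unpadded."""
    return acct.strip().lstrip("0")

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def is_set(flag):
    return flag.strip().upper() == "X"

def master_payee(vendor, bukrs, lfa1, lfb1):
    """Payee the master record yields: company code entry beats general data."""
    for r in lfb1:
        if norm(r["LIFNR"]) == vendor and r["BUKRS"] == bukrs and norm(r["LNRZB"]):
            return norm(r["LNRZB"])
    for r in lfa1:
        if norm(r["LIFNR"]) == vendor and norm(r["LNRZA"]):
            return norm(r["LNRZA"])
    return vendor

def audit(lfa1_text=LFA1, lfb1_text=LFB1, bseg_text=BSEG):
    lfa1, lfb1, bseg = load(lfa1_text), load(lfb1_text), load(bseg_text)
    # Step 1: vendors with "Alternative Payee In Document" enabled (XZEMP = X).
    enabled = {norm(r["LIFNR"]) for r in lfa1 if is_set(r["XZEMP"])}
    # Step 2: their line items where the payee was set individually (XCPDD = X).
    findings = []
    for r in bseg:
        vendor = norm(r["LIFNR"])
        if vendor in enabled and is_set(r["XCPDD"]):
            findings.append({"BUKRS": r["BUKRS"], "BELNR": r["BELNR"], "LIFNR": vendor,
                             "master_payee": master_payee(vendor, r["BUKRS"], lfa1, lfb1)})
    return sorted(enabled), findings

if __name__ == "__main__":
    vendors, docs = audit()
    print("Vendors with XZEMP = X:", vendors)
    print("Documents with XCPDD = X:", docs)
```

The `master_payee` column gives the reviewer the payee that was overridden, which is the starting point for the comparison between new and old values.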
All said and done, “Alternative Payee In Document” is a very critical configuration in the vendor master, as enabling it gives Absolute Authority to the processor to manipulate invoices. In my personal opinion this field should be set to suppress to avoid accidental enablement of this field.
This can be controlled by making changes in the Screen Layout for vendors.
The field which says “Alternative Payee Account” refers to the alternative payee which is maintained in the vendor master. In most cases this field would be set to either optional entry or display, depending upon your business requirement.
The field which says “Alternative Payee In Document” is the field which should be set to suppress to avoid any illicit payments going out of the organization.
I would like to thank you for reading my blog. I hope the information that I have shared will be put to good use and will help you improve the information security controls in your organization. Also do let me know if I have missed out on something, because a good auditor is always learning.