Micheal_Mathews

Understanding this feature provided by SAP


 

When it comes to making payments to our vendors, SAP gives us the option to pay either the vendor or another person (the Alternative Payee) who is maintained in the Vendor Master Record. This feature is provided to promote flexible payments: if your vendor requests it, you the buyer can pay directly the person to whom your vendor owes the money.

If an alternative payee has been maintained for a vendor the system would always make the payment to the alternative payee and not the original vendor. This is because the payment program will always access the name, address and bank account details of the alternative payee.

When we create a new vendor master record in SAP, the vendor master details are divided into 2 sections:

  1. General Data

  2. Company Code Data


Now it is important to remember that an alternative payee can be defined under General as well as Company Code data. If you specify an alternative payee in both areas, the alternative payee mentioned in the company code area has priority.

Screen 1 below showcases the General Area of the vendor master record where an alternative payee can be maintained. We can see that vendor '5200' has been assigned an alternative payee which is '1014'.

Please click on the images below to view them in better clarity.


Screen 1               



T-Code XK03


Screen 2 below showcases the Company Code Area where an alternative payee can be defined. We can see that vendor '5200' has been assigned an alternative payee which is '3510'.

Screen 2


T-Code XK03


As explained above, when alternative payees are defined at both the General and the Company Code level, the system will always select the alternative payee defined at the Company Code level.

The screenshots posted below will corroborate this understanding:

We create an FI Invoice of 580 EUR against vendor 5200. The important thing to note in this screenshot is that the SAP system has selected the vendor as 5200, however if you observe the bank account details you will notice that the bank details are of the alternative payee which is maintained under the company code section in the vendor master for vendor 5200.


 

The system did not select alternative payee '1014' as it was defined under the General Data category in the vendor master. Alternative payee '1014' will only be selected by the system if I make this invoice in any company code other than 1000.


 

Screen 3


T-Code FB60


Showcasing the banking details of alternative payee '3510' defined under company code for vendor '5200'. We can see that the Bank Key, Bank Account Number and Bank Name are accurately being displayed in the vendor invoice raised above for vendor 5200.

Screen 4


T-Code XK03


We now run the payment proposal for the sample invoice

Screen 5


T-Code F110


We noted that the payment was made to vendor 3510 who was present as an alternative payee for vendor 5200

Screen 6


Payment Output from T-Code F110


 

Now that we have understood what alternative payees are and how they function, let us understand what an 'Alternative Payee In Document' is.

Alternative Payee In Document is a field available in the general data selection criteria in the Vendor Master. If this field is enabled the payment technically can be made to anyone who may or may not exist in the Vendor Master. This function gives the invoice processor the authority to change payment details which are automatically selected by the system for payment.

For ease of understanding, I will walk you through a sample transaction using the same vendor 5200, however this time the only configuration that has changed is that, I have enabled the field 'Individual Spec' under 'Alternative Payee In Document' for vendor 5200.

Screen 7


T-Code XK03


We create a new invoice of 700 EUR against vendor 5200. Up to this point nothing has changed compared to the previous invoice which we processed. The system still selects the bank details of the alternative payee '3510' which is defined in the vendor master. We now save the invoice and the document number is '1900000002'.

Screen 8


T-Code FB60


We now execute T-Code FBL1N and search for document number 1900000002 which is created under Vendor 5200. Please observe the blank space highlighted in the image.

Screen 9


T-Code FBL1N

Now an alternative payee can be 'Individually Set' for this invoice.

Screen 10


T-Code FBL1N


On this page the bank details of any person can be entered, and when the payment proposal is executed the payment will be made to the account which is mentioned below. In this case the payment will go to sample bank account '778899'.

Screen 11


After the new banking details are saved the 'Individually Set' field gets populated with the details which have been entered manually by the invoice processor.

A critical observation here is that the system always uses the payee which is Most Specific. This means that when you enter a payee in a document, it has priority over all payees specified in the master record. It will even supersede the alternative payee maintained in the vendor master at company code level, which in our case is '3510' and which the system was selecting until now.

Screen 12


We now run the payment proposal for the sample invoice. We can see that the payee which got selected is the one which we entered as a fake payee.

Screen 13


In the payment proposal output screenshot below we can see that the payment is processed to bank account '778899', which was individually set by us in the document.

Thus in this case the payment has not been processed to any of the alternative payees mentioned in the vendor master but to the payee which was manually entered by me, i.e. the fraud payee.

Screen 14


Looking at what you have seen above, you might want to audit your vendor master and check whether any vendor has been enabled for "Alternative Payee In Document".

Extract Table LFA1 and check field 'XZEMP'. If this field is marked as X, that means "Alternative Payee In Document" is enabled for that vendor.

Screen 15


Table LFA1


If you have found vendors where alternative payee in document is allowed, the next step is to identify whether anyone has exploited this vulnerability in your system.

Extract Table BSEG

The input parameter should be the list of all vendors which have been identified above in the LFA1 table. Then search for field 'XCPDD' and apply the filter = X. This will give you the list of all documents where payee details have been manually entered by the invoice processor.

Screen 16


Table BSEG


In our output we can see that document 1900000002 that we processed above is marked as 'X' under field 'Individually Set' (Technical Name 'XCPDD') because we entered the payee details manually in the document.

Screen 17
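
The two-table check described above, run over CSV exports of LFA1 and BSEG, as an added example that is not part of the original blog. The columns other than XZEMP and XCPDD (LIFNR, BUKRS, BELNR, GJAHR, BUZEI) are assumed to be in the export, and all sample rows are constructed around document 1900000002. It goes one step beyond the filter above by also listing XCPDD documents for vendors whose XZEMP is blank today, since the flag may have been reset after the posting.

```python
import csv
import io

# Constructed sample exports (e.g. table downloads saved as CSV); not real data.
# LIFNR, BUKRS, BELNR, GJAHR, BUZEI are assumed to be included in the export.
LFA1_CSV = """LIFNR,NAME1,XZEMP
5200,Sample Vendor A,X
3510,Sample Vendor B,
3101,Sample Vendor C,
6000,Sample Vendor D,
"""

BSEG_CSV = """BUKRS,BELNR,GJAHR,BUZEI,LIFNR,XCPDD
1000,1900000001,2024,001,5200,
1000,1900000002,2024,001,5200,X
1000,1900000002,2024,002,,
1000,1900000007,2024,001,6000,X
"""


def is_set(value):
    """SAP flag fields hold 'X' when set and blank otherwise."""
    return (value or "").strip().upper() == "X"


def norm_vendor(lifnr):
    """Exports may or may not zero-pad LIFNR to 10 characters; compare unpadded."""
    return (lifnr or "").strip().lstrip("0")


def audit(lfa1_text, bseg_text):
    """Return (vendors with XZEMP set, vendor document lines with XCPDD set)."""
    flagged = {norm_vendor(r["LIFNR"])
               for r in csv.DictReader(io.StringIO(lfa1_text)) if is_set(r["XZEMP"])}
    findings = []
    for r in csv.DictReader(io.StringIO(bseg_text)):
        vendor = norm_vendor(r["LIFNR"])
        if not vendor or not is_set(r["XCPDD"]):
            continue  # not a vendor line, or payee was not individually set
        findings.append({
            "company_code": r["BUKRS"], "document": r["BELNR"],
            "year": r["GJAHR"], "line": r["BUZEI"], "vendor": vendor,
            # False: XZEMP is blank in the current export (reset, or vendor missing)
            "xzemp_still_set": vendor in flagged,
        })
    return flagged, findings


if __name__ == "__main__":
    vendors, docs = audit(LFA1_CSV, BSEG_CSV)
    print("Vendors with XZEMP = X:", sorted(vendors))
    for d in docs:
        print(d)
```

Each finding is a starting point for the document-change review in FBL1N, where the old and new payee values can be compared.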


If you want to see exactly what changes were entered by the invoice processor, go to the document by executing T-Code FBL1N and click on document changes.


 

Screen 18


T-Code FBL1N


A comparison can then be made between New and Old values.

Screen 19


 

Now that we have understood "Alternative Payee" and "Alternative Payee In Document", what is a "Permitted Payee"?

As the word permit suggests, a permitted payee is someone you define in the vendor master to whom a legitimate payment can be made. This is very different from an "Alternative Payee In Document", because here the payment can only be made to a specific Predefined Vendor and not to anyone, as in the case of "Alternative Payee In Document".

Let me help you understand this with the help of an example. Here we have vendor 5200 who has a permitted payee assigned which is vendor 3101.

Screen 20


Now when the invoice processor enters an invoice against vendor 5200, the system automatically selects the details of the "Alternative Payee" defined for this vendor at company code level, which is vendor 3510. This behavior is fine, because this is how the system should be working.

Screen 21


The use case of the permitted payee is that, during invoice creation, the invoice processor can change the payee details, but only to the ones which are pre-configured in the vendor master for that specific vendor.

Screen 22


In this case the payment can be processed to only two possible payees:

i) The alternative payee assigned to vendor 5200, which is vendor 3510 and which the system has been selecting until now

ii) The "Permitted Payee" 3101, which the invoice processor can select if he decides he doesn't want the payment to go to vendor 5200's alternative payee, vendor 3510

Once selected we can see the payee details are updated in the invoice.

Screen 23


The screenshot below shows that the payee details of vendor 3101 are accurately reflected in the invoice screen above.

Screen 24


Here are a few points to remember when you are dealing with Permitted Payees:

In order to add a permitted payee to a vendor you first have to enable "Individual Spec" (XZEMP), which is actually the alternative payee in document field. Only after that can you add a permitted payee to the vendor.

Once the changes are done, remember to reverse the setting and keep the field "Alternative payee in document" (XZEMP) on display or on suppress. If you fail to do so, alternative payee in document will stay active and payments can then be made to anyone, as showcased in the blog above.

 

System Configuration


All said and done, "Alternative Payee In Document" is a very critical configuration in the vendor master, as enabling it gives Absolute Authority to the processor to manipulate invoices. In my personal opinion this field should be set to suppress to avoid accidental enablement of this field.

This can be controlled by making changes in the Screen Layout for vendors.

Path: SPRO-->Financial Accounting New-->Accounts Receivable and Accounts Payable-->Vendor Accounts-->Master Data-->Preparations for creating Vendor Master Data-->Define screen layouts for Vendors

The field which says "Alternative Payee Account" refers to the alternative payee which is maintained in the vendor master. This field in most cases would be set to either optional entry or display, depending upon your business requirement.

The field which says "Alternative Payee In Document" is the field which should be set to suppress to avoid any illicit payments going out of the organization.

Screen 25


 

I would like to thank you for reading my blog. I hope the information that I have shared will be put to good use and will help you improve the information security controls in your organization. Also do let me know if I have missed out on something, because a good auditor is always learning.

Warm Regards

Michael Mathews

 

 

 