Use a Three-Way Invoice Control Assessment to Reduce the Risk of Fraud and Money Loss

  • by Maurizio Binatti, SAP GRC Consultant, Aglea s.r.l.
  • December 19, 2011
Learn how to measure and assess whether three-way match invoice control has been effectively implemented — in terms of security, segregation of duties (SoD), and processes — to reduce the risk of fraud and monetary losses over the procure-to-pay (P2P) process.
Key Concept
The three-way match invoice control in an SAP system is designed to ensure that the prices of purchase orders (POs) and invoice requests (IRs) are the same within certain tolerance limits defined by management or that goods receipt (GR) and IR quantities are the same within defined tolerance limits defined by management. If these prices or quantities are not consistent, invoices are blocked for payment (Payment Block R). In many SAP systems, this control becomes only a mechanical procedure of manually unlocking that does not effectively remove the causes of the block (changes in price or quantity). If not properly implemented, this control can be easily bypassed in different ways.

Different operational steps could allow errors and fraud over the following subprocesses: processing purchase orders (POs), entering incoming invoices, unlocking invoices, and processing payments. I show you how to measure the control effectiveness in order to understand if key settings have been correctly implemented in an SAP system. This phase is control assessment and effectiveness. I also describe mitigation controls over the procure-to-pay (P2P) process that you can use to cover the risk of money lost owing to the price or quantity variance generated by possible errors or conflicts of interest.

Perform a Three-Way Match Invoice Control Effectiveness Assessment

The first important step to be analyzed is related to the layout settings in PO processing. Using transaction code ME22N, you can modify many relevant fields that are not related to the settings of the layout, but that are relevant to the PO, by bypassing three-way match control (Figure 1). Those fields include GR-Bsd IV, Unlimited, and the Delivery complete flag. To change a PO follow menu path Logistics > Material Management > Purchasing > Purchase Order > Change. In the next paragraph I discuss the different impacts of PO changes in order to help you understand how easy it is to bypass the three-way match invoice control.

Maurizio Binatti

Maurizio Binatti is an SAP GRC consultant at Aglea s.r.l. (www.aglea.com), the only Italian company whose core business is SAP security and compliance. He has six years of experience in SAP security, IT automated control, and internal audit best practices over different processes.

See more by this author


Comments

No comments have been submitted on this article. 


Please log in to post a comment.

To learn more about subscription access to premium content, click here.