Learn how to configure SAP Fraud Management for easy detection, investigation, and prevention of fraudulent activities within your enterprise system using standard business contents.
Key Concept
The Serious Fraud Office (SFO), which is a department in the office of the US Attorney General, defines fraud as an act of deception intended for personal gain or to cause a loss to another party. The implication of successful perpetration of fraudulent activities can be enormous and can lead to huge fines and legal actions. SAP Fraud Management is designed to use intelligent algorithms to study and analyze fraud patterns, thereby curbing the occurrence and perpetration of malicious business activities.
As governments around the world increase enforcement of laws and regulations to combat corruption and fraudulent activities such as bribery, global corporations are under increasing pressure to improve their anti-bribery and anti-corruption compliance programs to detect and prevent potentially fraudulent transactions that could put the organization in an unpleasant position.
Therefore, a tool to manage this business challenge is becoming more important to top business executives. SAP Fraud Management is designed to detect, investigate, analyze, and prevent malicious business activities in mega-high data volume system environments. The product belongs to the SAP Assurance and Compliance Software 1.1 suite. Technically, it co-habits with SAP Audit Management.
SAP Fraud Management offers a number of business benefits that include:
- Curtailing fraudulent losses through real-time detection
- Ensuring continuous process efficiency via real-time monitoring
- Enhancing the efficiency of the investigation process of malicious activities via real-time analyses and simulations
- Optimizing the efficiency of fraud detection via proactive identification and prediction of future risk
- Enhancing operational efficiency by automating business processes and seamless integration
I explain the basic configuration of the product and how to set up the system to prevent revenue loss with capabilities that minimize false positives and mitigate the risks of fraud and noncompliance. Topics include the following:
- The business scenario (use case)
- Verification of technical configuration settings
- Basic configuration settings
- Business content activation
- Concept of system replication
- Understanding the data model
- SAP HANA procedures
- Maintenance of detection methods
- Maintenance of detection strategy
- Calibration and simulation of detection strategy
- Execution of a mass detection run
- Alert assignment to investigators
- Investigation and alert processing
The Business Scenario (Use Case)
My typical business example is based on standard content delivered by SAP via Business Configuration Sets (BC Sets) and SAP HANA procedures. The purpose is to demonstrate how the SAP Fraud Management application works.
SAP Fraud Management offers standard content that can be adapted for fraud detection, investigation, and prevention. One such content is the decision method Multiple Changes on Purchase Orders. This decision method aims to identify purchase orders (POs) with a defined number of changes in the header as candidates for suspicion of fraudulent activities. I use standard SAP HANA procedures and configuration settings to explain how the fraud management system is customized to achieve this business benefit of fraud detection and investigation documentation.
My business example investigates changes made to POs after they are created, and it considers any PO with more than one change as suspicious and therefore subject to further investigation. A number of basic configuration settings are essential to understanding the business example. Most of the configuration activities are already updated following the activation of the relevant BC Sets.
Verification of Technical Configuration Settings
This article is a follow-on article to the technical setup article “Get Your SAP System Landscape Technically Ready for SAP Assurance and Compliance” in which I explained the technical configuration activities that are prerequisites for harnessing the capabilities of SAP Fraud Management. Following the installation of the SAP Fraud Management add-on, you need to perform a number of post-installation activities on the SAP HANA database and the SAP ABAP NetWeaver system to be able to use the system productively. Follow menu path Fraud Management > Tools > Environment > Check technical Configuration or use transaction code FRA_TC_CHECK to confirm if the system is properly set up for fraud management capabilities. Any error reported during the check should be reviewed and resolved accordingly. All the checks should be flashing in green as shown in Figure 1.
Figure 1
Excerpt of the SAP Fraud Management technical configuration verification check
Basic Configuration Settings
You need to perform a number of basic configuration settings to use the system for fraud detection and investigation. Most of the basic configuration settings are initially updated when BC Sets are activated in the system. Depending on the scope of your deployment, the relevant BC Sets for SAP Fraud Management are:
- FRA_INTERNAL_AUDIT - Fraud Management - Internal Audit – General
- FRA_INSURANCE_CLAIM1- Fraud Management - Insurance Claims - Business Content
- FRA_CUAN - Fraud Management - Hybris Marketing - Business Content
- FRA_ALERT_WORKFLOW - Settings for Alert Workflow
You can activate BC Sets via transaction SCPR20 (Figure 2).
Figure 2
Initial screen for the activation of BC sets
Click the activate icon. In the screen that displays, choose the Expert Mode option in the Select Activation Mode section as shown in Figure 3.
Figure 3
BC Set activation mode option maintenance
Click the green checkmark and Figure 4 displays with the status message.
Figure 4
Confirmation of the activation of the BC Set
You can review the activation logs by clicking the logs icon, which takes you to Figure 5.
Figure 5
Log of BC Set activation
The SAP Fraud Management customizing activities that have associated BC Sets can be reviewed via the IMG screen accessible via transaction SPRO and by choosing the Existing BC Sets option as shown in Figure 6. The value under Additional information confirms if the BC Sets exist and provides the activation status.
Figure 6
BC Set activation status via the IMG node
The BC Sets cover customizing activities in the basic settings, home screen, detection, investigation, and network analysis main nodes. This section covers some of the important basic configuration settings that are central to my business scenario.
Maintain Number Range for Alerts
This customizing activity guides the numbering assigned to alerts in the SAP Fraud Management system. Access this customizing activity via menu path SPRO > SAP Customizing Implementation Guide > SAP Fraud Management > Basic Settings > Maintain Number Ranges for Alerts (Figure 7).
Figure 7
Initial screen for number range maintenance
Click the Intervals button to review the configuration settings shown in Figure 8.
Figure 8
Maintenance of the number range for alerts
The external check box should not be marked as it is only relevant for documents coming into the system from external sources. The applicable number range object is FRA_ALERT. By following the path in this customizing activity, you will be maintaining the number range object FRA_ALERT. You can also access number range objects via transaction code SNRO, in which case you have to define FRA_ALERT in the Object field that comes up.
Maintain Alert Currency
This customizing setting allows you to define the currency that is used for alert report generation and processing. The system allows you to define only one currency to be used for the SAP Fraud Management system. The defined currency needs to be explicitly assigned to an application. The alert currency configuration settings can be accessed via menu path SPRO > SAP Fraud Management > Basic Settings > Maintain Alert Currency (Figure 9). You enter the currency in a free-text field; the value is validated against the possible values in the system, and input help (F4) is available.
Figure 9
Maintenance of alert reporting currency
Define Source Domain and Fields Settings
The source domain depicts the source system of the data relevant for fraud management. It is mandatory that at least one source domain be defined in the system. The field settings represent the data structure in the source system and are used to define the attributes of the fields in the source domain.
Figure 10 can be accessed via menu path SPRO > SAP Fraud Management > Basic Settings > Define Source Domain and Field Settings. It shows examples of predefined source domains.
Figure 10
Source domain definition
Highlight a source domain (for example, INTERNAL) and choose the Fields folder to go to Figure 11.
Figure 11
Data structure of the source domain
In the fields structure of the source domain, you can maintain the data type, field length, and corresponding SAP HANA package information against the different fields.
Source Domain: The source domain is the business entity that delivers detection objects to the fraud management application. It represents the key for the fields in a customer data model. It allows you to define duplicate fields, but still maintain different characteristics for them, provided the fields are associated with different domains.
Field: This is the technical name of the field within the field catalog. The field names need to be the same as the name defined in the SAP HANA content. Furthermore, the field names used in SAP HANA content must be unique within the source domain.
Data Type: The data type is used to define a user-friendly representation of the field content, for example, currency and dates.
Field Length: This is used to define the length of the field in characters or digits.
Decimals: This is the decimal of field catalog datatype, which represents the number of decimals of a numeric field.
Conversion Routine: This is used to define a user friendly representation of the field content, for example to display technical keys without leading zeros.
Case sensitivity: This is used to indicate the case sensitivity of field values.
SAP HANA Content – Package: This is used to define the attribute view for access to field values and the corresponding texts.
SAP HANA Content – Attribute View for Value Selection: This is used to access field values and the corresponding texts.
SAP HANA Content - Value Field in Attribute View: This is used to define the value field within the attribute view.
SAP HANA Content - Text Field in Attribute View: This is the relevant text field in the attribute view.
ABAP Dictionary: Value Table/View: This represents the value table or view in ABAP Dictionary.
ABAP Dictionary : Field Name in Value Table/View: This is the field within the value table or view.
ABAP Dictionary - Text Field in Attribute View: This is used to define the relevant text field in the attribute view.
Amount and Quantities - Reference Field: This is used to define the currency key for the amount or the unit for the quantity in the SAP HANA content.
Amount and Quantities - Reference Value (Fixed Value): This is used to define a specific currency for the amount or a specific unit for the quantity in the SAP HANA content.
Amount and Quantities - Special Reference: This is used to define that the alert currency that has been defined in the Customizing for SAP Fraud Management under Maintain Alert Currency is used.
Maintain Investigation and Detection Objects
The investigation object defines the business object that is to be investigated for fraud—for example, an insurance claim, employee, vendor, or purchase order (Figure 12). To go to Figure 12, follow menu path SAP Customizing Implementation Guide > SAP Fraud Management > Basic Settings > Maintain Investigation and Detection Object Types.
Figure 12
Definition of investigation object type
This customizing activity allows you to associate a source domain with investigation objects and also define the enrichment package with the corresponding enrichment view. An enrichment is information that adds more context to the investigation object. It is provided in the screen used for the creation of alerts.
Highlight an investigation object and double-click the Data Enrichment Fields folder (Figure 13). The enrichment field maintenance table allows you to define up to five additional fields. For example, you can define anything related to the investigation object, such as claims-related investigation objects or policy holder details.
Figure 13
Maintenance of enrichment fields
Click the Detection Object Types folder and Figure 14 displays. Detection object types are the specific business information that needs to be evaluated for evidence of fraud based on the investigation object. For example, that could include vendor invoices, an employee travel expense receipt, or even a PO header as per my business example.
Figure 14
Definition of detection object types
This customizing activity allows you to associate a detection object type with an investigation object type. In addition, you can also associate the SAP HANA selection package and the corresponding selection view.
With a detection object type highlighted (for example, FRA_POHEAD), choose the Selection Fields folder and Figure 15 displays. It shows how to explore subnodes.
Figure 15
Attribute definition for selection view of a detection object type
An investigation object type is the business object that you intend to investigate for fraudulent activities. Investigation object types are defined by the company as part of customizing as it is not a standard definition. Depending on what fraudulent activity you are investigating, the investigation object can be a PO, for example, as in my business example.
The detection object provides the specific information that you want to analyze for evidence of fraudulent activities based on the investigation object—for example, in my business example it is a PO with multiple changes.
Figure 13 shows the details of a typical investigation object.
Figure 14 shows the association of detection objects (Detection Object Type Description) with an investigation object (Investigation Object Type).
Figure 16 shows the corresponding package in SAP HANA that is associated with the detection object.
You can maintain any of these figures by choosing the New Entries button and completing the appropriate fields. Click the Association to Investigation Object Type folder to see Figure 16.
Figure 16
Definition of association view package
Business Content Activation
To use the SAP Fraud Management system, some business content must be activated, while other content is optional depending on the use case. Business content is activated via transaction STC01. You can review the status of the activation run via transaction STC02.
The delivered business content objects include generic SAP HANA content and content for Claims Management, Internal Auditing and Anti-Corruption Compliance, Business Partner Master Data Screening, and SAP hybris Marketing Customer Data Management.
To use the detection and investigation business content of Internal Auditing and Anti-Corruption Compliance, a number of follow-on activities need to be performed, including activation of task lists FRA_SUITE_CORE_SETUP_PART_1 and FRA_SUITE_CORE_SETUP_PART_2 and activation of the extended Computer Aided Test Tool (eCATT) scripts.
The following eCATT scripts create the standard detection methods and detection strategies for internal auditing and compliance with anti-corruption laws and regulations such as the Foreign Corrupt Practices Act of 1977 (FCPA – United States of America) as amended by the International Anti-Bribery Act of 1998, or the Bribery Act 2010 of the United Kingdom.
- FRA_CREATE_DM_IA (Create all detection methods for internal audit)
- FRA_CREATE_DS_IA_ALL_DET_OBJ (Create detection strategy for internal audit)
Follow the procedure below to activate the eCATT scripts. Enter transaction SECATT in the command line. In the screen that displays, enter a value in the test script field as shown in Figure 17.
Figure 17
Initial screen for the eCATT tool
Click the execute icon to display Figure 18.
Figure 18
Start options for the eCATT script activation
Click the execute icon.
Figure 19 displays with the logs of the eCATT activity status.
Figure 19
Confirmation of the activation of the eCATT script
Concept of System Replication
SAP Fraud Management relies on business data in order to be used productively. The system needs to be fed with business data from different source systems such as SAP ERP or SAP Claims Management. The data from the source system can get into the SAP Fraud Management system via different approaches in the event that the SAP Fraud Management system is different from the back-end system.
One approach is to use the SAP Landscape Transformation (LT) Replication Server to get the data into the SAP HANA database. Another approach is to manually upload the data into the SAP HANA database. The system provides a standard task list (FRA_SUITE_CORE_SETUP_PART_1) that helps replicate tables from the source system to the SAP HANA database of the SAP Fraud Management system, especially if you intend to use the delivered business contents.
The task list FRA_SUITE_CORE_SETUP_PART_1 allows you to define, among other things, the details of data provisioning settings for data replication. The details of the activated task list run for FRA_SUITE_CORE_SETUP_PART_1 can be accessed via transaction STC02. In the initial screen that displays, enter FRA_SUITE_CORE_SETUP_PART_1 in the Task list field and choose the Finished Successfully check box in the Task List Run Status as shown in Figure 20.
Figure 20
Initial screen of the task list run monitor
Click the execute icon.
Figure 21 displays with the result of the search criteria.
Figure 21
Output of the task list run that finished successfully
Double-click the entry.
Figure 22 displays with the details of the activities of the run.
Figure 22
Details of the task list FRA_SUITE_CORE_SETUP_PART_1
Click the icon under the Parameter column to review the details of the entries, especially the details of the SAP LT replication server as shown in Figure 23. I show this to emphasize the relevance of the SAP LT system configuration to the collection of data from the back-end system into SAP HANA for SAP Fraud Management. For more information go to https://help.sap.com/hana/sap_hana_installation_guide_trigger_based_replication_slt_en.pdf or https://help.sap.com/hana/SAP_Landscape_Transformation_for_SAP_HANA_Operations_Guide_en.pdf.
Figure 23
Attribute definition for the execution of the task list
You can see the connection information and details of the source system, SAP LT replication server, and SAP HANA database provided as parameters. The authoring schema will always be SAP_FRA_CORE_ERP and that cannot be changed. The value specified in the physical schema field must match the name of the SAP LT replication server configuration.
On the SAP LT replication server, execute transaction code LTRC to review the status and configuration name as shown in Figure 24. The status of the configuration must be green before the configuration of the task list setting is executed.
Figure 24
Status and configuration name of the SAP LT Replication server
Click the hyperlink under the Configuration Name column and navigate to the table overview to review the replicated tables following the execution of the task list FRA_SUITE_CORE_SETUP_PART_1 as shown in Figure 25.
Figure 25
Details of the replicated tables
Understanding the Data Model
The concept of a data model in SAP Fraud Management is central to being able to implement the supported processes in SAP Fraud Management. More importantly, you need to first be able to identify the database tables in the source system applicable to the fraud element you are trying to access.
For example, in my business scenario in which I am interested in investigating POs with changes after creation, you should be able to identify the investigation object and the detection object. In my business scenario the investigation object is the PO and the detection object is the purchase order header. Secondly, you need to know in which tables and fields the relevant information resides.
Again, for my business scenario, the applicable tables are EKKO (Purchase Document Header), CDHDR (Change Document Header), and LFA1 (Vendor Master [General Section]). This information about the data model is important in identifying the tables to replicate and also helps with the scripting of the corresponding SAP HANA procedure.
SAP HANA Procedure
To detect potentially fraudulent data or transactions in the enterprise system, the system uses logic in the form of SAP HANA procedures to evaluate the business rules for fraud detection. Usually, you need to have the following SAP HANA procedures in place:
- Selection procedure: This procedure is used to perform the selection of the necessary data of the detection objects from the database tables
- Execution procedure: This procedure is used to perform the core business logic of the detection method
- Additional information procedure: This procedure is used to determine risk values and texts that give more information about the detection result.
For the purpose of my business example, I am adopting the following standard SAP HANA procedures.
- PR_PURCHASE_ORDER_MULTIPLE_CHANGES_SELE
- PR_PURCHASE_ORDER_MULTIPLE_CHANGES_EXEC
- PR_PURCHASE_ORDER_MULTIPLE_CHANGES_ADDINF
You can access these procedures via SAP HANA studio. Open SAP HANA studio and right-click the Content folder. In the Find Content screen that displays, enter the name of the selection procedure—for example, PR_PURCHASE_ORDER_MULTIPLE_CHANGES_SELE as shown in Figure 26.
Figure 26
PR_PURCHASE_ORDER_MULTIPLE_CHANGES_SELE procedure script view
Click the OK button. The screen in Figure 27 displays with the SQL script of the procedure including the output parameters and input parameters.
Figure 27
Script definition of PR_PURCHASE_ORDER_MULTIPLE_CHANGES_SELE procedure
Figure 28 shows an excerpt of the script, which collects information about POs that have multiple changes.
    BEGIN
        ET_PO = SELECT *
                  FROM :IT_KEY;
    END;
Figure 28
Excerpt of the script
Repeat the steps above for the execution procedure PR_PURCHASE_ORDER_MULTIPLE_CHANGES_EXEC.
Figure 29 displays with the script of the procedure including the output parameters and input parameters.
Figure 29
PR_PURCHASE_ORDER_MULTIPLE_CHANGES_EXEC procedure script view
Figure 30 shows an excerpt of the script. This script does a count of the number of changes within the PO and generates an alert if the number of changes exceeds the run-time parameter maintained in the detection method.
    BEGIN
        /* Count the number of changes within a purchase order.
           Select all purchase orders from input parameter table IT_PO_DETAIL, with an inner join on table CDHDR on the purchase order number.
           Count all changes from CDHDR.OBJECTID having been updated (U), deleted (D), a delete in a single field documentation (E) or an
           insert into a single field documentation (J) from table CDHDR, except 'I' which is marked as an insert. Further consider
           only those purchase orders from CDHDR.OBJECTCLAS with an entry 'EINKBELEG'. */
        LT_NR_OF_CHANGES = SELECT PO,
                                  COUNT (CDHDR.CHANGE_IND) AS "NR_OF_CHANGES"
                             FROM :IT_PO_DETAIL AS PO_DETAIL
                             JOIN CDHDR
                               ON PO_DETAIL.PO = CDHDR.OBJECTID
                            WHERE CDHDR.OBJECTCLAS = 'EINKBELEG'
                              AND CHANGE_IND <> 'I'
                              AND CDHDR.MANDANT = SESSION_CONTEXT('CLIENT')
                            GROUP BY PO_DETAIL.PO;
        /* Create an alert if the number of changes on a purchase order exceeds the runtime parameter, e.g. 10, in the detection method. */
        ET_RESULT = SELECT PO,
                           NR_OF_CHANGES AS "NR_OF_CHANGES",
                           '100' AS "DETECTION_RESULT"
                      FROM :LT_NR_OF_CHANGES AS CHANGE_RESULT
                     WHERE NR_OF_CHANGES > (SELECT TOP 1 THRESHOLD_CHANGES
                                              FROM :PARAMETERS);
    END;
Figure 30
Excerpt of the script
Repeat the same step for the additional information procedure PR_PURCHASE_ORDER_MULTIPLE_CHANGES_ADDINF as shown in Figure 31 with the script of the procedure including the output parameters and input parameters.
Figure 31
PR_PURCHASE_ORDER_MULTIPLE_CHANGES_ADDINF procedure script view
Figure 32 shows an excerpt of the script. This script is used to auto-populate the PO number and the number of times the PO was changed in the alert.
    BEGIN
        /* Purchase order &1 was changed &2 times within the purchasing process. */
        ET_TEXT = SELECT "PO",
                         '' AS "TEXT",
                         'FRA_INTERNAL_AUDIT' AS "MSGID",
                         '082' AS "MSGNO",
                         "PO" AS "MSGV1",
                         "NR_OF_CHANGES" AS "MSGV2",
                         '' AS "MSGV3",
                         '' AS "MSGV4",
                         'PO' AS "MSGV1_FC",
                         'NR_OF_CHANGES' AS "MSGV2_FC",
                         '' AS "MSGV3_FC",
                         '' AS "MSGV4_FC"
                    FROM :IT_RESULT;
    END;
Figure 32
Excerpt of the script
Note
This article does not cover how to create SAP HANA procedures for SAP Fraud Management use cases.
Maintenance of Detection Methods
Execute transaction FRA_UI to access the application.
Figure 33 displays.
Figure 33
Initial screen of the SAP Fraud Management application
Click the Enroll Detection Method tile and Figure 34 displays.
Figure 34
Detection methods master data
Click Detection Method in the search criteria and enter a value. The detection method of interest in my example is FRA_IA_PUR_ORD_H_MCG. Click the Search button and Figure 35 displays with the filtered result.
Figure 35
Result of filtered detection method
Click the link under the Description column.
Figure 36 displays the details of the detection method including the associated SAP HANA procedures. It also shows the assignment of the fields (THRESHOLD_CHANGES) of the source domain.
Figure 36
Details of the detection method- General tab
Click the Where-Used List tab to display the corresponding detection strategy where the detection method was used, as shown in Figure 37.
Figure 37
Detection strategy association with the detection method
Maintenance of Detection Strategy
The detection strategy can be accessed via the application home page by choosing the Detection Strategy tile or by clicking the link under the Detection Strategy column in Figure 37.
Figure 38 displays.
Figure 38
Detection strategies master data
Click Detection Strategy in the search criteria and enter a value. The detection strategy that is of interest to my example is FRA_IA_POHEAD_VER_6. Click the Search button and Figure 39 displays with the filtered result.
Figure 39
Filtered result for the detection strategy
Click the value under the description column and Figure 40 displays.
Figure 40
Details of the detection strategy - General tab
The General tab of the detection strategy master data details shows the definition of important attributes of the decision strategy such as the detection object type and the investigation reason. More importantly, the detection strategy must be Active as shown in the Version Status field in order to be able to run a mass detection session against it.
Click the Detection Methods tab.
Figure 41 displays with the details of the assigned detection method. With the detection method highlighted, the Parameters: section displays. In my business scenario, the parameter Tolerance limit of allowed changes is set to 1. This definition sets the condition that is evaluated when the alert is generated. In my case, any PO header data that is changed more than once generates a corresponding alert.
Figure 41
Details of detection strategies and detection methods showing the Parameters setting
Calibration and Simulation of Detection Strategy
Calibration allows you to simulate the alerts for a detection run that will be generated based on a set of defined criteria. This allows you to make an informed decision as to the volume of alerts to be generated, while also reducing false positives. This functionality allows you to perform what-if analysis in real time, which gives an impression of the future workload of alerts to review. To navigate to the calibration screen, click the Calibration button and Figure 42 displays.
Figure 42
Initial calibration screen
Click the setting icon.
Figure 43 displays with the Calibration Settings dialog box.
Figure 43
Calibration settings dialog box
Change the value for the Start Date field as desired, for example, 08.07.2000 as shown in my example in Figure 44.
Figure 44
Definition of calibration settings for a detection run
Click the Apply button and then click the Start Simulation button.
Figure 45 displays with the simulation result (Simulation1). It shows that with the calibration setting defined, 83 alerts will be generated.
Figure 45
Simulation result for the calibration setting
Click the Calibration Settings button in Figure 43 again and Figure 46 displays.
Figure 46
Definition of calibration settings
Change the End Date field as desired, for example, 08.07.2005 as shown in Figure 47.
Figure 47
Definition of value for the calibration setting.
Click the Apply button and then the Start Simulation button.
Figure 48 displays with the simulation result (Simulation:2). You can see that with the revised calibration setting, 44 alert items will be generated.
Figure 48
Result of the calibration for the second simulation
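The counting rule of PR_PURCHASE_ORDER_MULTIPLE_CHANGES_EXEC and the what-if effect of the calibration dates can be reproduced offline. The following is an added example, not SAP-delivered code: it applies the same filters and threshold in SQLite to constructed rows. The CREATED_ON column, the function names, and all sample values are assumptions made for illustration.

```python
import sqlite3

# Constructed sample data, not taken from the article's system.
# CREATED_ON is an assumed stand-in for the date that the calibration
# Start Date / End Date fields filter on.
PO_DETAIL_ROWS = [
    ("4500000001", "2001-02-10"),
    ("4500000002", "2003-06-15"),
    ("4500000003", "2007-01-20"),
    ("4500000004", "2004-11-05"),
    ("4500000005", "2002-04-01"),
]

# (MANDANT, OBJECTCLAS, OBJECTID, CHANGE_IND), column names as in the excerpt.
CDHDR_ROWS = [
    ("100", "EINKBELEG", "4500000001", "I"),
    ("100", "EINKBELEG", "4500000001", "U"),
    ("100", "EINKBELEG", "4500000001", "U"),
    ("100", "EINKBELEG", "4500000002", "I"),
    ("100", "EINKBELEG", "4500000002", "U"),
    ("100", "MATERIAL", "4500000002", "U"),   # other change-document class
    ("100", "EINKBELEG", "4500000003", "I"),
    ("100", "EINKBELEG", "4500000003", "U"),
    ("100", "EINKBELEG", "4500000003", "D"),
    ("100", "EINKBELEG", "4500000003", "E"),
    ("100", "EINKBELEG", "4500000004", "I"),
    ("100", "EINKBELEG", "4500000004", "U"),
    ("100", "EINKBELEG", "4500000004", "U"),
    ("200", "EINKBELEG", "4500000004", "U"),  # same PO number, other client
    ("200", "EINKBELEG", "4500000004", "U"),
    ("200", "EINKBELEG", "4500000004", "U"),
    ("100", "EINKBELEG", "4500000005", "I"),  # created, never changed
]

# Same filters as the excerpt: class EINKBELEG only, inserts ('I') ignored,
# one client only, alert when the change count exceeds the threshold.
# The CREATED_ON window is the assumed calibration filter.
DETECT_SQL = """
SELECT d.PO, COUNT(c.CHANGE_IND) AS NR_OF_CHANGES
  FROM PO_DETAIL AS d
  JOIN CDHDR AS c ON d.PO = c.OBJECTID
 WHERE c.OBJECTCLAS = 'EINKBELEG'
   AND c.CHANGE_IND <> 'I'
   AND c.MANDANT = :client
   AND d.CREATED_ON BETWEEN :date_from AND :date_to
 GROUP BY d.PO
HAVING COUNT(c.CHANGE_IND) > :threshold
 ORDER BY d.PO
"""

# Message text shown as a comment in the additional information procedure.
ALERT_TEXT = "Purchase order &1 was changed &2 times within the purchasing process."


def build_db():
    """Create an in-memory database holding the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE PO_DETAIL (PO TEXT PRIMARY KEY, CREATED_ON TEXT)")
    con.execute(
        "CREATE TABLE CDHDR (MANDANT TEXT, OBJECTCLAS TEXT, "
        "OBJECTID TEXT, CHANGE_IND TEXT)"
    )
    con.executemany("INSERT INTO PO_DETAIL VALUES (?, ?)", PO_DETAIL_ROWS)
    con.executemany("INSERT INTO CDHDR VALUES (?, ?, ?, ?)", CDHDR_ROWS)
    return con


def simulate(con, threshold, date_from, date_to="9999-12-31", client="100"):
    """Return [(PO, NR_OF_CHANGES)] for POs that would raise an alert."""
    params = {
        "client": client,
        "threshold": threshold,
        "date_from": date_from,
        "date_to": date_to,
    }
    return con.execute(DETECT_SQL, params).fetchall()


def alert_text(po, nr_of_changes):
    """Fill the &1 and &2 placeholders the way MSGV1 and MSGV2 are used."""
    return ALERT_TEXT.replace("&1", po).replace("&2", str(nr_of_changes))


if __name__ == "__main__":
    con = build_db()
    runs = (("Simulation 1", "9999-12-31"), ("Simulation 2", "2005-07-08"))
    for label, date_to in runs:
        alerts = simulate(con, 1, "2000-07-08", date_to)
        print(label, "->", len(alerts), "alerts")
        for po, changes in alerts:
            print("   ", alert_text(po, changes))
```

Narrowing the date window or raising the threshold reduces the alert count before any alert is created, which is the same trade-off the calibration screen exposes.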
Execution of a Mass Detection Run
Now that you are satisfied you can manage the number of alerts generated, you can progress to execute the mass detection run. Navigate to the Detection Strategy Details page shown in Figure 49. To go there click the value under the Description column in Figure 39.
Figure 49
Details of detection strategy
Click the Mass Detection button.
Figure 50 displays with a dialog box to define the properties of the detection run.
Figure 50
Initial screen for the execution of mass detection
Keep the default values for the fields but maintain the Date From: field to match the definition used for the calibration as shown in Figure 51.
Figure 51
Definition of execution criteria for the mass detection run
Click the Execute button and Figure 52 displays with a status message confirming the release of the background job.
Figure 52
Confirmation for the release of the mass detection run job
With the mass detection run job successfully released, you can monitor the status via the application logs, which you can access via transaction SLG1. In the screen that displays, enter FRA_MASS in the Object field as shown in Figure 53.
Figure 53
Initial screen for the analysis of the application log
Click the execute icon.
Figure 54 displays with the logs related to the mass detection run showing the details of the number of generated alerts. Forty-four alerts are generated, which is the same number reported in the second calibration run whose setting I adopted for the mass detection run.
Figure 54
Mass detection run application log showing the number of generated alerts
Expand the second log generated at the same time (20:32:53) and Figure 55 displays. It shows the details of the actual objects (POs in my example) responsible for the generated alerts.
Figure 55
Mass detection run application log showing objects of the generated alerts
Expand the third log generated at the same time (20:32:53) to display Figure 56, which confirms the successful generation of alert items.
Figure 56
Confirmation of the successful generation of alert items
Alert Assignment to Investigator
To process an alert, you need to assign the alert to an investigator. Log on to the SAP Fraud Management application and assign the alerts to someone to investigate them further. The initial screen shown in Figure 57 displays.
Figure 57
Initial screen for showing all alerts
Click the New alert link in the All Alerts tile. In the screen that displays, click the Inv. Object Type column to filter the relevant alerts. In my example, it is a PO, so I enter *PURCHASE* as shown in Figure 58.
Figure 58
Definition of filtering criteria based on the investigation object
Press Enter. Figure 59 displays with the result of the filtering criteria.
Figure 59
Purchase order investigation object type related alerts
Highlight the alert items to assign for processing as shown in Figure 60.
Figure 60
Highlighted alerts for assignment to investigator
Click the Assign button and Figure 61 displays with the possible menu options.
Figure 61
Initiation of assignment of alert
You can choose to assign the alerts to yourself or to others, or you can reset the assignment. For the purpose of the article, I choose Assign to Other and Figure 62 displays.
Figure 62
List of investigators for alert assignment
Click a user to assign the alert. For the purpose of my business example, I choose PO_FRA_MGR as shown in Figure 63.
Figure 63
Highlighted investigator for alert assignment
Click the Save button.
Investigation and Alert Processing
Log on as the investigator (for example, PO_FRA_MGR) as shown in Figure 64.
Figure 64
Logon screen to SAP Fraud Management application
Click the Log On button and Figure 65 displays.
Figure 65
Initial screen on first logon to the SAP Fraud Management
Click the + sign to add tiles to the initial screen. The first time you log on, the screen is blank and you need to add tiles. Figure 66 displays.
Figure 66
Add tile dialog box
Click a tile, for example My Alerts, as shown in Figure 67.
Figure 67
Selection of a tile in the initial screen
Click the OK button. The My Alerts tile displays with the assigned alerts as shown in Figure 68.
Figure 68
My Alerts tile showing new, open, transferred, and closed alerts
Click the Open sub-tile. Figure 69 displays with all open alerts.
Figure 69
Open alerts in my Alert tile for processing
Click the alert you want to treat by choosing the hyperlink under the Alert column, for example, 725. Figure 70 displays in a read-only format. The screen shows the Detection facet containing important information such as the Detection Strategy and Detection Method. (Note that facet is what a tab is called in SAP Fraud Management.)
The Evaluation column under Detection methods provides alert messages about the detection method evaluated. In my business case, you can see that the PO header was changed twice, which is above the threshold set in the decision method evaluated. Also, the Detection Method Parameters column defines the threshold evaluated in the decision method.
Figure 70
Detection facet of an alert
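The threshold evaluation described for the Detection facet, sketched as an added example (not SAP's detection method code and not part of the original article): it counts PO header changes on or after the Date From value and raises an alert when the count exceeds the threshold. The record layout, PO numbers, users, and dates are constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed change-log rows (not real data): one row per changed field.
# Fields: (po_number, change_doc_no, level, changed_on, changed_by)
CHANGE_LOG = [
    ("4500000101", "C001", "HEADER", date(2016, 3, 2), "BUYER_A"),
    ("4500000101", "C001", "HEADER", date(2016, 3, 2), "BUYER_A"),  # same save, 2nd field
    ("4500000101", "C002", "HEADER", date(2016, 3, 9), "BUYER_B"),
    ("4500000102", "C003", "HEADER", date(2016, 3, 4), "BUYER_A"),
    ("4500000102", "C004", "ITEM", date(2016, 3, 5), "BUYER_A"),  # item change, ignored
    ("4500000103", "C005", "HEADER", date(2015, 12, 1), "BUYER_C"),  # before Date From
    ("4500000103", "C006", "HEADER", date(2016, 3, 7), "BUYER_C"),
    ("4500000103", "C007", "HEADER", date(2016, 3, 8), "BUYER_C"),
    ("4500000103", "C008", "HEADER", date(2016, 3, 8), "BUYER_D"),
]

def detect_header_changes(rows, date_from, threshold):
    """Return alerts for POs whose header was changed more than `threshold`
    times on or after `date_from`. A change document that touches several
    fields counts once, so rows are de-duplicated by change_doc_no."""
    docs = defaultdict(set)   # po_number -> distinct change documents
    users = defaultdict(set)  # po_number -> users who made those changes
    for po, doc_no, level, changed_on, user in rows:
        if level != "HEADER" or changed_on < date_from:
            continue
        docs[po].add(doc_no)
        users[po].add(user)
    alerts = []
    for po in sorted(docs):
        count = len(docs[po])
        if count > threshold:
            alerts.append({
                "object": po,
                "changes": count,
                "users": sorted(users[po]),
                "evaluation": f"PO header changed {count} times (threshold {threshold})",
            })
    return alerts

def calibrate(rows, date_from, thresholds):
    """Alert count per candidate threshold, as a calibration run would compare."""
    return {t: len(detect_header_changes(rows, date_from, t)) for t in thresholds}

if __name__ == "__main__":
    for alert in detect_header_changes(CHANGE_LOG, date(2016, 1, 1), threshold=1):
        print(alert)
    print(calibrate(CHANGE_LOG, date(2016, 1, 1), [0, 1, 2]))
```

Counting distinct change documents rather than changed fields keeps a single save that edits several header fields from inflating the count and producing a false positive.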
To initiate the processing of the alert, click the Set in Process button. Figure 71 displays in edit mode with the capability to maintain the alert information such as Fraud Division and category.
Figure 71
Alert in edit mode – set to processing
Click the Documentation facet and Figure 72 displays.
Figure 72
Documentation facet of an alert item
The screen allows you to attach documents, create notes, or create a task.
Click the Decision facet. Figure 73 displays the screen to document the investigation findings and to make an investigation decision while providing a reason.
Figure 73
Decision facet of an alert item
For the purpose of this article, I enter values in the mandatory fields – Summary, Findings, and Reasons – as shown in Figure 74.
Figure 74
Documentation of investigation decision and reason
Click the Save button. Figure 75 displays.
Figure 75
Confirmation for the closure of the alert
Observe that the Lifecycle Status has changed to Completed and the status message Alert items have been closed is displayed.
Kehinde Eseyin
Kehinde Eseyin is a security architect. He holds a bachelor’s degree in computer science. He has about 12 years of IT security, governance framework, IS risk, and compliance experience gained by working in numerous global organizations. Over the years, he has demonstrated competencies in security design, information assurance, cyber security, data privacy, threat and vulnerability management, penetration testing, business architecture, project management, IT audit, IS controls framework, and identity and access management.
You may contact the author at eseyinok@gmail.com.