In today’s blog post, we will analyze which types of documents posted during the weekend must be inspected closely. For this purpose, we will use the SQL statements from the previous part of this series.
Part III of the series: “FI documents posted during weekend”
1. What postings during weekend have to do with the fraud triangle
2. How to identify postings during weekend
3. Postings during weekend you should definitely not ignore
4. Quick Guide: Reducing the identified amount of postings
How do you analyze postings during the weekend?
With the help of the SQL statements from the previous post, we can identify which users posted documents during the weekend in the SAP system. As already mentioned, these postings are not necessarily critical, which is why we will now focus on the questionable document types and the corresponding users.
However, before starting with the analytics, we need to obtain the relevant data according to the instructions in part II of this series. You will also find the download link to the instructions at the end of this blog post.
On a practice data set, the evaluation of the first SQL statements yields the following results:
But what types of document are critical?
This question can’t be answered offhand, as it depends on your company. However, we can use the results of the first statement to narrow the audit. This raises the question of which users should be examined first. The attentive reader will have noticed the parallels to the user types (USTYP) that we explained in the fourth part of the analytics of super users. The user types A and S are the so-called dialog users, and they should be in our spotlight. After identifying all users who posted documents during the weekend (on a Saturday or Sunday) in the SAP system, we need to take a look at the document types they used. In our analytics, these would be:
|BLART|Document type|
|---|---|
|RV|Accounting document for billing|
|DG|Customer credit memo|
From experience, we know that the logistics department of many companies works during weekends. Therefore, goods issue / delivery and goods issue are not of much interest. The accounting document for billing is also posted automatically in most companies, so we can assume that it is not a critical activity either. By the time I saw customer credit memos and vendor invoices, however, I would be taken aback, even without specific knowledge about the company. You should examine these closely and challenge them. Then, you should use your “Professional Judgment”, taking the specifics of the company into account, and investigate the critical document types.
Since USER_38 only posted one vendor invoice in the SAP system, we will investigate the 40 customer credit memo documents of USER_23 first. For this purpose, we pick the third SQL statement stated in the instructions. Because of a suspicion I already have, I include the document type “customer credit memo” directly in the SQL statement by adding: AND BLART='DG'. The results looked like this:
The screenshot only shows an excerpt of the complete list of results. You can take this list and approach the operating department to ask for the concrete reason for these postings. In the fourth part of this series, I will show you how to further narrow this list and analyze it even more precisely.
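The narrowing steps described above (weekend postings, the user types A and S, document types not yet cleared as uncritical) can be combined into one ranked query. The following is an added example, not one of the statements from the series instructions: it uses SQLite instead of H2, so strftime('%w') stands in for DAYNAME, and the sample rows, the helper names, the "cleared" list and the choice to keep users missing from USR02 are assumptions. KR is the SAP standard document type for vendor invoices.

```python
import sqlite3

# Constructed sample rows, not the article's data set. CPUDT is an ISO date here.
USR02 = [("100", "USER_23", "A"), ("100", "USER_38", "A"),
         ("100", "USER_07", "S"), ("100", "BATCH_01", "B")]
BKPF = [  # MANDT, BUKRS, GJAHR, BELNR, USNAM, BLART, CPUDT
    ("100", "1000", "2023", "0000000001", "USER_23", "DG", "2023-03-04"),   # Sat
    ("100", "1000", "2023", "0000000002", "USER_23", "DG", "2023-03-05"),   # Sun
    ("100", "1000", "2023", "0000000003", "USER_23", "DG", "2023-03-06"),   # Mon
    ("100", "1000", "2023", "0000000004", "USER_38", "KR", "2023-03-05"),   # vendor invoice
    ("100", "1000", "2023", "0000000005", "USER_07", "RV", "2023-03-04"),   # billing
    ("100", "1000", "2023", "0000000006", "BATCH_01", "DG", "2023-03-05"),  # non-dialog user
    ("100", "1000", "2023", "0000000007", "USER_99", "DG", "2023-03-11"),   # no USR02 row
]

def load_sample():
    """Build an in-memory database holding the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USR02 (MANDT TEXT, BNAME TEXT, USTYP TEXT)")
    conn.execute("CREATE TABLE BKPF (MANDT TEXT, BUKRS TEXT, GJAHR TEXT, "
                 "BELNR TEXT, USNAM TEXT, BLART TEXT, CPUDT TEXT)")
    conn.executemany("INSERT INTO USR02 VALUES (?,?,?)", USR02)
    conn.executemany("INSERT INTO BKPF VALUES (?,?,?,?,?,?,?)", BKPF)
    return conn

def weekend_triage(conn, cleared=("RV",), user_types=("A", "S")):
    """Weekend postings per user and document type, most frequent first.

    cleared: document types already judged uncritical for this company.
    Users missing from USR02 (USTYP is NULL after the LEFT JOIN) stay in the
    result so that postings by deleted accounts are not silently dropped.
    """
    marks = lambda seq: ",".join("?" * len(seq))
    sql = f"""
        SELECT b.USNAM, u.USTYP, b.BLART, COUNT(*) AS DOCS
        FROM BKPF b
        LEFT JOIN USR02 u ON u.MANDT = b.MANDT AND u.BNAME = b.USNAM
        WHERE strftime('%w', b.CPUDT) IN ('0', '6')  -- 0 = Sunday, 6 = Saturday
          AND (u.USTYP IN ({marks(user_types)}) OR u.USTYP IS NULL)
          AND b.BLART NOT IN ({marks(cleared)})
        GROUP BY b.USNAM, u.USTYP, b.BLART
        ORDER BY DOCS DESC, b.USNAM"""
    return conn.execute(sql, (*user_types, *cleared)).fetchall()

if __name__ == "__main__":
    for row in weekend_triage(load_sample()):
        print(row)
```

Each document type you clear after talking to the operating department goes into the cleared tuple, so the remaining list shrinks to what still needs an explanation.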
Small tip: If you would like to export the list immediately, there are different possibilities depending on the database. We are using an H2 database, where the export can be invoked simply through the function call CSVWRITE:
CALL CSVWRITE('C:/zapliance/USER_23_export.txt', 'SELECT BKPF.MANDT, BUKRS, GJAHR, BELNR, USNAM, USTYP, BLART, BLDAT FROM BKPF LEFT JOIN USR02 ON (USR02.MANDT=BKPF.MANDT AND USR02.BNAME=BKPF.USNAM) WHERE (DAYNAME(CPUDT)=''Sunday'' OR DAYNAME(CPUDT)=''Saturday'') AND BLART=''DG''')
Afterwards, simply open the created “USER_23_export.txt” file with Excel and split the data into columns. Done!
Have you already analyzed documents posted during the weekend? If so, which tool did you use, or rather, which procedure did you choose? Please let us know in the comments section.
Did you miss the last part of the series about the SQL statements? You can download the instructions including all the relevant statements here: