SAP Business Integrity Screening

User Guide | PUBLIC2019-08-19

SAP Business Integrity Screening

© 2

020

SAP

SE o

r an

SAP affi

liate

com

pany

. All r

ight

s re

serv

ed.

THE BEST RUN

Content

1 SAP Business Integrity Screening. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

2 What's New in SAP Business Integrity Screening 1.3 SP02. . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

3 Setting Up SAP Business Integrity Screening. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123.1 Back-End Transactions for SAP Business Integrity Screening. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123.2 Language Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193.3 Browser Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .193.4 SAP Jam Integration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

4 Home. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214.1 Available Tiles in SAP Business Integrity Screening. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

5 Detection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295.1 How is Fraud Determined?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .305.2 Detection Methods. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Managing Detection Methods. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32Scripted Detection Methods (ABAP-Managed). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33Scripted Detection Methods (SAP HANA Repository). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40Business Rule Methods. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47Address Screening Methods. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56Predictive Detection Methods. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

5.3 Detection Strategy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64About Detection Strategies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65Creating Detection Strategies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76Editing a Detection Strategy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80Deactivating a Detection Strategy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80Monitoring SAP HANA Objects Generated for Detection Strategies. . . . . . . . . . . . . . . . . . . . . . . 81Calibration of Detection Strategies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

5.4 Mass Detection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99Prerequisites for Working with Mass Detection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100Executing Mass Detection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101Handling Errors in Mass Detection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104Simulating Mass Detection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105Analyze Mass Detection Log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105Deleting Simulation Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106Testing and Debugging Detection Strategies in Simulated Mass Detection Runs. . . . . . . . . . . . . 107

5.5 Online Detection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

2 PUBLICSAP Business Integrity Screening

Content

Online Detection Based on Generic Input Tables. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1085.6 Address Screening. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

Address Screening Lists. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113Excluded Terms and Term Mappings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113Managing Excluded Terms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115Managing Term Mappings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116List Type Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117Loading Address Screening Lists. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119Managing Address Screening Lists. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .120Address Views. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125Intelligent Screening. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127Detection Method Parameters for Address Screening. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128Using the Audit Trail. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

5.7 Delta Address Screening. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133Displaying Detection Runs and Their Details. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133Starting a Delta Address Screening Run. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135Weak Alias Protection in Delta Address Screening. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

5.8 Country and Term Lists. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139Managing High-Risk Country Lists. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140Managing Suspicious Term Lists. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

6 Investigation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1446.1 Investigation Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1456.2 Alerts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145

Alert Lifecycle. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146Using Manage Alerts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .148Processing Address Screening Hits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .174Managing Unassigned Alerts (Will Be Deprecated). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .178

6.3 Worklists. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180Prerequisites for Working with Worklists. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181Creating Worklists. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185Displaying My Worklists. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186Starting Ad Hoc Requests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187Worklist Administration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188

6.4 Approval Requests for Alert Item Findings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192Prerequisites for Working with Approval Requests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193Managing User Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195Approval Request Process in Detail. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195My Approvals. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202Handling Errors in the Approval Request Process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203

7 Reporting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

SAP Business Integrity ScreeningContent PUBLIC 3

7.1 Executive Dashboard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2057.2 Key Performance Indicator Apps for Alerts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2087.3 Alert Reporting and Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208

8 Integration Scenarios for SAP Business Integrity Screening. . . . . . . . . . . . . . . . . . . . . . . . . .2108.1 Alert Status Notification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2118.2 Online Detection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2128.3 Integration with SAP Process Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2138.4 Integration with an External Case Management System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214

9 Data Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2169.1 Removing User Names. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2169.2 Garbage Collector. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2179.3 Data Archiving in SAP Business Integrity Screening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218

Archiving Alerts with FRA_ALERT. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219Archiving Audit Trails with FRA_AUDTR. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220Archiving Address Screening List Entities with FRA_SCRL_E. . . . . . . . . . . . . . . . . . . . . . . . . . .221Archiving Entity Relations with FRA_SCRL_R. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222Archiving Worklists with FRA_WLIST. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223

9.4 Displaying the Data Protection Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224


Content

1 SAP Business Integrity Screening

SAP Business Integrity Screening is a solution for detecting, investigating, and analyzing irregularities in data, as well as for preventing fraud in ultra-high volume environments.

Powered by SAP HANA and SAP Leonardo, this solution can be used in any industry, including Public Sector, Banking, Health-Care, Utilities, and High-Tech.

This solution offers the following features and benefits to help ensure your business integrity:

● Create detection strategies that sift through ultra-high volumes of data for clues of fraud and irregularities.● Screen master data and business transactions against screening lists.● Investigate the detected irregularities using efficient alert management.● Continuously improve detection accuracy by minimizing false positives with real-time calibration and

simulation capabilities● Identify common patterns with deterministic rules and predictive algorithms.● Leverage machine learning to quickly react to permanently changing patterns.

SAP Business Integrity ScreeningSAP Business Integrity Screening PUBLIC 5

This documentation includes the following sections:

● #unique_1/unique_1_Connect_42_subsection-im1 [page 6]● #unique_1/unique_1_Connect_42_subsection-im2 [page 7]● #unique_1/unique_1_Connect_42_subsection-im3 [page 7]● #unique_1/unique_1_Connect_42_subsection-im4 [page 7]● #unique_1/unique_1_Connect_42_subsection-im5 [page 7]● #unique_1/unique_1_Connect_42_subsection-im6 [page 7]● #unique_1/unique_1_Connect_42_subsection-im7 [page 7]● #unique_1/unique_1_Connect_42_subsection-im8 [page 7]● #unique_1/unique_1_Connect_42_subsection-im9 [page 7]

Hover over each element for a description. Click the element for more information.

Setting Up

In this section, you will find information about back-end transactions and enterprise services.

See Setting Up SAP Business Integrity Screening [page 12]



Home

Home is the starting point of the application. It gives you an overview about the current workload and supports you in finding your next task, continuing recent tasks, and collaborating with other users.

See Home [page 21]

Detection

Detection means trying to identify the suspicious data as quick as possible in order to avoid any loss or damage. In this section, you will find detailed information about detection strategies, calibration, mass detection, online detection, and well as the rules based on predictive models (algorithms).

Suspicious terms lists, address screening lists, and high-risk country lists can be used in detection methods.

See Detection [page 29]

Investigation

In this section, you will find detailed information about working with alerts and worklists.

See Investigation [page 144]

Reporting

The Executive Dashboard provides a map that displays all currently open alerts. It also provides a set of KPIs of the alert processing and a set of charts with statistics on the alert processing.

External tools, such as SAP Lumira or Microsoft Excel, can also be used for monitoring and reporting.

See Reporting [page 205]

Integration

SAP offers end-to-end scenarios that integrate SAP Business Integrity Screening with other SAP products, such as with SAP Process Control.

See Integration Scenarios for SAP Business Integrity Screening [page 210]

Business Content

SAP delivers predefined business content that can be used as a starting point for an implementation project or as a prototype.

See Business Content for SAP Business Integrity Screening

Extensibility Guide

This document explains how to modify content and how to bring a new business data model into the application.

See SAP Business Integrity Screening Extensibility Guide

Data Protection

Data protection supports you in handling personal data as well as archiving and deleting data.

See Data Protection [page 216]


https://help.sap.com/viewer/fb4b24fa467c4339ae45ab035e625787/1.3.0.2/en-US/d9f545516b8c156de10000000a445394.html

https://help.sap.com/viewer/2cba2a3475d24114b91c4c268d4c84b6/1.3.0.2/en-US/b15189af4acd423ab833d4e3d9b4d854.html

Overview of Application Help

This documentation includes the following topics:

Setting Up SAP Business Integrity ScreeningIn this section, you will find information about back end transactions and enterprise services.

See Setting Up SAP Business Integrity Screening [page 12]

HomeHome is the starting point of the application. It gives you an overview about the current workload and supports you in finding your next task, continuing recent tasks, and collaborating with other users.

See Home [page 21]

DetectionDetection means trying to identify the suspicious data as quick as possible in order to avoid any loss or damage. In this section, you will find detailed information about detection strategies, calibration, mass detection, online detection, and well as the rules based on predictive models (algorithms).

Suspicious terms lists, address screening lists, and high-risk country lists can be used in detection methods.

See Detection [page 29]

InvestigationIn this section, you will find detailed information about working with alerts and worklists.

See Investigation [page 144]

ReportingThe Executive Dashboard provides a map that displays all currently open alerts. It also provides a set of KPIs of the alert processing and a set of charts with statistics on the alert processing.

External tools, such as SAP Lumira or Microsoft Excel, can also be used for monitoring and reporting.

See Reporting [page 205]

Integration ScenariosSAP offers end-to-end scenarios that integrate SAP Business Integrity Screening with other SAP products, such as with SAP Process Control.

See Integration Scenarios for SAP Business Integrity Screening [page 210]

Business ContentSAP delivers predefined content that can be used as a starting point for an implementation project or as a prototype.

See Business Content for SAP Business Integrity Screening

Extensibility GuideThis document explains how to modify content and how to bring a new business data model into the application.



https://help.sap.com/viewer/fb4b24fa467c4339ae45ab035e625787/1.3.0.2/en-US/d9f545516b8c156de10000000a445394.html

See SAP Business Integrity Screening Extensibility Guide

Data ProtectionData protection supports you in handling personal data as well as archiving and deleting data.

See Data Protection [page 216]

Terminology

For more information about the terminology used, see http://sapterm.com/ .

Related Information

SAP Assurance and Compliance SoftwareWhat's New in SAP Assurance and Compliance Software 1.3SAP Audit ManagementSAP Business Partner ScreeningSAP Tax Compliance


https://help.sap.com/viewer/2cba2a3475d24114b91c4c268d4c84b6/1.3.0.2/en-US/b15189af4acd423ab833d4e3d9b4d854.html

http://help.sap.com/disclaimer?site=http%3A%2F%2Fsapterm.com%2F

https://help.sap.com/viewer/226618edba28417ba64452d92299a02c/1.3.0.2/en-US/8aec8852c7a69f11e10000000a441470.html

https://help.sap.com/viewer/4ee73c15c40542e48f6996ef27811349/1.3.0.2/en-US/8c19b9a52a9a4bfd8a7edcddd3f5db4d.html

https://help.sap.com/viewer/391a5401019b426f92dd87449de19da6/1.3.0.2/en-US/dc9a15520b48ba64e10000000a423f68.html

https://help.sap.com/viewer/efac5fefafc346cb84468900c7941edc/1.3.0.2/en-US/65184a55620b6e31e10000000a441470.html

https://help.sap.com/viewer/b47b77d1b92f4a0da6edcc0d05bdd41e/1.3.0.2/en-US/79cfaa48c12848029f12099f7df4d7cf.html

2 What's New in SAP Business Integrity Screening 1.3 SP02

Release 1.3 SP02 introduces the following new and changed features described below:

● Investigation Overview (New)With the Investigation Overview app you can see an overview of the outstanding activities in your investigation process, and navigate to the other apps quickly.See Investigation Overview [page 145]

● Manage Alerts (Changed)In the Detection section of the Manage Alerts app you can now set a filter to display a column for Status in your table of alert items. Furthermore, you can now use checkboxes to select one or more alert items and click on the new Decide button, which takes you to the Decision section where you can then complete them.See Displaying the Detection Section [page 158]As well, the filter bar has many new filters with which you can use to restrict the amount of alerts shown in the table. For example, you can set filters to show only those alerts that are open, or unassigned, or due during a specific period.See Alert Attributes [page 148]

● Address Screening (Changed)The logic of the address view has been changed. The address view and the database object must have a 1:1 ratio. That is, the columns NAME and ADDRESS must each have a single column in the database. You can no longer concatenate the columns NAME and ADDRESS.See Address Views [page 125].

The following tiles will be deprecated:

● The Tasks tile will be replaced by the Manage Alerts app.● The Unassigned Alerts tile will be replaced by the Manage Alerts and Process Address Screening Hits apps.

The detection method Address Screening for Politically Exposed Persons (PEP List) has been deprecated and removed from the solution. For more information, see SAP note 2779455 .

Technical Details

Product Version SAP Assurance and Compliance Software 1.3 SP02

Application Component GRC-BIS (SAP Business Integrity Screening)

Country Dependency Available in all countries/regions

Available as of August 2019


What's New in SAP Business Integrity Screening 1.3 SP02

http://help.sap.com/disclaimer?site=https://launchpad.support.sap.com/#/notes/2779455

Effects on Customizing

The following activity has been changed:

● Maintain Worklist Data Model (Changed)This activity (contained in BC Set ID FRA_BASIC_CONTENT) includes the new worklist type, FRAAUD, which refers to the source domain BPCM and is based on the CDS entity FRA_CV_AUDITTRAIL. This worklist type is needed for audit trail of address screening.

Effects on System Administration

If there are any issues with inactive generated objects while upgrading, you can now delete these generated objects in the Generation Monitor for Worklist Types for Compliance Checks (FRA_WLT_MONITOR_CC).

To do so, choose List Upgrade Mode Delete Objects .

Related Information

What's New in SAP Assurance and Compliance Software 1.3 SP02What's New in SAP Assurance and Compliance SoftwareSAP Business Integrity Screening [page 5]

SAP Business Integrity ScreeningWhat's New in SAP Business Integrity Screening 1.3 SP02 PUBLIC 11

https://help.sap.com/viewer/4ee73c15c40542e48f6996ef27811349/1.3.0.2/en-US/22193b0770b94d6d973e1bfffd0f3f39.html

https://help.sap.com/viewer/4ee73c15c40542e48f6996ef27811349/1.3.0.2/en-US/45996251a3668c23e10000000a441470.html

3 Setting Up SAP Business Integrity Screening

In the following sections you will find information about authorizations, transactions, and enterprise services.

Additional Information

SAP Business Integrity Screening can optionally use SAP LT Replication Server for SAP HANA (DMIS 2010 SP07) for data replication.

For more technical information, see the Installation and Configuration Guide, Upgrade Guide, Security Guide, Operations Guide, and the Extensibility Guide on the SAP Help Portal at http://help.sap.com/bis.

3.1 Back-End Transactions for SAP Business Integrity Screening

The transactions shown in the following table are available in the menu.

For detailed information about these transactions, see the application help and the field help.

Starting the Home Screen

Menu path: SAP Menu Business Integrity Screening Start SAP Business Integrity Screening

Transaction Name

Transaction Code

Description

Start SAP Business Integrity Screening

/UI2/FLP This transaction starts the user interface in a browser.

NoteFor more information about the language to be used in the browser, see Language Settings [page 19].

Mass Detection

Menu path: SAP Menu Business Integrity Screening Mass Detection


Setting Up SAP Business Integrity Screening

https://help.sap.com/viewer/p/SAP_BUSINESS_INTEGRITY_SCREENING

Transaction Name

Transaction Code

Description

Execute Mass Detection

FRA_MASS_DET_PP

NoteUsers can also start the mass detection runs from the HTML5 user interface in the browser.

You can use this transaction to start a mass detection run using the detection strategies that you specify.

You can schedule regular mass detection runs in the back-end system. To do so, create a job for program FRA_MASS_DETECTION_PP that is executed regularly.

Display Mass Detection Log

FRA_MASS_DET_PP_LOG

Use this transaction to verify the success of mass detection runs and to analyze such runs.

Display Optimization Error Logs

FRA_OPT_LOG

Use this transaction to display the error log (if any) produced by an automatic optimization run in the Calibration screen.

Delete Simulation Data

FRA_MASS_DET_DEL_SIM

Use this transaction to display the error log (if any) produced by a simulation run in the Calibration screen.

Delete Incomplete Mass Detection Runs

FRA_MASS_DET_DEL_RUN

Use this transaction to display the list of mass detection runs that, for some reason, could not be completed. You can delete such runs.

Address Screening Lists

Menu path: SAP Menu Business Integrity Screening Address Screening Lists

Transaction Name

Transaction Code

Description

Assign Provider-Defined List Group to List Type

ACS_LISTGRP_2_LISTTYP

Use this transaction to associate list types for address screening lists to list groups. This completes the Customizing for address screening lists.

Worklists

Menu path: SAP Menu Business Integrity Screening Worklists

SAP Business Integrity ScreeningSetting Up SAP Business Integrity Screening PUBLIC 13

Transaction Name

Transaction Code

Description

Define Target Groups

FRA_TRGTGRP

Use this transaction to define target groups for worklists.

Distribute Worklist Variants

FRA_DISTRIBUTE_WLV

Use this transaction to distribute worklist variants.

Execute Worklist Variant

FRA_WL_VAR_EXECUTION

Use this transaction to create worklists with a specific variant.

Generation Monitor for Worklist Type

FRA_WLT_MONITOR

Use this transaction to verify that the SAP HANA views and other objects required by worklists have been successfully generated in the database.

Display Worklist Log

FRA_WORKLIST_LOG

Use this transaction to display the error log for worklists that have been created or deleted, and for displaying the generated objects.

Delta Address Screening

Menu path: SAP Menu Business Integrity Screening Delta Address Screening

Transaction Name

Transaction Code

Description

Delta Address Screening

FRA_DELTA_SCREENING

Use this transaction to screen entities in address screening lists that have been changed during a specific time frame.

Display Delta Address Screening Log

FRA_DELTA_SCREEN_LOG

Use this transaction to display and analyze the delta address screening log.

Tools - Environment

Menu path: SAP Menu Business Integrity Screening Tools Environment



Transaction Name

Transaction Code

Description

Check Technical Configuration

FRA_TC_CHECK

Use this transaction to check that the technical configuration is correct. The technical configuration is performed as part of the installation or upgrade of the solution.

You can run the transaction at any time, for example:

● After installation, to see that the technical configuration worked correctly● Before starting an upgrade, to see whether the solution needs to be repaired first● After an upgrade, to see that the technical configuration worked correctly● After making major changes in the system landscape, such as adding a source system

for replication.

For more information, see the Installation Guide or Upgrade Guide on the SAP Help Portal at http://help.sap.com/bis.

Clear All Buffers

FRA_CLEAR_BUFFER

Use this transaction to clear all buffers that are relevant for changes to the application through installation, upgrade, or development (extending the solution). These buffers include the ICM Server Cache, the BOPF Shared Buffer, and the UI5 Cache, for changes to the HTML5 UI.

NoteThe browser cache is deleted automatically and periodically. However, you can run the report /UI5/APP_INDEX_CALCULATE to perform an immediate refresh.

Copy Exchange Rates

FRA_COPY_EXC_RATES

Use this transaction to synchronize the current exchange rates between the SAP ERP source system and the back-end system.

For more information, see the Operations Guide on the SAP Help Portal at http://help.sap.com/bis.

Tools - Workflow

Menu path: SAP Menu Business Integrity Screening Tools Workflow

Transaction Name

Transaction Code

Description

Automatic Workflow Customizing

SWU3 The activities performed in this transaction must be executed so that workflows can be executed.

Selection Report for Workflows

SWI1 This report is intended primarily as a tool for workflow system administrators to analyze work items.

Diagnosis of Workflows with Errors

SWI2_DIAG This transaction identifies all workflows with errors and groups them according to error cause. The evaluation results displayed are runtime information.

To get more details, use transaction SLG1 for object FRA_WORKFLOW.


http://help.sap.com/bis



Transaction Name

Transaction Code

Description

Application Log: Display Logs

SLG1 You can analyze the logs and their messages for workflow-specific errors by using object FRA_WORKFLOW.

Work Items Without Agents

SWI2_ADM1 You can use the work item analysis to find work items without agents. The work items to be analyzed can be limited according to time, type, and task.

Configuration Notifications

SWNCONFIG This transaction is used for configuring notifications.

Notifications are sent to the corresponding user in the form of mail messages. A mail message can contain one or more notifications for work items.

All required settings can be made using the BC set FRA_ALERT_WORKFLOW (transaction SCPR20).

Display/Maintain Event Type Linkage

SWETYPV For triggering events of workflows and tasks, the event type linkage is required. It is set up during the technical configuration of task list FRA_INITIAL_SETUP (transaction STC01).

Only active type linkages are evaluated by the event manager at runtime.

Tools - Detection

Menu path: SAP Menu Business Integrity Screening Tools Detection

Transaction Name

Transaction Code

Description

Detection Procedures Wizard

FRA_DM_WIZARD_SIMPLE

Programmers can use this wizard to generate stubs for the procedures needed for new detection methods.

Generation Monitor for Detection Methods

FRA_GM_DET

Use this transaction to verify that the SAP HANA views and procedures required by detection methods and detection strategies have been successfully generated in the database.

Generation Monitor for Detection Strategies

FRA_GM_STR

Use this transaction to verify that the SAP HANA views and procedures required by detection methods and detection strategies have been successfully generated in the database.

Test Procedure for Mass Detection

FRA_MASS_DET_TEST

Use this transaction to debug and analyze a detection strategy using mass detection data.



Transaction Name

Transaction Code

Description

Display Optimization Log

FRA_OPT_LOG

Use this transaction to display any error messages that may have occurred during optimization of detection strategies in the Calibration screen.

For more information, see Maintenance Transactions for Optimization [page 99].

Tools - Deletion

Menu path: SAP Menu Business Integrity Screening Tools Deletion

Transaction Name

Transaction Code

Description

Delete Alerts FRA_DEL_ALERT

Use this transaction to delete alerts that are not needed. You can, for example, delete alerts that were created during tests or by detection strategies with incorrect parameters.

Delete Worklists

FRA_DEL_WORKLIST

Use this transaction to delete worklists that are no longer needed.

Delete Audit Trail Log Entries

FRA_DEL_AUDIT_TRAIL

Use this transaction to delete records from the audit trail log.

Delete Calibration Optimization Data

FRA_OPT_CLEANUP

Use this transaction to delete the temporary data that is created by automatic optimization runs in the Calibration screen. The temporary data is not automatically deleted because it is needed during a calibration session.

The automatic optimization does not create large amounts of temporary data. Running this transaction after you have completed calibration of a set of detection strategies is adequate.

Delete Calibration Simulation Details

FRA_CDET_CLEANUP

Use this transaction to manually delete all simulation data.

Delete Detection Methods

FRA_DEL_DET_METHOD

Use this transaction to delete detection methods that are no longer needed.

Delete Detection Strategies

FRA_DEL_STRATEGY

Use this transaction to delete detection strategies that are no longer needed.

Delete Personal Settings

FRA_DEL_PERS_SETT

Use this transaction to clean up person-related data when users are removed from the system. For example, you can delete the recent actions history and the status of specific users, as well as their user photo.


Transaction Name

Transaction Code

Description

Delete Saved Master Data of Persons

BPCM_DELETE_PERSON

If you have the optional integration of SAP Master Data Governance in operation, then you can use this transaction to delete master data of business partner persons in the system.

This data is saved by the system locally in order to perform delta address screening on the data.

Deletions in the SAP Master Data Governance system are not automatically replicated to SAP Business Integrity Screening, you must delete such data by hand with this transaction. Deleting such data might become necessary if, for example, the data continues to generate alerts in delta address screening after it has been deleted in the SAP Master Data Governance system.

Delete Saved Master Data of Organizations

BPCM_DELETE_ORG

If you have the optional integration of SAP Master Data Governance in operation, then you can use this transaction to delete master data of business partner organizations in the system.

This data is saved by the system locally in order to perform delta address screening on the data.

Deletions in the SAP Master Data Governance system are not automatically replicated to SAP Business Integrity Screening; you must delete such data by hand with this transaction. Deleting such data might become necessary if, for example, the data continues to generate alerts in delta address screening after it has been deleted in the SAP Master Data Governance system.

Data Protection

Menu path: SAP Menu Business Integrity Screening Data Protection

Transaction Name Transaction Code Description

Remove User Names ACS_DP_ANONYMIZATION Use this transaction to remove user names for data that is not going to be archived.

Garbage Collector ACS_DP_GCO Use this transaction to delete unwanted data.

Display Data Protection Logs

ACS_DP_LOG Use this transaction to display the application log for data protection activities.

Archive Administration SARA Use this transaction to archive data.

Data Destruction ILM_DESTRUCTION Use this transaction to delete archived data.

Read Access Logging Manager

SRALMANAGER Use this transaction to monitor and log read access to sensitive data.



3.2 Language Settings

When you start the application, the language that is displayed depends on the following:

● If you select the language on the logon screen, your selection is transferred to the back end with the URL parameter.

● If you use single sign-on (SSO), the language of the browser settings is transferred to the back end.

NoteThe language settings defined in the User Maintenance (transaction SU01) in the back end has no influence on the application.

If a text is not available in the logon language, the corresponding text in a fallback language is displayed. Usually the fallback language is English, but in some functions, the “secondary language” defined in the application server is used. To achieve uniform behavior, SAP recommends using English as the secondary language.

3.3 Browser Settings

Using a Logon Screen – Internet Explorer

If you always want to use the logon screen in the browser, you have to choose the following setting for the Internet Options. On tab Security choose Custom level... and disable Don’t prompt for client certificate selection when only one certificate exists.

Follow Up Tasks After Importing a Transport – All Browsers (Optional)

The browser cache is deleted automatically and periodically. However, if you want, you can run the report /UI5/APP_INDEX_CALCULATE to perform an immediate refresh.

3.4 SAP Jam Integration

The application offers an optional integration of SAP Jam, the SAP tool for collaborative work and coordination.

SAP Jam must be added to the SAP Fiori launchpad. If you do not find SAP Jam in your Home screen, then see Adding SAP Jam to the SAP Fiori Launchpad in the Installation and Configuration Guide or Upgrade Guide, at http://help.sap.com/bis.



For help with using SAP Jam for collaboration, see http://help.sap.com/jam .



http://help.sap.com/disclaimer?site=http%3A%2F%2Fhelp.sap.com%2Fjam

4 Home

The home page is the starting point of the application. It is based on the SAP Fiori launchpad and can be called using transaction /UI2/FLP.

The launchpad opens a home page that contains predefined content, divided into groups. Each group contains tiles that represent business applications. Clicking or tapping a tile launches the underlying application.

The following functions are available on the home page:

● PersonalizationThe group My Home is, by default, the first group on your home page. Other groups may also be visible to you, as defined by your administrator.You can personalize the application home page by selecting Edit Home Page. Once you do, you can add groups and tiles. As well, you can rearrange existing tiles by dragging them to a new location in a group or moving them to another group.Choose Settings to display the user account, or to change the appearance or language and regional settings of your screen.Choose App Finder to search the catalogs for all available tiles.

● SearchWith the search, you can find predefined objects, such as detection strategies, alerts, events and documents in alerts.You can use the search as follows:

Your Input Symbol Result

shares warrants None Finds results that contain both the word “shares” and the word “warrants”.

shares OR warrants OR Finds results that contain either the word “shares” or the word “warrants”.

shares‑warrants ‑ Finds results that contain the word “shares” but not the word “warrants”.

warr* * Finds results containing words that start with “warr”, for example “warrants”, “warranty”, and “warranted”.

“with best regards” “” Finds results that contain the exact phrase “with best regards”.

NoteIf you can't find the expected results try again using *, for example *12345 or *john*.

The search is not case-sensitive.

Available Tiles

Available Tiles in SAP Business Integrity Screening [page 22]

SAP Business Integrity ScreeningHome PUBLIC 21

More Information

For more information about using the SAP Fiori launchpad, enter the keyword Using the Launchpad in the documentation of User Interface Add-On for SAP NetWeaver under http://help.sap.com .

4.1 Available Tiles in SAP Business Integrity Screening

The tiles you can use depend on your user role and authorizations. There are simple navigation tiles and tiles with key performance indicators (KPIs).

Detection

The following tiles on your home screen are grouped in the catalog for Detection:

Tile Navigates to… Is used to…

Assign Address List Types SAP Fiori app Assign Address List Types From this tile, you can assign the provider-defined list groups to the available list types.

You can also see how detection strategies are connected to provider-defined lists.

Detection Runs Detection Run screen From this tile, you can display and create detection runs, such as delta address screening runs.

Detection Strategies Detection Strategy screen From this tile, you can maintain detection strategies.

Display Strategy Determination SAP Fiori app Display Strategy Determination

From this tile, you can display the detection strategies determined by the system.


Home

http://help.sap.com/disclaimer?site=http%3A%2F%2Fhelp.sap.com

Tile Navigates to… Is used to…

Manage Address Screening Lists SAP Fiori app Manage Address Screening Lists

From this tile, you can display address screening lists in your SAP system, the entities of each list, and the details of each entity.

You can also use this app to block an active entity from an address screening list, excluding it from future screening runs, in order to avoid an unnecessarily large number of false positive hits.

Manage Detection Methods SAP Fiori app Manage Detection Methods

From this tile, you can display and create detection methods based on ABAP-managed database procedures, based on SQLScript procedures, ones that are used in address screening, as well as ones for predictive detection.

You can also use this app to manage your business rules, to regenerate database objects, retrain a predictive model, and mark a detection method for deletion.

Manage Excluded Terms SAP Fiori app Manage Excluded Terms From this tile, you can create and upload lists of terms to be excluded during address screening.

Manage Term Mappings SAP Fiori app Manage Term Mappings From this tile, you can display and create lists of terms and their variants to be used during address screening.

Manage Suspicious Terms SAP Fiori app Manage Suspicious Terms From this tile, you can create and edit suspicious terms lists for use in detection methods.

Manage High-Risk Countries SAP Fiori app Manage High-Risk Countries

From this tile, you can upload high-risk country lists from external sources or to create and edit your own lists. High-risk country lists are used in detection methods.


Investigation

The following tiles on your home screen are grouped in the catalog for Investigation:

Tile Navigates to... Is used to...

Create Worklist SAP Fiori app Create Worklists From this tile, you can create worklists for specific worklist variants. These worklists can then be displayed with the My Worklists tile.

Investigation Overview SAP Fiori app Investigation Overview From this tile, you can see an overview of the outstanding activities in your investigation process, and navigate to the other apps quickly.

Manage Alerts SAP Fiori app Manage Alerts From this tile, you can display, create, assign, and complete alerts.

Manage Worklist Variant SAP Fiori app Manage Worklist Variants From this tile, you can create, display, edit, and delete worklist variants.

My Approvals SAP Fiori app My Inbox This tile displays the total number of the pending approval requests that are assigned to an approver directly, or that are available for the approver (being a member in a group of approvers that have been determined by the system).

From this tile, you can navigate directly to your alert item approval list.

My Worklists SAP Fiori app My Worklists From this tile, you can display your worklists.

Start Ad Hoc Requests SAP Fiori app Start Ad Hoc Requests From this tile, you can display worklist data based on section conditions.


Home

My Alerts to Process

The following tiles on your home screen are grouped in the catalog for My Alerts to Process:


Risk Rating ≥ 4 Manage Alerts app A filter for selecting alerts of the current user that have the status In Process in Manage Alerts and that have a risk rating of 4 out of 5 or higher. The tile shows the number of such alerts.

In Process Manage Alerts app A filter for selecting alerts of the current user that have the status In Process in Manage Alerts. The tile shows the number of such alerts.

Not Started Manage Alerts app A filter for selecting alerts of the current user that have the status Not Started in Manage Alerts. The tile shows the number of such alerts.

Reporting

The following tiles on your home screen are grouped in the catalog for Reporting:


Alert Distribution Executive Dashboard screen From this tile, you can navigate directly to the Executive Dashboard to analyze the alert distribution.

Average Processing Time - This tile displays the average time it took to process an alert. There is no further navigation.

Cumulative Fraud Loss - This tile displays the KPI Cumulative Fraud Loss of closed alerts, given in the currency defined in Customizing. There is no further navigation.



Efficiency - This tile displays the efficiency, given in percent.

Efficiency = (confirmed alerts / (confirmed alerts + false positive alerts)) * 100

Total Risk Value - This tile displays the KPI Total Risk Value of all open alerts.

Risk Rating ≥ 4 Manage Alerts app A filter for selecting all alerts with status In Process in Manage Alerts that have a risk rating of 4 out of 5 or higher. The tile shows the number of such alerts.

At Risk Manage Alerts app A filter for selecting all alerts with status In Process in Manage Alerts. The tile shows the total value at risk in these alerts.

False Alarm Manage Alerts app A filter for selecting alerts with Finding False Alarm in Manage Alerts. The tile shows the number of such alerts in the current calendar year.

Confirmed Manage Alerts app A filter for selecting alerts with Finding Confirmed in Manage Alerts in the current calendar year. The tile shows the loss (aggregated risk values) of such alerts in the current calendar year.

Closed Without Investigation Manage Alerts app A filter for selecting alerts with Finding Closed Without Investigation in Manage Alerts in the current calendar year. The tile shows the number of such alerts in the current calendar year.


Home

Settings

The following tile on your home screen is in the catalog for Settings:


Manage User Groups SAP Fiori app Manage User Groups You can use the Manage User Groups application to create and edit groups of users who will have the necessary authorizations for different tasks, for example processing a particular type of alert.

History

The following tile on your home screen is in the catalog for History:


My Recent Objects My recent objects list This tile navigates to a list of your most recently viewed objects, such as alerts, detection methods, detection strategies.

Collaboration

The following tile on your home screen is in the catalog for Collaboration:


SAP Jam SAP Jam This tile is only available if the SAP Jam integration has been set up by an administrator.

SAP Jam is a collaboration tool through which you can communicate to other users.

See SAP Jam Integration [page 19].

NoteIf you want to make your own KPI tiles, you can do so easily from the Manage Alerts app. See Saving as a Tile [page 173].


Important Changes

The following tiles can now be accessed by the Manage Detection Method app:

Tile Navigated to... Was used to...

Address Screening Methods (deprecated)

Address screening detection methods From this tile, you could navigate directly to Address Screening Detection Method screen in order to display, create, and edit address screening detection methods.

Detection Method Editor Detection method editor From this tile, you could navigate directly to the Detection Method Editor screen in order to maintain business rules.

Enroll Detection Method Detection methods From this tile, you could navigate directly to the Detection Method screen in order to maintain detection methods that are based on SQLScript procedures.

Manage Predictive Detection Methods (deprecated)

SAP Fiori app for displaying and creating predictive detection methods

From this tile, you could navigate directly to the Manage Predictive Detection Methods screen.

You could use this app to display and create predictive detection methods.

More about Alerts

A new alert is an alert with the status Not Started.

An open alert is an alert with the status Not Started or In Process.

A transferred alert is an alert that has been transferred to another system for further investigation.


Home

5 Detection

Detection means trying to identify irregularities as quickly as possible in order to avoid any loss or damage.

Detection is based on detection strategies that contain the rules that are used to evaluate the risk of a potential fraud and its respective weight. The thresholds that are defined in the detection strategy are used to qualify the risk.

When you set up a detection strategy, you assign a set of detection methods to the strategy. The detection method contains the business logic used to determine if an incident, such as a claim, tax declaration, or a bank transfer is a potential fraud.

How is Fraud Determined?

During detection, the system checks for the selected detection strategies if the detection methods (rules) apply.

From a technical point of view, the detection result is an integer value between 0 and 100 independent of what type of rule it represents.

The detection method passes the detection result trough to the strategy.

In the detection strategy the detection result of each detection method is divided by 100 (normalizing the result to a value between 0 and 1) and multiplied by the weighting factor that is assigned to the detection method.

This is the risk score of the detection method in a given strategy. If the sum of all detection method risk scores is higher than the threshold, an alert is created.

NoteThe weighting factor indicates how critical a detection method is within a strategy version. You can use values in a range from -100 to 0 or from 0 to 100.

If the weighting factor is 0 it is interpreted as a positive value. Therefore, in the calibration you can only use values in a range from 0 to 100.

For more information, see the detailed example How is Fraud Determined? [page 30].

How can Fraud be Identified?

You can use the following ways to identify fraud:

● Online Detection (based on a Web service)Online detection is a real-time online check of business data. The data is supplied by a business process at certain points in time during creation, and the result is returned immediately.In online detection, the application is called synchronously from outside the system to check one or more detection objects.New data records are sent to the application system instantly and checked by the active strategy.

● Mass Detection (based on stored records)Here, the fraud detection works with stored records to find similarities or suspicious relations between data records. This detection can be executed asynchronously and scheduled, for example at the end of a day or every hour.

SAP Business Integrity ScreeningDetection PUBLIC 29

Mass detection is performed on data that has been replicated into the application system. In case of suspicious data, alerts are created for a subsequent investigation. The source system or other systems can also be informed about the creation of the alert, so that further processing can be blocked.In mass detection, the detection strategy is used to check a selection of detection objects that have already been loaded into the SAP HANA database.

More Information

Detection Strategy [page 64]

Detection Methods [page 31]

Online Detection [page 108]

Enterprise Services in SAP Business Integrity Screening

Mass Detection [page 99]

5.1 How is Fraud Determined?

During detection, the system checks for the selected detection strategies if the detection methods (rules) apply.

For example, for a detection method based on a SQLScript procedure the execution procedure of the detection method returns a detection result, that is, an integer value between 0 and 100.

The detection method passes the detection result trough to the strategy.

In the detection strategy the detection result of each detection method is divided by 100 (normalizing the result to a value between 0 and 1) and multiplied by the weighting factor that is assigned to the detection method. This is the risk score of the detection method in a given strategy.

NoteDetection methods

Risk score = (Detection result / 100) * Weighting factor

Detection strategies

Risk score = Sum of all detection methods risk scores

If the sum of all detection method risk scores is higher than the threshold, an alert is created.

The thresholds that are defined in the detection strategy are used to qualify the risk.

The figure below illustrates fraud detection using detection methods based on SQLScript procedures.


Detection

https://help.sap.com/viewer/2ebc3a3b3403484dadfc10fed8186067/1.3.0.2/en-US/3ec94ea4338d47c9bd930f7fac457979.html

Fraud Detection

5.2 Detection MethodsDetection methods are used to search for irregularities in your data.

Within detection methods, you can define a business logic that is used to determine if an incident, such as a claim, tax declaration, or a bank transfer, is a potential fraud. A detection method can be used in multiple detection strategies and can be used for online detection as well as for mass detection.

A detection method represents a single executable step that detects fraud candidates in a given set of detection objects and assigns scores to them.

Several detection methods can be sequentially applied on the same data set by grouping them with a detection strategy. The result of a detection method is independent from the result of any other detection method used within the strategy.

The following types of detection methods can be created:

● Detection methods based on ABAP-managed database proceduresYou can use ABAP-managed database procedures, which are created in the back-end system in ABAP and contain the SQLScript-logic that is executed in the SAP HANA database.

● Detection methods based on SQLScript procedures in the SAP HANA RepositoryYou can use SQLScript procedures which are defined in the SAP HANA Repository and contain the logic that is also executed in the SAP HANA database.


● Detection methods based on business rulesYou can use detection methods which use either a text rule or decision table.

● Detection methods used for address screeningYou can use detection methods to screen names and addresses in business data.

● Detection methods used for predictive detectionYou can use your historical data to create detection methods that are based on a predictive model.

More Information

Related Information

Managing Detection Methods [page 32]Scripted Detection Methods (ABAP-Managed) [page 33]Scripted Detection Methods (SAP HANA Repository) [page 40]Address Screening Methods [page 56]Predictive Detection Methods [page 59]Business Rule Methods [page 47]Detection Strategy [page 64]Mass Detection [page 99]Online Detection [page 108]

5.2.1 Managing Detection Methods

With the transactional app Manage Detection Methods you can manage the following types of detection methods:

● Predictive detection methods● Scripted detection methods (ABAP-Managed)● Scripted detection methods (SAP HANA Repository)● Address screening methods● Business rule methods

Key Features

● Display a list of all detection methods in the system● Filter, sort, and search on the list and save these settings a a variant● Export the list to a spreadsheet● Create new detection methods● Display the details of the detection methods


Detection

● Retrain a predictive model● Regenerate database objects● Mark a detection method for deletion● Generate the implementation that is used for the ABAP-managed database procedures

Related Information

Scripted Detection Methods (ABAP-Managed) [page 33]Scripted Detection Methods (SAP HANA Repository) [page 40]Business Rule Methods [page 47]Address Screening Methods [page 56]Predictive Detection Methods [page 59]

5.2.2 Scripted Detection Methods (ABAP-Managed)

One type of detection method is implemented using ABAP-managed database procedures. The ABAP-managed database procedures contain the detection logic needed to examine business data and produce a detection result. These ABAP-managed database procedures are defined in ABAP and may contain SQLScript that is executed in the SAP HANA database.

The following procedures can be used:

● Execution procedure (mandatory)Contains the business logic of the detection method.It is called in mass detection, online detection, and in calibration.

● Selection procedure (mandatory)Selects the necessary data objects from the database tables.It is called in mass detection and calibration.

NoteData that does not belong to the current detection object (for instance, historical data, business partner, and other master data) should be read within the execution procedure, and not in the selection procedure, as this data is available in online detection.

● Additional information procedure (optional)If you want to add more detailed information to an alert, you can use an additional information procedure.An additional information procedure determines risk values and texts that explain the detection result.It can be called in online detection and mass detection, but not in calibration.

NoteFor more information about implementing SQLScript procedures for detection methods, see Best Practices for Detection Method Procedures in the Extensibility Guide.

A detection method can be used in multiple detection strategies.


https://help.sap.com/viewer/2cba2a3475d24114b91c4c268d4c84b6/1.3.0.2/en-US/dcee1fa400c2406a8e7c2669eb108a7e.html


Related Information

Prerequisites for Working with Scripted Detection Methods [page 34]Creating Scripted Detection Methods (ABAP) [page 35]Displaying Scripted Detection Methods (ABAP) [page 35]Detection Method Parameters [page 36]Marking Detection Methods For Deletion [page 37]Deleting Detection Methods in the Back End [page 37]Generating an Implementation for Scripted Detection Methods (ABAP) [page 38]Using the Generation Monitor for Detection Methods [page 38]Predictive Models using the SAP HANA Predictive Analysis Library (PAL) [page 39]

5.2.2.1 Prerequisites for Working with Scripted Detection Methods

Technical Definition

When you define a detection method you must:

1. Develop the SQLScript procedures that implement the detection logic in SAP HANA.2. Create the method in the Manage Detection Methods app, where you assign, for example, the execution

and selection procedures.

For detailed information, see Scripted Detection Methods in the Extensibility Guide.

Authorizations and Roles

For information about the required authorizations and roles for creating detection methods, see the Security Guide on the SAP Help Portal at http://help.sap.com/bis http://help.sap.com/bis_s4.

Customizing

To work with detection methods based on SQLScript procedures, you must do the following:

● Define Source Domain and Field SettingsIn activity Maintain Detection and Investigation Data Model, enter a source domain and define the field settings. You have to define field properties from fields that are used in your SAP HANA SQLScript procedures.

● Maintain Investigation and Detection Object TypesIn activity Maintain Detection and Investigation Data Model, define the relevant detection object type.


Detection

https://help.sap.com/viewer/2cba2a3475d24114b91c4c268d4c84b6/1.3.0.2/en-US/9e86aa53bc90ca11e10000000a44176d.html


http://help.sap.com/bis_s4

● Assign Packages for Detection MethodsIn activity Assign Packages for Detection Methods, assign the packages containing the SAP HANA SQLScript procedures that can be used for the detection method.

5.2.2.2 Creating Scripted Detection Methods (ABAP)

To create a detection method based ABAP-managed database procedures, from the Manage Detection Methods app choose Create Scripted Detection Method (ABAP)

In the dialog box displayed, make the following entries:

● In the field Detection Method, enter a unique technical name (or ID).● In the field Description, enter a meaningful description (or name).● In the field Detection Object Type, select a valid entry.● Define the Selection procedure.

The items available for the Class Name and Method Name of the selection procedure depend on the detection object type you defined.

● Define the Execution procedure.The items available for the Class Name and Method Name of the execution procedure also depend on the detection object type you defined.

● If you want to define an Additional Information procedure, select an entry.The items available for the Class Name and Method Name of the additional information procedure also depend on the detection object type you defined.

● Choose Save.

5.2.2.3 Displaying Scripted Detection Methods (ABAP)

To display a list of scripted detection methods, from the Manage Detection Methods app, select Scripted Detection Method from the Det. Method Category filter.

To refine the list, you can select ABAP-Managed from the Database Object Type filter.

If you click on a detection method, its details are displayed as follows:

● HeaderThe header data includes the technical name and description of the detection method, the detection object type, as well as information about who created or changed it and when.If you choose Edit Header, you can change the description of your detection method.

● ImplementationThe implementation data includes the procedures defined, specifically, the class and method names.

● ParametersIf any parameters were defined, their name and description are shown in a table.

● Where-Used ListIf the detection method has been used in a detection strategy, all of the information is shown in a table.


Regenerating Database Procedures

When you create a detection method, the system automatically creates some ABAP-managed database procedures in the back end. You may want to regenerate these database procedures in case there is an error or some optimization is needed.

To regenerate these database procedures, choose Regenerate on the detection method details screen.

Alternatively, you can call transaction FRA_GM_DET (Generation Monitor for Detection Methods) in the back-end system. See Using the Generation Monitor for Detection Methods [page 38].

Marking for Deletion

You can mark a detection method as deleted if it is not used in any active or inactive detection strategy.

NoteThis function does not delete a detection method physically from the database. But detection methods marked as deleted can never be undeleted or assigned to a detection strategy.

To mark a detection method as deleted, choose Delete on the detection method details screen.

5.2.2.4 Detection Method Parameters

Parameters can be used to enhance the flexibility of detection methods. A detection method can be used with different parameter values to execute different checks. Also, parameter values can be changed without having to change the implementation of the detection methods itself. That is, you do not have to change the SQLScript coding.

NoteParameters are introduced into the definition of a detection method by means of an input table of the corresponding execution procedure. This input table needs to have the technical name PARAMETER and the detection method parameters are the individual fields of the table and must be given in upper case letters. The corresponding parameter values are assigned in the detection strategy and handed over to the execution procedure of the detection method at runtime.

Detection method parameters are defined in Customizing activity Maintain Detection and Investigation Data Model. The parameters for investigation object types are defined in the Investigation Object Fields view. The parameters for the detection object types are defined in the Detection Object Fields view.


Detection

5.2.2.5 Marking Detection Methods For Deletion

You can mark a scripted detection method as deleted if it is not used in any active or inactive detection strategy.

NoteThis function does not delete a detection method physically from the database. But detection methods marked as deleted can never be undeleted or assigned to a detection strategy.

It is possible to display a deleted detection method. To do this, on the Manage Detection Methods screen enter Deleted as the search criteria.

Marking for Deletion

Select a detection method from the list of detection methods on the Manage Detection Methods screen. On the following details screen, choose Delete.

Related Information

Deleting Detection Methods in the Back End [page 37]

5.2.2.6 Deleting Detection Methods in the Back End

In a non-production system, you can delete detection methods physically from the database if they are not used in any active or inactive strategy, nor in a detection strategy that is marked for deletion.

This allows you to delete any type of method in order to create another method with the same name.

To delete detection methods, choose transaction Delete Detection Methods (FRA_DEL_DET_METHOD) in the back-end system.

Displaying the Application Log

To display the log, choose transaction Display Application Log (SLG1) in the back-end system.

Selection Parameters

You can restrict the logs, for example, by the following criteria:

● Object FRA_DMETH and subobject DELETION● Program: FRA_DELETE_DETECTION_METHOD


Results

The log will display the following:

● Detection methods that were deleted● Detection methods that could not be deleted because they were used in a detection strategy

5.2.2.7 Generating an Implementation for Scripted Detection Methods (ABAP)

You can use the Manage Detection Methods app to generate example implementations of the selection, execution and additional information procedures that can be used to create an ABAP-managed scripted detection method.

NoteThis function is only available for developers in a development system.

For details, see Tools for Generating Procedures for Scripted Detection Methods in the Extensibility Guide.

5.2.2.8 Using the Generation Monitor for Detection Methods

When you create a detection method, three ABAP-managed database procedures are generated automatically:

● One for calibration● One for mass detection● One for online detection

You can use this transaction to check if the procedures were generated without errors.

Using the Monitor

Call transaction FRA_GM_DET (Generation Monitor for Detection Methods) in the back-end system.

Select a single or range of detection methods, and choose Execute (F8) . You can then do the following:

● Check for errors● Regenerate objects for detection methods

Choose (Regenerate Objects) to regenerate the objects needed for a detection method.● Display the error log

Choose (Display Error Log) to display the details.


Detection

https://help.sap.com/viewer/2cba2a3475d24114b91c4c268d4c84b6/1.3.0.2/en-US/27580f94c7fd4bfbb029a8f2ed9d3cff.html

CautionIf you do not select a single or range of detection methods, and choose Execute, ALL the methods in the system will be read and this can last several minutes.

5.2.2.9 Predictive Models using the SAP HANA Predictive Analysis Library (PAL)

In addition to scripted rules, you can use rules based on predictive algorithms in the context of fraud detection.

The SAP HANA database already provides predictive algorithms that are included in the SAP HANA Predictive Analysis Library (PAL).

Decision Tree

The algorithm used in our use case is the C4.5 Decision Tree algorithm.

In general, a decision tree is a set of logically connected decisions with each decision resulting in a true or false statement. This statement will either lead to a new decision requiring a true or false outcome or the decision sequence is concluded with a result statement or an error condition.

NoteThis decision tree is characterized as follows:

● Helps to effectively identify the factors to consider and specifies how each factor has historically been associated with different outcomes of the decision.

● Uses a tree-like structure of conditions and their possible consequences. Each node of a decision tree can be a leaf node or a decision node.○ Leaf node

Identifies the value of the dependent target variable.○ Decision node

Contains one condition that corresponds to a test for an attribute value. The outcome of the condition is further divided into branches with sub‐trees or leaf nodes.

The algorithm is based on a trained model which is the result of a training procedure. For the training of a model historical data including a classification are required.

In our use case historical data are insurance claims that are classified as being suspicious or not suspicious. It is now possible to train and store a model using a PAL training procedure (pal::createDT). This model can then be applied for a worklist of new claims to create alerts by invoking a PAL scoring procedure (pal::predictWithDT).

This process may be realized as a detection method after creating the necessary selection procedure and execution procedure. The selection procedure enriches the worklist by the predictive attributes used to build the model tree. The execution procedure wraps the PAL scoring procedure.


More Information

For more information, see the SAP HANA Predictive Analysis Library (PAL) Reference on SAP Help Portal at http://help.sap.com/hana_platform under Reference Information.

5.2.3 Scripted Detection Methods (SAP HANA Repository)

One type of detection method is implemented using SQLScript procedures that are defined in the SAP HANA Repository. These SQLScript procedures contain the detection logic needed to examine business data and produce a detection result.

The following database procedures can be used:

● Execution procedure (mandatory)Contains the business logic of the detection method.It is called in mass detection, online detection, and in calibration.

● Selection procedure (mandatory)Selects the necessary detection objects from the database tables.It is called in mass detection and in calibration.

NoteData that does not belong to the current detection object (such as historical data, business partner, and other master data) should be read within the execution procedure, and not in the selection procedure, as this data is available in online detection.

● Additional information procedure (optional)If you want to add more detailed information to an alert, you can use an additional information procedure.An additional information procedure determines risk values and texts that explain the detection result.It can be called in online detection and mass detection, but not in calibration.

NoteAn execution procedure can only be assigned to one active detection method.

However an execution procedure may be assigned to multiple detection methods that are marked as deleted.

A detection method can be used in multiple detection strategies.

For more information about implementing SQLScript procedures for detection methods, see Best Practices for Detection Method Procedures in the Extensibility Guide.

Related Information

Prerequisites for Working with Scripted Detection Methods [page 34]Creating Scripted Detection Methods (SAP HANA) [page 42]Displaying Scripted Detection Methods (SAP HANA) [page 42]


Detection

http://help.sap.com/hana_platform



Detection Method Parameters [page 36]Deleting Detection Methods in the Back End [page 37]Creating Procedures for Detection Methods Using a Wizard [page 44]Using the Generation Monitor for Detection Methods [page 38]Predictive Models using the SAP HANA Predictive Analysis Library (PAL) [page 39]

5.2.3.1 Prerequisites for Working with Scripted Detection Methods

Technical Definition

When you define a detection method you must:

1. Develop the SQLScript procedures that implement the detection logic in SAP HANA.2. Create the method in the Manage Detection Methods app, where you assign, for example, the execution

and selection procedures.

For detailed information, see Scripted Detection Methods in the Extensibility Guide.


For information about the required authorizations and roles for creating detection methods, see the Security Guide on the SAP Help Portal at http://help.sap.com/bis http://help.sap.com/bis_s4.

Customizing

To work with detection methods based on SQLScript procedures, you must do the following:

● Define Source Domain and Field SettingsIn activity Maintain Detection and Investigation Data Model, enter a source domain and define the field settings. You have to define field properties from fields that are used in your SAP HANA SQLScript procedures.

● Maintain Investigation and Detection Object TypesIn activity Maintain Detection and Investigation Data Model, define the relevant detection object type.

● Assign Packages for Detection MethodsIn activity Assign Packages for Detection Methods, assign the packages containing the SAP HANA SQLScript procedures that can be used for the detection method.


https://help.sap.com/viewer/2cba2a3475d24114b91c4c268d4c84b6/1.3.0.2/en-US/9e86aa53bc90ca11e10000000a44176d.html


http://help.sap.com/bis_s4

5.2.3.2 Creating Scripted Detection Methods (SAP HANA)

To create a detection method based on SQLScript procedures in the SAP HANA Repository, from the Manage Detection Methods app choose Create Scripted Detection Method (SAP HANA) .

1. On the New Detection Method screen, make the following entries:○ General Data

In the field Detection Method, enter a technical name (or ID) for the method.In the field Detection Method Description, enter a meaningful description (or name) of the method.In the field Detection Object Type, select an entry.

○ Implementing DataThe field Detection Method Category is automatically filled in by the system.In the field Execution Procedure, select a valid entry. The selection available depends on the detection object type you selected.

NoteAn execution procedure can only be assigned to one active detection method. However, a detection method can be used in multiple detection strategies.

In the field Selection Procedure, select a valid entry. The selection available also depends on the detection object type you entered. Once you make a valid entry, the system will automatically enter the corresponding selection procedure package.In the field Additional Information Procedure, select a valid entry. The selection available also depends on the detection object type you entered. Once you make a valid entry, the system will automatically enter the corresponding additional information procedure package.

○ ParametersWhen you enter an execution procedure, the system displays the fields from the input table PARAMETERS of the procedure.You will also see some additional ABAP data type information for the parameters/listed fields. This information is read from the Customizing activity Maintain Detection and Investigation Data Model. If the parameter is not defined in the Customizing, you cannot save the detection method. If you assign this detection method to a strategy, you have to add the values for the parameter.

2. Choose Save.The system checks if the data is correct and automatically generates the corresponding database procedures.

5.2.3.3 Displaying Scripted Detection Methods (SAP HANA)

To display a list of scripted detection methods, from the Manage Detection Methods app, select Scripted Detection Method from the Det. Method Category filter.

To refine the list, you can select SAP HANA Repository from the Database Object Type filter.


Detection

If you click on a detection method, its details will open up in a different tab on your browser. The information is displayed as follows:

● GeneralYou can see the general data, such as the technical ID, name, and the detection object type. You can see the implementing data, such as the procedures and relevant packages. You can also see the parameters if there are any.In the strategies that use this detection method, you can see the values for these table fields.

● Where-Used ListThe where-used list informs you in which active and inactive strategies the detection method is used. In addition, the system displays detailed information from the strategies, such as weighting factor and threshold.

NoteIf a detection method is used only in an inactivate strategy, the where-used list will be empty.

● Administration DataYou can see the name of the user who created the detection method and the name of the user who last changed this detection method.

Editing a Detection Method

From the detection method details screen, you can edit the name of the detection method. That is, the text entered in field Detection Method Description. You cannot change any other data.

5.2.3.4 Detection Method Parameters

Parameters can be used to enhance the flexibility of detection methods. A detection method can be used with different parameter values to execute different checks. Also, parameter values can be changed without having to change the implementation of the detection methods itself. That is, you do not have to change the SQLScript coding.

NoteParameters are introduced into the definition of a detection method by means of an input table of the corresponding execution procedure. This input table needs to have the technical name PARAMETER and the detection method parameters are the individual fields of the table and must be given in upper case letters. The corresponding parameter values are assigned in the detection strategy and handed over to the execution procedure of the detection method at runtime.

Detection method parameters are defined in Customizing activity Maintain Detection and Investigation Data Model. The parameters for investigation object types are defined in the Investigation Object Fields view. The parameters for the detection object types are defined in the Detection Object Fields view.











Results



5.2.3.6 Creating Procedures for Detection Methods Using a Wizard

This wizard helps you generate the execution and selection procedures (SQLScript procedures) that are needed for the definition of a detection method.

The procedures that will be created have the following:

● A correct signature.● Exemplary coding that is syntactically correct but has no real business logic.

In addition, you can create a test procedure.

NoteWhen you run the test procedure in the SAP HANA studio, it checks if the interfaces between the execution procedure and the selection procedure match. It also checks if the selection and the execution procedures will give you accurate results.


Detection

Using the Wizard

To execute the wizard, call transaction FRA_DM_WIZARD_SIMPLE(Procedures Wizard).

NoteYou cannot execute this wizard in the production system.

Ensure the Customizing of the detection object type is complete. That is, the SAP HANA package must be defined.

Further Steps

Once you have finished, you must edit the generated procedures in SAP HANA using the SAP HANA studio. Then, you must transport the completed procedures from the SAP HANA repository to your production system.

For detailed information, see the documentation provided for each step of the wizard.

5.2.3.7 Using the Generation Monitor for Detection Methods

When you create a detection method, three ABAP-managed database procedures are generated automatically:

● One for calibration● One for mass detection● One for online detection

You can use this transaction to check if the procedures were generated without errors.

Using the Monitor

Call transaction FRA_GM_DET (Generation Monitor for Detection Methods) in the back-end system.

Select a single or range of detection methods, and choose Execute (F8) . You can then do the following:

● Check for errors● Regenerate objects for detection methods

Choose (Regenerate Objects) to regenerate the objects needed for a detection method.● Display the error log

Choose (Display Error Log) to display the details.


CautionIf you do not select a single or range of detection methods, and choose Execute, ALL the methods in the system will be read and this can last several minutes.

5.2.3.8 Predictive Models using the SAP HANA Predictive Analysis Library (PAL)

In addition to scripted rules, you can use rules based on predictive algorithms in the context of fraud detection.

The SAP HANA database already provides predictive algorithms that are included in the SAP HANA Predictive Analysis Library (PAL).

Decision Tree

The algorithm used in our use case is the C4.5 Decision Tree algorithm.

In general, a decision tree is a set of logically connected decisions with each decision resulting in a true or false statement. This statement will either lead to a new decision requiring a true or false outcome or the decision sequence is concluded with a result statement or an error condition.

NoteThis decision tree is characterized as follows:

● Helps to effectively identify the factors to consider and specifies how each factor has historically been associated with different outcomes of the decision.

● Uses a tree-like structure of conditions and their possible consequences. Each node of a decision tree can be a leaf node or a decision node.○ Leaf node

Identifies the value of the dependent target variable.○ Decision node

Contains one condition that corresponds to a test for an attribute value. The outcome of the condition is further divided into branches with sub‐trees or leaf nodes.

The algorithm is based on a trained model which is the result of a training procedure. For the training of a model historical data including a classification are required.

In our use case historical data are insurance claims that are classified as being suspicious or not suspicious. It is now possible to train and store a model using a PAL training procedure (pal::createDT). This model can then be applied for a worklist of new claims to create alerts by invoking a PAL scoring procedure (pal::predictWithDT).

This process may be realized as a detection method after creating the necessary selection procedure and execution procedure. The selection procedure enriches the worklist by the predictive attributes used to build the model tree. The execution procedure wraps the PAL scoring procedure.


Detection

More Information

For more information, see the SAP HANA Predictive Analysis Library (PAL) Reference on SAP Help Portal at http://help.sap.com/hana_platform under Reference Information.

5.2.4 Business Rule Methods

One type of detection method is implemented using the SAP HANA rules framework.

NoteThe business rules created are based on a specific vocabulary that has to be provided, for example for a line of business or an industry.

Detection methods based on business rules can be used in the calibration, mass detection, simulated (mass) detection runs, and in the online detection based on generic input tables. See Using Business Rules in Online Detection in the Extensibility Guide

Using the Manage Detection Methods app, business analysts can easily create, copy, adapt, and delete rules. They can also use a test run to check the result of the rules.

Decision tables are intended for “CASE-1…CASE-2…CASE-n” type rules, while text-based rules are used for “IF…THEN” type rules that have single associated condition.

ResultsWhen a detection method (decision table) is successful, the result for such a rule is between 0 and 100.

When a detection method (text rule) is successful, the result is always 100.

For more information about decision tables and text rules, see the SAP HANA Rules Framework - Rule Expression Language Guide on the SAP Help Portal at https://uacp2.hana.ondemand.com/viewer/p/SAP_HANA_RULES_FRAMEWORK.

Related Information

Prerequisites for Working with Business Rule Methods [page 48]Creating Business Rule Methods [page 49]Detection Method Parameters in Text Rules [page 53]Deleting Detection Methods in the Back End [page 37]


http://help.sap.com/hana_platform

https://help.sap.com/viewer/2cba2a3475d24114b91c4c268d4c84b6/1.3.0.2/en-US/3a81c254749c713be10000000a44176d.html

https://help.sap.com/viewer/2cba2a3475d24114b91c4c268d4c84b6/1.3.0.2/en-US/3a81c254749c713be10000000a44176d.html

https://uacp2.hana.ondemand.com/viewer/p/SAP_HANA_RULES_FRAMEWORK

https://uacp2.hana.ondemand.com/viewer/p/SAP_HANA_RULES_FRAMEWORK

5.2.4.1 Prerequisites for Working with Business Rule Methods

Detection methods based on business rules use the SAP HANA rules framework.

Setup

You have to run the installation and the technical configuration for setting up SAP HANA rules framework to create the SAP HANA roles, the technical SAP HANA users, and the RFC connections that were required.

For more information, see the Installation and Configuration Guide and the Upgrade Guide on the SAP Help Portal at http://help.sap.com/bis.


For more information, see the Security Guide on SAP Help Portal at http://help.sap.com/bis.

Vocabulary

A vocabulary is used to express the business logic with the rule expression language. The rule expression language is a language based on business semantics in order to enable business users to describe the logic required for decision determination.

A vocabulary represents the data models with the underlying data, and consists of entities with their corresponding attributes and their associations.

Create Vocabulary in the SAP HANA Studio

You have to create and activate the relevant vocabulary in the SAP HANA studio. A vocabulary is defined by a resource file extension (hprvocabulary).

For more information, see Defining a Vocabulary for the Detection Method Editor and How to Implement the Vocabulary in the Extensibility Guide.

Customizing

You have to assign the relevant vocabulary to a detection object type in the Customizing activity Maintain Detection and Investigation Data Model.

You can only assign one vocabulary to a detection object type.

The vocabulary assigned in the Customizing is available for users when creating detection methods using the Manage Detection Methods app.

Mass and Online Detection

Detection methods based on business rules can be used for mass detection and for online detection based on generic input tables.

To use the online detection, you have to assign the mapping procedure in the Customizing activity Maintain Detection and Investigation Data Model on the HRF Settings screen.

See Online Detection Based on Generic Input Tables [page 108]


Detection



https://help.sap.com/viewer/2cba2a3475d24114b91c4c268d4c84b6/1.3.0.2/en-US/44f6aa53e70cc110e10000000a44176d.html

https://help.sap.com/viewer/2cba2a3475d24114b91c4c268d4c84b6/1.3.0.2/en-US/1e32cd538a755514e10000000a441470.html

https://help.sap.com/viewer/2cba2a3475d24114b91c4c268d4c84b6/1.3.0.2/en-US/1e32cd538a755514e10000000a441470.html

More Information

Installation

For more information about the installation of the SAP HANA Rules Framework, see the SAP HANA Rules Framework on XS Classic - Installation & Upgrade Guide on the SAP Help Portal.

Technical Background

For more information about text rules and decision tables, see SAP HANA Rules Framework on XS Classic - Rule Expression Language Guide on the SAP Help Portal.

5.2.4.2 Creating Business Rule Methods

You can create a detection method based on business rules either using decision tables or text rules. Decision tables are intended for “CASE-1…CASE-2…CASE-n” type rules, while text-based rules are used for “IF…THEN” type rules that have single associated condition.

Creating a Text Rule

1. From the Manage Detection Methods app, choose Create Business Rule Method .2. Enter a technical name and a description, and select a detection object type.3. In the Business Rule section, choose Text Rule.4. The following input fields are used for defining the rule expression:

○ Business RuleYou have to start with the object that represents the detection object type.The editor supports you when creating rules with helpful features, such as code completion, code validation, or code highlighting (constants are displayed in black and operands in blue.)

○ Risk Value, Risk Value Currency, and Additional InformationYou can also enter additional data, such as the risk currency.

ExampleThe following is an example for vendor invoice items. The rule checks if a vendor is paid too quickly, for example the clearing date is not in the grace period. In this example it is checked if the payment is made more than 14 days before the net payment date.

Business Rule: NetPaymentDate of the VENDOR_INVOICE_ITEM of a DETECTION_OBJECT - 14 days is greater than ClearingDate of the VENDOR_INVOICE_ITEM of a DETECTION_OBJECT


https://help.sap.com/viewer/p/SAP_HANA_RULES_FRAMEWORK

https://help.sap.com/viewer/67d736abfa7d4b6db23167c4926ceac7/latest/en-US

https://help.sap.com/viewer/67d736abfa7d4b6db23167c4926ceac7/latest/en-US

https://help.sap.com/viewer/f62ac60f6b404d6fb008a6cfd9b7430c/latest/en-US

https://help.sap.com/viewer/f62ac60f6b404d6fb008a6cfd9b7430c/latest/en-US

Risk Value: AmountInAlertCurrency of the VENDOR_INVOICE_ITEM of a DETECTION_OBJECT

Risk Value Currency: AlertCurrency of the VENDOR_INVOICE_ITEM of a DETECTION_OBJECT

Additional Information: concatenate('Vendor' + Vendor of the VENDOR_INVOICE_ITEM of a DETECTION_OBJECT)

5. You can extract parameters.See Detection Method Parameters in Text Rules [page 53]

6. Choose Save.When saving a detection method, the system creates the corresponding SQLScript coding in SAP HANA.

NoteWhen a detection method is successful, the result is always 100 for detection methods that were created in the editor (category Business Rule).

Creating a Decision Table

1. From the Manage Detection Methods app, choose Create Business Rule Method .2. Enter a technical name and a description, and select a detection object type.3. In the Business Rule section, choose Decision Table.4. On the Add Conditions window, define the column expression for the rule.

○ Column ExpressionThe system supports you when creating rules with helpful features, such as code completion, or code validation.

ExampleThe following is an example for the insurance industry. The rule checks if a policy holder is between 18 and 23 years old or older than 65 years.


Detection

Conditions:

Age

Accident happened at night

Outputs:

detectionResult

riskValue riskValueCurrency

additionalInformation

is between 18 and 25

X 100 SUBCLAIMS.CLAIM.BURGLARY.CLAIM_AMOUNT_IN_ALERT_CURRENCY

SUBCLAIMS.CLAIM.BURGLARY.ALERT_CURRENCY

“Young Driver”

> 65 X 50 SUBCLAIMS.CLAIM.BURGLARY.CLAIM_AMOUNT_IN_ALERT_CURRENCY

SUBCLAIMS.CLAIM.BURGLARY.ALERT_CURRENCY

“Old Driver”

NoteCondition

It is a Boolean expression based on the rule expression language and vocabulary.

Output

The data returned when the conditions of a rule are met.

Hit Policy

The hit policy supports "first match", that is only the first condition that is met is returned as an output. Here, the order of the rules in the decision may affect the result.

○ AliasAliases can be used as an alternative term or reusable shortcut to reference any condition.

5. Choose Save.When saving a detection method, the system creates the corresponding SQLScript coding in SAP HANA.When this detection method (decision table) is successful, the result for such a rule is between 0 and 100.

NoteIn the calibration of the detection strategy that used a detection method with a decision table, you can change the decision table content on the Simulation Tuning tab.

Starting a Test Run

Test runs can be executed in the edit mode as well as in the display mode on the (Test Run) tab.

1. To start a test run, choose (Simulate).


You can start the test run with the following settings:○ You can enter a start and end date for selecting the respective detection objects.○ You can limit the number of hits in the results list to top 50, top 100 or top 1000.○ You can choose a field from the investigation object, such as Line of Business or Subclaim.

2. The system simulates what would be the result if this method is executed on the selected data.The results are shown in the table, as well the number of objects processed and the number of hits.

Detection Method List

When you create a business rule method, a list is displayed that shows all available detection methods in the system. The methods are grouped according to the detection object type. In this group, the methods are sorted by the last changed; so that methods that have been changed recently are displayed first.

NoteYou can search for detection methods in the list. The search operates on the description only.

5.2.4.3 Displaying Business Rule Methods

To display a list of all the detection methods based on business rules, from the Manage Detection Methods screen, select Business Rule from the Det. Method Category filter at the top of the page.

Detection Method Details

When you click on an item, the details of the detection method will be displayed in a new browser tab. The various details are displayed as follows:

● (Edit Rule) or (Display Rule)Shows such information as the business rule, risk value, risk value currency, additional information, and parameters.

● (Test Run)Test runs can be executed in the edit mode as well as in the display mode.

● (History)Here you can see administration data or a list of where the method was used.

A detection method can have one of the following statuses:

● Unlocked: Not used in a strategy● Locked: Used in a strategy● Corrupted


Detection

● Online: Can be used for online detection

5.2.4.4 Detection Method Parameters in Text Rules

Parameters can be used to enhance the flexibility of detection methods. For example, a detection method can be used with different parameter values in the calibration of the detection strategy.

By using the Extract function in the Business Rule the system proposes parameters (that have been identified in the business rule).

Once you have extracted, you have the following options:

● Select a field from the field catalog using the input help.The system sets the corresponding data type that has been defined in the field catalog.

ExampleFor example, the system identifies the value <500> (in the context AmountInAlertCurrency of the PaymentProposalItem is less than <500>) as parameter. The system proposes possible data types, such as CURR.

● Enter a description and select a suitable data type.

ExampleFor example, you enter a description Item Amount in Alert Currency and choose data type Amount in Alert Currency.

For parameters that you enter, you can choose the following data types: AMOUNT, DATE, DECIMAL, NUMBER, STRING and TIME.

● Use a parameter multiple times.You can use a parameter multiple times in an expression in order to avoid that the user has to maintain the same value, for example, a threshold, multiple times for different parameters of a detection method.

ExampleYou can assign the same parameters from the field catalog to multiple contexts in order to create one parameter.

This is also possible for parameters with own description.

You can extract parameters any time you edit the detection method.

You can delete the parameters that were proposed by the system.

Define Parameters

1. On the Edit Rule tab, choose .


2. The system then proposes the parameters that have been identified in the Business Rule section.○ You can use this parameter and enter the required data:

○ Enter a description and choose a suitable data type, such as Date Field, Number with Decimals, Number without Decimals, Character String, or Time Field.

○ Use the input help to choose a field from the field catalog that is automatically proposed by the system.

Example for two different parameters

The following is an example for the insurance industry. The rule checks if a policy holder is between 18 and 23 years old.

The business rule is as follows: Age of the holder of the claim of the subclaims is between 18 and 23

Example for parameters with own description extracted from the business rule

Description Data Type Context

Age From NUMBER (Number without Decimals) Age of the holder of the claim of the subclaims is between 18

Age To NUMBER (Number without Decimals) Age of the holder of the claim of the subclaims is between 25

NoteIn the test run, the values (constants) from the business rule are processed.

In this example, the age of the claim holder is between 18 and 25.

If you want to execute the test run with a different value, such as having the age between 18 and 21, you must change the values on the rule tab (this works without saving).

Example for different contexts used by one parameter

The following is an example for checking transaction data. This rule checks if payments of amounts due are broken up into several smaller payments.

The business rule is as follows:

AmountInAlertCurrency of the PaymentProposalItem is less than 500 and AccountType of the PaymentProposalItem is equal to 'K' and sum of AmountInAlertCurrency of all PaymentProposalItems where all of the following conditions are true: · AccountType is equal to 'K' · AmountInAlertCurrency is less than 500 · Vendor is equal to current Vendor of the PaymentProposalItem · CompanyCode is equal to current CompanyCode of the PaymentProposalItem


Detection

; is greater than 5000

Example for different contexts used by one parameter

Description Data Type Context

Threshold amount for single payment proposal items.

CURR AmountInAlertCurrency of the PaymentProposalItem is less than 500

CURR AmountInAlertCurrency is less than 500

Threshold amount for the sum of payment proposal items.

CURR sum of AmountInAlertCurrency of all PaymentProposalItems where ((AccountType is equal to :P3) and (AmountInAlertCurrency is less than :P4) and (Vendor is equal to current Vendor of the PaymentProposalItem) and (CompanyCode is equal to current CompanyCode of the PaymentProposalItem)) is greater than 5000

As a result of assigning the same description and data type to multiple (two) contexts, you benefit from one parameter for the single payment in the detection strategy and the calibration.










Results




5.2.5 Address Screening Methods

You can use detection methods to screen names and addresses in business data against screening lists.

For detailed information see the following sections:

● Creating Detection Methods for Address Screening [page 56]● Detection Method Parameters for Address Screening [page 128]● Deleting Detection Methods in the Back End [page 37]

NoteCalibration is not supported for address screening methods.

SAP HANA Studio and Customizing Requirements

Create an address screening method that provides addresses for detection objects by creating an ABAP-managed CDS entity. For detailed information see Address Views [page 125].

In the Manage Detection Methods app, enter into the Address View field of the Create Address Screening Method dialog box the database object and detection object type that is based on a CDS entity. The dialog box field for the detection object type is then automatically filled.

Related Information

Address Screening [page 112]

5.2.5.1 Creating Detection Methods for Address Screening

In the Manage Detection Methods app you can create detection methods for address screening:

1. In the menu, choose Create and select Address Screening Method.2. Make your entries into the following mandatory fields of the dialog box, which are indicated with an

asterisk:*Detection Method: Give your detection method a name.*Description: Enter a meaningful description of your new detection method.*Detection Obj. Type: Use the input help to select a detection object type.Note that this mandatory field is automatically filled if you were to skip it and first make an entry into the following and final mandatory field, Address View.Select the Audit Trail Enabled checkbox to trace the detection runs that use this method.


Detection

*Address View: Determine address views based on address screening logic of database objects and detection object types.

3. Save your new detection method.

Results

You can now use your new address screening method in a detection strategy.

For details on the detection method parameters, see Detection Method Parameters for Address Screening [page 128].

5.2.5.2 Detection Method Parameters for Address Screening

Detection methods for address screening are a type of detection method on their own. You can create them in the Manage Detection Methods app.

For details on creating methods for address screening, see Address Screening Methods [page 56].

Detection Method Parameters

Use the following parameters to fine-tune the address screening to your needs:

● ExactnessThe exactness, previously called parameter for fuzzy search, technical term FUZZINESS, is a percentage between 0 and 100 that specifies how exact two words must match to be considered as equal. Use this parameter to make the screening tolerant towards typos, name variations, accents, umlauts, and so on. The lower the value, the more tolerant the system is. For example, an exactness of 70% will match Jane to June, while 90% will not.

● Minimum ScoreThe minimum score, previously called minimum match, technical term MINIMATCH, is a number between 0 and 100 that specifies how precise two names or two addresses must match to be considered as a hit. In contrast to exactness, this parameter affects the names and addresses as a whole, not the single words therein. The lower the value, the more two names or addresses can differ and still be a hit. For example, a minimum score of 50 will produce Tomas Meyer as a hit for Thomas Mayer, one of 100 will not. Use this parameter to cut off the long tail of low-quality hits produced by low exactness parameter values.

● Percentage of Matching WordsThe percentage of matching words, previously called address terms threshold, technical term ANDTHRESHOLD, is a value between 0 and 100 that specifies what percentage of the words making up an entire name or address must match. The lower the value, the more reactive the screening is towards single words. For example, percentage of matching words of 66 will produce John Richard Adams as a hit for Michael John Adams, one of 80 will not.

● Address Screening TypeAddress Screening Type, previously called Also compare address, technical name SCREENING_TYPE, is a value field that specifies which parts of an address will be compared in order to produce matches. Value N (name only) makes the screening compare names only. That is, the address is completely ignored. Value C


(country and name) requires an exact country match before names are compared. Value A (name, country, and address) will also compare addresses, after both the names and countries have been matched.For example, the value N will match a John Adams in London, UK to one in Washington, US. The value C will not make a match because the country is different. The value A will also not make a match because the country and address are different.

● Include Term MappingsInclude term mappings, previously called include additional terms for address screening, technical name ALIASES, is a yes-no value that specifies whether the screening shall enrich the search string with additional terms from the term mappings. Term mappings can be used to prevent that the screening is bypassed by common abbreviations and misspellings. For example, the value Y makes the screening match Main Street to Main St. if the term mapping maps St. to Street.With the app Manage Term Mappings you can create lists of terms to be used during address screening. See Managing Term Mappings in the Application Help for your product solution on the SAP Help Portal.

● Use Excluded TermsUse excluded terms, technical name EXCLUSION_TERMS, is a yes-no value that specifies whether the screening shall remove certain terms from names and addresses before comparing them. Excluded terms can be used to ignore common words that would otherwise produce lots of false positive. For example, the value Y makes the screening ignore the Ltd. in ABC Holdings Ltd. if it is entered as an excluded term. If a name or address consists of excluded terms only, for example Limited Corp., the excluded terms will be ignored to make the system produce any results at all.With the app Manage Excluded Terms you can create lists of terms to be excluded during address screening. See Managing Excluded Terms in the Application Help for your product solution on the SAP Help Portal.

● Use Name InitialsUse name initials, previously called activate initials check, technical name INITIALS, is a yes-no value that specifies whether the screening shall consider one-letter abbreviations of names. For example, the value Y will match J. to James. Use this option to improve hit quality in countries such as the United States, where initials are widely used.

● List Type GroupList type group, technical name LIST_TYPE_GROUP, is the identifier of the list type group that the screening shall compare addresses against. While list ID directly identifies one of the lists delivered by the data provider, the list type group can be any combination of list segments from one or multiple such lists. The list type group therefore gives you more possibilities to recombine entities as needed.

NoteOverly tolerant settings, such as low values for Exactness or Percentage of Matched Words, may result in a large number of hits. Address screening has an upper limit of 100 entity hits per screened business partner. In this case, refine your parameter settings and run the detection again.

More Information



Detection

5.2.6 Predictive Detection Methods

Predictive detection methods make use of historical records to build a model that is able to predict if a given detection object is likely to produce an alert.

Technical Concept

A model for a predictive detection method is based on a training view, which is generated by the joining of four different views:

● The selection view, which contains the key fields of the detection object type as well as the creation date and various selection fields.

● The data view, which contains a set of predictive attributes (provided by the customer).● The historical data view (optional), which contains decisions about detection objects prior to any alerts in

the SAP system (provided by the customer).● The alert decision view, which is based on alerts in the SAP system where a decision has been made and

has an alert completion status of either confirmed, false alarm, or closed without investigation.

When you create a predictive detection method, the system applies a machine learning algorithm to the training view. The algorithm that is used, which is called HANA auto-classification, is in the SAP HANA Automated Predictive Library (APL). Upon the creation of the detection method, the training by the algorithm results in a model.

The quality of the specific model type is measured by the predictive power and prediction confidence. Both measures take values between 0 and 1. Trained models with both values close to 1 can be trusted to a high degree.

Running a trained model means assigning a predictive detection method to a detection strategy. For every selected detection object, the model calculates a score. The higher the score, the higher the probability that an investigation would reveal a true positive (confirmed) case.

The score-threshold is a parameter of the detection method. You can lower or raise the score-threshold, using calibration, to find the optimal amount of alerts your organization can handle.

Using Predictive Detection Methods

Once you create a predictive detection method, using the Manage Detection Methods app, you can assign the predictive detection method to a detection strategy.

Related Information

Creating Predictive Detection Methods [page 60]Displaying Predictive Detection Method Details [page 61]


Retraining Predictive Models [page 64]Predictive Detection Methods

5.2.6.1 Creating Predictive Detection Methods

When you create a predictive detection method, you will also be generating a training view and initiating the training of the model and the generation of the SQLScript procedures required for detection.

From the Manage Detection Methods app, choose Create Predictive Detection Method .

Enter the following information (the mandatory fields are marked with an asterisk):

Create Predictive Detection Method

Field Description

* Detection Method Enter a name for your detection method.

* Description Give your detection method a meaningful description.

* Detection Object Type Select from the list of available detection object types.

The detection object types are defined in Customizing activity Maintain Detection and Investigation Data Model.

Selection Parameters (optional) Select from the list of available selection parameters.

The selection parameters depend on the detection object type you have chosen, and correspond to the detection object fields that are defined in the Customizing activity Maintain Detection and Investigation Data Model. You can enter single or multiple parameters.

Training Dates (optional) You can pick your dates to specify the training dates.

* Data View The view you enter in this field will enrich the detection object data with predictive attributes.

The choice of entries available depends on the detection object type you have chosen, and depends on the packages that have been defined in Customizing activity Assign Packages for Detection Methods in SAP HANA Predictive Detection Method Packages.


Detection

https://help.sap.com/viewer/2cba2a3475d24114b91c4c268d4c84b6/1.3.0.2/en-US/297dcc3ab9a54ae59278a1952b367b88.html

Field Description

Historical View (optional) The view you enter in this field contains decisions about detection objects prior to any alerts in the SAP system.

The choice of entries available also depends on the detection object type you have chosen, and depends on the packages that have been defined in Customizing activity Assign Packages for Detection Methods in SAP HANA Predictive Detection Method Packages.

* Investigation Reason Select from the list of available investigation reasons.

The investigation reasons are defined in Customizing activity Define Investigation Reasons.

Related Information

Predictive Detection Methods [page 59]Displaying Predictive Detection Method Details [page 61]Retraining Predictive Models [page 64]

5.2.6.2 Displaying Predictive Detection Method Details

To display all the predictive detection methods in the system, on the Manage Detection Methods screen, select Predictive Detection Method from the Det. Method Category filter.

To display the predictive detection method details, click on any entry in the predictive detection methods list. The details page is divided into the following sections:

Header

The header data includes the detection method name and description, the detection object type, and the investigation reason.

If you choose Edit Header, you can change the name of your predictive detection method.

If you choose Copy, you can make a copy of the predictive detection method that uses the original method's master data.

If you choose Retrain, you can retrain your predictive model and the new model version will be displayed in the training results table.


Selection

If any selection parameters were defined for the predictive detection method, they are displayed here.

Training Results

The training results display information about the model versions and the key influencers.

Model Versions

The model versions are displayed in a table, which includes the following information:

Model Versions

Field Description

Model Version Each time the model is run, it is assigned a new version number. (In numerical order).

Predictive Power The performance indicator that measures the quality or accuracy of a given model. This indicator describes the proportion of information contained in the target variable that the explanatory variables are able to explain. Its value ranges are from 0 (which is a pure random model) to 1 (a perfect ideal model).

Prediction Confidence The performance indicator that measures the model generalization capability. This indicator measures the ability of a model to deliver the same level of performances on new data sets as it does on the training data set. Its value ranges are from 0 to 1; and should be equal to or above 0.95 to be considered robust and applicable for a detection strategy.

Records The total number of records in the training view used to train the model version.

Records Confirmed Number of records in the training view that are flagged as Confirmed. (This number as a percentage of the total number of records is shown in parentheses.)


Detection

Field Description

Status The symbols in the Status field indicate the following:

● Only one model version can be ready and active at a time - this is displayed as a green diamond.

● There can be a number of model versions that are ready and inactive - this is displayed as a blue square.

● If a training fails, the model version has errors - this is displayed as a red circle.

● A new training model may have the status in training - this is displayed as an orange triangle.

Training Date From The start date on which the training model is based.

Training Date To The end date on which the training model is based.

Created On The timestamp when the predictive detection method was created.

Changed On The timestamp when the predictive detection method was last changed.

If you have multiple model versions, you can select one and activate it for use in your detection strategies.

Key InfluencersThe key influencers are displayed in a chart.

If you select a model version that is in status ready, the contribution of the key influencers is displayed in a chart. The bars indicate the contribution of each key influencer. The curve of the graph shows the cumulative contribution.

If you select two model versions that are in status ready, a comparison chart is displayed. It compares the contribution of each key influencer of both versions.

Technical Information

The various views associated to your detection method are displayed here, including the data view, the historical decision view (if applicable), as well as the generated training view.

To see the SAP HANA packages that correspond to the views, choose See More. To hide them, choose See Less.

To see the ABAP Managed Database Procedures that are used by the predictive detection method, call transaction FRA_GM_STR (Generation Monitor for Detection Methods) in the back end.


Related Information

Retraining Predictive Models [page 64]Predictive Detection Methods [page 59]Creating Predictive Detection Methods [page 60]Back-End Transactions for SAP Business Integrity Screening [page 12]

5.2.6.3 Retraining Predictive Models

If you are displaying the details of a predictive detection method, you can retrain and create a new version of the predictive model.

To do this, on the details screen, choose the button Retrain from the header of the page.

When you retrain a model, you are retraining the model with updates from the data view and the historic decision view. You can, however, also change the training time window by specifying a new time interval.

The results of the retrained model are displayed in the Training Results table. Initially, the table will display a maximum of five model versions. You can display the rest by choosing More.

5.3 Detection Strategy

A detection strategy is the object that is used to examine business data, such as insurance claims, tax returns, or purchase orders, for potential fraud.

The following sections explain how to create, calibrate, use, and manage detection strategies.

Creating Detection Strategies [page 76]

Editing a Detection Strategy [page 80]

Deactivating a Detection Strategy [page 80]

Calibrating Detection Strategies [page 81]

Executing Mass Detection [page 101]


Related Information

About Detection Strategies [page 65]Version Management of Detection Strategies [page 72]


Detection

5.3.1 About Detection Strategies

Definition

A detection strategy is the object that is used to examine business data, such as insurance claims, tax returns, or purchase orders, for potential fraud.

The following sections provide a conceptual overview about detection strategies:

Parts of a Detection Strategy [page 65]

How Detection Strategies Work [page 69]

Version Management of Detection Strategies [page 72]

About Data Modeling in SAP Business Integrity Screening [page 73]

5.3.1.1 Parts of a Detection Strategy

The following figure shows the parts of a detection strategy. You work with these components when you create or maintain a detection strategy.


Parts of a Detection Strategy.

This section explains what each attribute or component of a detection strategy does and how you can use them.

Detection Strategy ID

This is the name, or unique ID, that you give to a detection strategy.

Investigation Reason

The investigation reason expresses the motivation for a detection strategy and is the key value for alerts. You must specify an investigation reason for each detection strategy that you define.

The investigation reason lets you control how detection strategies create alerts if they examine the same detection objects. For example, the investigation reason lets you choose whether each detection strategy can open its own alert or whether the detection strategies share a single alert.


Detection

ExampleAssume that you have several detection strategies that have the same investigation reason. One detection strategy has run and has created an alert. When the next strategy runs, its detection findings are added as alert items to the existing alert. Because the investigation reasons are the same, the strategies share an alert.

Investigation reasons are defined in Customizing activity Define Investigation Reasons and must be assigned to the solution.

NoteSAP Business Integrity Screening allows only a single alert per detection object and investigation reason, except in address screening. In address screening (and in SAP Business Partner Screening and SAP Audit Management), new or multiple alerts are allowed per detection object and investigation reason. Here, the applications let additional alerts be created according to the source object. The source object stands for the detection activity during which an alert is created.

For more information, see Alert Lifecycle [page 146].

Detection Object Type

Detection methods and detection strategies are both specific to a single type of business data object – a detection object type. In the detection strategy, you define the detection object type that the strategy examines. You also determine which detection methods can be included in a detection strategy.


Selection parameters let you limit the set of detection objects that are selected for processing by a strategy. You set values for the selection parameters. When you run the strategy, only detection objects that meet your selection criteria are processed by the strategy. With the selection parameters, you can, for example, set up specialized strategies that work on separate sets of detection objects.

Detection Methods

Detection methods are the application objects that examine specific aspects of detection objects for evidence of fraud.

When you create a detection strategy, you assign as many detection methods as you need to the strategy. When the detection strategy is run, it applies each detection method in turn to the detection objects that it examines.


NoteAddress screening detection strategies can only have a single detection method. In address screening, a business partner is either found in a screening list or not; only a single method can be run to make this determination.

For information about the implementation of detection methods, see Detection Methods [page 31].

Input Parameters and Weighting Factors

Input parameters and weighting factors let you determine, in a detection strategy, how detection methods behave and how their results are evaluated.

In a detection strategy, you provide values for the input parameters that are exposed by a detection method. For example, you might tell a detection method to look for insurance claims for accidents only late in the night, if the method exposes input parameters for Start Time and End Time.

Since you can include a detection method more than once in a detection strategy, you can use input parameters to tailor different instances of the method for different purposes.

Weighting factors operate on the results returned by detection methods. A detection strategy assigns a weighting factor to each detection method.

For each detection object, a detection method returns a result value. The detection strategy multiplies this result value by the weighting factor to calculate the score returned by the detection method. For each detection object, the scores of all of the detection methods are added up to see whether an alert should be generated.

Weighting factors let you adjust the importance of detection methods relative to one another. You can assign a high weighting factor to an especially significant method to give its result more weight. With the Find Best Values feature on the Calibration screen, you can have the system recommend optimal weighting factors.

Since you can assign negative weighting scores, you can even let a detection method reduce the likelihood that a fraud alert is raised. Such a method finds mitigating evidence with respect to fraud.

The formula for calculating a score is as follows, where:

● The result of a detection method is between 0 and 100.● The weighting factor must be between -100 and 100.

Method result / 100 * weighting factor = method score

ExampleIf the result is 30 and the weighting factor is 50, then the score is 15:

30 / 100 * 50 = 15

If the result is 100 and the weighting factor is 100, then the score is 100:

100 / 100 * 100 = 100.

If the result is 50 and the weighting factor is -10, then the score is -5. A negative score suggests that fraud is not involved and reduces the likelihood that an alert is triggered.


Detection

Alert Threshold and Delta Alert Threshold

You must set an alert threshold in a detection strategy. You may optionally also set a delta threshold.

Use the alert threshold to set the trigger for raising an alert. If the sum of the scores of the detection methods exceed the threshold, then the detection strategy creates an alert item for the detection object. It either adds the alert item to an existing alert or creates a new alert for the investigation object. Raising the alert threshold makes it harder to trigger an alert for a particular detection object. Lowering the threshold lets more alerts through.

The alert threshold can be from 0 to 1000, a range that allows you to work with detection strategies that have many methods or only a few. If you have only a few detection methods, then you should set a correspondingly low threshold.

The delta threshold, if it is set, reactivates a closed alert. (The value 0 means that closed alerts cannot be reactivated.) Set the delta threshold to a value higher than the alert threshold. If more evidence of fraud is found when a detection object is reexamined, then the delta threshold makes it possible to raise an alert for the detection object for a second time.

Authorization Group

You can optionally limit authorization to work with detection strategies. If you enter a value for authorization group, then a user must be authorized both for detection strategies and for the authorization group.

5.3.1.2 How Detection Strategies Work

Here is an explanation of how to use detection strategies to examine your data for fraud. The example assumes that you are using SQLscript-based detection methods. But other types of detection methods - HRF rule-based methods, address screening methods and predictive methods - work similarly.


How Detection Strategies Work

Online Detection, Delta Address Screening, and Mass Detection

Let us start at the right side of the diagram. Data to examine – in the form of detection objects – comes to a detection strategy either by way of online detection or mass detection / delta address screening.

In online detection, an external program requests that one or more detection objects are checked. These objects are taken over into the SAP HANA database for examination.

If fraud is suspected or there is an address screening hit, the detection strategy raises an alert or adds to an existing alert. The application notifies the external user of the alert.

The application can also send notifications of changes in the status of an alert. An external program can then manage alerts. Change notifications require that you maintain a logical port in the Customizing.

In online detection, the requestor can set the detection strategy to use. Alternatively, you can implement a BAdI to select a detection strategy on the fly. The BAdI chooses a strategy according to the characteristics of the detection objects and the request.

In mass detection, you run a detection strategy against a set of detection objects in the SAP HANA database. These objects may be, for example, the newest detection objects added to the database.

In mass detection, the detection objects that are examined are determined by the selection parameters of the detection strategy. You can set the parameters to determine which detection objects are processed by a detection strategy.

Delta address screening is similar to mass detection. This type of detection checks persons and organizations against changed or new entries in address screening lists in the system. The data on persons or organizations may have come from an initial data load from a source business system. Or the data may be from an online request for address screening. The system persists the data from such requests in the database to allow delta screening.


Detection

If an investigation object type has been enabled for cross-system detection, then the detection objects may come from more than one source ERP system. For cross-system detection, source systems are defined as business systems in Customizing. Otherwise, the detection examines data from a single ERP system.

Both mass detection and online detection work in the same way: The detection methods of a strategy run in the SAP HANA database to use the speed and power of the database.

You can also calibrate and simulate a detection strategy to improve its efficiency. The detection strategy runs in the same way as in the production modes, but does not change the data in the database. Note that detection strategies for address screening cannot be calibrated.

Detection Processing

To detect fraud in a detection object, a detection strategy runs each of its detection methods against the detection object. Each detection object is examined by all of the detection methods, unless the input parameters of a detection method tell it to skip a particular detection object.

A detection method uses the logic in its execution procedure to evaluate a detection object. Detection methods are tailored to examine only a specific type of detection object. Often, each method examines only a specific aspect of a detection object, such as the time that an incident occurred in an insurance subclaim or the price per unit purchased in a payment position.

A detection method returns its evaluation to the detection strategy in the form of a numeric result. This result may be between 0 and 100, where 100 indicates a high degree of suspicion of fraud.

Note that address screening detection strategies may contain only a single detection method. You can control the sensitivity and behavior of an address screening method with the standard parameters offered by these methods.

The detection strategy divides the result of each detection method by 100, normalizing the result to a value between 0 and 1. It then multiplies the result by a weighting factor to determine the fraud score of the detection method. The weighting factor is specific to each method. You can therefore use the weighting factor to adjust the importance of detection methods relative to one another. Give a high weighting factor to a detection method that delivers an important indicator of fraud. The high weighting factor gives the score of the method more significance in determining whether to trigger an alert.

The strategy adds up the scores of all of the detection methods. The detection strategy determines to raise an alert as follows:

● Is there an active alert in the investigation object that is the parent of the detection object? If yes, then the detection strategy compares the total score with the alert threshold. If the total is greater than the threshold, then the new finding is added to the active alert as a new alert item, or a new alert is created. For more information on when a new alert is created, see Alert Lifecycle [page 146].

● Is there no alert in the investigation object? If yes, then the detection strategy compares the total score with the alert threshold. If the threshold is exceeded, then the detection strategy raises an alert in the investigation object. It then adds the alert item to the new alert.

● Is there a closed alert in the investigation object? If yes, then the detection strategy compares the total score with the delta alert threshold.If the delta threshold is set to 0, then no reactivation of alerts is allowed. The detection strategy goes on to the next detection object.


If a delta threshold is set and the score exceeds the delta threshold, then the detection strategy reactivates the alert and adds the alert item to it. Otherwise, the detection strategy goes on to the next detection object.Through reactivation of alerts, you can allow a detection strategy to bring in new evidence of fraud for an investigation object that has already been examined. Perhaps a new detection method has inspected the detection objects associated with the investigation object. Or the result of a detection method has changed.In address screening in SAP Business Integrity Screening and SAP Business Partner Screening, closed alerts are not reopened. An address screening alert is keyed by the investigation object, the investigation reason, and a changing source object (the specific online request or delta address screening run). Therefore, a new alert is created. In SAP Audit Management, an alert is reopened if the detection run occurred in the context of the audit work package of the existing alert. Otherwise, a new alert is created, with the source object key of the alert set to the new audit work package.

5.3.1.3 Version Management of Detection Strategies

Version management allows you to manage your changes to detection strategies. Version management ensures the following:

● There is only one active version of a detection strategy at any time. This version is for production use and cannot be changed.

● There can be only one inactive version of a detection strategy at any time. The inactive version is the editable version of a detection strategy.

● Older versions of a detection strategy are kept as deactivated versions. You can use such deactivated versions to track the changes to a detection strategy.

How does version management work?

The process of version management works as follows:

1. When you create a new detection strategy, it is given the version number 1 and remains inactive until you activate it.

2. Direct changes to an active version are not allowed. Therefore, when you edit an active detection strategy, the system creates a new inactive version, and assigns it one version number higher.

3. Once you have made your changes and you activate the new version of the detection strategy, the system changes the status of the first version to Deactivated, and the new version of the detection strategy becomes the new active version.

NoteIf you change an existing inactive version, the previous inactive version is overwritten.

4. This process repeats indefinitely, with each edited and activated detection strategy.


Detection

Version Management in Calibration and Simulation

Calibration is a simulation function that can be used to fine-tune a detection strategy. You can calibrate both the active and inactive versions of a detection strategy. For more information, see Calibration of Detection Strategies [page 81].

You can also test the active and the inactive versions of a detection strategy using the simulation mode in mass detection. For more information, see Simulating Mass Detection [page 105].

5.3.1.4 About Data Modeling in SAP Business Integrity Screening

Background Information

You can use this application to analyze any type of business data or transaction for fraud. To analyze new types of business data, you must first do some setup tasks so that the application can work with the new type of business data. The central task in this setup operation is to define the data model of the business data and make it possible for the application to work with this data model.

This section reviews the concepts underlying modeling of business data.

The information in this section will be useful to you if you must create the business content for new business data models.

Data Model Definition in Overview

You define a new business data model on two levels:

● At the lower level – manipulation and processing of the new business data – you must implement the SAP HANA views that are needed by investigation and detection object types and by detection methods.These SAP HANA views are described in the Extensibility Guide.

● At the higher level – semantic representation of the data model in the application – you define a new business data model in the Customizing.A new business data model is defined as a set of three different types of customizing objects. These are source domains, investigation object types, and detection object types.The main function of these customizing objects is to identify the SAP HANA procedures and views with which the data can be processed.These customizing objects are explained in detail below.

As an additional requirement, you must ensure that data from your source business systems is uploaded into the SAP HANA database (not required if the application is co-deployed with an SAP ERP system). You can use ABAP System Landscape Transformation (SLT) or SAP Data Services for uploading data.


Source Domains and the Field Catalog

The first of the three customizing objects is the source domain.

Source Domains

The two roles of source domains in defining business data models are:

● The source domain lets you create a label for the type of business data and the source system or source systems from which the data is uploaded into the system.For example, you might create a source domain PAYMENT_US to represent payments from your subsidiary in the United States.In this aspect, the source domain is only a label. It does not let you specify which physical systems deliver payment data to Key Extension for Investigation and Detection Object Types. You can define up to 15 key fields to identify the data objects that are represented by investigation and detection object types. It lets you document that this type of data exists in the application.

● The source domain lets you define the data fields of a business data model in a field catalog. The field catalog specifies important attributes of the fields in the business data model.The field definitions in the catalog are specific to the source domain. You therefore do not need to worry about conflicts in field names if you process more than one type of business data in the application.


Detection

Investigation Object Types and Detection Object Types

The second and third types of customizing objects in data modeling are the investigation object type and the detection object type. Together, these types define the business data model itself. So, the source domain reports the category of the data, the fields in it, and, implicitly, where it comes from. The investigation and detection object types define the data model.

Since the application manipulates data primarily by way of SAP HANA objects, the system needs to know which SAP HANA objects to use to select and process the data, and which fields from the business data model are exposed by the SAP HANA objects to the ABAP layer of the application. These fields are defined in the field catalog of the source domain, and their roles are specified in the definitions of the investigation and detection object types. (Fields are also exposed by detection methods. For more information, see Detection [page 29]).

The figure shows how investigation and detection object types are related to one another and how they may be used to describe a business data model.

Investigation Object Types and Detection Object Types

As the figure shows, the investigation object type and detection object types exist in a hierarchical relationship to one another. The investigation object type is the superior header element in the hierarchy. One or more detection object types are the subordinate item elements in the hierarchy.

This construction lets you model the hierarchy commonly found in business data. For example, an insurance claim can be modeled as an investigation object type. The personal injury subclaims and property damage subclaims in an insurance claim are modeled as detection object types. Similarly, a payment is commonly represented as a hierarchy. The payment itself can be modeled as an investigation object type. The individual positions in the payment can be modeled as detection object types.

Alerts are raised for the parent investigation object of a detection object. If a detection object is found to be suspicious, then the system creates an alert item for the detection object.


The alert item is then added as a new bit of evidence to an existing alert in the parent investigation object. Or a new alert is created and the alert item is added as the first piece of evidence to that alert.

Cross-Source Business Objects

Investigation object types can be marked in Customizing as cross-source business objects. This means that the data objects represented by the investigation type and the associated detection objects can come from multiple ERP systems. You can apply a detection method to detection object data from multiple systems for efficient mass detection. Or a detection method can combine detection object data from more than one system in order to look for fraud signatures.

You identify the source ERP systems (SAP or non-SAP) as business systems in Customizing. If a source ERP system is an SAP System, then the business system defines a single client in the source ERP system.

Additional SAP HANA views are required for cross-system business objects. See the Extensibility Guide for more information.

Classical investigation objects examine data from a single ERP system that is not explicitly named. You can combine both modes of operation, single implicit system and cross-system business objects. Using cross-system business objects is optional.

Investigation objects can also examine data from a single ERP system that is not explicitly named. You can combine both modes of operation, single implicit system and cross-system business objects. Using cross-system business objects is optional.

5.3.2 Creating Detection Strategies

Introduction

Create a detection strategy to check business data for potential fraud in mass detection or online detection.

A detection strategy uses selection parameters to specify which business records are to be examined. It also specifies the detection methods that are to be run against this data and how the results are to be evaluated.

You will need to create a new detection strategy if you have added new business data to your system. You can also create new detection strategies in order to examine the same type of business content using different sets of selection parameters, detection methods, or other attributes.

The business content examined by a detection strategy is in the form of detection objects. A detection object type represents a type of business transaction or business document that is to be examined for fraud. A detection object might, for example, be, a particular tax form or a purchase order item. For a brief explanation of the data model, see About Data Modeling in SAP Business Integrity Screening [page 73].

Prerequisites

Before you can create a detection strategy, you must have defined the detection object type and the detection methods that the detection strategy will use, if these do not already exist. For more information, see the Customizing activity, Maintain Detection and Investigation Data Model.


Detection

Procedure

To define a new detection strategy, do the following:

1. From the Home screen, choose Detection Detection Strategy to reach the maintenance screen for detection strategies.

2. At the Detection Strategies screen, search for and open an existing detection strategy that you would like to copy and modify. Or click New to create an entirely new detection strategy.

3. Maintain the General information of the detection strategy.For detailed information, use the key combination CTRL F1 to see the online help.To define a detection strategy for use with SAP Audit Management, set the Investigation Reason field to an investigation reason that is assigned to the Audit Management solution in Customizing.

4. In the Selection Parameters tab, provide values for the selection parameters of the detection strategy.Use selection parameters to limit the detection objects that are evaluated by a detection strategy.For example, you can limit a detection strategy to examining only a particular type of product or to detection objects that exceed a certain minimum value at risk.For more information, see Creating Detection Strategies: Selection Parameters Tab [page 77].

5. In the Detection Methods tab, assign the detection methods that your detection strategy uses to evaluate detection objects.The detection strategy examines each detection object with all of the detection methods that you assign.If the sum of the scores of the detection methods exceeds the Threshold value, then an alert of potential fraud is created. Your investigators can then work with the alert to investigate the potential fraud.For more information, see Creating Detection Strategies: Detection Methods Tab [page 79].

6. In the Optional Settings tab, you can set a threshold for stopping a delta address screening run.This function helps you to avoid a large amount of false positives produced by weak aliases in delta address screening.See Creating Detection Strategies: Optional Settings [page 80] and Weak Alias Protection in Delta Address Screening [page 137]

7. Save your detection strategy, if you have not already done so.Saving a strategy generates (in some cases, prepares for generation of) the SAP HANA objects that are needed to use the strategy in calibration, simulation, mass detection, or online detection.If saving the detection strategy does not result in any error messages, then the strategy is ready to use. You can verify this status by switching to the Administration Data tab. There, theExecution Status field should show the value Executable if the detection strategy is ready to use.

8. If the detection strategy is ready for production use, then click Activate to make the detection strategy available.To fine tune your detection strategy before you activate it, you can calibrate the detection strategy. For more information, see Calibration of Detection Strategies [page 81]. You can also test your detection strategy by using it in a simulated mass detection or online detection. For more information, see Simulating Mass Detection [page 105].

5.3.2.1 Creating Detection Strategies: Selection Parameters Tab

This section explains the information that you provide in the Selection Parameters tab of a detection strategy.


Use selection parameters to limit the detection objects that are evaluated by a detection strategy. The selection parameters are determined in the definition of the detection object type in Customizing.

Procedure

For each selection parameter in the table, choose an operator and enter a selection value.

The operators let you specify single values or search for patterns with the CONTAINS and STARTS WITH operators. It is not possible to define a search range.

If you leave the right-most value field empty, then the selection parameter is not used in selecting detection objects. Leaving a field blank is therefore the equivalent of a wild-card that accepts all values.

You can require that a selection field is empty in the detection objects that are selected from the database. Enter the operator IS EMPTY to make this requirement.

You can add multiple selection criteria for each selection parameter. If you do this, then the selection criteria for a parameter are linked with OR logic. Across parameters, selections are linked with AND logic.

ExampleAssume that you have specified these values for selection parameters Company Code and Purchasing Organization:

Parameter Operator Value

Company Code is 001

Company Code is 005

Purchasing Organization starts with EU

Purchasing Organization starts with AS

The Company Code selection is for company codes 001 or 005.

The Purchasing Organization selection is for purchasing units starting with EU or AS.

Across parameters, the selection criteria are linked with AND logic. The selection as a whole is for records that have Company Code 001 or 005 and that are from Purchasing Organizations that start with EU or AS.

NoteHRF detection methods (SAP HANA Rules Framework) (Detection Method Editor tile) do not support OR logic in selection parameters. This means that only a single selection parameter criterion is allowed for each selection parameter. In the editor, only a single line is allowed for a selection parameter.


Detection

5.3.2.2 Creating Detection Strategies: Detection Methods Tab

This section explains how to assign detection methods to a detection strategy.

The detection strategy examines each detection object with all of the detection methods that you assign.

You can run, simulate, or calibrate a detection strategy (not for address screening methods) only after you have assigned at least one detection method. The Execution Status of a strategy (in the Administration Data tab) can switch to Executable only when there is at least one detection method assignment.

Procedure

To assign detection methods to a detection strategy, do the following:

1. Click Edit to make the detection method assignments editable, if the tab is still in display-only mode.2. Click Assign to add a detection method to the detection strategy. A detection strategy for address

screening may contain only a single address screening method.3. Use the input help to choose a detection method from the list of available methods. Only methods that

specify the same detection object type as the detection strategy are presented in the input help.You can assign the same method more than once. For example, you could use two assignments of a method that checks the time of an accident to define two daily periods of interest for fraud detection.

4. Enter a weighting factor for each method. The value may be between –100 and 100. Note that address screening methods do not use a weighting factor.The application multiplies the result returned by a detection method with the weighting factor that you specify. Varying the weighting factor lets you fine tune the detection strategy. For example:○ You can assign a high weighting factor to detection methods that return more important indications of

fraud.○ You can assign a negative weighting factor to a detection method that delivers evidence that a

detection object is not fraudulent.For more information on how Sthe system calculates fraud scores, see About Detection Strategies [page 65].

5. Open the input Parameters of a detection method by marking the method in the list of assigned methods. With these parameters, you can control how the detection method checks detection objects.The parameters appear automatically and are specific to each detection method. If a detection method does not have parameters, then the parameter area on the tab remains empty.For each parameter, enter a value in the right-most field in the parameter table. Note the following:○ Only the IS operator is supported.○ Enter only the exact value that you wish to use or find. No patterns or wild cards are allowed as values,

and you cannot define a range of values in a single parameter value.○ You must provide a value for every input parameter.


5.3.2.3 Creating Detection Strategies: Optional Settings

Before using the weak alias protection in delta address screening, you have to define the number of alert items that need to be created by a detection strategy in order to stop the detection run.

You can set a Threshold for Stopping the Run in each involved detection strategy on the Optional Settings tab.

If the number of alert items that will be created exceeds the threshold, a strategy will stop the delta address screening run. No alert items will be created.

When several detection strategies are executed in a delta address screening run, the run is stopped when a threshold of one strategy is exceeded.

See Weak Alias Protection in Delta Address Screening [page 137]

5.3.3 Editing a Detection Strategy

You can edit the active or the inactive version of a detection strategy.

If you edit the active version, then the application responds by creating a new inactive version. Direct changes to an active version are not allowed.

You can edit the inactive version of a detection strategy without affecting any other version.

Related Information


5.3.4 Deactivating a Detection Strategy

If you want to make an active detection strategy unavailable for production use, you can deactivate the active version of the detection strategy.

Activating the inactive version of a detection strategy also deactivates any active version that is present.

Related Information



Detection

5.3.5 Monitoring SAP HANA Objects Generated for Detection Strategies

For detection strategies with the status Executable, you can check if the SAP HANA objects that are used exist and can be read by the system.

An error might occur when objects have been deleted in SAP HANA.

NoteThe authorization object FRA_GEN (Generate SAP HANA Objects) is checked whenever a SAP HANA object is generated in the generation monitor. It defines whether the user is allowed to generate SAP HANA objects in the SAP HANA DB repository.

To generate SAP HANA objects, you have to be authorized for activity 01 (Create).

Choose transaction FRA_GM_STR (Generation Monitor for Detection Strategies) in the back end system.

With this function, you can do the following:

● Check for detection strategies

NoteYou cannot perform this check for detection strategies that are deactivated.

● Regenerate Objects for detection strategies with errors

Choose (Regenerate Objects) to regenerate the objects needed for a detection strategy.● Display Error Log

Choose (Display Error Log) to display more details about the error that has occurred.

5.3.6 Calibration of Detection Strategies

The calibration is a simulation function for what-if analyses to improve the result of detection strategies.

Calibration empowers business users to fine-tune detection strategies without having to learn technical skills in order to:

● Reduce False Positives alert items● Reduce the number of alert items generated by keeping the number of Confirmed alert items at a constant

level (improve efficiency)● Reduce and manage the workload for fraud investigators● Simulate the number of alert items to be expected● Analyze the result details from the KPI level down to the alert item level● Optimize the strategy from a financial point of view

Once the detection strategy is adjusted, you can save the new set of weighting factors, parameters, and the threshold. By saving the results of the calibration, the system creates a new detection strategy version with status inactive. An existing inactive strategy version will be overwritten.

How to Work with the Simulation?


With the simulation, you can do the following:

● Fine-tune the settings and compare with a reference strategy○ You can compare the actual result of the strategy with the simulated results.○ You can also define a selection period for the data that is relevant for the simulation.○ You can change the threshold of the strategy.○ You can also change the weighting factors, and the parameter values of the detection methods.○ You can compare the actual and simulated results of the strategy with the results of another strategy

that has the same detection object type (reference strategy).See Starting the Calibration [page 84]

● Display the simulation results○ For each simulation a new tile will be created and displayed, providing, for example, the number of

alert items, the simulation ID, the efficiency, and the number of records that have been processed.○ For each simulation the results are displayed in various charts:

○ A treemap and a column chart that display the number of alert itemsSee Analyzing the Simulation Results [page 88]

○ A Sankey diagram that displays the contribution of the detection method to the simulation resultSee Analyzing the Detection Method Contribution [page 89]

○ Patterns that show a group of alert items that have been detected by the same detection methods in a concrete simulationSee Analyzing Detection Method Patterns [page 90]

○ Alert item details are displayed in a list below the diagrams.From there you can navigate from the simulated alert items with status New to the business system, and you can navigate to the alert item details from already existing alerts.

How to Work with the Optimization?

You can start an optimization so that the system finds the best values for the weighting factors automatically. You can display these values and apply them. You can also run a simulation using the new weighting factors.

See Optimization of Detection Strategies [page 95]

Which KPIs are displayed?

For example, the following KPIs are used in the calibration:

● KPIs for actual data (which represents the calibrated strategy and the reference strategy as it is in the system), such as confirmed alert items or false positives.

● KPIs for simulated data (based on a comparison with the actual classification of detection objects), such as new or missed alert items.

● The efficiency for actual and simulated data.

See Which KPIs are displayed in the Calibration? [page 93]

More Information

Prerequisites for Working with the Calibration [page 83]

Starting the Calibration [page 84]

Optimization of Detection Strategies [page 95]


Detection

Which KPIs are displayed in the Calibration? [page 93]

5.3.6.1 Prerequisites for Working with the Calibration

Setup

For more information about the setup, see the Installation and Configuration Guide on the SAP Help Portal.

Roles and Authorizations

For more information, see the Security Guide on SAP Help Portal.

Customizing

Calibration Preview SizeYou can specify the number of detection objects that will be evaluated in the preview phase of a calibration run. The system then calculates the effect on the detection strategy based on the defined number of detection objects and displays a preliminary result.

You define the Calibration Preview Size in the Customizing activity Maintain Detection and Investigation Data Model in the Detection Object Types view.

NoteTo switch off the preview, you can set the value to 0.

Alert CurrencyYou specify the alert currency that is used when displaying the risk values in the treemap. You define the alert currency in the Customizing activity Maintain Application Currency.

Own Calibration UIYou can also use your own calibration UI. When using your calibration UI for a detection object type, you have to assign it to the role / instance HPA / FRA launchpad in the Customizing activity Set Up Launchpads (or by using transaction LPD_CUST).

If you do not enter an alias, then the default Calibration UI is shown.

NoteIf you want to use your own UI, you must also assign it to a detection object type as Calibration Application Alias in the Customizing activity Maintain Detection and Investigation Data Model.


Navigation TargetsTo use navigation targets in the calibration, you have to create the required entries in the following Customizing activities:

● Assign Navigation Targets to Navigation Groups● Define Investigation Settings● Setup Launchpad

NoteFor simulated new alert items, you can navigate to the business system.

For existing alerts, you can navigate to the business system and to the alert.

Calibration Procedure

You have created a detection method that supports the execution mode Mass Detection.

All detection methods created in the editor support the mass detection.

NoteOnly detection methods based on SQLScript procedures with a selection procedure support the execution in a mass run and can be used for calibration.

Delete Calibration Simulation Details (optional)

Details of the calibration simulation will be deleted automatically by the system.

To delete all simulation data older than today’s date manually, execute the report Delete Calibration Simulation Details (FRA_CDET_CLEANUP) in the Business Integrity Screening menu.

5.3.6.2 Starting the Calibration

You can only start the calibration for detection strategies that can be executed.

You can perform the calibration on all detection strategies; whether their detection methods are based on SQLScript procedures, whether they were created in the detection editor, or if they are used for address screening.

Accessing Calibration

You can access calibration as follows:

● On the Detection Strategy screen● On the Detection Strategy Details screen


Detection

Tiles in the Calibration

When starting the calibration UI, the KPIs for the selected strategy based on the actual data are displayed in a tile. Once you have performed the calibration, a new tile for each calibration (simulation) is displayed.

On the tiles the systems displays the following KPIs:

● Confirmed, False Positives, Unclassified, and New alert items● Efficiency of the strategy● Selection period● Number of records processed in the simulation

The figure below illustrates tiles with the actual and the simulated KPIs:

KPIs for the actual data and the simulation

Running the Calibration

You have several options when running the calibration, as described in the following sections:

Define calibration settings and assign a reference strategy

1. Choose in the bottom left corner and enter the required values.You can define the selection period for the detection objects and select a reference strategy that has the same detection object type as the strategy that is currently calibrated.

2. Choose Apply.

NoteBy default, the system displays the alert items that have been created in the last year that is in the last 365 days for the selected strategy.

Define threshold, weighting factors, and parameters

1. Choose to change the threshold, the weighting factors, and the parameter values.


2. You can fine-tune the strategy by changing the following:○ The threshold on strategy level

You can change the threshold at which an alert item is created, if exceeded. By changing the threshold you can analyze the impact of the weighting factors.You can use values in a range from 0 to 1000.

○ The weighting factor for each detection methodDefines how important a detection method is within a strategy. You can use values in a range from ‑100 to 100.

NoteYou can change the weighting factor from a positive value to a negative value or vice versa.

A negative value reduces the contribution of the detection method to the total score of the strategy.

○ The parameter values of the detection method.You can enter or change the parameter values in an input field.

Start the optimization

1. Choose Find Best Values and then Start in the context menu to start the optimization.2. Enter a profit factor and a cost factor in the dialog box and choose Start.

You can display and apply the best values for the weighting factors that have been determined by the system.See Optimizing Detection Strategies [page 95]

Start the simulation

1. Choose Start Simulation to start the simulation.A preliminary result can be displayed first (if the Calibration Preview Size is defined in the Customizing). The system displays a message indicating the number of records processed and the number of hits found.

2. Once you have started the simulation, the results are displayed in the followings ways:○ In the simulation tile the number of confirmed, false positive, unclassified, and new alert items are

displayed as well as difference (delta) between the actual KPIs and the simulated KPIs.The efficiency of the strategy and the number of records that have been processed are also displayed.For more information about the KPIs, see Which KPIs are displayed in the Calibration? [page 93]

NoteThis result for a simulation and the reference strategy is compared with the actual classification of the detection objects in order to determine the KPIs for the simulation.

However no alert items are created in the calibration.


Detection

○ In various diagrams, you can analyze the calibration results:

Option Description KPIs See Also

This analysis shows the number of alert items and their risk values in a treemap and in a column chart.

(Both diagrams display the number of alert items and the sum of all the risk values of the alert items.)

KPIs for the actual data and the simulated data:

○ Confirmed, false positive, and unclassified alert items

○ New, missed, and found alert items

○ Risk value of new, found, and missed alert items

Analyzing the Simulation Results [page 88]

This analysis decomposes which detection methods contribute to the detection results; it is based on a Sankey diagram.

○ The number of alert items in which a detection method (or a selection of methods) is involved

○ The number of alert items with a specific status in which a detection method (or a selection of detection methods) is involved

○ The number of hits (detection methods that apply) with a specific status (Confirmed, False Positive, New, and Unclassified)

Analyzing the Detection Method Contribution [page 89]

This diagram displays detection method patterns, that is a group of alert items that have been detected by exactly the same detection methods in a concrete simulation.

○ Pattern score○ Pattern efficiency○ Positive predictive value

Analyzing Detection Method Patterns [page 90]

Navigate through simulations and delete simulation

The result of the simulation is displayed in a tile that allows you to browse through the simulations.

You can navigate back and forth through previous simulations of your current session, if needed.

NoteYou can delete simulation that you do not need any longer, for example, after changing the selection period in the calibration settings.

Once the detection strategy is adjusted, you can save the new set of weighting factors, parameter values, and the threshold as an inactive strategy.

Save the calibration results


Choose Save to save the calibration results.

When saving a simulation the system creates or overwrites an (existing) inactive strategy.

NoteThe simulation does not change an active strategy.

More Information

Prerequisites for Working with the Calibration [page 83]


Optimization of Detection Strategies [page 95]

5.3.6.3 Analyzing the Simulation Results

This diagram shows the number of alert items and the sum of all the risk values (of the alert items) in a treemap and in a column chart.

NoteA treemap is an area-based visualization of data.

In the calibration, it displays the number of alert items or the risk values as a set of rectangles in such a way that the size of the rectangles is proportional to amount of data.

Displaying the KPIs

On the tab in the Calibration you can display the following KPIs:

● Number of alert items with a specific status (Confirmed, False Positive, or Unclassified alert items that were Found, Missed, or New in the simulation)

● Sum of all the risk values of the alert items

Note

You can toggle between a chart view and a table view. To do so, choose , , or .

Displaying the Alert Item Details

By clicking on the respective KPI in the treemap or table, such as Confirmed, the system also displays the alert items found for the selected KPI in a list below the treemap.

Here, you can sort and group the alert items.


Detection

More Information


5.3.6.4 Analyzing the Detection Method Contribution

This analysis decomposes which detection methods contribute to the detection results; it is based on a Sankey diagram.

NoteA Sankey diagram is a specific type of flow diagram, in which the width of the block arrows is shown proportionate to the contribution of the detection method to the simulation result. Every block arrow represents a detection method. The bigger the block arrow is, the more the detection method contributed to the simulation result.

Displaying and Analyzing the KPIs

On the tab in the Calibration you see the following KPIs:

● For each detection method (or a selection of methods) you can display the number of alert items the methods are involved in.

● For each alert item status (Proven Fraud, False Positive, New, and Unclassified) you can display the detection methods that contributed and the number of alert items in which each detection method is involved.

ExampleIn the simulation of a strategy, the number of records processed are 80,000. The number of alert items that were found with status False Positive is 22,000.

In this strategy, three detection methods “Loss amount in damage”, “Age of policy holder”, and “Claims for policy holder in the last year” contributed to the alert items with status False Positive.

The detection method “Loss amount in damage” contributed with 19,000 hits.

The detection method “Age of policy holder” contributed with 20,000 hits.

The detection method “Loss amount in damage” contributed with 5,290 hits.

These detection methods in total applied 44,290 times, which results in 22,000 alert items (because for some alert items two or all three detection methods applied).

You can also filter by using the detection methods or the alert item status.

Use the function to set the visualization back to the initial state.

Note

You can toggle between a chart view and a table view. To do so, choose or choose .


Displaying the Alert Items Details

By clicking on the respective detection method or status in the diagram or table, the system displays the alert items found for the selected detection method or status in a list below the diagram.

In this list, you can see the details, for example the Risk Value, Score, and Date of Loss of the alert items.

Here, you can sort or group the alert items, and you can search in the alert item details. Choose to sort or group the data.

More Information


5.3.6.5 Analyzing Detection Method Patterns

This graphic chart visualizes which detection method patterns occurred in the data set and how they contribute to the detection results.

NoteA pattern is a group of alert items that have been detected by exactly the same detection methods in a concrete simulation.

Displaying Detection Method Patterns

On the tab you see the patterns that have been detected by the system. The detection method pattern helps you analyzing how a combination of detection methods behaves.

You can do the following:

● Sorting patterns.● Clicking on the pattern opens a popup displaying all detection methods of a pattern, including all methods

that apply as well as all methods that do not apply.● Clicking on the KPIs displays the alert item details. By default they are grouped by their status.

You can sort and group the items as well as search for a specific item.

● For existing alerts, you can navigate directly to the alert item details by clicking on .For simulated alert items with status New, you can only navigate to the business system (depending on the customizing).

Displaying the Alert Item Details and the KPIsThe system displays the details, such as the number of False Positive, Confirmed, Unclassified, and New alert items.

The KPIs for a pattern (Pattern Efficiency, Pattern Score, Positive Predictive Value) are displayed as well as the KPIs of the strategy (Efficiency and Threshold) so that you can compare the simulation results.


Detection

The system calculates the pattern efficiency KPI to indicate the most promising patterns.

NoteThe KPIs for a pattern are:

● Pattern EfficiencyThe pattern efficiency is the percentage of alert items with the finding Confirmed in the pattern of the simulation, which is calculated from the number of actual alert items with status Confirmed and the number of simulated alert items with status False Positives.Calculation: Confirmed sim. in pattern / (Confirmed actual + False Positives sim. in pattern)

● Pattern ScoreThe pattern score is the sum of the scores of detection methods that contribute to a pattern.Patterns are only displayed if the pattern score is higher than the threshold of the strategy.

● Positive Predictive ValueThe positive predictive value indicates how likely it is that an alert item found with this particular pattern will be confirmed.Calculation: Confirmed in pattern / (Confirmed in pattern + False Alarm in pattern)

More Information


5.3.6.6 How to Calculate the Pattern Efficiency and the Positive Predictive Value

In the calibration of a detection strategy, you can analyze detection method patterns.

In this example the actual data is as follows:

● 1,307 confirmed alert items● 35,527 false positive alert items● 0 new alert items● 0 unclassified alert items

Simulation Result

Once you started the simulation, the patterns are displayed.


Detection Method Patterns

The details for pattern 4 and 6 in the simulation are displayed in the following table:

PatternFalse Positive

Confirmed

Unclassified

New Alert Items

Pattern Efficiency

(Simulation: 3%)

Positive Predictive Value

Pattern Score

(Threshold: 20)

4 999 53 0 0 2.30% 5.04% 40

6 6444 166 0 0 2.14% 2.51% 25

How the Pattern Efficiency and the Positive Predictive Value are calculated

The calculation for the KPIs is as follows:

KPI Calculation

Pattern Efficiency (Confirmed sim. in pattern) / (Confirmed actual data + False Positive sim. in pattern)

ExampleEfficiency of pattern 4:

(53) / (1307 + 999) ≈ 0.022983521 ≈ 2.31%


(Confirmed sim. in pattern) / (Confirmed sim. in pattern + False Positive sim. in pattern)


Detection

In this example, the KPIs are therefore calculated as follows:

5.3.6.7 Which KPIs are displayed in the Calibration?

Actual Data and Reference Data

The key performance indicators for actual data (which represents the calibrated strategy and the reference strategy as it is in the system) are the following:

KPI Description

Confirmed Number of alert items that have been created by this strategy and are classified as Confirmed within a given time frame.

False Positives Number of alert items that have been created by this strategy and are classified as False Alarm within a given time frame.

Unclassified Number of alert items that are not yet classified or have been closed by a processor with the status Closed Without Investigation.


Simulated Data

The key performance indicators for simulated data (based on a comparison with the actual classification of detection objects) are the following:

KPI Description

Confirmed Number of alert items that would have been created and classified as Confirmed for detection objects that already have been identified as Confirmed in the actual data.

False Positives Number of alert items that would have been created and classified as Confirmed for detection objects that already have been identified as False Alarm in the actual data.

New Alert Items Number of alert items that will be created during simulation and that have not been created within the actual data.

Missed Alert Items Number of alert items that were created by the strategy in the past, but were not found during the current simulation.

Found Alert Items Number of alert items that were both created by the strategy in the past and were found during the current simulation.

Risk Value of New Alert Items

Sum of all the risk values of the new alert items found during the current simulation that were not found by the strategy in the past.

Risk Value of Found Alert Items

Sum of all the risk values of the alert items that were both created by the strategy in the past and were found during the current simulation.

Risk Value of Missed Alert Items

Sum of all the risk values of the alert items that were created by the strategy in the past, but were not found during the current simulation.

Efficiency of a Strategy

The efficiency for actual and simulated data is the following:

KPI Description

Efficiency (Actual) Share of Confirmed alert items from the number of classified alert items, created by the strategy within a given time frame:

Confirmed actual / (Confirmed actual + False Positive actual)

Efficiency (Simulation)

Share of simulated Confirmed alert items from the number of classified alert items, created by the simulated strategy within a given time frame:

Confirmed sim / (Confirmed actual + False Positive sim)


Detection

Detection Method Pattern KPIs

The key performance indicators for a pattern are the following:

KPI Description

Pattern Score Sum of the (risk) scores of detection methods that contribute to a pattern.

NoteCalculation: Risk score of a detection method = (Detection result / 100) * Weighting factor

Pattern Efficiency The pattern efficiency is the percentage of alert items with the finding Confirmed in the pattern of the simulation, which is calculated from the number of actual alert items with status Confirmed and the number of simulated alert items with status False Positives.

NoteCalculation: Confirmed sim. in pattern / (Confirmed actual + False Positives sim. in pattern)


This KPI indicates how likely it is that an alert item found with this particular pattern will be confirmed.

NoteCalculation: Confirmed in pattern / (Confirmed in pattern + False Positive in pattern).

For more information, see How to Calculate the Pattern Efficiency and the Positive Predictive Value [page 91].

NoteIn general, when a detection strategy applies this results in an alert item that refers to a detection object. When the subsequent detection is successful this alert will be updated.

For some scenarios, such as the delta address screening, the handling of alerts is different: If an alert item already exists for a detection object a new alert item for the same detection object will be created. The calibration will only consider the most recent alert item.

5.3.6.8 Optimization of Detection StrategiesYou can speed the calibration of detection strategies with automated optimization. You access this feature in the Find Best Values menu on the standard Calibration screens.

Quick Procedure

Use the automatic optimization as follows:

1. On the Calibration screen, click Find Best Values.2. For Profit Factor and Cost Factor accept the default values, or enter your known figures for profit from

discovery of real cases of fraud and cost of clearing false alarms about possible fraud.


3. Click Start to start the automatic optimization.

4. Choose Find Best Values Show Best Values to display a dialog window with the proposed new values for weighting factors.

Result: You can see how well the strategy performs in terms of the number of true fraud cases found and false alerts raised.

Recommendation: Combine the automatic optimization with baseline simulation results, as shown in the following procedure. This iterative procedure lets you see how well the optimization works in relation to your baseline settings. With further iterations, you can fine-tune your detection strategy.

Combining Baseline Simulation and Automatic Optimization

Here is how to combine simulation for baseline results with automatic optimization.

1. Starting from a detection strategy (list screen or Details screen), choose Calibration.2. Click Expand at the right side of the Calibration screen to open the Calibration Settings section of the

screen.Set the correct start and end dates for selecting records for simulations and for the automatic optimization.

3. Choose Start Simulation to get a baseline for the performance of your detection strategy.The simulation shows you how many confirmed alert items and false positives are found. It also shows you how efficient the strategy is.

4. Start the automatic optimization by choosing Find Best Values Start .5. Set the Profit Factor and Cost Factor values.

Recommended: Start with the default values. Then repeat Find Best Values with the known profit and cost values of your organization to find the best performance of the detection strategy.For more information on the Profit Factor and Cost Factor, see Background Information below.

6. Click Start to start the automatic optimization.While the optimization is running, the legend on the button changes to Finding Best Values and shows the percentage of the optimization that has been completed.When the optimization is done, the button turns green and returns to the legend Find Best Values. You will also see a success message reporting the end of the optimization.

7. Choose Find Best Values Show Best Values to display a dialog window with the proposed new values for weighting factors.

8. Show the changes in weighting factors by choosing Apply on the Best Values dialog.Put the cursor on one of the weighting factor scales at the right side of the Calibration screen to display a message that reports the new and old weighting factors.Apply applies the new weighting factors to your detection strategy only in the context of the Calibration screen. You make changes to the detection strategy permanent only if you click Save.

9. Then click Start Simulation to run the detection strategy with the optimized weighting factors.Use the Go to previous simulation and Go to next simulation buttons to compare the results of the optimized simulation with your previous baseline simulation.

Make not that the automatic optimization provides only a suggestion for the best weighting factors. If you are not satisfied with the performance of a detection strategy after optimization, then use Start Simulation to try different detection method parameters and selection parameters. Return to the Edit Detection Strategy Details screen to add more detection methods, if possible. Then try the optimization again.


Detection

More Information

Background Information on Optimization [page 97]

Maintenance Transactions for Optimization [page 99]

5.3.6.8.1 Background Information on Optimization

This section lets you know in more detail what you can expect from the optimization. It also explains the limitations of the feature.

How Optimization Works

Optimizing Detection Strategies by Optimizing Weighting Factors

Find Best Values optimizes a detection strategy by applying mathematical modeling techniques to find a best fit for the weighting factors in a detection method.

A weighting factor increases or decreases the importance of a detection method in a detection strategy. The weighting factor of a method is multiplied against the raw numerical score returned by the method:

● A higher weighting factor therefore increases the contribution of a method in breaking the alert threshold set by a detection strategy and triggering an alert.

● A negative weighting factor actually decreases the likelihood of an alert if the detection method returns a significant score.

As it tries out various optimizations, Find Best Values gives more importance to scores that strongly break the alert threshold of a detection strategy. This feature means that the optimization favors weighting factor settings that produce strong signals of potential fraud. This effect in turn improves the quality of the alerts that an optimized strategy creates.

Find Best Values does not vary any other attributes of a detection strategy, only the weighting factors of the detection methods of the strategy.

Historical Data: Confirmed Alert Items and Known False Positives

Find Best Values validates its best-fit values for weighting factors by comparing the simulated alerts that it would trigger in its mathematical model to historical data. The historical data lets Find Best Values see the following:

● How many alerts with the status Confirmed it was able to find with a particular set of weighting factor values.The Efficiency graph on the Calibration screen shows you the Confirmed alert items found as a percentage of all confirmed alert items in the historical data, together with the simulated false positives.

● How many of the simulated alerts are actually known False Positives in the historical data. A false positive is an alert that has been shown to be incorrect and misleading.The Actual Alert Items and Simulated Alert Items graphs on the Calibration screen let you see the ratios between confirmed alert items and false positives in your historical data and in your optimized simulation.


You can judge whether the optimized detection strategy achieves a much better ratio of confirmed and false positives.

The Profit Factor and Cost Factor Coefficients

You can use the Profit Factor and Cost Factor input parameters to tell Find Best Values what goals to follow when it optimizes a detection strategy. How should the optimization balance the goals of finding as many confirmed cases as possible while minimizing the number of false positives for which alerts are raised?

● With Profit Factor, you say how important it is to you to find as many real cases of fraud as possible. A high Profit Factor tells Find Best Values to optimize for finding a high proportion of the real cases of fraud in your historical data set.The meaning behind it is: I expect to get this much value – Profit Factor value – from finding each case of real fraud.

● With Cost Factor, you say how important it is to you to avoid false-positives, that is, alerts for data that has been shown not to be fraudulent.The meaning behind it is: I expect it to cost me this much – Cost Factor value – to clear a false-positive alert and recognize that it is false.

You tell the optimization how to balance the goals of efficiency and avoiding false positives with the ratio between the Profit Factor and the Cost Factor. A high ratio of Profit Factor to Cost Factor sets the priority on finding cases of confirmed alert items, even at the risk of more false positives. A low ratio means that clearing false positives costs a lot in relation to confirmed alert items, so that avoiding false positives is proportionally more important.

If you have historical values for your profit and cost, then use these values in the optimization. Otherwise, run the optimization using the default values set by SAP.

If you cannot get the results that you want from Find Best Values, then you need to improve the detection strategy itself. Perhaps the selection parameters need to be refined, or the input parameters of the detection methods need to be adjusted and optimized. Or it may be necessary to add detection methods in order to look for a more powerful signature of fraud in your data.

Good To Know

Note the following with regard to the Find Best Values feature:

● Find Best Values cannot guarantee that it will find the global optimal setting for the weighting factors of a detection strategy.This feature lets you quickly generate a proposal for setting up a detection strategy. The proposal is quite likely to be optimal, given the Profit Factor and Cost Factor values that you provided.An automatic optimization proposal should always be reviewed and tested – using the Calibration Simulation function – by someone with expert knowledge of the data that you are examining.You should also compare the results of automatic optimization runs that use varying values for the Profit Factor and Cost Factor parameters.

● Find Best Values optimizes only the weighting factors of a detection strategy. That is, it optimizes the importance of each detection method in a strategy so that the best mix of maximal true alerts (Confirmed) and minimal false-positive alerts is generated.Find Best Values does not change selection parameters, the detection method mix, or other settings that you make when you define a detection strategy. It is up to you to find the best set of detection methods, select the right data, and set the best parameters.


Detection

● A detection strategy must contain at least two detection methods to be optimized automatically.● The quality of optimization depends on the quality of your historical data. Historical data consists of alerts

that your investigators have already closed. Poor quality in decisions on alerts is likely to cause poor quality in optimizations as well.The quality of optimization also improves with the amount of reliable historical data. The minimum amount of historical data that is required for optimization is hard to specify precisely, as it varies with the number of detection methods, the distribution of findings in the historical data and other factors.

NoteA set of at least 100 historical data findings – with both confirmed alerts and findings of no fraud – would be required to optimize a detection strategy that has 10 detection methods.

That is, the number of classified alert items must be at least tenfold the number of the detection methods of a strategy, otherwise the optimization will not start.

5.3.6.8.2 Maintenance Transactions for Optimization

You can use the following transactions for the optimization of calibration:

● FRA_OPT_LOGUse this transaction to see error logs produced by optimization runs. Only error logs are available; other messages, such as success messages, are shown directly on the Calibration screen.Should an optimization end abruptly on the Calibration screen, an error message is displayed, and then you can use this transaction to find the cause of the error.

● FRA_OPT_CLEANUPUse this transaction to delete the data generated by automatic optimization runs. Optimization may produce large amounts of temporary data. After you have optimized a set of detection strategies, you can delete this data.You can delete by individual run ID, or leave the ID fields empty and delete all optimization data.The ID of an optimization run is the job number of the run in the back-end system. You can find the ID of a particular job using transaction SM37. The names of optimization jobs begin with the string OPT.

5.4 Mass Detection

The mass detection function is a background process to execute detection strategies on a scheduled basis for regular or one time processing of mass data. For each processed detection object exceeding the detection strategies threshold an alert item will be created.

More Information



Handling Errors in Mass Detection [page 104]

Simulating Mass Detection [page 105]

Deleting Simulation Data [page 106]

5.4.1 Prerequisites for Working with Mass Detection

Setup

For information, see the Installation Guide and the Upgrade Guide on the SAP Help Portal at http://help.sap.com/bis.


For more information, see the Security Guide and the Upgrade Guide on the SAP Help Portal at http://help.sap.com/bis.

Recommendation for Address Screening

Once you have completed the sizing for your SAP HANA database, and determine that the total volume of your business partners cannot be processed in one single mass detection run, you need to screen your business partners in smaller packages.

For further details, see 2819024 .

Detection Strategy

You can use both, an executable active or an executable inactive strategy for mass detection. For the inactive strategy, you have at least generated the objects needed on SAP HANA. Furthermore all assigned detection methods have to support the execution mode Mass Detection.

Detection Object Type

You have defined a Detection Object Type in Customizing activity Maintain Detection and Investigation Data Model.

The Detection Object Type specifies the data model for which a detection strategy and detection methods are intended.

Creating Strategies


Detection






You have assigned the Detection Object Type when creating a detection strategy. In addition, you have chosen a Investigation Reason, Threshold, and Delta Threshold.

Customizing

● Define Number of Parallel JobsDefine the number of parallel jobs for the application type FRA_MDECT (Mass Detection) in Customizing activity Maintain Job Distribution.When you execute a production run and an alert item is created, the system starts a background job, therefore it is recommended to define the number of parallel jobs.

● Define Settings for Application Types (optional)In order to avoid errors when processing locked objects in parallel processing, you can make the following client-specific customer settings for the application type FRA_MDECT in Customizing activity Maintain Customer Settings for Application Types:○ Number of repeated runs in parallel mode○ Number of repeats in sequential mode

Once the number of repeats of parallel runs has been reached, it can be technically meaningful to attempt one or more sequential repeats of the run in the level, as execution in parallel causes mutual blocking.

Detection Strategy

In order to execute a production run, you have created active detection strategies.

5.4.2 Executing Mass Detection

To start the mass detection in the back end system, call transaction FRA_MASS_DET_PP (Execute Mass Detection) or call transaction SA38 (ABAP Reporting) and run program FRA_MASS_DETECTION_PP.

NoteYou can also start the mass detection on the Detection Strategy Details screen.

In this case a background job is started immediately.

There you have the following options:

● For inactive strategies, you can execute a simulation run.● For active strategies, you can execute a production run or a simulation run.● The system proposes an External Run ID, build by the strategy name, user name, and timestamp. This

ID can be changed by the user.

● If incomplete mass runs exist, the system informs you with an additional text and the icon . You can use this ID to restart the mass detection for this strategy.Incomplete mass runs can occur if the system detects objects with errors during the execution of the mass run.


All other tasks, such as displaying the mass detection log, deleting the simulation data, and deleting the incomplete simulation runs, have to be carried out in the back end system.

NoteTo schedule mass detections to run regularly, you can define a background job for program FRA_MASS_DETECTION_PP in transaction SM36 (Define Background Job). You can enter the program name directly or use the Job Wizard.

For more information about background jobs, see the documentation for SAP NetWeaver on SAP Help Portal at http://help.sap.com under Scheduling Background Jobs (https://help.sap.com/saphelp_nw70/helpdata/EN/c4/3a7f87505211d189550000e829fbbd/frameset.htm ).

Start Mass Detection


You can execute the mass detection in dialog or as a scheduled job, for example with the following parameters:

● External Run IDThis ID can be assigned by the application program or a user. An existing ID can be used to restart a mass run.

● Package SizeYou can use the package size to define the number of alert items to be created in each work package in parallel processing. The default size is 100. The maximum size is 5000.

● SimulationYou can run the mass detection for active or inactive strategies in simulation mode.

● Detection Strategy

NoteYou cannot start the mass detection for a specific strategy in parallel.

● Period● Alert Program

You can enter a description in order to execute reporting on alerts with the same program name at a later point in time.

Simulation Mode

You can start the mass run in simulation mode and you can delete the simulation data in transaction Delete Simulation Data (FRA_MASS_DET_DEL_SIM).

Detailed Log

You can only display a detailed log when you execute a production run.

If an alert item is created, the system displays a detailed list with the detection results, such as score, risk value, or texts.

Result of Mass Detection

As a result you will receive a log that indicates the processing status.


Detection


http://help.sap.com/disclaimer?site=https%3A%2F%2Fhelp.sap.com%2Fsaphelp_nw70%2Fhelpdata%2FEN%2Fc4%2F3a7f87505211d189550000e829fbbd%2Fframeset.htm


The status could be the following:

● Red (Error) indicates that an error occurred during execution.● Green (Information) indicates that the mass run has been successfully processed.

In the log, you will have the following messages:

● Application messages● Selection parameters & statistics● Success messages● Error messages

Create or Update Alert Items

The mass detection creates or update alert items if the overall score for a detection strategy exceeds the threshold. These are displayed on the Alert screen with status Not Started. These alerts are not assigned to a processor.

NoteFor an alert item, for example, the following information will be stored:

● Detection strategy and detection strategy version● Detection object and detection object type● Check date● Calculated score (per detection method)● Weighting factor● Threshold and delta threshold● Investigation reason● Risk score, risk value and texts (as defined during the implementation of the detection method and the

SQLScript procedure)

NoteIn general, if an alert item already exists, the system will update this alert item. In some cases, for example, when an alert has been closed, this alert will be reopened. In this case the delta threshold is considered.

You will find more information about the changed alert status on the Alerts screen in Timeline section.

Error Handling

If the mass detection cannot be processed successfully, you have to analyze the mass detection log.

After you have solved the error/ after the error has been eliminated, you can restart the mass run in order to process the erroneous objects once again.

More Information

Analyze Mass Detection Log [page 105]

Handling Errors in Mass Detection [page 104]

Simulate Mass Detection [page 105]


Delete Simulation Data [page 106]

5.4.3 Handling Errors in Mass Detection

When performing a production mass run it might be possible that the system is not able to run the mass detection properly. In the following section, you will find more information about how to solve these errors.

Strategy cannot be executed

When creating alert items for a detection object the system could not execute a strategy.

In this case the system faced an error in SAP HANA.

You have to check the mass detection log using transaction FRA_MASS_DET_PP_LOG (Display Mass Detection Log) and correct the error in SAP HANA.

Alert item cannot be created

The mass detection stopped with an error because the system could not create alert items or the system failed to create one alert item among others.

You have to check the mass detection log using transaction FRA_MASS_DET_PP_LOG and correct the error.

You have to restart the mass run with the same external ID using transaction FRA_MASS_DET_PP (Execute Mass Detection).

The system proposes the data with which the mass run has been started once and you are not allowed to change it. In case of a restart the external ID is enhanced with a suffix. For example the external run ID 123 will be enhanced to 123-001.

Detection result contains more than 5000 detection objects

The mass detection stopped with an error because the detection results contain more than 5000 detection objects.

You must choose a smaller package size, and run the mass detection again.

Delete mass runs with errors

You can delete production runs that ended with errors using transaction FRA_MASS_DET_DEL_RUN (Delete Incomplete Mass Detection Runs).


Detection

5.4.4 Simulating Mass Detection

To start the mass detection, choose transaction Execute Mass Detection (FRA_MASS_DET_PP).

Execute Simulation

You can start the mass run in simulation mode for both, active and inactive strategies. In simulation mode, no alert items are created.

Use the following views to analyze the simulation results in transaction SE16 or in the SAP HANA studio:

● FRA_V_MD_S2_OVW Mass Detection Simulation Result OverviewIn this view, you will see all detection objects and their score that were considered in this simulation run. In addition, you can display the detection strategy, strategy version, selection date, detection object type, threshold, and so on.

● FRA_V_MD_S2_RES Mass Detection Simulation Detail ResultsIn this view, you will see the details for each detection object and its applicable detection methods.

● FRA_V_MD_S2_TXT Mass Detection Simulation Details with TextsIn this view, you will see the text messages provided by the detection method for each detection object.

Display Log

In simulation mode no log, besides of the selection parameters, is written.

If the status of the simulation is green, the simulation has been processed without any errors.

If the status is red, errors occurred during simulation, for example the strategy could not be executed. You should check the log for further details.

Delete Simulation Data

You can delete the simulation data in transaction FRA_MASS_DET_DEL_SIM (Delete Simulation Data).

More Information

Analyze Mass Detection Log [page 105]

Delete Simulation Data [page 106]

5.4.5 Analyze Mass Detection Log

To display the log, choose transaction Display Mass Detection Log (FRA_MASS_DET_PP_LOG) in the back-end system.




● Object and subobjectEach log has the attributes Object and Subobject:○ The object FRA_MASS (Mass Detection Log) is already set as default.○ Choose one of the following subobjects: application messages, error messages, selection parameters

& statistics, and success messages (or all messages).● External ID

Enter an external ID. This ID has been assigned by the application program or a user when starting a mass run.

● ProgramFor the program FRA_MASS_DETECTION_PP is already set as default. It is the name of the program, which caused the logged event.

● Time period, User, or Log class

Result

In the log, you will have the following messages:

● Application messagesIn this section the system informs you about the following:○ if alert items have been created or updated for a production run○ that errors occurred during creation of alert items

For each detection object for which an alert item is created, the log shows you the following data (if you have chosen Detailed Log when executing the mass detection):○ overall risk score○ risk score○ risk value○ texts

● Selection parameters & statisticsFor a production run, this section shows the number of alert items that have been created or updated.For a simulation run, this section list the selection parameters with which the simulation started.

● Success messagesShows the number of alert items that have been created or updated for a detection object in the productive run.

● Error messagesShows the number of errors that have occurred during alert item creation in a productive run.

5.4.6 Deleting Simulation Data

To delete the simulation data, choose transaction Delete Simulation Data (FRA_MASS_DET_DEL_SIM) in the back end system.


Detection

1. Select the mass run for which you want to delete the simulation data and choose .You have to use the value help to choose the internal mass run ID for the appropriate external mass run ID (because the external mass run ID is not unique).

2. The system deletes the data tables and you will receive a success message that informs you that the simulation data has been deleted and indicating the number of deleted rows.

NoteThe system deletes the data in the following SAP HANA database tables:

○ FRA_D_MD_RUN_INF Mass Detection Run Information○ FRA_D_AI_HDR_S2 Simulation Alert Input Data - Header○ FRA_D_AI_DM_S2 Simulation Alert Input Data - Detection Method Results○ FRA_D_AI_DMT_S2 Simulation Alert Input Data - Detection Method Texts

5.4.7 Testing and Debugging Detection Strategies in Simulated Mass Detection Runs

You can test and debug detection strategies in simulated mass detection runs. This is done by setting breakpoints on SQLScript statements of the debug method in the AMDP (ABAP Managed Database Procedures) Debugger, which is part of the ABAP Development Tool (ADT) client installation, and then running the report for debugging mass detection simulation runs. The debug method of the AMDP class for mass detection that is called when running the report does not change data in the database.

For more information, see the online documentation in your application system when you start the transaction for Debugging Detection Strategies in Simulated Mass Detection Runs, FRA_MASS_DET_TEST.

Test Procedure for Debugging

1. Use the Generation Monitor for Detection Strategies, transaction FRA_GM_STR, to obtain the appropriate debug method contained in the mass detection AMDP class of the detection strategy you wish to test.

2. In ADT, open the class entry, Mass Detection Strategy Debug Method and set an AMDP breakpoint in method IF_FRA_MASS_DETECTION_AMDP~DEBUG_MASS_DETECTION by double-clicking at the position from which you want to start debugging.

3. Start the transaction for Test Procedure for Mass Detection, FRA_MASS_DET_TEST. In the Debugging Detection Strategies in Simulated Mass Detection Runs screen, make your entries and debug version selection and then click Execute to run the debugging report.

4. View the results and debug the simulated mass detection run.

More Information

● ABAP-Managed Database Procedures (AMDP)● ABAP Debugging in ADT


https://help.sap.com/doc/saphelp_ewm92/latest/en-US/3e/7ce62892d243eca44499d3f5a54bff/frameset.htm

https://help.sap.com/viewer/c238d694b825421f940829321ffa326a/latest/en-US/4ec365a66e391014adc9fffe4e204223.html

5.5 Online Detection

In online detection, an external application calls via a Web service and evaluates detection objects for possible fraud.

Business Case

In online fraud detection, an external application calls SAP Business Integrity Screening via a Web service. This means that you have integrated a call to SAP Business Integrity Screening for online detection into a business process in the external application.

For example, a claims examiner wants to check a new claim in real time for signs of fraud. The examiner initiates online detection; behind the scenes, a request is sent to SAP Business Integrity Screening. SAP Business Integrity Screening examines the investigation object and detection object information provided in the request. The claims examiner receives notification, in real time, whether an alert was raised for the detection objects or not. This means that SAP Business Integrity Screening can be integrated into your business processes on a “while you wait” basis, without disrupting the business process flow.

Web Service for Online Detection

SAP Business Integrity Screening uses the Web service FraudDetection_GenericTable_Request_Sync_In for Online Detection Based on Generic Input Tables. This interface has the following features:

● The input parameters include generic tables, which you can use to transfer the data of your application tables. The generic tables are also used directly in the detection method.

● The detection strategy is determined by the system in SAP Business Integrity Screening based on the data given in input to the service interface.

● The processing is synchronous. Therefore, there is no separate interface required for the confirmation message.

More Information

Online Detection Based on Generic Input Tables [page 108]


5.5.1 Online Detection Based on Generic Input Tables

Online detection based on the Web service FraudDetection_GenericTable_Request_Sync_In works as follows:

1. In an external SAP or non-SAP system, a user requests online detection. The capability to make this request must be integrated in a business process that runs in the external system.

2. The request is passed synchronously to the back-end system via a connection between the external system and the back-end system. The request contains the investigation object, detection objects, and all of the other information required for a detection run.


Detection


3. The detection strategy is determined by the system based on the data given in the input to the service interface.

4. The input parameters of your request uses the same tables as in the execution procedures of your online detection methods. The data will be used directly in the detection methods of the strategies, no further action is required.

NoteThe input parameter tables of the request must have the same name as the input tables of the execution procedure of the detection methods.

5. The system may generate an alert. This alert can be investigated in the same way as any other alert. Simulation mode is also supported. In this case, alert information is returned to the external application. However, the back-end system does not generate an alert.

6. Because the call is synchronous, the confirmation message is returned directly by the original Web service call.

More Information

Determination of Detection Strategies [page 109]

Displaying the Detection Strategy Determination [page 110]

Analyzing the Online Detection Log [page 111]


5.5.1.1 Determination of Detection Strategies

The system automatically determines the relevant detection strategies for each detection object type. With the selection parameters of a detection strategy, you define which detection objects are evaluated by this strategy. The system examines the selection parameters of all available detection strategies in active status to determine the relevant detection strategies for each detection object. Multiple detection strategies can be determined and executed for a detection object.

With the app Display Strategy Determination you can display and simulate which detection strategies are relevant for a detection object type.

See Displaying the Detection Strategy Determination [page 110]

Example

You can define the following strategies for purchase order items as follows:

● Strategy A with selection parameter purchasing organization = 1000● Strategy B with selection parameter purchasing organization = 2000 or 3000



● Strategy C with selection parameter purchasing organization = 3000

Purchase Order Item Purchasing Organization Detection Strategies Determined

A001800 001 1000 Strategy A

A003100 001 3000 Strategy B and Strategy C

Customizing Settings

For online detection in SAP Business Integrity Screening, the input data for strategy determination is provided in a specific table.

The name of this table needs to be specified in field Online Detection Input Table Name in Customizing activity Maintain Detection and Investigation Data Model. This field is found in the Detection Object Type details.

5.5.1.2 Displaying the Detection Strategy Determination

With the transactional app Display Strategy Determination you can display and simulate the detection strategies that are relevant for a detection object type.

You can display all detection strategies that would be used in the online detection and mass detection, for example in address screening.

You can also use selection parameters to limit the relevant detection objects.

For example, you can simulate which active detection strategies would be used for vendors in/with company code 0001 and bank country US.

Key Features

● Display the number of active and inactive detection strategies found for a detection object type● Simulate using the active or the most recent version of the detection strategies found● Apply selection parameter values and simulate which detection strategies would be found for these value

NoteOnce you have chosen the values for the selection parameters, click Go to start the simulation.

● Navigate directly to the Detection Strategies app in order to change the values of the selection parameters of the strategyYou can change the values in the detection strategy directly in order to influence whether a strategy is used or not.

ExampleFirst, in the Detection Strategies app you could adapt the selection parameter values of the detection strategy and save them as inactive version.


Detection

Then, in the Display Strategy Determination app you would simulate with the new values and verify them. If you are happy with the results, you would go back to the Detection Strategies app and activate the detection strategy.

● Use Save as tile to create a new tile on the Home screenSee Saving an SAP Fiori App as a Tile (https://help.sap.com/viewer/17ae0e97e0fc424a9c368f350c0ba6bd/2.06/en-US/6086339c2c7e48388d15a8c58495f48d.html)

General Remarks

You can use the selection fields maintained for the detection object type in the Customizing activity Maintain Detection and Investigation Data Model.

Navigation Targets

You can display the details of a detection strategy by clicking on a detection strategy on the Display Strategy Determination screen.

Related Apps


Displaying Detection Runs and Their Details [page 133]

Creating Detection Strategies [page 76](SAP Business Integrity Screening)

Creating Detection Strategies(SAP Business Partner Screening)

More Information

Determination of Detection Strategies [page 109]

How Detection Strategies Work [page 69]

5.5.1.3 Analyzing the Online Detection Log

To display the log, choose transaction Display Online Detection Log (FRA_ONLINE_DET_LOG) in the back-end system.



● ObjectThe object FRA_ONLINE (Online Detection Log) is already set as default.

● SubobjectSince the online detection log is an error log only, ERROR is the only subject which can be selected.

● External ID


https://help.sap.com/viewer/17ae0e97e0fc424a9c368f350c0ba6bd/2.06/en-US/6086339c2c7e48388d15a8c58495f48d.html

https://help.sap.com/viewer/17ae0e97e0fc424a9c368f350c0ba6bd/2.06/en-US/6086339c2c7e48388d15a8c58495f48d.html

https://help.sap.com/viewer/efac5fefafc346cb84468900c7941edc/1.3.0.2/en-US/8c37a355cac15d26e10000000a44538d.html

Enter an external ID. This ID has been assigned by the application program or a user when starting an online detection run.

● Time period● User● Transaction code● Program

Result

In the log, you will find messages for errors that occurred during an online detection.

The first line of each log shows the message ID of the Web service call. This ID can be used for example to find the Web service call in transaction SXMB_MONI to further investigate an erroneous online detection call.

5.6 Address Screening

In most countries, governments legally require companies to compare their business partners to lists of terrorists, sanctioned parties, politically exposed persons, and so on, to enforce security measures and political bans in daily trading. The software enables you to screen any business partner in your business documents against such lists.

To perform address screening, you need the following:

● One or more address screening lists. You can obtain these lists of persons and organizations of interest from third-party data providers and upload them into your system, or you can create your own lists manually.

● Customizing that groups the content in the lists into list type groups. This enables you to use parts of the same loaded lists in different scenarios.

● An address view that retrieves the names and addresses from your data.For the guidelines on creating an address view, see Address Views [page 125].

● One or more detection methods for address screening. You can create detection methods for address screening using the Manage Detection Methods app.See Creating Detection Methods for Address Screening [page 56].

Optionally, you can improve your screening quality by using:

● Excluded terms to leave out certain terms; for example, to ignore common abbreviations such as "Corp." or "Ltd.".

● Term mappings to treat terms in the same way; for example, to treat the abbreviation “Corp.” and its long form “Corporation” equally.

More Information

Address Screening Lists [page 113]


Detection

Excluded Terms and Term Mappings [page 113]

Managing Excluded Terms [page 115]

Managing Term Mappings [page 116]

List Type Groups [page 117]

Loading Address Screening Lists [page 119]

Managing Address Screening Lists [page 120]

Address Views [page 125]

Intelligent Screening [page 127]

Using the Audit Trail [page 130]

5.6.1 Address Screening Lists

Address screening lists provide the data on persons and organizations of interest and form the basis for address screening.

The official lists published by government agencies are subject to constant change and therefore not delivered as part of the application. Instead, you can obtain them from third-party data providers. Address screening lists are available in a wide variety of formats, levels of detail, and update cycles.

For details about loading address screening lists into your SAP system, see Loading Address Screening Lists [page 119].

More Information


5.6.2 Excluded Terms and Term Mappings

You can use excluded terms and term mappings to improve the quality of your address screening.

Excluded Terms

Excluded terms are removed before comparing names and addresses. Use this to exclude common, unremarkable words such as company forms like “Ltd.” and “Corp.” from the screening.

You can manage excluded terms lists using the app Manage Excluded Terms.

See Managing Excluded Terms [page 115]

Term Mappings


Term mappings are added before comparing names and addresses. Use them to include common variants and alternative spellings to improve the quality of the screening, such as including “St.” wherever the word “Street” occurs.

You can manage term mappings using the app Managing Term Mappings [page 116].

More Information


5.6.2.1 Fuzzy Search

Fuzzy search is a fast and fault-tolerant search feature of SAP HANA. A fuzzy search returns records even if the search term contains additional or missing characters or other types of spelling errors. Fuzzy search is the preferred method of searching used in detection.

Reserved Words and Special Characters

During address screening, the following reserved words and special characters do not have a "special function". Instead, they are treated like any other character:

● Asterisk (*)An asterisk is not interpreted as a wildcard, instead, it is interpreted as the actual symbol *.

● Percent Sign (%)A percent sign is not interpreted as a wildcard, instead, it is interpreted as the actual symbol %.

● Question Mark (?)A question mark is not interpreted as a wildcard, instead, it is interpreted as the actual symbol ?.

● Double Quotes (")Double quotes are not interpreted as a phrase, instead, they are interpreted as the actual symbol ".

● Minus Sign (-)A minus sign (-) that is directly in front of a word is no longer interpreted as "but not". Therefore the minus sign is removed from the search string.

● ORA capital OR, surrounded by blanks, is replaced by a lower-case "or". This means it is not considered to be a "logical or", just the word "or".

Fuzzy Search with a Full-Text Index

The content and behavior of a full-text index is configured by its parameters. One of the full-text index parameters used during address screening is TOKEN SEPARATORS.


Detection

For the full-text index singlestringname, which is used to the search for names (in table FRA_D_SCRL_NAME), the following four values for parameter TOKEN SEPARATORS are set:

● ;,-&

For the full-text index address, which is used to search for addresses (in table FRA_D_SCRL_ADDR), the following three values for parameter TOKEN SEPARATORS are set:

● ;,-

For detailed information about the search logic, see Fuzzy Search on Text Columns.

For detailed information about the parameter TOKEN SEPARATORS, please see Full-Text Index Parameters.

5.6.3 Managing Excluded Terms

With the transactional app Manage Excluded Terms you can display and create lists of terms to be excluded during address screening.

For example, you can exclude common, unimportant words such as “Ltd.” and “Corp.” from the screening.

Key Features

● Create, copy, upload, and delete excluded terms lists

NoteYou can only upload a .csv or .txt file in an UTF-8 format.

For example, the terms “Ltd.” and “Corp.” should be separated by using ↵(Enter) in the file that you wish to upload.

● Activate and deactivate lists as well as single terms● Add terms to lists● Assign list type groups

NoteAn excluded terms list can be assigned to several list type groups, whereas a list type group can only be assigned to one excluded terms list.

General Remarks

Using the Authorization Group allows you to restrict access to excluded terms lists.

The authorization object FRA_EXTL (Business Integrity Screening: Excluded Terms List) allows you to restrict access to excluded terms lists.


https://help.sap.com/viewer/691cb949c1034198800afde3e5be6570/latest/en-US/56815e15318d4cfdb291029bbd5d285f.html

https://help.sap.com/viewer/691cb949c1034198800afde3e5be6570/latest/en-US/ccc504cebb571014badd88b622a24cae.html

More Information

Excluded Terms and Term Mappings [page 113]


5.6.4 Managing Term Mappings

With the transactional app Manage Term Mappings you can display and create lists of terms and their variants to be used during address screening.

You can use common variants and alternative spellings to improve the quality of address screening.

For example, you can assign “St.” to be included in the check wherever the word “Street” occurs.

Key Features

● Map terms with their variants (active aliases)

NoteThe mapping works in both directions: Address screening also uses the aliases as terms and the terms as alias.

● Define inactive terms (inactive aliases)● Create, copy, and delete lists● Activate and deactivate lists as well as single terms● Add terms to lists● Assign list type groups

NoteA term mapping list can be assigned to several list type groups, whereas a list type group can only be assigned to one term mapping list.

● Download listsWhen you download a list, it contains the status (active/inactive), the terms, and their active and inactive aliases. A comma is used as separator for multiple aliases.

● Upload termsYou can upload terms and active aliases. Inactive aliases cannot be uploaded.The first term will be uploaded in the field Term, whereas all following terms will be interpreted as active aliases.Each time you upload terms to a already existing list, they will be added to the already existing terms.


Detection

NoteYou can only upload a .csv or .txt file in an UTF-8 format. Column headers cannot be used, they will be interpreted as term.

To separate a term and its active aliases use a ; (semicolon).

To separate the next term use ↵ (Enter) in the file that you wish to upload.

For example, the row Stephen;Stefan;Stephan;Stephane;Stéphane;Stephane will have the following result:

Term Mapping Example

Term Active Aliases

Stephen Stefan, Stephan, Stephane, Stéphane, Stephane

General Remarks

Using the Authorization Group allows you to restrict access to terms lists.

The authorization object FRA_TMPL (Business Integrity Screening: Term Mapping List) allows you to restrict access to terms lists.

Related Information

Excluded Terms and Term Mappings [page 113]List Type Groups [page 117]

5.6.5 List Type Groups

List type groups enable you to use the same list for different purposes, for example, to use part of the list for politically-exposed persons and another for sanctioned parties. It also enables you to combine parts of different lists into a common list type group, for example, to combine the sanctioned parties from the lists of two different data providers.

Required Customizing

You can group the entities in your address screening lists into list type groups in Customizing activity Define Address Screening List Type and Group.


Follow-Up Activities

Once you have defined your screening lists types, you can then assign provider-defined list groups to them.

You can do this using the app Assign Address List Types or in the SAP Menu under Business Integrity Screening Address Screening Lists Assign Provider-Defined List Group to List Type(ACS_LISTGRP_2_LISTTYP).

Note that multiple list types can be assigned to one provider-defined list group. As well, multiple provider-defined list groups can be assigned to one list type.

Related Information

Assigning Address List Types [page 119]


Detection


5.6.5.1 Assigning Address List Types

With the Assign Address List Types app, you can assign the provider-defined list groups to the available list types. You can also see how detection strategies are connected to provider-defined lists.

Key Features

● Display how the detection strategies are connected to the provider-defined lists in a graph. This includes:○ The provider-defined lists, and their list groups (gray background)○ The list types of the customer, grouped by their list classification (green background)○ The list type groups of the customer (yellow background)○ The active detection strategies used for address list screening (red background)

● Display the number of entities belonging to each node (using the Show Details button or the Node Details button)

● Display all connections for each node, using the Highlight the Connection button (you can select multiple nodes using the Ctrl key)

● Assign provider-defined list groups to the available list types, using the Assign List Type button● Delete the assignment between provider-defined list groups and the list types by clicking on the line

connecting those nodes● Search for nodes, lines, and groups by name with the search bar

TipThe graph overview is an interactive panel that not only shows you which part of the graph is currently displayed on the screen (blue box), but also allows you to navigate directly to the parts of the graph that are out of the zoom range.

Related Information


5.6.6 Loading Address Screening Lists

To perform address screening, you must load the address screening lists that you obtain from your third-party data providers into your SAP system.

Initially, your data provider will give you a full list with the current state of the address screening list. After that, the data provider will usually send you delta lists that contain only the difference to the last state.


You can use transaction Upload Address Screening List (FRA_UPLOAD_ADDR_LIST) directly in the back end to upload XML files or XML files that have been compressed into a ZIP archive into your SAP system. You can select either local files or files from the application server. Ensure that the files you use have the same structure as for the Web service Address Screening List Load Request (AddressScreeningListLoadRequest_In).

Alternatively, you can use the Web service Address Screening List Load Request (AddressScreeningListLoadRequest_In) to upload your address screening lists.

Full Data Load

Use a full data load to import a new address screening list and get started with address screening in mass detections and online detections. The import will save and activate all entities in the list.

Perform a full data load on an existing address screening list to repair a list that got out of sync. The import will deactivate all previous versions of entities in the list and activate their current state.

Large address screening lists may have to be divided into several packages. Refer to the fields TotalPackageNumber and PackageNumber in the request when you divide your packages.

Delta Data Load

Use a delta data load to update an existing address screening list and perform delta address screenings for the changes. The delta data load creates a new version of the address screening list; activating new and updated entities, and deactivating outdated and deleted entities.

Address screening lists cannot be deleted or deactivated. If you no longer wish to use a list in address screening, you must remove the list from the list group in Customizing or remove the provider list group from the list type. See List Type Groups [page 117].

NoteSAP recommends using either the Upload Address Screening List transaction or the Web service Address Screening List Load Request to upload your address screening lists. The previous method of inserting your data directly into the database tables (using data services) is no longer supported.

Related Information

Address Screening List Load Request

5.6.7 Managing Address Screening Lists

With the transactional app Manage Address Screening Lists you can create, edit, and display your address screening lists.


Detection

https://help.sap.com/viewer/2ebc3a3b3403484dadfc10fed8186067/1.3.0.2/en-US/f4e066563ea77b5ce10000000a44147b.html

Key Features

● Display address screening lists, their entities, and the entity details● Create and edit address screening lists manually● Download and upload manually created address screening lists as a worksheet (in .xlsx format)

Related Apps

Manage Alerts [page 148]

More Information

Displaying Address Screening Lists [page 121]

Displaying Address Entities [page 122]

Displaying Entity Details [page 123]

Creating Address Screening Lists Manually [page 124]

5.6.7.1 Displaying Address Screening Lists

The first-level entry of the Manage Address Screening Lists screen displays a table showing all the address screening lists in your SAP system, including the following information:

● The names of the lists● Their descriptions● The names of their data providers● The number of entities within each list● The last date and time each list was changed● Their creation mode

What can you do here?

On this screen, you can:

● Click anywhere on a row to display all the entities of a single list.● Choose Create to create a new address screening list manually.● Choose Export to Spreadsheet to download the entire table of address screening lists to a worksheet

(in .xlsx format).

More Information




5.6.7.2 Displaying Address Entities

If you click on a row on the Manage Address Screening Lists screen, a table showing the entities belonging to that list is displayed, including the following information:

● The status of each entity (Active, Not Active, Deleted, or Blocked)● The unique number for each entity● The primary name of each entity● The type of each entity (Person or Organization)● The gender (if type Person is used)● The country of the entity's primary address● The list classification, as defined in Customizing (such as Politically Exposed Person)● The last date and time each entity was changed in the SAP system (Last Changed On)● The last date and time each entity was changed by the data provider (Updated On)● Whether or not each entity is valid for all countries (Yes/No)

Manually created entities may appear twice in the list. The entry marked as Active is the version used by the address screening. The entity marked as Inactive is a draft that is still being edited. Once the inactive version is activated, it replaces the previously active version.

Address screening lists are versioned; thus recording all changes for auditing purposes. Any change within a list will create a new version, while keeping the previous version intact.



● Click a row to display the details of a single entity.● Use the Search and Settings functions to filter and order the entities.● Choose Upload Entities to upload the content of an address screening list from a worksheet (in .xlsx

format) to the list.● Choose Download Entities to download the content of a list to a worksheet (in .xlsx format).

NoteIf your entity list is empty, choose Download Entities to get a worksheet with a built-in template that you can fill in and then upload to your list.

● For manually created lists, choose Create to create a new entity.● For manually created lists, you can also select an entity and choose Delete to delete an entity from the list.● Choose Export to Spreadsheet to export the table of entities to a spreadsheet.


Detection

More Information



5.6.7.3 Displaying Entity Details

Once you drill down from the list of address entities, the following details are displayed:

● The header shows:○ Entity name (number) and type○ List description○ List classification○ The gender (if the type is Person)○ Country○ Validity for all countries○ Status○ Update date and time

● If you are on the tab Names, you can see the breakdown of the name. That is, the first name, middle name, last name, and its type (such as Primary, Spelling Variation, Also Known As, and Low Quality AKA).

● The Countries tab displays the name of the country associated to the entity and its role (such as Citizenship, Resident Of, and Jurisdiction).

● The Addresses tab displays the breakdown of the address of the entity (such as Street, City, Country, and Postal Code).

● The Dates tab displays various date types (such as Date of Birth, Deceased Date, and Date of Registration).● The Roles tab displays, for example, the occupation of the person (such as Local Public Official, National

Government Minister, and Senior Civil-Servant).● The Notes tab displays any notes the data provider may have written about the entity.● If the data provider has delivered links to images associated to the entity, the images are displayed on the

Images tab. (The data provider does not deliver images, just the links). Multiple images are displayed in a carousel.

● The Lists tab displays all the other lists that this entity is also found.● The References tab displays a table of active Web links given by the data provider.● The Connections tab displays the relationships from this entity to other entities, using the Network Analysis

function.

NoteFor manually created lists, the entity details only show the Names, Countries, Address, and Notes. The other tabs are not available.




● Choose Block to exclude the entity from the address screening.● If an entity is already blocked, you can choose Unblock, which sets it to active once again.● For manually created entities, choose Create Inactive Version to create a new, editable version of the entity.

If there already is such a version, click the link to display it.● For inactive versions of a manually created entity, choose Create on the different tabs to add names,

addresses, countries, and dates. Select a detail and choose Edit to change it.● When you are finished editing an inactive version of a manually created entity, choose Activate to make

your changes active and include them in the address screening. Activation replaces the previously active version.

Address screening lists are versioned; thus recording all changes for auditing purposes. Any change within a list will create a new version, while keeping the previous version intact.

More Information

Using the Network Analysis [page 166]

5.6.7.4 Creating Address Screening Lists Manually

From the Manage Address Screening Lists screen, you can create address screening lists manually by choosing the Create button at the top of the table.

Make your entries in the dialog box displayed. The required fields are marked with an asterisk in the following table:

Creating Address Screening Lists

Field Use

List * Enter a technical name for your list.

Description * Enter a meaningful description.

List Type Select an entry from the list types that have been defined in Customizing activity Define Address Screening List Type and Group.

Authorization Group If you enter an authorization group, you can limit access to address screening list.

Once you create an address screening list manually, you must then upload entities to that list or create the list entities by hand. To do this, display the address entities for that list and choose:

Upload Entities to upload existing list entities from a file.


Detection

Create to create a new entity by hand, filling in all the required information.

Once you have created or uploaded the entities, you must then activate them in order for them to be used in the address screening process.

More Information



5.6.8 Address Views

Address views connect detection objects to related names and addresses for the purpose of address screening. For example, an address view for purchase orders might return the names and addresses of business partners per purchase order.

The address view is defined as a CDS entity (view or table function).

The address view must provide the columns listed in the following table, with exactly these names and data types.

Note

For performance optimization, see 2818535

The dependent and optional columns also have to be provided, but can be filled with NULL values or empty strings if they are not needed:

Name ABAP or CDS Data Type Content

[Key fields of the detection object type] [variable] The view must provide the key fields maintained in the Customizing activity Maintain Detection and Investigation Data Model. For example, when dealing with vendors as detection objects, these key fields could be VENDOR and COMPANY_CODE.




ADDRESS_ID

Mandatory

CHAR(32) Identifier of the address, for example a GUID. During the screening, addresses are separated from their detection objects and later reconnected through this ID – it therefore is mandatory. However, the ID does not have to be globally unique and can be generated or substituted from another field.

ADDRESS_VARIANT

Mandatory

CHAR(1) Variant of the address, for example E for the Latin and K for the non-Latin notation of Japanese characters. The field is mandatory, but can usually be left empty because empty defaults to the ABAP SPACE as a valid default.

VALID_FROM

Mandatory

DATS Start of the validity time frame of an address.

NAME

Mandatory

CHAR(800) The name of the person or organization, for example John Miller or SAP SE.

This column must be a single column in the database. That is, the view and the database object must have a 1:1 ratio.

This column must also provide a full-text index otherwise the more advanced fuzzy search options will not work. The full-text index must use ;,-& as separators.

ADDRESS

Mandatory

CHAR(400) The address of the person or organization, for example 221B Baker Street, London.

This column must be a single column in the database. That is, the view and the database object must have a 1:1 ratio.

This column must also provide a full-text index otherwise the more advanced fuzzy search options will not work. The full-text index must use ;,-& as separators.

This field can be filled with an empty string if you plan to screen names only.


Detection


COUNTRY

Dependent

CHAR(3) The SAP code of the country where the address is located. See database tables T005 and T005T in your SAP system for available values. This field can be left empty if you plan to screen names only.

PARTNER_ID

Optional

CHAR(60) Identifier for the business partner, for example a GUID. If provided, the additional information of the address screening provides this ID to identify the involved business partner. This field does not affect the address screening itself.

PARTNER_FUNCTION

Optional

CHAR(10) Function or role of the business partner, for example Vendor. If provided, the additional information of the address screening provides this function to help understand the business partner’s involvement. This field does not affect the address screening itself.

If there is more than one set of name and address information in a detection object type, then you can define more than one address view. Each view then supplies one set of name and address information.

Related Information

Address Screening Methods

5.6.9 Intelligent Screening

New alerts in SAP Business Integrity Screening that are created through address screening will be closed automatically if previous alerts with the same name and same business address (exact match) have been closed with decision No Hit, thus reducing the effort for compliance experts to manually close alerts. If other types of detection methods were also used, the address screening hits with an exact match will be closed, but the alert items will remain open.

How it Works

When an alert in SAP Business Integrity Screening is created through address screening, the system will search for previous alert items with the same business address. If a previous alert item is found, the system will check


https://help.sap.com/viewer/2cba2a3475d24114b91c4c268d4c84b6/1.3.0.2/en-US/49398f5345163f27e10000000a44538d.html

the decision of each alert item. The highlighted name, highlighted address, country, and list classification are compared.

If the system finds a match and the previous alert item was closed with the completion status False Alarm and the decision has been set to No Hit, then the decision for the new alert item will be automatically set to No Hit and the alert will be closed with the status False Alarm.

NoteIf multiple alerts are found, the latest one will be taken into account. As well, if the system finds that an alert that had been closed but then later re-opened, then the new alert will not be automatically closed.

Prerequisites

The closing reason that is required to close the alert items must be defined in Customizing activity Define Default Reasons for Closing Alerts.

What else do you have to do?

Nothing. Intelligent screening automatically runs in your system. You just have to have had previous alerts with completion status False Alarm and with decisions that were set to No Hit for address screening hits.

5.6.10 Detection Method Parameters for Address Screening

Detection methods for address screening are a type of detection method on their own. You can create them in the Manage Detection Methods app.

For details on creating methods for address screening, see Address Screening Methods [page 56].

Detection Method Parameters

Use the following parameters to fine-tune the address screening to your needs:

● ExactnessThe exactness, previously called parameter for fuzzy search, technical term FUZZINESS, is a percentage between 0 and 100 that specifies how exact two words must match to be considered as equal. Use this parameter to make the screening tolerant towards typos, name variations, accents, umlauts, and so on. The lower the value, the more tolerant the system is. For example, an exactness of 70% will match Jane to June, while 90% will not.

● Minimum ScoreThe minimum score, previously called minimum match, technical term MINIMATCH, is a number between 0 and 100 that specifies how precise two names or two addresses must match to be considered as a hit. In contrast to exactness, this parameter affects the names and addresses as a whole, not the single words therein. The lower the value, the more two names or addresses can differ and still be a hit. For example, a


Detection

minimum score of 50 will produce Tomas Meyer as a hit for Thomas Mayer, one of 100 will not. Use this parameter to cut off the long tail of low-quality hits produced by low exactness parameter values.

● Percentage of Matching WordsThe percentage of matching words, previously called address terms threshold, technical term ANDTHRESHOLD, is a value between 0 and 100 that specifies what percentage of the words making up an entire name or address must match. The lower the value, the more reactive the screening is towards single words. For example, percentage of matching words of 66 will produce John Richard Adams as a hit for Michael John Adams, one of 80 will not.

● Address Screening TypeAddress Screening Type, previously called Also compare address, technical name SCREENING_TYPE, is a value field that specifies which parts of an address will be compared in order to produce matches. Value N (name only) makes the screening compare names only. That is, the address is completely ignored. Value C (country and name) requires an exact country match before names are compared. Value A (name, country, and address) will also compare addresses, after both the names and countries have been matched.For example, the value N will match a John Adams in London, UK to one in Washington, US. The value C will not make a match because the country is different. The value A will also not make a match because the country and address are different.

● Include Term MappingsInclude term mappings, previously called include additional terms for address screening, technical name ALIASES, is a yes-no value that specifies whether the screening shall enrich the search string with additional terms from the term mappings. Term mappings can be used to prevent that the screening is bypassed by common abbreviations and misspellings. For example, the value Y makes the screening match Main Street to Main St. if the term mapping maps St. to Street.With the app Manage Term Mappings you can create lists of terms to be used during address screening. See Managing Term Mappings in the Application Help for your product solution on the SAP Help Portal.

● Use Excluded TermsUse excluded terms, technical name EXCLUSION_TERMS, is a yes-no value that specifies whether the screening shall remove certain terms from names and addresses before comparing them. Excluded terms can be used to ignore common words that would otherwise produce lots of false positive. For example, the value Y makes the screening ignore the Ltd. in ABC Holdings Ltd. if it is entered as an excluded term. If a name or address consists of excluded terms only, for example Limited Corp., the excluded terms will be ignored to make the system produce any results at all.With the app Manage Excluded Terms you can create lists of terms to be excluded during address screening. See Managing Excluded Terms in the Application Help for your product solution on the SAP Help Portal.

● Use Name InitialsUse name initials, previously called activate initials check, technical name INITIALS, is a yes-no value that specifies whether the screening shall consider one-letter abbreviations of names. For example, the value Y will match J. to James. Use this option to improve hit quality in countries such as the United States, where initials are widely used.

● List Type GroupList type group, technical name LIST_TYPE_GROUP, is the identifier of the list type group that the screening shall compare addresses against. While list ID directly identifies one of the lists delivered by the data provider, the list type group can be any combination of list segments from one or multiple such lists. The list type group therefore gives you more possibilities to recombine entities as needed.


NoteOverly tolerant settings, such as low values for Exactness or Percentage of Matched Words, may result in a large number of hits. Address screening has an upper limit of 100 entity hits per screened business partner. In this case, refine your parameter settings and run the detection again.

More Information


5.6.11 Using the Audit Trail

The audit trail is a log that helps you with verification and auditing of your address screening. The audit trail logs all of the detection objects – persons, addresses, partners, and so on – that have been processed by address screening detection methods.

The purpose of the audit trail is to let you show your compliance with anti-corruption laws and regulations through your address screening activities and to help you analyze address screening hits. With the audit trail, you can show when a business partner was screened and with what result.

NoteThe audit trail is written only for address screening detection methods. The trace records are written during online address screening, delta address screening, and mass detection.

Enabling the Audit Trail

To enable the audit trail, set the Audit Trail flag to ON for each applicable address screening detection method in the Manage Detection Methods app.

Displaying the Audit Trail

To display the audit trail, use the Start Ad Hoc Request app.

NoteIn Customizing activity Maintain Worklist Data Model, check and make sure that the worklist type FRAAUD (BIS Audit Trail (CDS)), which is delivered with BC set FRA_BASIC_CONTENT, has been maintained. This worklist type refers to the source domain BPCM and is based on the CDS entity FRA_CV_AUDITTRAIL.

Here you can also see the worklist package and the worklist view that allow you to read the audit trail logs. Check that the For Ad Hoc Requests function is selected.


Detection

For details about Ad Hoc Requests, see also Managing Worklist Variants [page 182].

If you would like to consume the audit trail data using an external tool, use the CDS entity FRA_CV_AUDITTRAIL.

The important fields in the audit trail records are shown in the table below. Detailed hit information is not recorded. If you wish to trace hits, then you should set your detection strategies so that every positive result from a detection method results in an alert. Alerts record all hit information.

Field Description

Run ID The technical ID that is assigned for each detection run.

Audit Trail Creation Date The date when the audit trail record was written. While the date does not allow you to determine exactly which detection run created the record, it does let you find the date when a person or business partner was screened.

Business System The name of the source system where the detection object comes. The business system name is defined in Customizing.

Detection Object Type and Detection Object IDs

The detection object type, as defined in the system, which can have up to 15 generic identifiers.

Screening Name, Screening Address, Country

The name and address strings and the company code that were screened.

Alert ID An alert ID is displayed if an alert exists for the screened detection object.

However, please note that the alert may not have been created in this run. That is, it is possible that a detection run creates a run ID entry in the audit trail table but does not create an alert. If an alert is created during another detection run for the same screened object, then that alert ID will be shown for both run IDs.

Risk Score The score returned by a detection method for address screening. Since a detection strategy for address screening contains a single method, this is the score of the detection strategy.

Displaying the Audit Trail in the Back End

As an alternative to using worklists, you can display the audit trail in the back-end system. In the back-end system, call transaction SE16. In field Table Name, enter FRA_D_AUD_TRAIL to display audit trail records.

NoteThe alert ID is not shown in the back end. Only on the UI.


Managing the Data Volume of the Audit Trail

If you activate the audit trail function, the system will generate a lot of data in the audit trail table. For each mass detection or delta screening run, at least one entry per screened Business Partner will be generated. For 100 million detection objects, a trace volume of around 50 gigabytes is estimated.

SAP HANA has a limit of 2 billion records per database table in one partition. This limit can be reached very soon.

To manage the data volume and to handle to two-billion-limit you should do the two following steps:

1. Enable database table partitioning for the audit trail table.2. Setup archiving for audit trail data.

NoteIf you just want to delete audit trail records (for example, in test systems), you can use transaction Delete Audit Trail Entries (FRA_DEL_AUDIT_TRAIL).

Enabling Database Table Partitioning for the Audit Trail Table

SAP recommends setting up partitioning as early as possible to avoid expensive re-partitioning operations.

To enable database table partitioning for the audit trail table, do the following:

● Log on to the SAP HANA SQL Console, and connect to the SAP HANA database that you use for SAP Business Integrity Screening or SAP Business Partner Screening.

● Set the schema to the same schema of your SAP Assurance and Compliance Software ABAP system. (To find this, go to the main menu of your SAPGUI and choose System Status... Database dataSchema ).

● Execute an SQL statement to define the required partitions.

Example

Sample Code

alter table FRA_D_AUD_TRAIL partition by range (creation_date)(partition 00000000 <= values < 20190101,partition 20190101 <= values < 20200101,partition 20200101 <= values < 20210101,partition 20210101 <= values < 20220101,partition 20220101 <= values < 20230101,partition others);

You can adapt the date-ranges to your needs, for example, based on the expected data volume.

See also Table Partitioning in the SAP HANA Administration Guide.

Setting Up Archiving for Audit Trail Data

For details on archiving audit trail data, see section Relevant Business Objects for Archiving in the Security Guide for SAP Assurance and Compliance Software.


Detection

https://help.sap.com/viewer/6b94445c94ae495c83a19646e7c3fd56/latest/en-US/c2ea130bbb571014b024ffeda5090764.html

5.7 Delta Address Screening

Third-party data providers usually deliver complete address screening lists when they are initially contracted. (Mass detection is then used to perform the initial address screening on these complete lists.) Afterwards, the data providers usually only deliver changes to those lists. To screen the entities in address screening lists that were changed since their initial import, perform Delta Address Screening.

NoteThe initial address screening list, as well as at least one delta address screening list must have already been imported into your back-end system.

This function will not reopen or update existing alerts. It will always create a new alert, independent of an existing alert for an investigation object.

Displaying Detection Runs and Their Details

On the Detection Runs screen, you can display the detection runs and their details.

See Displaying Detection Runs and Their Details [page 133]

Starting Delta Address Screening

You can create or copy a delta address screening run on the Detection Runs screen.

You can also run a simulation.

See Starting a Delta Address Screening Run [page 135]

Weak Alias Protection

This function helps you to avoid a large amount of false positives produced by weak aliases in delta address screening.

Once the intermediary results are available, you can exclude entities and either continue or cancel the run.


5.7.1 Displaying Detection Runs and Their Details

On the Detection Runs screen, the detection runs and their details are displayed.


If detection runs have been created, you will see the following:

● On the left-hand side of the screen you can see a list of all the detections runs that have been started, and their status.○ The most recent run is always displayed at the top of the list.○ There are different statuses, such as Completed, Error, In Progress.

NoteThere are two statuses related to stopped delta address screening runs:

○ On Hold indicates that the number of alert items that would be created were above the threshold that is defined for a strategy.

○ Canceled indicates that the user canceled a detection run, which was put on hold by the system.

● On the right-hand side of the screen, you can see the details of the selected run as well as the results and the list of hits for stopped runs.

If no detection runs have yet been created, the list on the left will be empty and “No data available” will be displayed.

Displaying the Details

At the top of the details screen, the name (description) of the run is shown, the type of run (such as Delta Address Screening), as well as its status.

On the Details tab, you see the following:

Results

In the Results section, two links are available:

● Clicking on the Log ID opens the Application Log in the back end in a new window.

NoteDepending on your input the system writes messages in the delta screening log; the values range from All Messages for a comprehensive log to No Log for no logging at all:

○ Success messages provide the results, such as the number of strategies processed or the number of new alert items that have been created.

○ Application messages provide the strategy results including the details about the alert items created and the detection objects type.

○ Selection parameters and statistics provide the selection criteria.

You can also display the log in the back end using transaction FRA_DELTA_SCREEN_LOG.

● Clicking on the number of alerts opens the Manage Alerts app in a new window.On the Detection section, you can find more information about business partners that match with the delta address screening list.

User Input

The User Input section shows the following information:

● Delta Import Date● Data Provider


Detection

● Search Period● Alert Program● Simulation On/Off● External Log ID● Log Type

Strategies

This section displays the strategies that were used if an alert was created.

● If alerts were created, click on the strategy ID to display the Detection Strategy Details screen in a new window.

● If there were no alerts created, the table will be empty.

NoteThe List of Hits tabs is available only for stopped detection runs with status On Hold.


5.7.2 Starting a Delta Address Screening Run

You can navigate to delta address screening runs from the Home screen via the Detection Runs tile.

Creating a Delta Address Screening Run

To create a delta address screening run, choose Create Delta Screening (at the bottom of the screen). The right-hand side of the screen will now display the create screen. Enter the details, note that mandatory fields are marked with an asterisk:

Field Description

*Description Give a meaningful name for your detection run.

*Delta Import Date Enter the period when the delta screening list was imported into the system.

Data Provider If applicable, select the name of the data providers who gave you your list. Multiple selections are permitted. If you wish to remove an entry, simply click the X button.

*Search Period Enter the dates when the business objects you are searching for were created. You can use the selection calendar or simply type in the dates in this field.

Alert Program If you make an entry here, the information will be stored in any alerts that will be created from this run.


Field Description

Simulation If you set this to ON, you can just simulate a detection run. Turn the toggle switch OFF to start an actual run.

NoteAlternatively, you can use the Weak Alias Protection function, that is setting a threshold for stopping a run. No alert items will be created when a run is stopped by the system.

The intermediary results will be displayed and investigators can exclude address screening entities that result in a large number of hits before they continue the run in order to create alert items.

External Log ID If you make an entry here, the ID you use will be able to help you identify the run in an external log. If you do not make an entry, an external log ID will be generated by the run.

Log Type Select the type of entries you want to see in your log, if any.

Choose Start to begin the detection run, which will take place in the back end.

NoteIf your delta address screening run produces more than 5000 hits, it will stop with errors. In this case, limit your search period, and run the delta address screening again. For example, instead of using a search period of 1 year, perform two runs each of 6 months.

Creating a New Run with the Same Details

If you are displaying the details of a detection run, you can choose Copy and Create (at the bottom of the screen) to create a new detection run with the same details as the one you are currently displaying.

The create screen will be displayed, and the fields will contain the same values as the detection run displayed before. Change any field you want and choose Start.

Using the Simulation

The results for the simulation can be displayed in the application log.

If you click on the entry for the Log ID on the Details tab of the delta address screening run, the log in the back end is displayed in a new window.

To display the log in the back end, use transaction FRA_DELTA_SCREEN_LOG.

NoteSimulation


Detection

In the simulation run, no alert items will be created and the results of the simulation can be displayed in the log.

Weak Alias Protection

Setting a threshold for stopping the run in the detection strategy also means that no alert items will be created when a run is stopped by the system.

The intermediary results for stopped runs will be displayed on the List of Hits tab.

There you can exclude address screening entities and recalculate the number of alert items that would be created considering the excluded entities.

Alert items will only be created when the user continues the run.


5.7.3 Weak Alias Protection in Delta Address Screening

This function helps you to avoid a large amount of false positives produced by weak aliases in delta address screening.

To deal with an unexpected high number of potential hits, before alert items will be created, you can define a threshold for stopping a delta address screening run.

ExampleThe threshold is set to 100 alert items. A delta address screening is run and it wants to create 115 alert items. The delta screening process will be put on hold, and no alert items will be created until the user manually continues the run.

A stopped delta address screening run shows a list of address screening entities that have been identified by the detection strategy.

By excluding these entities, the number of alert items that will be created will be reduced. You can decide which entities have to be excluded before you start the production run in order to create “real” alert items.

NoteBefore using this function, you have to define the number of alert items that need to be created by a detection strategy in order to stop the detection run.

You can set a threshold for stopping the run in each involved detection strategy on the Optional Settings tab.

If the number of alert items that will be created exceeds the threshold, a strategy will stop the delta address screening run. No alert items will be created.

When several detection strategies are executed in a delta address screening run, the run is stopped when a threshold of one strategy is exceeded.

You can navigate to the Detection Runs tile on the Home screen.


If a delta address screening run is stopped, you can see its results on the detection run UI. The status of a stopped run is On Hold.

The following features are available:

Handling Potential Hits

The intermediary results for stopped delta address screening runs can be displayed on the List of Hits tab of the detection run.

The following KPIs are displayed:

● Total number of potential alert itemsThe total number of potential alert items is not necessarily identical with the sum of all potential alert items per entity.

● Number of potential alert items per entity

You can do the following:

Excluding Address Screening Entities

You can exclude address screening entities that result in a large number of potential hits and recalculate the number of alert items that would be created considering the excluded entities.

Creating Alert Items

You can continue to complete the run, either for all potential hits that were found, or for a subset of the entities. The system then creates the alert items.

On the Details tab of the detection run, you can see the number of alert items that were created, and you can navigate to the Manage Alerts app.

See Displaying Detection Runs and Their Details [page 133]

Canceling

You can cancel a run, which has been put on hold, to avoid a large number of alert items.

Notifications

Notifications will be automatically sent to the user if the threshold is exceeded and the run is stopped. The mail contains a link to the detection run UI.

Status

There are two statuses related to stopped delta address screening runs:

● On Hold indicates that the number of alert items that would be created were above the threshold that is defined for a strategy.


Detection

● Canceled indicates that the user canceled a detection run, which was put on hold by the system.

5.8 Country and Term Lists

Suspicious Term Lists and High-Risk Country Lists are used by detection methods to help identify potential fraudulent activity.

Suspicious Term Lists

A suspicious term is a word or phrase that is thought to be questionable or cause suspicion.

You can use the Manage Suspicious Terms app to create and edit lists of suspicious terms that can then be used in detection. You can create different lists for different use cases.

For example, you could use the terms 'smart phone' and 'water damage' to identify fraudulent claims, or 'private' and 'gift' to identify questionable bank transfers. There is no limit to the amount of terms you can enter.

Terms can be set to Inactive in order to calibrate the system and manage the number of hits generated.

High-Risk Country Lists

High-risk countries are countries in which social, political, or economic instability threatens business operations. Detection methods use high-risk country lists, which rank countries by their risk. These lists can be from external providers, for example the Transparency International Corruption Perceptions Index, or custom lists created manually using the Manage High-Risk Countries app.

The rating a country has indicates how risky or corrupt the country is considered to be; with a higher number indicating a greater risk.

When creating lists manually, it can be useful to assign ratings in increments of 10 or 100, as this allows you to insert new countries and edit the rankings more easily. You can also give multiple countries the same rating.

ExampleThe three countries on this list have been rated in increments of 100. In this example, Somalia is considered the riskiest of these countries.

Country Name Country Code Rank

Canada CA 100

Czech Republic CZ 200



Somalia SO 300

You can then insert a fourth country into the list at a later date:


Canada CA 100

Germany DE 150

Czech Republic CZ 200

Somalia SO 300

Detection MethodsFor detailed information about creating detection methods for high-risk countries, see Creating A Detection Method for High-Risk Countries in the Extensibility Guide.

For detailed information about creating detection methods for suspicious terms, see Creating a Detection Method for Suspicious Terms also in the Extensibility Guide.

5.8.1 Managing High-Risk Country Lists

You can use the Manage High-Risk Countries app to upload new lists, create and edit your own lists, and delete those that are no longer required.

The main screen shows you the lists that are currently in the system, displayed in chronological order starting with the most recently changed item. The Creation Mode column shows whether a list was imported or created manually using the app.

Click on any list to see which countries are on it and what risk rating they have. The higher the number in the Rank field, the greater the risk associated with that country.


Detection

https://help.sap.com/viewer/2cba2a3475d24114b91c4c268d4c84b6/1.3.0.2/en-US/85bb9249c8f945349f1b1c88e90fdf14.html

https://help.sap.com/viewer/2cba2a3475d24114b91c4c268d4c84b6/1.3.0.2/en-US/85bb9249c8f945349f1b1c88e90fdf14.html

https://help.sap.com/viewer/2cba2a3475d24114b91c4c268d4c84b6/1.3.0.2/en-US/f8134d9637aa4aa6a1ce618dffeef9e5.html

https://help.sap.com/viewer/2cba2a3475d24114b91c4c268d4c84b6/1.3.0.2/en-US/f8134d9637aa4aa6a1ce618dffeef9e5.html

Uploading Lists

To upload a new file, choose Upload. In the Upload List dialog, enter the following information:

Field Description

List ID Enter a unique identifier.

This will then be used to identify the list when creating and calibrating detection strategies.

List Name Enter a meaningful name.

This is for your own reference, so you can enter whatever you feel is appropriate.

File Use the Browse button to select a file to upload.

You should keep the default Custom Files setting in the window. This limits the visible files to those the system recognizes as being in valid formats, such as .xml (SAP standard format) or .csv (external format).

The SAP standard format must adhere to the XML schema definition that is available from your back-end system.

If you upload an external list, such as the Corruption Perceptions Index (CPI), ensure that it is saved as a comma-separated-values (.csv) file before you upload it. The CSV format is made up of the following two fields:

● WB Code● Country Rank

The WB Code is the World Bank country code. This field is shown on the UI in the column Country Code when you display the list details. The field Country Rank is shown on the UI in the column Rank.

The World Bank country code used in the .csv file represents the ISO 3 country code, and is changed to the SAP country code during import.

If no ISO 3 country code exists, there will be an error message during import. In this case, you can map the World Bank country codes to SAP country codes in the back end. For more information, see the Customizing activity Define Exceptions for Mapping World Bank Country Codes.

ExampleUse the following links to see examples of a high-risk country list. Replace the first two variables with your own host and port name:

● XML (SAP Standard Format):https://<host><port>/sap/bc/ui5_ui5/sap/fra_invest_ui/HighRiskCountryExample/xml/HighRiskCountryExample.xml

● CSV (External Format):https://<host><port>/sap/bc/ui5_ui5/sap/fra_invest_ui/HighRiskCountryExample/csv/HighRiskCountryExample.csv


NoteUploaded lists can be deleted, but not edited. You can overwrite a list with a new version by uploading a new data file with the same list ID.

Creating and Editing Manual Lists

Manual lists are those that are created using the app. They can be edited or deleted, but they cannot be overwritten.

To create a manual list, use the icon on the main screen, and then enter an appropriate List Name and a unique List ID.

Use to add countries to your list, and to remove them.

Select the countries you want in the Add Countries dialog box, and give them a rank. You can use the + / - icons, or type the number in the field.

To make adjustments to an existing list, select the entry for that list on the main screen and then use the Edit feature. You can add and remove countries, and change a country's rating by entering the new number in the rank field.

5.8.2 Managing Suspicious Term Lists

You can use the Manage Suspicious Terms app to create and edit lists of suspicious terms.

On the main screen, click Go to see the lists currently in the system, displayed in chronological order starting with the most recently changed item. Click on any list to see what terms are on it, and which are currently active.

The Number of Terms field in the table shows the total number of terms on each list, and how many of those terms are currently Inactive, where applicable.

Use the search filters to refine the display. If the list you are looking for is not visible, try clearing the date filter by selecting 'From' in the Last Changed On field and then Go.

Creating and Editing Lists

To create a new list, use the icon on the main screen, and enter the relevant information.

● The List Name is for your own reference, so you can enter whatever you feel is appropriate.● The List ID must be unique, and is what is used to identify the list when creating and calibrating detection

strategies.

● Use to add terms to the new list.


Detection

To edit an existing list, go to the list, change to Edit mode and then you can add and remove terms using the

and buttons.

Copying and Merging Lists

To create a new version of an existing list, select the list on the main screen using the checkboxes on the left and Copy the list. You can then edit it as you would when creating a new list.

If you select two or more lists, you have the option to Copy and Merge them. The new list will contain all the terms from both lists, but without duplicating items.


6 Investigation

The investigation process begins after detection. During the investigation process, either master data or business transactions are examined to determine whether there are any irregularities or not.

Time plays a critical role in investigation, as you can see in the following example:

ExampleWhen a policy holder submits an insurance claim, it can be checked against detection strategies. Depending on the result of the detection run, the claim is either settled (no irregularities are found) or blocked to ensure that no money is paid out (suspicious activities detected).

In the case of online detection, a business process is blocked in order to avoid a financial loss. If the investigation reveals that nothing irregular has occurred (a false positive), the business process was misleadingly blocked and therefore may have a negative impact on your business.

SAP offers a wide-range of functions for you to use in your investigation process.

Working with Alerts

Alerts, which are either created during detection or created manually, are the central work objects for investigators.

Alerts store the results of the detection and are used by investigators to confirm their findings, whether they are found to be false or positive.

The Manage Alerts app is used to display, create, assign, and complete alerts.

When an investigator sets their decision, the system checks if an additional approval step is required (Approval Request Process).

Working with Worklists

With worklists, you create snapshots of data, which can be used for investigation.

You can use a worklist in compliance scenarios that may not require detailed investigation, for example, password violations, quality control, routine risk checks, or reviewing large amounts of data.

If you decide that a detailed investigation is required, you can create an alert manually.


Investigation

Related Information

Alerts [page 145]Using Manage Alerts [page 148]Approval Requests for Alert Item Findings [page 192]Worklists [page 180]

6.1 Investigation Overview

With this app you can see an overview of the outstanding activities in your investigation process, and navigate to the other apps quickly.

Key Features

● See the amount of unassigned alerts, sorted by Investigation Reason, on the All Unassigned Alerts card and navigate to the Manage Alerts app.

● Use the My Approved Alert Items card to directly close the alert items that have been approved in the workflow (or view all related alerts on the Manage Alerts screen).

● Use the My Open Tasks card to directly close open task items that are due today or already overdue for all your open alerts (or view all related alerts on the Manage Alerts screen).

● See the amount of open alerts that are assigned to you, sorted by due period, in the My Open Alerts card and navigate to the Manage Alerts app.

Related Apps

Using Manage Alerts [page 148]

6.2 Alerts

An alert is a warning that the system creates when a detection strategy finds irregularities or that users create manually. Alerts are the central work objects for investigators. Alerts store the results of the detection and are used by investigators to confirm their findings, whether they are found to be false or positive.

Available Functions

There are different functions available for working with alerts:

SAP Business Integrity ScreeningInvestigation PUBLIC 145

● Manage AlertsThis app is used to display, create, assign, and complete alerts.

● My ApprovalsWhen an investigator sets the decision, the system checks if an additional approval step is required (Approval Request Process).

More Information

Alert Lifecycle [page 146]

Using Manage Alerts [page 148]

Processing Address Screening Hits [page 174]

Open Screening Alerts

My Approvals [page 202]

6.2.1 Alert Lifecycle

Alert Status

An alert can have the following status:

● Not Started indicates that the investigation has not yet begun.● In Process indicates that the alert has been assigned to a user, but no decision has yet been made.● Completed indicates that a decision has been made, and the alert was either Confirmed or found to be a

False Alarm.

Alert Updates

Alerts that are Not Started or In Process are updated if new information is found. That is, alerts are updated when a new detection run generates a detection score higher than the original. The delta threshold is set in the detection strategy, and if the new detection score passes the threshold, the alert will be updated or reopened.

Updates only apply if the detection strategy is the same in both cases, and source objects are not used.

● Updates to Not Started and In Process alerts do not change the status of the alert.● Where an alert was Completed and found to be a False Alarm, an update will reopen the alert and set the

status back to Not Started.

More Information

Alerts and Alert Items [page 147]


Investigation

https://help.sap.com/viewer/efac5fefafc346cb84468900c7941edc/1.3.0.2/en-US/ffcf7e5567a3f320e10000000a4450e5.html

6.2.1.1 Alerts and Alert Items

An alert is created when detection finds a problem with a detection object. The finding on the detection object becomes an alert item.

Additional alerts triggered by the same detection object may be added to an existing alert as new alert items.

For example, a single insurance claim with multiple subclaims could trigger multiple alerts if the system finds something problematic in each subclaim. In this case, there would typically be one alert with multiple alert items.

Additional Alert Item or New Alert?

When there is a new finding on a detection object for which an alert already exists, the system will either create a new alert or add alert items to the existing alert.

The system will produce one of the following outcomes:

● When a new finding on a detection object, e.g., an insurance subclaim, has a different investigation reason to an existing alert, the system will create a new alert. This reflects the fact that different investigators could be looking at the same detection object but for different investigation reasons, and so the two alerts would be investigated separately.

● When a new finding on a detection object has the same investigation reason as an existing alert, the system will add an alert item to the existing alert.

● When a new finding on a detection object has the same investigation reason as an existing alert, and you have started a new Delta Address Screening run to screen business partners, then the system will create a new alert for each finding. A new Delta Address Screening run is technically a Source Object.

Source Objects

The purpose of a source object (such as a Delta Address Screening run or an Audit Work Package) is to let a solution open additional alerts for an investigation object, rather than adding alert items to an existing alert. When a source object is used, a new alert is usually created, even if an alert already exists for that investigation object.


However, if the source object of a new finding is the same as the source object of an existing alert, then the new finding is added to the existing alert as an alert item.

Source objects are used in Delta Address Screening. The Source Object Type is DS Delta Address Screening, and the Source Object ID is Detection Run GUID.

6.2.2 Using Manage Alerts

With the transactional app Manage Alerts you can display, create, assign, and complete alerts.

Key Features

● Display a list of all the alerts in the system● Access the alert details● Link directly to the other colleagues via your phone or email application● Create alerts manually● Assign all or any number of alerts and alert items to yourself or an other investigator, or reset the

assignment by selecting the checkbox.● Complete alerts● Export the list to a spreadsheet● Save your filter and table settings as a tile on your home screen

More Information

Alert Attributes [page 148]

Creating Alerts Manually [page 153]

Assigning Alerts [page 153]

Completing Alerts [page 153]

Alert Details [page 154]

Saving as a Tile [page 173]

6.2.2.1 Alert Attributes

An alert can have many different attributes. On the Manage Alerts screen, you can choose which attributes you want displayed for your alerts.


Investigation

Filters

The filter bar is displayed at the top of the screen. You can make any selection of the filters you want, and then choose Go to restrict the amount of alerts shown in the table.

The Standard view includes the following filters:

Filter Displays only...

Investigation Object Type Alerts associated to the investigation object types selected.

Investigation Reason Alerts associated to the investigation reasons selected.

Alert Lifecycle Alerts associated to the alert lifecycles selected.

My Alert Alerts that have been assigned to you, or not.

Is Unassigned Alerts that are unassigned, or not.

Person Responsible Alerts that are assigned to a specific person.

As a standard function in SAP Fiori, you can add more filters or save your own variation of the filter bar, which is called a view.

To add more filters, choose Filters More Filters and make your selection.

To save a view, make your selection, and choose Save.

Table Columns

You can choose the Settings function and choose which columns of alert attribute information you would like to display in the table. You can also sort and filter these columns. The columns available for the alert worklist include:

Column Description

Alert The alert ID. If you click on this ID number, the alert details will be displayed.

Risk Rating A 5-star rating; similar to product ratings in an online store. The higher the risk factor, the higher the rating.

The risk rating of an alert is its risk factor percentage scaled to interval [0 – 5]. For example, if the risk factor percentage is 60%, then the rating is 3-stars.

See the Customizing activity Define Investigation Settings, field Max. Risk Factor, to see how the risk factor percentage is calculated.


Column Description

Person Responsible The name of the person who has been assigned to the alert.

Note: If you click on the name, a dialog box will be displayed showing the contact details. If it has been defined in the back-end system, you can directly link to the person's phone number or send them an email.

Due Date The date when the alert must be processed.

Alert Lifecycle The status of the alert, such as Not started, In process, or Completed.

Investigation Reason Specifies the motivation behind the detection strategy used to create the alert. The investigation reason also assigns an alert to a particular solution, such as SAP Business Integrity Screening or SAP Business Partner Screening.

For more information, see Customizing activity Define Investigation Reasons.

Investigation Object Type Indicates the type of customer data that is evaluated.

ID1 – ID15 These are the key fields of the investigation object, which are defined in Customizing activity Maintain Detection and Investigation Data Model.

Note: If you use the filter, and select a single investigation object type, then the generic column name will dynamically change to the specific key field as defined in Customizing. In this case, the column Investigation Object Type will disappear.

Alert Group A classification for the way in which investigation is distributed, from a reporting perspective.

The entries are maintained in Customizing activity Define Alert Group.

Risk Factor The calculation for the risk factor is the risk score divided by the threshold.

Example: If the risk score is 7 and the threshold is 2, the alert’s risk factor is 3.5 because 7 ⁄ 2 = 3.5.

Risk Value The sum of all the alert item risk values, which are individually calculated based on the detection method values and the detection strategy used. The calculation may be based on the average value, maximum value, or the total sum.

Access Group Used to determine whether a user has the authority to display or change an alert.

In SAP Business Integrity Screening, define this in the Investigation Object Fields in Customizing activity Maintain Detection and Investigation Data Model.

In SAP Business Partner Screening, this has already been defined in Customizing activity Define Investigation and Detection Object Types for Screening.

Action Indicates, for example, that the alert can be transferred to an external system.

The action is defined in Customizing activity Define Investigation Settings, as well as in the Business Add-In BAdI: Transfer Alert Action (FRA_BADI_AL_ACT_TRANSFER).


Investigation

Column Description

Actual Loss In the loss-based approach to evaluating fraud, this would be the amount of money at stake.

Additional Date An additional date that you can assign to the investigation object.

In SAP Business Integrity Screening, define the Investigation Object Fields in Customizing activity Maintain Detection and Investigation Data Model.

In SAP Business Partner Screening, define the Data Enrichment Fields in Customizing activity Define Investigation and Detection Object Types for Screening.

Once you have defined your additional date, you can define the field label that appears on the UI in Customizing activity Define Alert Field Labels.

Additional ID 1 – Additional ID 4 An additional identifier for the investigation object.

In SAP Business Integrity Screening, define the Investigation Object Fields in Customizing activity Maintain Detection and Investigation Data Model.

In SAP Business Partner Screening, define the Data Enrichment Fields in Customizing activity Define Investigation and Detection Object Types for Screening.

Once you have defined your additional IDs, you can define the field label that appears on the UI in Customizing activity Define Alert Field Labels.

Alert Category Used to classify alerts according to their type of fraud or compliance problem.

The entries are maintained in Customizing activity Define Alert Category.

Alert Program Application data that is used to classify alerts when they are created during mass detection.

Business System Identifies the source system of alerts from the investigation object types that have been marked in Customizing as cross-source business objects.

Once the business system is defined in Customizing activity Define a Business System, you can mark it as a key field for the investigation object type in Customizing activity Maintain Detection and Investigation Data Model.

Creation Mode Indicates whether the alert was created manually or through a detection strategy.

Created On The date and time the alert was created.

Created By The name of the person who created the alert.

Due Period Identifies alerts that are due in a specific period, such as 1 day over, 2-4 days over, 5 days and more, Not yet due, or are due Today.

Evaluation Type Defines the way the financial impact of an alert is calculated; either from a win-based perspective or a loss-based perspective.

The entries are maintained in Customizing activity Define Investigation Settings (column Evaluation Type).


Column Description

Financial Outcome This is used in the win-based approach to evaluating the alerts.

Finding The completion status of an alert; the values can be Confirmed, False Alarm, and Closed Without Investigation.

Fraud Division A grouping of the type of fraud, by region or by line of business.

The entries are maintained in Customizing activity Define Fraud Division.

Has Approved Items Shows alerts that have approved items, and can be closed.

Has Due Tasks Shows alerts having open tasks that are due.

Is Not Transferred Shows alerts that have not been transferred to an external system.

Is Open Shows alerts that are open.

Is Unassigned Shows alerts that are unassigned.

Last Changed On The date and time the alert was last changed.

Last Changed By The name of the person who last changed the alert.

My Alert Shows alerts that are assigned to you.

Opportunity Cost In the loss-based approach to evaluating fraud, this would be the cost of the investigation.

Phase Represents the processing stages of the alert.

Risk Factor Percentage The risk rating expressed in terms of percent.

To see how the risk factor percentage is calculated, see the Customizing activity Define Investigation Settings (field Max. Risk Factor).

Risk Score The risk score is calculated in the detection strategy; the results of the detection method are multiplied with the weighting factor and added together to calculate the risk score.

Solution The product the alert is associated to; either SAP Business Integrity Screening or SAP Business Partner Screening.

Transfer ID Identifier set by the transferring system.

Transfer Status This indicates whether the alert has been transferred to an external case management system.


Investigation

6.2.2.2 Creating Alerts Manually

From the Manage Alerts screen, you can create alerts manually by choosing the Create button at top of the worklist.

In the dialog box displayed, fill out at least the required alert fields. The standard required fields are shown in the table below. Depending on Customizing settings and the investigation object type that you choose, additional optional and required fields may be added to the dialog box.

Field Use

Investigation Reason Choose the investigation reason that is appropriate for your alert.

Note that the investigation reason also assigns the alert to a particular solution, such as SAP Business Integrity Screening or SAP Business Partner Screening. Be sure to choose an investigation reason that belongs to the solution in which you are working.

Investigation Object Type Choose the investigation object type of the document or entity, such as a sales order or business partner, for which you are creating the alert.

Detection Summary List the evidence of non-compliance or fraud that has prompted you to create the alert.

You can also enter a risk assessment. In the standard case, you can specify the value at risk (Risk Value) and a Rating that indicates the severity or importance of the risk.

Finally, in the standard process, you can assign the alert to a particular user or fraud division.

Choose Save to save your alert. Choose Cancel if you wish to close the dialog box without creating an alert.

6.2.2.3 Assigning Alerts

From the Manage Alerts screen, you can assign alerts to yourself, to another investigator, or reset the assignment. To do this, select one or more checkboxes in the table and choose Assign.

6.2.2.4 Completing Alerts

From the Manage Alerts screen, you can quickly complete one or more alerts directly from the worklist.


Which alerts can you complete?

You can complete:

● Alerts that have been assigned to you, with the lifecycle status In Process.● Alerts that are open and have no one assigned to them (the system will automatically make you the person

responsible for the alert).

NoteYou can complete multiple alerts at once as long as they have the same currency and same evaluation type.

You cannot complete an alert that has been assigned to someone else.

Selecting Alerts to be Completed

From the list, select one or more alert checkboxes and choose Complete.

In the dialog box displayed, make entries in the mandatory fields Summary, Finding, Reason, and choose Save. The system will close all the open items of the selected alerts, and the alerts will receive the lifecycle status Completed.

NoteIf an alert has multiple items, the finding of any items that were already completed will not be overwritten.

Likewise, if any items are part of a workflow, all items will be completed except the ones pending approval, and the alert will receive the lifecycle status In Process.

Once you choose Save, the dialog box will close automatically and the worklist will be refreshed.

If you do not wish to complete the alert, choose Cancel and the dialog box will close. The alert worklist will not be refreshed, thus keeping your position and selection as they were before choosing the Complete button.

Related Information

Setting the Decision [page 171]

6.2.2.5 Alert Details

The alert details are displayed when you click anywhere in the row of an alert of the Manage Alerts list (except name fields).

Alert Details Header


Investigation

The alert details header displays the name of the person who was assigned the alert, the status of the alert lifecycle, the risk value and rating, as well as the detection summary.

The alert header offers various functions; for example, from here you can:

● Assign the alert to someone, or change the current assignment● Reopen alerts that have been completed● Edit the alert● Transfer the alert to an external system● Navigate to an external system● Create an SAP Jam group or task in a group for an alert● Save the alert as a tile on the Home screen.

Alert Details Sections

The alert details are the central workplace for an investigator. The different sections include:

● InfoThe Alert Information section tells you basic information such as who is assigned to investigate the alert and when it is due, the Risk Assessment section gives you details about the risk, and the Administrative Data section tells you when and by whom the alert was created and last changed.

● ClaimThis section is specialized for alerts for insurance claims. It shows you the details of the insurance claim, together with the insurance coverage of the claimant, the names of people involved in the claim, and the claim history of the claimant.

● Conflict of InterestThis section is specialized for alerts for potential conflicts of interest found in internal auditing. The section shows you graphical information on the order history of a vendor involved in the alert, approvers of purchase orders, and other related information.

● DetectionHere you can see the full details of the detection strategy and detection methods that created the alert.Note that the Detection section is not available for manually created alerts.

● Address Screening HitsHere, you can display the entities found in screening lists for an address screening alert.

● DocumentationHere you can see the list of items relating to the alert, such as uploaded documents, notes, and tasks created by the investigator.

● ActivityHere you can see the list of activities relating to the alert, in chronological order.

● Network AnalysisHere you can see a visual display of the relationships that exist between business objects and business partners of the alert.

● DecisionHere you can provide a summary, finding, and reason for completing each alert item.

NoteThe order and number of sections available may vary depending on the type of alert. The sections that are available and the order in which they appear are defined in customizing activities Define Alerts Detail Sections and Assign Alert Sections to Investigation Object Types.


More Information

Displaying the Detection Section [page 158]

Displaying the Claim Section [page 156]

Displaying the Conflict of Interest Section [page 157]

Displaying Address Screening Hits [page 159]

Using the Documentation Section [page 160]

Displaying the Activity Section [page 163]

Using the Network Analysis [page 166]

Setting the Decision [page 171]

6.2.2.5.1 Using the Claim Section

The Claim section displays a wide range of information relating to alerts with the investigation object type Claim (FRA_CLAIM).

The Claim section shows the following types of information:

Subsection Information Shown

General Information on the claim, including the incident type, the amount claimed, details of the insurance policy, contact information for the claim handler, and so on.

Loss Details Use Show Loss Details to see the date of the loss and when it was reported, the cause and location of the loss, and any description of the incident.

Coverages A list of the insurance coverages held by the claimant.

Participants A list of contact persons involved in the claim, including the claimant, the claimant's insurance agent, and the investigating police agency.

Coverage Referrals A list of any coverage referrals created for claims by the claimant. A coverage referral is a "heads-up" that indicates that there are grounds to doubt the validity of an insurance claim.

Subclaims The use of subclaims depends on your Claim Management solution. If used, subclaims could be opened for each claimant and coverage involved in the claim, for example. Each subclaim would typically have its own reserves and claim items.

Previous Claims Shows the claim history of the claimant. Previous claims are listed with claim number, date, incident type, and status. Choose an item from the list to see full details of the previous claim. Multiple 'Previous Claims' can be opened in this way.


Investigation

Related Information

Detecting Irregularities in Claims Management

6.2.2.5.2 Using the Conflict of Interest Section

The Conflict of Interest section shows how much revenue a new vendor received from your company in the first years of your business together, and who in your company approved the transactions.

What do the charts show?

The Revenue to Vendor chart shows the revenue that the new vendor company received during the first one, two, or three years of your business together. If there is a high yearly total, or a sharp increase from year to year, this could indicate fraudulent activity.

Select a point on the chart to see the date of the first day of business, and the total amount for the specified time period. The total is shown in the original currency and in the application currency. The application currency is the standard currency determined by your company for use in your SAP system.

The Vendor Approver Structure chart shows what percentage of the vendor's revenue was approved by different individuals in your company within each time period. A high percentage from one individual would be unusual, and could indicate that there is a potential conflict of interest in the relationship between the approver and the vendor.

Select a point on the chart to see details of how much an individual approved in a given period.

Displaying Information

Both charts allow you to:

● Switch from By Year of Business to By 30-Day Period. This is a more detailed view showing totals for each period of 30 days, counted from the first day of your business with that vendor.

● Select different display formats using the icons in the upper right section of each chart. In addition to various chart types, a table view is also available.

Related Information

Detection Method: Growth Between 1st and 2nd Year Exceeds ThresholdDetection Method: Turnover of New Vendor in First Year Exceeds ThresholdDetection Method: Percentage of Turnover Approved by a Single Person


https://help.sap.com/viewer/fb4b24fa467c4339ae45ab035e625787/1.3.0.2/en-US/b72cda96b6dc4fd3ac8aa5111e051442.html

https://help.sap.com/viewer/fb4b24fa467c4339ae45ab035e625787/1.3.0.2/en-US/826746530dad6957e10000000a44538d.html

https://help.sap.com/viewer/fb4b24fa467c4339ae45ab035e625787/1.3.0.2/en-US/5c541d53f0709354e10000000a4450e5.html

https://help.sap.com/viewer/fb4b24fa467c4339ae45ab035e625787/1.3.0.2/en-US/b09e4853d0396857e10000000a44538d.html

6.2.2.5.3 Displaying the Detection Section

The Detection section of the alert details displays the detection results that caused the alert to be created. You can also display the detection strategy and the detection methods that triggered the alert.

What is Detection?

Detection means trying to identify suspicious activities as quickly as possible in order to avoid any loss or damage. Detection starts when the event has already occurred.

Detection is based on detection strategies that contain the detection methods that are used to evaluate the risk of irregularities and their respective weight. The thresholds that are defined in the detection strategy are used to qualify the risk. When you set up a detection strategy, you assign a set of detection methods to the strategy. The detection method contains the business logic used to determine if an incident, such as a claim, tax declaration, or a bank transfer, is suspicious.

Detection Section in Detail

The Detection section displays a table containing the following information:

● Alert ItemA numerical list of each item detected in the alert. If two or more detection strategies have raised alerts for the same detection object, then you will see multiple alert items, one for each detection strategy. The list is sorted descending order, according to the run time.

● Detection ObjectClick the name to see the details of the detection object (the document that was checked by the detection strategy) behind the alert.

● Detection Strategy ExecutionClick the name of the detection strategy to see its details and to open the strategy in related apps. For example, you can open Detection Run to see the details of the run in which the alert was created. You can also check the definition of the detection strategy or see when the detection strategy is selected to run in the Detection Strategy Determination app.If the detection strategy was executed multiple times, click on the expand button to see the details.

● Risk ScoreThis shows the risk score that was calculated in the detection strategy; the results of the detection method are multiplied with the weighting factor and added together to calculate the risk score.

● ThresholdThis shows the threshold that was defined in the detection strategy; the threshold sets the trigger for raising an alert. If the sum of the scores of the detection methods exceeds the threshold, then the detection strategy creates an alert item for the detection object.

● Risk ValueThis shows the sum of all the alert item risk values, which are individually calculated based on the detection method values and the detection strategy used. The calculation may be based on the average value, maximum value, or the total sum.

● StatusThis shows the status of an alert item. Alert items can have the status In Process or Completed.

● Detection MethodsClick the message in the Detection Methods column to see the detailed message returned by each detection method. These messages, in the Detection Method Details screen, explain the problems that were found and which triggered the alert.


Investigation

Click the name of a method In Detection Method Details to open a dialog with navigation options. Click Details to open the detection method definition. You can also start the apps for defining detection methods.

The table toolbar offers a Decide button, which you can use to navigate directly to the Decision section and complete the alert items you selected before using the checkboxes.

NoteYou may experience a slight delay before the Detection section is updated, when you switch from one alert in Manage Alerts to another alert. You may briefly see the detection information of the last alert that you looked at before the screen is refreshed with the detection information of the new alert.

More Information

Detection Strategy

Detection Method [page 31]

6.2.2.5.4 Displaying Address Screening Hits

The Address Screening Hits section displays the entities from address screening lists that were found as possible hits for the business partner in an alert.

The following information is displayed:

Screening Hits

Field Description

ID Technical ID of the entity.

Name Name of the list entity.

Address Address of the list entity.

Country Country associated to the entity’s address.

Score The mean value of the hit.

The maximum score is 1.

List Classification The type of address screening list on which the entity appears, such as a PEP or sanctions list.

The list classification is defined in Customizing activity Define Address Screening List Type and Group.

Hit The current hit status. (Confirmed, Undecided, Rejected).


https://help.sap.com/viewer/efac5fefafc346cb84468900c7941edc/1.3.0.2/en-US/fe629e55d74b7b43e10000000a4450e5.html

Field Description

Remark The comment entered with the hit status.

The maximum length is 100 characters.


If the alert has been assigned to you and you have the authorization to update an alert, you can change the hit status. To do this, select one or more hits and choose Set Hit Status. In the dialog box displayed, select a status and enter a remark.

Likewise, you can change all the hits with the status Undecided to Rejected with one click. To do this, choose Reject All Undecided Hits.

You can click the ID to go directly to the Manage Address Screening Lists app to check the details of the entity.

6.2.2.5.5 Using the Documentation Section

The Documentation section displays a list of items relating to an alert, such as notes, tasks, or any files that have been uploaded by the investigator.


To make any changes or entries in the Documentation section, the alert must be assigned to you and have the status In Process.

Uploading files and creating documents: You can upload files that are associated with an alert, create notes, create tasks, and edit or delete any existing documents.

Creating hierarchies: Note that all entries made here can be created as top-level entries, or you insert documents (notes, tasks, files) under each other to create hierarchies. Mark an entry to insert another entry under it. Or mark an empty row to create a top-level document. You can rearrange documents and hierarchies by dragging and dropping entries or by using the Cut and Paste buttons above the list of documents.

Changes that you make are tracked in the Activity section, so that you can reconstruct your notes, tasks, and documents, even if they are deleted. See below for more information.

Displaying a Document


Investigation

Document Icon To Display this Kind of Document...

Do this

Uploaded Document

Click the File Name. Depending on the settings of your Internet Browser, the document will be opened directly or will be downloaded for you to open.

Note Click the text in the Description column. The full text of the note is opened in a dialog.

Task Click the text in the Description column. The full text of the note is opened in a dialog.

Uploading a Document

Choose Upload Document to upload any type of file. In the popup displayed, make the following entries:

Field Input

Document Browse your computer to attach a file.

Subject Enter a description to display in the table.

Importance You can highlight the importance of your entry. Select from High (an exclamation point is displayed), Medium, and Low (an arrow is displayed).

Category This is used to classify the information received, such as whether the event is a fact or supposition.

Communication Source Enter the communication channel or the source of information of the event, such as e-mail or a phone call.

Receiving Date Enter the date the event information was received.

Related Date Optionally, enter another relevant date, such as the time the event occurred, not necessarily the time when you are entering the information.

When you choose Save, the file will be uploaded and the information will be entered in the table displayed.

Files that have been uploaded are displayed with the paperclip icon in column Type.

Creating a Note

Choose Create Note if you want to add a note to your investigation. In the popup displayed, make the following entries:

Field Input

Subject Enter a short but meaningful text, which will be displayed in the table.


Field Input

Notes This is a free text field where you can enter your notes. This is displayed in the Description column of the table.

Importance You can highlight the importance of your entry. Select from High (an exclamation point is displayed), Medium, and Low (an arrow is displayed).

Category This is used to classify the information received, such as whether the event is a fact or supposition.

Communication Source Enter the communication channel or the source of information of the event, such as e-mail or a phone call.

When you choose Save, the note is entered in the table.

Creating a Task

Choose Create Task to add a task that must be performed as part of the investigation of an alert.

When you create a task, you can set a deadline for completing the task. You can also detail what is to be done, set the importance, and enter the source. Except for the Due Date, the fields are the same as for a note, above.

When you choose Save, the task is entered in the table.

Tasks can be managed directly from the table. In the Task Status column, you can close open tasks, and reopen closed ones. Tasks that have been closed are still shown in the table, but they are crossed-out.

Editing a Document

To Edit this Kind of Document...

Do This

Uploaded Document Mark the row of the uploaded document and click Edit to edit the properties of the uploaded file.

Click the file name to download the document or display it in another tab for editing.

Note Mark the row of the note and click Edit to edit the text and properties of the note.

Task Mark the row of the task and click Edit to edit the text and properties of the task.

Deleting Entries

When you select an entry to be deleted, a confirmation popup is displayed. If the entry has subentries, the popup asks you if you want to delete the entry as well as its children. This gives you the opportunity to cancel and go back to select individual entries.

Tracking Your Actions in the Activity Section

The changes that you make in the Documentation section are recorded in the Activity section. Even if you delete a note or task, you can still reconstruct what was in it. If you delete a document, you can still access the document directly.

The table below shows what is tracked in the Activity section.


Investigation

Tracking of Documentation Changes in the Activity Section.

Type of Document What Is Tracked? Notes

Notes and Tasks Creation, editing, and deletion of notes and tasks and their attributes

Activity entries record the exact text in a note or task after each change.

By following the entries, you can see how a note or task changed.

You can also see the most recent text even if a note or task has been deleted.

Documents Upload, editing of attributes, download, and deletion of documents

Activity entries record all document actions that occur.

If a document is deleted, it disappears from the Documentation section. But you can still display the deleted document from the action-tracking entry in the Activity section.

6.2.2.5.6 Displaying the Activity Section

How to use the action and event log in the Activity section of the Manage Alerts app to audit alert investigations.

What is the Activity Section for?

The Activity section provides complete logging of the actions taken within Manage Alerts with respect to an alert.

With this logging, you can determine exactly what happened during the investigation of an alert and which users were responsible for the actions that were taken. You can answer questions like these:

● What changes in alert status occurred?● What documents, tasks, and notes were added to, changed, or deleted during the investigation of an alert?● What decisions were taken with respect to alert items or address screening hits?● Which users participated in the investigation of the alert?

About the Display and Filter

The Activity section displays events and actions in a timeline. The type of action is shown by an icon. When you open Activity, all events and actions are shown. Each entry shows only the most important information; you can expand and close entries with Show More and Show Less buttons.


The timeline shows events from newest - at the top - to oldest. You may see the events in the timeline stacked vertically in a single line. Or you may see events zigzagging back and forth between two columns, to make better use of the space in your browser window. In both cases, events that are higher in the timeline are newer.

You can filter actions by the user who is responsible and by the type of action. The filters in the Activity section show only the users and action types that are present in the log.

Types of Actions and Events Logged

The table below shows the types of actions and events that are logged.

Types of Actions and Events Logged.

Categories of Logged Activities Activities Logged by Category Notes

Actions Alert Transfer Action Triggered

Customer General Action Triggered

Customer Transfer Action Triggered

Revoke Transfer Action Triggered

Alert Transfer Action Triggered and Revoke Transfer Action Triggered document the transfer of an alert to an external case management system. Revocation of a transfer is possible from the external system.

Customer General Action Triggered documents the execution of an implementation of BAdI: General Alert Action in Customizing.

Customer Transfer Action Triggered logs the execution of an implementation of BAdI: Transfer Alert Action in Customizing.

Address Screening Address Screening Hit Confirmed

Address Screening Hit Rejected After Having Been Confirmed

Documents confirmation or rejection of screening hits in the Address Screening Hits section of Manage Alerts or in the Address Screening Hits app.

Alert Editing Alert Edited Documents changes of alert attributes with the Edit function in Manage Alerts


Investigation


Approvals (Actions in Workflow) Approval for Decision on Alert Item Requested

Approval for Decision on Alert Item Canceled

Request Rejected

Request Approved

Workflow Event (Migrated)

Documents actions in the workflow for approval of a completion decision for an alert item.

Workflow actions follow the Decisions action Alert Item Closed Subject to Approval.

Note that user WF-BATCH may appear as the responsible user in workflow messages. WF-BATCH is a workflow service user. WF-BATCH does not directly carry out workflow actions. But, for technical reasons, it must appear at the start of messages as the "responsible user."

The users who really are responsible for workflow actions appear in the body of the messages.

Assignments Alert Assigned

User Assignment Removed

Assignment, removal of assignment, and reassignments of an alert to a responsible user

Decisions Alert Item Closed

Alert Closed

Alert Item Closed Automatically

Alert Item Closed Subject to Approval

Decisions to complete alert items and the parent alert. Completion of the last open alert item in an alert triggers the completion of the parent alert.

Also, decisions to reopen an alert that has been completed. Reopening an alert reopens all alert items in the alert.

Documents Document Added

Document Changed

Document Deleted

Upload, change of attributes such as category, and deletion of documents in the Documentation section.

You keep access to a deleted document. While the document disappears from the Documentation section, you can still display a deleted document from the Activity section.

Integration Integration Event Actions from the partner system in an integration scenario. For example, actions by the Master Data Governance system in integration with SAP Business Partner Screening are recorded as Integration actions.

Note that approval of an alert decision in Master Data Governance is recorded as an Approvals action. The subsequent closing of the alert item and alert appear in this integration scenario as Decisions events.



Lifecycle Alert Created

Alert Created Manually

Alert Set to In Progress

Alert and Items Reopened

All system-internal events relating to alerts and alert items. Creation, assignments of an alert, completion decisions of alert items and the parent alert in the Decision section, and the reopening of an alert are tracked.

Notes Note Added

Note Changed

Note Deleted

Creation, edits, and deletion of notes in the Documentation section. At creation and edit, the text and attributes (importance, for example) are captured. You can trace any changes made to the text of a note or its attributes.

SAP Jam SAP Jam Group Created

SAP Jam Task Created

Creation of an SAP Jam group or task from the SAP Jam tile in an application.

Tasks Task Added

Task Changed

Task Deleted

Task Closed

Task Reopened

Creation, edits, status changes, and deletion of tasks in the Documentation section. At creation and edit, the text and attributes (importance, for example) are captured. You can trace any changes made to the text of a task, its status, and its attributes.

Other Other Event (Migrated) Migrated actions from alerts that existed before an upgrade to Release 1.2 SP03.

Note that you will not see the texts shown in the Activities Logged by Category column in the table above. These texts are the technical descriptive names of the activities that are logged. The search filter in the Activity section displays the categories shown in the left column. The log itself offers an explanatory message detailing each action.

6.2.2.5.7 Using the Network Analysis

The Network Analysis displays the relationships of the entities associated with an alert, for example, the related business objects and partners. The data is rendered as a graph, consisting of nodes (depicted by icons) that are connected by edges (depicted by lines).

To help make the investigation of an alert easier, the network analysis displays “cycles” in the graphs. A cycle is formed when an entity can be reached from the investigation object by more than one path. A cycle indicates that the entities are interconnected more closely than they should be, which is therefore an indication that fraudulent activities may have occurred. Cycles are emphasized by bold edges in the graph.


Investigation

Simple Graph

Graph visualization fosters insights into the relationships between objects and persons and can help, for example, in unveiling criminal networks of people covering each other’s fraudulent actions. What is displayed as nodes and edges depends on the Customizing settings for the Network Analysis, and is not limited to the common business-objects to business-partners scenario.

Network Analysis Functions

The Network Analysis is a visualization tool and has the following functions:

Expanding and Collapsing

You can expand the nodes to display more nodes and explore the displayed network. Click the node, then click the expand icon “+” in its context menu.

Expanding a node loads and displays all nodes connected to it by an edge. It also loads and displays all edges between newly and previously displayed nodes. Expanding a node takes into account all node types and edge types in the Customizing.

You can collapse a node to display less nodes and reduce the amount of data for a better overview. Click the node, then click the collapse icon “-” in its context menu.

Collapsing a node removes its sub-graph from the display. The sub-graph of a node contains all nodes that are farther from the graph’s origin node. The collapsed node itself remains.

Moving Nodes


Drag the nodes to adjust the layout of the graph as needed. Push and hold down the mouse button on a node, then move the mouse to move the node. Releasing the mouse buttons pins the node to its new position, so that it will no longer move with the automatic layout.

Panning

Drag the background to adjust the viewed portion of the graph. Push and hold down the mouse button on the graph’s background, then move the mouse to move the whole graph from side to side.

Network Analysis Settings

A Network Analysis graph consists of nodes (depicted by images) connected by edges (depicted as lines). In terms of computer science, the Network Analysis displays an undirected multi-graph. The graph starts from a designated node called the origin node. The origin node is highlighted in gold and, at startup, is centered in the display.

The origin nodes are defined in Customizing in the Business Add-In BAdI: Origin Node for Alerts in Network Analysis.

Nodes

Nodes in the social graph are provided by SAP HANA information models. Each row in the view results in a node.

Each node has a label that is displayed beneath its visual representation in the graph. Usually, the label is an identifier of some kind, like an ID or the name of a business partner.

Each SAP HANA information model provides nodes of one node type, such as a claim or business partner. The social graph, however, displays any combination of node types, as long as they are related in some way.

Nodes can be provided from SAP HANA views, such as calculation views, ABAP-Managed Database Procedures (AMDP), or ABAP classes.

Nodes are defined in Customizing in activities Define Node Styles for Network Analysis and Define Node Types for Network Analysis.


Investigation

Nodes

Edges

Just like nodes, edges are provided by SAP HANA information models. Each row in a view results in an edge.

Edges are defined in Customizing in activities Define Edge Styles for Network Analysis and Define Edge Types for Network Analysis.


Edges

Reference Types

The following source and target nodes can be connected for the Network Analysis:

● Nodes of different node types can be connected.

● Nodes of the same node type can be connected.


Investigation

Reference Types

More Information

Alert Details [page 154]

Extending the Network Analysisin the Extensibility Guide

6.2.2.5.8 Setting the Decision

You can complete alerts that belong to you on the Manage Alerts screen (see Completing Alerts [page 153]) or you can use the Decision tool from the alert details.

Closing an alert from the Manage Alerts screen is the quick way; you close all of the open alert items at once. From the Decision section, you can close alert items individually, as required by your investigation of the alert items.

This section shows you how to complete your alerts from the Decision section.

Overview


https://help.sap.com/viewer/2cba2a3475d24114b91c4c268d4c84b6/1.3.0.2/en-US/39f879c3ba3b4248823fdf0fd47273cc.html

Investigators must enter a Summary, Finding, and Reason for each item of the alert in order to complete their investigation and close the alert. That is, if any of the alert items are not completed, the alert status will remain In Process.

The reasons for completing an alert and the values for the findings are defined in Customizing.

When an investigator sets the decision, the system checks if an additional approval step is required (as defined in the Customizing).

Making a Decision

To set the decision, the alert must be assigned to you and have the status In Process.

Select one or more alert items in the Alert Items table and enter a Summary, Finding, and Reason.

Depending on your Customizing settings, you may have to enter either a value for the Financial Outcome or Actual Loss / Opportunity Costs. A financial outcome has a win-based approach to evaluation and represents the amount of money you saved your company due to the successful investigation. A loss-based approach to the evaluation could represent the actual loss that has occurred or the opportunity costs that would ensue.

NoteFor more information about these win-based or loss-based alert evaluation types, see Customizing activity Define Investigation Settings (column Eval Type).

When you Save your entries, the alert details are automatically updated.

Approval for Decision

When an investigator assigns a finding, an additional approval step may be required. Depending on the Customizing settings, alert items may have to be approved by one or several approvers before they can be closed.

In the Approvals list, in tiles such as My Approvals, the decision summary is limited to the first 80 characters. However, you can follow the alert link to display the full decision and summary text.

NoteApproval-related information, such as the Approval Status and the Approval Request Log, is displayed in the Decision section.

Show History

The Activity section records all actions that are taken in the Decision section.

Because decisions on alert items are so important, we also offer the Show History button in the Decision section. Show History gives you fast access to the decisions on each alert item.

Show History shows a subset of all of the actions recorded in the Activity section. In Show History, you will see in one compact entry only the decision or decisions made with respect to an alert item. (There may be more than one decision if an alert was reopened.) As a bonus, each entry includes the complete text from the Decision Summary field, which is not tracked in the Activity section.


Investigation

More Information

Approval Request Process in Detail [page 195]

6.2.2.6 Saving as a Tile

From the Manage Alerts screen, you can save your filter and table settings as a tile on your home screen.

Creating KPI Tiles

Certain filter settings, which represent the status of an alert, can be used to create tiles with KPIs. That is, the number of records will also be displayed on the tile you create.

The following table gives an overview of the different filter combinations for which a KPI tile is created:

Transfer Status Alert Lifecycle Person Responsible Default Title

Transferred All Transferred Alerts

Transferred <My User> My Transferred Alerts

In Process

Not Started

All Open Alerts

In Process

Not Started

<My User> My Open Alerts

Not Started All New Alerts

Not Started <My User> My New Alerts

Completed <My User> My Closed Alerts

ExampleTo create a KPI tile of all your open alerts, perform the following steps:

1. Enter your name in the Person Responsible filter.2. Enter In Process and Not Started in the Alert Lifecycle filter.3. Choose Go.4. Click on the Share button.5. Choose Save as Tile.6. In the dialog box displayed, the Title field has the default entry My Open Alerts. Enter any text that

you wish. You can also make entries in the Subtitle, and Info fields. This information will also be


displayed on your tile. The entry selected in the field Group indicates where on the home screen you want you KPI tile to be displayed. My Home is the default setting.

7. Choose OK.

The KPI tile with all your open alerts will now be displayed at the top of your home screen.

Changing KPI Tiles

If you want to change, for example, the name of a tile or add a subtitle, perform the following steps:

1. Go to your home screen.2. Click on the pencil (Edit Home Page) button at the top of the screen.3. Click on a tile, and choose Settings.4. Make your changes in the Settings dialog box, and choose OK.5. Choose Done at the bottom of the screen.

Removing KPI Tiles

If you want to remove a tile from your home screen, perform the following steps:

1. Go to your home screen.2. Click on the pencil (Edit Home Page) button at the top of the screen.3. Click on the Remove button on the tile.4. Choose Done at the bottom of the screen.

6.2.3 Processing Address Screening Hits

With the Process Address Screening Hits app, the fraud investigator in the area of SAP Business Integrity Screening or the exception management specialist in the area of SAP Business Partner Screening can make an initial decision as to whether a hit from address screening is a likely false positive or requires further investigation. You can also use this app to assign the unassigned hits to yourself or to another investigator for processing.

This app supersedes the Address Screening Hits tile.

Key Features

● Display the list of all potential screening hits that are currently unassigned (Unassigned Hits tab is highlighted)

● Assign screening hits to yourself or to another investigator or exception management specialist for processing


Investigation

● Display the list of all the open screening hits that have been assigned to you (My Hits tab is highlighted)● Submit your decision about whether or not it is an actual hit (either YES/NO)● Reset the assignment if you'd rather have the hit go back in the queue● Assign the hit to another investigator or exception management specialist for processing

Related Information

Processing Your Open Hits [page 175]

6.2.3.1 Processing Your Open Hits

When you open the app, the main screen will show you a list of all your open hits (and the My Hits tab is highlighted). The columns of the table depend on the settings you make in your view:

Process Address Screening Hits

Column Description

Investigation Object Type This identifies the type of object which you are screening. This could be, for example, a purchase order, claim, or a person.

Screened Name The names that were screened against an address screening list.

Match Shows you how close the screened name is to a name from a screening list. The match is based on the name only. That is, the address involved does not influence the match percentage.

The match is shown in red if it is above or equal to 90%, in yellow if it is above or equal to 70%, in gray if it is less than 70%.

Opened Shows you how long the hit has been open.

Business System The source system where the screened entity exists.

ID The ID changes, depending on the investigation object type you are displaying.

NoteBy default, the app uses the Standard view, which displays all your open hits, starting with the most recent.

You can customize your own view settings by selecting the columns that you use regularly and saving a new View.


To process a screening hit, click on a line in the table and the details of the hit will be displayed on the next screen.

Hit Details

The My Open Hits screen shows the details of the screened name in the hit. The table entries are sorted in descending order, by the best match:

My Open Hits

Column Description

Name These are the names that appear on an address screening list, and are responsible for producing the hit.

If you click anywhere on the line of the matched name, you will go to the Manage Address Screening Lists screen, which shows you the entity details of the matched name.

Match Shows you how close the screened name is to the name on the screening list. The match is based on the name only. That is, the address involved does not influence the match percentage.

The match is shown in red if it is above or equal to 90%, in yellow if it is above or equal to 70%, in gray if it is less than 70%.

List Classification The list classification shows under which classification the list has been defined in Customizing, such as sanctions, or allegations, or PEP.


Investigation

Column Description

Additional Info Gives you more information about the screening list that the matched names are from, as well as the details of the overall score and screening type for that hit:

● Overall ScoreCombines information about the name, address, and country involved.If this combined score is higher than the score for the name only, a warning icon is displayed next to the Match percentage. This is intended to highlight situations where, for example, the address is a 100% match, but the name is only a 79% match. In this situation you might want to confirm the hit based on the address match, despite the relatively low match on the name.

● Screening TypeTells you how the overall score was generated:○ Screening type N (name only) means the screening

compared names only. That is, the address is completely ignored.

○ Screening type C (country and name) requires an exact country match before names are compared.

○ Screening type A (name, country, and address) will also compare addresses, after both the names and countries have been matched.

For example, screening type N will match a John Adams in London, UK to one in Washington, US. Screening type C will not make a match because the country is differ-ent. Screening type A will also not make a match because the country and address are different.

● Screening List DetailsThis shows the various details of the list where the matched name is found, such as the list ID, list description, the entity ID, as well as the provider list group.

Making Your Decision

Use the YES/NO toggle to show whether you think the item is a genuine hit requiring further action or a false positive.

Note that hits with name matches of 100% are preset to YES.

You can add a Comment if you'd like, and Submit your decision.

If you leave the screen without submitting a decision, for example with the Back button, your comments and hit decision will remain as you set them, and the item will remain open.

You can also go directly to your next open hits using the function arrows Next Item and Previous Item at the top of the screen.


You also have the option to Reset Assignment, which will return it to the queue.

If you choose Assign to Other, you can select a specific individual to assign the hit to.

6.2.4 Managing Unassigned Alerts (Will Be Deprecated)

This worklist allows you to manage alerts that are not assigned to an investigator. That is, you can preinvestigate unassigned alerts, and either dispatch them or close them without investigation.

You can call this function on the Home screen using the Unassigned Alerts app. It opens in a new window or tab.

You can display alert details by clicking on an alert.

NoteThe sections that are displayed in the alerts details are defined in the Customizing activity Assign Alert Sections to Investigation Object Types.

When you display an alert, only those sections are displayed that were defined to be visible and active on the screen for unassigned alerts.

You can use this app to:

● Assign alerts to an investigator● Close alerts without investigation● Assign color tags● Filter alerts● Search for alerts● Display alert details● Add notes

Icon Description

You can dispatch alerts that should be investigated.

1. Select one or more alerts.

2. Choose . All users are displayed in a sorted list (according to their last name) with the following data:○ Name○ Number of new and open alerts that have been assigned to them○ Color tag and additional information

3. Click on the user photo to assign the selected alerts.


Investigation

Icon Description

You can close alerts without investigation, for example if an alert has a low risk value.

1. Select one or more alerts.

2. Choose .3. On the next screen, enter a summary and select a reason.

The alert then is closed and set to completed with the finding Not Investigated. The alert disappears from the list of unassigned alerts. It can be later seen in the alert worklist using the My Closed Alerts filter.

You can filter alerts by:

● Creation Date● Investigation Object Type● Risk Rating● Risk Value● Color Tag

You can sort by:

● Creation Date● Investigation Object Type● Risk Rating● Risk Value

You can search for alerts.

The search operates on all searchable attributes.

You can assign color tags to one or more selected alerts, for example, to provide status information such as ‘on hold‘.

You can select all visible (loaded) alerts.

You can add a note to the alert that is displayed with its alert details (highlighted in blue).

These notes can then be displayed on the Documentation section.

NoteYou cannot add a note to multiple alerts (only to the highlighted one).

NoteInvestigators can also color tag themselves and add additional information in their user settings.

This information could be, for example, the dates of their absence or their investigation domains.


6.3 Worklists

Worklists complement the investigation process. With worklists, you create snapshots of data, which can be used for investigation.

Worklists support you in scenarios with large number of similar “hits” without the need of intensive investigation.

Scenarios that benefit from the creation of worklists could be, for example, corporate compliance scenarios, like password compliance or budget spending.

Worklists can be created regularly, for example, to document the state of the data set, or they can be created ad hoc.

If you decide that a detailed investigation is required, you can create an alert manually. You can also navigate to an external system from the worklist, thus facilitating the investigation process.

Both functions are available in the My Worklist app or when using Ad Hoc Requests.

NoteWorklists versus Alerts

In detection, you manage the results using alerts. Traceability, detailed investigation, status management, as well as workflows are features of alert processing aimed for managing suspicious data or handling exceptions.

With worklists, you create snapshots of data, which can be used for investigation.

Worklists are not aimed for intensive investigation purposes.

What is right for you? See also Alerts [page 145]

Setting Up Worklists

See Prerequisites for Working with Worklists [page 181]

Working with Worklists

1. Creating Worklists Based on Worklist VariantsSee Creating Worklists [page 185]and Scheduling Worklist Creation [page 188]

2. Using WorklistsTo display worklists that already have been created.See Displaying My Worklists [page 186]


Investigation

Working with Ad Hoc Requests

● Start Ad Hoc Request Based on Worklist VariantsTo display worklist data on demand, see Starting Ad Hoc Requests [page 187].

Deleting Worklists and Worklist-Related Objects

To delete worklists, perform the following steps:

1. Delete WorklistsSee Deleting Worklists [page 189]

2. Delete Worklist VariantsSee Managing Worklist Variants [page 182]

3. Delete Worklist Type and Generated ObjectsSee Monitoring Objects Generated for Worklists [page 191]

Monitoring Generated Objects

You can use this function to display and check objects that have been generated when a worklist type has been used.

See Monitoring Objects Generated for Worklists [page 191]


You can use the application log to display more information about worklists that have been created or deleted.

See Analyzing the Worklist Log [page 190]

6.3.1 Prerequisites for Working with Worklists

Before using worklists, you must provide an SAP HANA view and maintain worklist data models in the Customizing activity Maintain Worklist Data Model.

See Defining Worklists in the Extensibility Guide.

The worklist type is needed in order to create a worklist variant.

See Managing Worklist Variants [page 182]

NoteOptionally, you can distribute worklist variant from a source system in a target system.


https://help.sap.com/viewer/2cba2a3475d24114b91c4c268d4c84b6/1.3.0.2/en-US/5b929f56138af52ae10000000a4450e5.html

See Defining Target Groups [page 183]and Distributing Worklist Variants [page 184]

Authorizations

The authorization objects FRA_WL_VAR (Business Integrity Screening: Worklist Variant) and FRA_WLIST (Business Integrity Screening: Worklist Item) allow you to restrict access to worklist variants, worklists, and worklist items.

You can use the BAdI FRA_BADI_WORKLIST_PROCESSING to influence which worklist items will be displayed in the following apps:

● Manage Worklist Variants during the preview when adding selection conditions● My Worklists to influence which worklist items will be displayed● Start Ad Hoc Requests to influence which worklist items will be displayed

Fore more information, see the Security Guide on SAP Help Portal at http://help.sap.com/bis.

Distributing Worklist Variants

Before you can distribute worklist variants, the following has to be done:

● The worklist type has to be available in the target system.● You must have defined a target group and assigned an RFC connection using transaction FRA_TRGTGRP.

6.3.1.1 Managing Worklist Variants

With the transactional app Manage Worklist Variants, you define the selection conditions to be used for creating worklists.

Key Features

● Create, display, edit, and delete worklist variants● Define and change the selection conditions

When you apply the selection conditions, the system immediately previews the data found for your selection.

NoteWhen adding the selection conditions on the Add Selection Conditions screen, you can apply conditions and choose Go to use the preview function. By default, all available data will be displayed.


Investigation


● Define field visibilityYou can define which fields are displayed in which order.The selected fields and their order is used when displaying the worklist items for a worklist or the results for an ad hoc request.

NoteThis function does not restrict access to data. It only changes the visibility of the fields in the results list. Fields that are not visible in the results list can nevertheless be used to filter data, and they will be displayed when creating an alert manually (especially the key fields).

General Remarks

If an Investigation Object Type is maintained in the worklist type Customizing, you must enter an Investigation Reason to support creating and identifying alerts.

Using the Authorization Group allows you to restrict access to worklist variants and to worklists created with this variant.

For more information, see the Security Guide at http://help.sap.com/bis.

Related Apps

Displaying My Worklists [page 186]

6.3.1.2 Defining Target Groups

You can define target groups for distributing worklist variants to other ABAP systems. A target group is a grouping of multiple client-specific RFC destinations under a symbolic name.

To define target groups, use transaction Define Target Group (FRA_TRGTGRP) in the back-end system.

NoteAll settings made here are local entries and are only valid in the system in which you have created the target group.

Prerequisites

You have already set up RFC connections of type 3 (destinations that refer to another ABAP system) in transaction Configuration of RFC Connections (SM59).



6.3.1.3 Distributing Worklist Variants

To distribute worklists variants, call transaction Distribute Worklist Variants (FRA_DISTRIBUTE_WLV) in the back-end system or execute program FRA_DISTRIBUTE_WLV in transaction SA38.

Distributing worklist variants means creating a copy of this variant in another ABAP system.

NoteThe target system is determined via the target group, which has to be defined in transaction Define Target Groups (FRA_TRGTGRP).

Selecting Worklist Variants to be Distributed

You can select the relevant worklist variants using the following selection criteria:

● Based on worklist type or worklist variant● Target group

NoteBefore you can distribute worklist variants, the following has to be done:

● The worklist type has to be available in the target system.● A target group must exist.

See Defining Target Groups [page 183]

Result

The system lists the variants found with its status (Worklist variant with different data in the target system, Worklist variant with same data in the target system, and Worklist variant does not exist in the target system).

In the results lists, you can do the following:

●

NoteYou can also display messages related to the worklist variants that have been distributed using transaction Analyze Application Log (SLG1) with object FRA_WL_TECH, subobject DISTRIBUTE, and program FRA_DISTRIBUTE_WLV.

●

More Information

Analyzing the Worklist Log [page 190]


Investigation

6.3.2 Creating Worklists

With the transactional app Create Worklists, you can create worklists for a specific worklist variant.

You can only use worklist variants with a worklist type that can be used for persisted worklists.

Key Features

The system will propose selection conditions if they have been defined in the worklist variant.

When creating a worklist, you can add or change the selection conditions.

You can only use the selection fields that have been defined in the Customizing for this specific worklist type.

Result

● The system creates a worklist.● Your worklists can be displayed with the app Displaying My Worklists [page 186].● Worklist-related messages can be displayed in the application log in the back-end system using transaction

Display Worklist Log (FRA_WORKLIST_LOG). The application log lists application messages and selection parameters and statistics, such as the search criteria or the number of worklists items that have been created.

NoteIf the worklist does not have any items, an empty worklist will be created. Empty worklists will not be displayed with the app My Worklists. They are listed in the application log and they can be deleted.

General Remarks

You can create worklists if you have the required authorization for executing worklist variants.


Related Back-End Transactions

Execute Worklist Variant (transaction FRA_WL_VAR_EXECUTION)

See Scheduling Worklist Creation [page 188]


Related Apps

Managing Worklist Variants [page 182]

Displaying My Worklists [page 186]

6.3.3 Displaying My Worklists

With the transactional app My Worklists, you can display your worklists.

A worklist provides a snapshot of data, which has been created at a specific date and time.

Key Features

● Export the worklist into a spreadsheet application (.xlsx format)● Create an alert manually (if Customized)

NoteThe following fields will have proposals that can be changed when you create an alert manually in the My Worklists app:

○ The investigation object type with its key fields○ The investigation reason from the worklist variant○ Detection summary○ Person responsible (by default your user is proposed)

● Navigate to an external destination (if Customized)● Sort and filter your worklists● Hide and unhide columns

General Remarks

You can only display worklists and their items (rows) as well as the number of worklists on the tile if you are authorized to display these worklists and items.

You can only display related alerts or create alerts manually if the investigation object type has been assigned to a worklist type in the Customizing under Maintain Worklist Data Model.

You can only navigate to a transaction in an external system if a navigation group has been assigned to a worklist type in the Customizing under Maintain Worklist Data Model.

You can only display related alerts, navigate to them, or create alerts manually if you are authorized for working with alerts.



Investigation

Related Apps


6.3.4 Starting Ad Hoc Requests

With the transactional app Start Ad Hoc Requests, you can display worklist data based on a specific worklist variant and on selection conditions.

The selection conditions defined in the worklist variant will be displayed when choosing a worklist variant from the list.

Key Features

● Export the worklist into a spreadsheet application (.xlsx format)● Create an alert manually (if Customized)

NoteThe following fields will have proposals that can be changed when you create an alert manually in the My Worklists app:

○ The investigation object type with its key fields○ The investigation reason from the worklist variant○ Detection summary○ Person responsible (by default your user is proposed)

● Navigate to an external destination (if Customized)● Use Save as tile to create a new tile on the Home screen, so you can directly navigate to the details for the

selected worklist variantSee Saving an SAP Fiori App as a Tile

● Sort and filter in the results list● Hide and unhide columns

General Remarks

You can only use worklist variants with a worklist type that can be used for ad hoc requests.

You can only display related alerts or create manual alerts if the investigation object type has been assigned to a worklist type in the Customizing under Maintain Worklist Data Model.

You can only navigate to a transaction in an external system if a navigation group has been assigned to a worklist type in the Customizing under Maintain Worklist Data Model.



http://help.sap.com/disclaimer?site=http%3A%2F%2Fhelp.sap.com%2Fsaphelp_nw75%2Fhelpdata%2Fen%2F60%2F86339c2c7e48388d15a8c58495f48d%2Fcontent.htm

Related Apps


6.3.5 Worklist Administration

The following tasks can be carried out in the back-end system:

● Schedule worklists to be created for specific worklist variantsSee Scheduling Worklist Creation [page 188]

● Delete worklists created with specific worklist variants and worklist typesSee Deleting Worklists [page 189]

● Display the application logSee Analyzing the Worklist Log [page 190]

● Display and check objects that have been generated when a worklist type has been usedSee Monitoring Objects Generated for Worklists [page 191]

6.3.5.1 Scheduling Worklist Creation

To create worklists for a specific worklist variant, choose transaction Execute Worklist Variant (FRA_WL_VAR_EXECUTION) in the back-end system or run program FRA_WORKLIST_VARIANT_EXECUTION in transaction SA38.

You can only use worklist variants with a worklist type that can be used for persisted worklists.

To run the worklist creation regularly you can define a background job in transaction Define Background Job(SM36) or use the Job Scheduling Wizard.

NoteBefore creating worklists, you must have already created a worklist variant with the app Manage Worklist Variants.

The selection conditions defined for the worklist variant will be used when creating a worklist. The selection conditions cannot be changed while creating a worklist in the back end.

Result

● The system creates a worklist.● The system displays the application log with application messages and selection parameters and statistics,

such as the search criteria or the number of worklists items that have been created.If the worklist does not have any items, an empty worklist will be created. They are listed in the application log and can be deleted.

NoteEmpty worklists will not be displayed with the app My Worklists.


Investigation

● Your worklists can be displayed with the app Displaying My Worklists [page 186].

More Information


Deleting Worklists [page 189]

Analyzing the Worklist Log [page 190]

For more information about background jobs, see the documentation for SAP NetWeaver on SAP Help Portal at http://help.sap.com under Scheduling Background Jobs (https://help.sap.com/saphelp_nw70/helpdata/EN/c4/3a7f87505211d189550000e829fbbd/frameset.htm ).

6.3.5.2 Deleting Worklists

To delete worklists, call transaction Deleting Worklists (FRA_DEL_WORKLIST) in the back-end system or execute program FRA_DELETE_WORKLIST in transaction SA38.

Selecting the Worklists to be Deleted

You can select the relevant worklists using the following selection criteria:

● Based on worklist type or worklist variant● Based on the “age” of worklists (residence time)

All worklists that are older than the years and days you have entered will be deleted. You can enter years and days (the years and days are added up together, they are not an either/or value).Worklists with 0 items (empty worklists) are deleted as well.

NoteThe residence time is the length of time that must have passed before application data can be deleted.

The system calculates the dates based on calendar days (not working days).

If you enter a residence time of 0, the system will delete all available worklists.

NoteSAP recommends archiving your data instead of deleting it.

Example

If the date is February 20th, and you want to delete all worklists that are older than 10 days (residence time is 10 days), the system will delete all worklists that have been created on February 10th or earlier.

The creation date of the worklist will be considered when calculating the residence time.





Sequence for Deleting Worklist-Related Objects

You must proceed as follows:

1. Delete all worklists for a worklist type/worklist variant using transaction Delete Worklists (FRA_DEL_WORKLIST).

2. Delete worklist variant using the app Manage Worklist Variants.3. Delete the worklist type in the Customizing activity Maintain Worklist Data Model.4. Delete all generated objects for this worklist type in transaction Generation Monitor for Worklist Type

(FRA_WLT_MONITOR) using the (Delete Orphaned Entries) function.

Related Information

Archiving Worklists with FRA_WLIST [page 223]

6.3.5.3 Analyzing the Worklist Log

To display the worklist log, call transaction Display Worklist Log (FRA_WORKLIST_LOG) in the back-end system.


You can filter the logs, for example, by the following criteria:

● Object and subobject○ The object Worklist Processing Log (FRA_WL_PROC) is already set as the default.○ The subobjects could be Application Messages, Selection Parameters and Statistics or all messages.

● External IDEnter an external ID. This ID was assigned by the application program or by the user who created the worklist.

● ProgramEnter the name of the program that caused the logged event:○ Execute Worklist Variant: FRA_WORKLIST_VARIANT_EXECUTION for messages related to worklists

that have been created in the back-end system○ Create Worklists: FRA_WORKLIST_EXECUTION for messages related to worklists that have been

created in the background using the Create Worklist app○ Delete Worklists: FRA_DELETE_WORKLIST for messages related to worklists that have been deleted in

the back-end system● Time period, user, or log class


Investigation

Results

Examples for log messages are:

Messages for Created or Scheduled Worklists

The log displays the search criteria used for creating worklists and the number of worklist items that have been created.

Messages for Deleted Worklists

The log displays the worklists that have been deleted, the number of their deleted worklist items, and the residence time that has been selected.

6.3.5.4 Monitoring Objects Generated for Worklists

To display and check objects that have been generated when a worklist type has been used, call transaction Generation Monitor for Worklist Type (FRA_WLT_MONITOR) in the back-end system or run report FRA_WLT_MONITOR in transaction SA38.

You can also delete generated objects for worklist types that have been deleted.

In the results list, you can do the following:

● Display StatusIf the status is Error, the objects have to be generated.You can navigate to the log by clicking on the status.The log displays errors that occurred during the generation or lists generated objects that have been deleted successfully.

NoteYou can also display messages related to the generation monitor for worklists using transaction Analyze Application Log (SLG1) with object FRA_WL_TECH, subobject MONITOR, and program FRA_WLT_MONITOR.

● Display Error Log

To display the messages that cannot be assigned to a single worklist type, choose (Display Error Log).● Navigate to the Generated Objects

You can navigate to the objects that have been generated by clicking on the object in the results list.● Regenerate Objects

Choose (Regenerate Objects) to regenerate the objects needed, for example when errors occurred during the generation.

● Delete Objects

○ Choose (Delete Generated Objects and Content) to delete objects when regenerating was not successful. Deleting objects and regenerating them afterwards might solve the problem.

○ Choose (Delete Orphaned Entries) to delete objects that are no longer needed. This function can be executed in the results list without selecting a specific entry and it can also be executed in a production system.


This function can be executed in the results list without selecting a specific entry and it can also be executed in a production system.

Sequence for Deleting Worklist-Related Objects

You must proceed as follows:

1. Delete all worklists for a worklist type/worklist variant using transaction Delete Worklists (FRA_DEL_WORKLIST).

2. Delete worklist variant using the app Manage Worklist Variants.3. Delete the worklist type in the Customizing activity Maintain Worklist Data Model.4. Delete all generated objects for this worklist type in transaction Generation Monitor for Worklist Type

(FRA_WLT_MONITOR) using the (Delete Orphaned Entries) function.

6.4 Approval Requests for Alert Item Findings

Approval requests are used to establish a dual control principle for findings of an alert item.

When an investigator of an alert item sets the decision, the system checks if an approval step is required.

Starting an approval request technically means starting a workflow.

ExampleIf an alert item with a high risk value (> EUR 2,000) is closed without investigation, an approval request is required.

The higher the risk value is, the more approvers are desired.

Setting Up the Start Conditions for Approval Requests

You can define the conditions that have to be met to start an approval request in the customizing activity Define Start Conditions including the threshold for the risk value, the alert completion status, the number of approvers, and their required role.

If cross checking by several approvers is needed, you can define up to nine approvers.

You can also define that the investigator can directly assign any other user as approver.

How Will the Approvers be Determined?

Groups of people who can be participants in an approval process can be created using the Manage User Groups app.


Investigation

The system then identifies the approvers for an alert item as follows: The fraud division and the detection object type of the alert item are used to find the relevant groups. The members of these groups are checked for having the required role that has been maintained in the Customizing.

NoteInvestigators that already have acted as approvers, as well as the investigator who requested the approval are excluded.

See Managing User Groups [page 195]

Working with My Approvals

The approval requests can be accessed from the home screen by clicking the My Approval tile.

When an investigator of an alert item requests an approval for the finding, the request is visible in the “inbox” (that is the approval list) of all approvers that have been determined by the system.

See My Approvals [page 202]

Approval Request Process in Detail

The approval process may require one or several approvers, approvers can be assigned manually, requests can be rejected, or approval request can be canceled.

Exemplary process descriptions are available in the following section.

See Approval Request Process in Detail [page 195]

Who is Notified?

● If an approver has rejected the finding, the investigator of an alert item is informed via e-mail.See Approval Request Process in Detail [page 195]

● Approvers are informed about approval request that are available in their approval list.See My Approvals [page 202]

● Workflow administrators are informed about erroneous workflows.See Handling Errors in the Approval Request Process [page 203]

6.4.1 Prerequisites for Working with Approval Requests

The approval process for the finding of an alert item is technically realized by a workflow.

In this section, you will find information about the settings that are required to work with approval requests.


Setup

For information about the setup, see the Installation and Configuration Guide and the Upgrade Guide on the SAP Help Portal at http://help.sap.com/bis.


The workflow user WF-BATCH needs the authorization FRA_ALERT to change alerts.

We recommend giving user WF-BATCH role SAP_FRA_FRAUD_INVESTIGATOR.

For more information, see the Security Guide on the SAP Help Portal.

Customizing

Start Conditions for the Workflow

You can define the conditions that have to be met to start a workflow in Customizing activity Define Start Conditions. Additionally, you can define the number of approvers, the required role of an approver, and you can define if an investigator of an alert item is allowed to assign the first approver directly.

ExampleIf an alert item with a high risk value (> EUR 2,000) is closed without investigation, the system will start a workflow to establish at least a dual control principle.

You may also define conditions that state "the higher the risk value is, the more approvers required".

Settings for the Approval List

During the setup of the application, ensure you have fulfilled the Customizing steps required to set up a notification for approvers about approval requests that are available in their approval list. As well, ensure you have maintained the following activities:

● In the Customizing for SAP NetWeaver, the activity Task Gateway Service Settings is required to forward tasks to other approvers with the same role. Ensure Is User List Enabled is selected.

● In the Customizing for SAP NetWeaver, the activity Scenario Definition is required to select multiple approvals in the approval list. Ensure MassAction is selected.

Managing User Groups

User groups can be created and edited with the Manage User Groups application.

To create groups of users who are allowed to approve decisions, choose Manage User Groups - Approvals.


Investigation


6.4.2 Managing User Groups

You can use the Manage User Groups app to create and edit groups of users who will have the necessary authorizations for different tasks.

● Manage User Groups - Approvals for users who can approve the findings for alert items.● Manage User Groups - Screening for users who can finalize address screening hits decisions.

The app shows you a range of information about the various user groups, including which users are in which groups and what roles they have.

The two tabs, Groups and People, offer similar information and functionality, but from different perspectives. Choose Groups when your focus is on maintaining a specific group, and People when your focus is on an individual and which groups they are in.

The Groups TabThe Groups tab shows a list of all the available groups. You can edit any fields on the main screen by entering new values manually, or by using the dropdown menus. By selecting an entry you can go to a list of the members of that group. From the membership list, use Display Roles to see what business roles an individual has.

● To make a new group, click Create Group on the main screen, and then enter the necessary information on the Group Details screen. Use the dropdown menu to choose multiple entries from the available values where applicable.

NoteWhen you create a group, the Authorization Group field is optional.

You can use this field to separate groups by organizational or legal entity. Authorization groups can be maintained using transaction SU21 in the authorization object FRA_GROUP (Business Integrity Screeening Group).

● To add new members to a group, go to the list of members, use Add Users and follow the on-screen prompts. To remove members, first select the relevant checkboxes on the left and then use Remove Users.

The People TabThe People tab shows all the available users, and by clicking anywhere on an entry you can see a list of the groups that the selected individual is a member of. You can then edit which groups the user is in using Add Groups and Remove Groups.

Customizing and Set Up

User roles need to be maintained in the appropriate Customizing activities. When the workflow starts, the system will check that the users have the necessary roles.

● Maintain User Roles for Alert Investigation defines which users can process alerts● Define Start Condition defines when a workflow is started, and which role a workflow processor needs

6.4.3 Approval Request Process in Detail

When an investigator assigns a finding for an alert item an additional approval step may be required.


The conditions that have to be met can be defined in the Customizing. For example, if an alert item with a high risk value (> EUR 2,000) is closed without investigation, the system will start a workflow to establish at least a dual control principle.

NoteFor more information about the approval request process when using the Manage Alerts app, see Using Manage Alerts [page 148].

Overview

The basic approval request process is the following:

1. Finding needs to be approvedThe finding of an alert item has been identified as needing approval.

2. Investigator requests approvalThe investigator requests an approval on the Decision section of the alert.The approver can be assigned manually (if customized) or determined by the system.If required, the request can be canceled.

3. Approver approves or rejects approval requestAn approver is informed about new approval requests.The approver accepts or rejects the approval request in the My Approvals inbox, and comments the finding.Approval-related information is displayed on the Decision and Documentation section on the alert UI.If the approver rejects an approval request, the investigator is informed.

4. Investigator closes the alert itemWhen the investigator saves an alert item that has been approved, the alert item is closed.If required, the alert can be reopened.

See Examples: Approval Process in Detail [page 198]

Good to Know

● Alert Worklist○ If an approval is required, the alert item can only be closed after the approval has been given.○ If an approval request is rejected, the investigator has to request an approval again after making the

required changes or rework.○ Once the approval is requested the finding cannot be changed. To change the finding, the approval

request has to be canceled.○ Once the approval for an item has been given and all the alert items have been closed, that is, the alert

is closed, you must reopen the alert if you want to change the finding.○ Manually created alerts are also checked if an approver is required.○ In the Alert Worklist the investigator can set the decision and release several alerts at the same time,

but only alerts that do not need an additional approval can be closed.○ The approvers' decision including the notes are displayed as Note on the Documentation section of the

alert.○ The investigator of an alert item can select the approver directly on the Decision section of the alert (if

this is allowed, according to the Customizing).○ If the system cannot determine an approver, the investigator can enter any user as approver.○ Approval-related information, such as the Approval Status and the Approval Request Log, is displayed

on the Decision section.● Notifications


Investigation

○ If an approval is needed, the approver is informed by e-mail about new approval requests in the approval list.

○ All approvers that are determined by the system are informed via e-mail.○ If the approval is rejected, the investigator is informed by e-mail.

● Approvals○ If an approval is required, but the system cannot determine an approver, the Approver field will be

visible, so that the approver can be assigned directly on the Decision section.○ The approval request is displayed in the approval list of all responsible approvers as long as one or

several approvals are still pending.○ If the number of approvers found by the system is less than the number of approvers that are required

according to the Customizing, the system adapts (reduces) the number of approval steps accordingly. This can be the case before the workflow starts, or after each approval step.

Example○ Less approvers in a group than approvers defined in the Customizing

If the system only finds a group of 3 approvers, but 5 approvers are required as defined in the Customizing, the number of approval steps is only 3.

○ One approver required as defined in the CustomizingIf one approver is required and the system finds a group of 4 approvers, it is sufficient that one of them approves the finding.

○ 3 approvers required as defined in the CustomizingIf 3 approvers are required and the system finds a group of 6 approvers, it is sufficient that 3 approvers approve the finding.

○ 3 approvers required as defined in the CustomizingIf 3 approvers are required and the system finds a group of 3 approvers, all 3 approvers have to approve the finding.

Approval Status During the Approval Process

The following table shows the possible values for the Approval Status, which is displayed on the Decision section on the Alert UI.

Approval Status Description

If an approval has not yet been requested or if no approval is needed, the alert item has no Approval Status.

Pending If the approver hasn’t given their approval yet, the status is Pending. (If more than one approver is required, the status remains Pending as long as some approvals are still outstanding.)

Canceled If the investigator cancels the approval request, the status will be Canceled.

Approved If all the required approvers have approved, the status will be Approved.

Rejected If even one approver rejects it, the status will be Rejected. This overrules other approvals that have been given before.


More Information

Approval Requests for Alert Item Findings [page 192]

My Approvals [page 202]

Handling Errors in the Approval Request Process [page 203]

6.4.3.1 Examples: Approval Process in Detail

Approval Processes in Detail

In this section, you will find several examples for approval processes. In the examples, there may be one or several approvers, manually assigned approvers, rejected requests, or canceled approval request.

● One Approver● Two Approvers● Approval is Canceled● Approval is Rejected

NoteFor more information about the approval request process when using the Manage Alerts app, see Using Manage Alerts [page 148].

One Approver

In this example, the approver is automatically chosen by the system and the approver approves the decision.

1. The investigator of an alert item sets the decision, for example, by choosing the finding False Alarm.An additional approval is required due to a risk value that is above the threshold that is defined in the Customizing.

2. The investigator requests the approval on the Decision section of the alert.The investigator chooses Request Approval to start the approval process.

NoteThe approval status of the alert items displayed in the Decision section of the alert is Pending.

3. The system determines the approver automatically and informs the approver via e-mail.4. To display the pending approval requests, the approver opens the approval list.

The approver clicks on the My Approvals tile on the Home screen.To approve the request, the approver selects the approval request and chooses Approve. On the Submit Decision screen, the approver adds a note (optional), and submits the decision.

NoteThe approvers' notes are displayed on the Documentation section.

The Approval Status that is displayed on the Decision section of the alert is now Approved.


Investigation

5. The investigator closes the alert.To close the alert, the investigator chooses Save on the Decision section of the alert.

Approver Approves the Decision

Two Approvers

In this example, two approval steps are required to approve the decision, and the first approver is assigned manually.

1. The investigator sets the decision, for example, by choosing the finding False Alarm.An additional approval is required due to a risk value that is above the threshold that has been defined in Customizing.

2. The investigator selects the approver directly using the value help for field Approver on the Decision section of the Alert.The investigator chooses Request Approval to start the approval process.The approvers are informed via e-mail. The approval request is displayed in the inbox of the approvers.

3. To display the pending approval requests, the first approver opens the approval list.The approver clicks on the My Approvals tile on the Home screen.To approve the request, the approver selects the approval request and chooses Approve. On the Submit Decision screen, the approver adds a note (optional), and submits the decision.

4. To display the pending approval requests, the second approver opens the approval list.The approver clicks on the My Approvals tile on the Home screen.To approve the request, the approver selects the approval request and chooses Approve. On the Submit Decision screen, the approver adds a note (optional), and submits the decision.

5. The investigator of the alert closes the alert.To close the alert, the investigator chooses Save on the Decision section of the alert.


Two Approvers Approve the Decision

Approval is Canceled

In this example, the approver is assigned manually.

The approver approves the decision. Later the investigator cancels the workflow.

1. The investigator sets the decision, for example, by choosing the finding False Alarm.An additional approval is required due to a risk value that is above the threshold that has been defined in Customizing.

2. The investigator selects the approver directly using the value help for field Approver on the Decision section of the Alert.The investigator chooses Request Approval to start the approval process.The approver is informed via e-mail. The approval request is displayed in the inbox of the approver.

3. The investigator cancels the request.The investigator chooses Cancel Approval on the Decision section.

4. The investigator starts a new approval process after making the required investigation or changes.5. Once the approver has approved the decision, the investigator can close the alert.


Investigation

Approver Cancels Approval Request

Approval is Rejected

In this example, the investigator classifies an alert item as Confirmed. The approver is automatically chosen by the system.

The approver rejects the decision.

The investigator is notified when a request has been rejected by an approver.

1. The investigator sets the decision, for example, by choosing the finding Confirmed.An additional approval is required due to a risk value that is above the threshold that has been defined in Customizing.The investigator chooses Request Approval to start the approval process.The approver is automatically chosen by the system.The approver is informed via e-mail. The approval request is displayed in the inbox of the approver.

2. To display the pending approval requests, the approver opens the approval list.The approver clicks on the My Approvals tile on the Home screen.To reject the request, the approver selects the approval request and chooses Reject. On the Submit Decision screen, the approver adds a note (mandatory), and submits the decision.

3. The investigator of the alert is informed about the rejection via e-mail.

NoteOn the Decision section of the Alert the Approval Status is Rejected.

4. The investigator starts a new approval process after making the required investigation or changes.5. Once the approver has approved the decision, the investigator can close the alert.


Approver Rejects the Decision

6.4.4 My Approvals

The approval list can be accessed from the home screen by clicking the My Approvals tile.

When an investigator of an alert item requests an approval for the finding, the request is visible in the “inbox” of all approvers that have been determined by the system.


● You can approve or reject multiple approval requests at the same time.● You can claim and release requests.● You can forward a request to a delegate.● You can add comments.● You can send e-mails to share an approval request.● You can browse, sort, filter, and group requests.

Approve Requests

To approve the request, select the approval request and choose Approve.

On the Submit Decision screen, you can add a note, and submit your decision.

You can also do the following:

● Display additional information, such as the summary, finding, closing reason, or financial outcome on the

tabThe summary is limited to 80 characters in the approvals info. You can display the complete summary by navigating to the alert.


Investigation

● Navigate to the alert on the tab

● Create comments on the tab

● Upload attachments on the tab

NoteThe priority of all approval requests is high. This cannot be changed.

Attachments and comments you enter here will not be transferred to the alert item.

Reject Requests

To reject a request, select the approval request and choose Reject.

On the Submit Decision screen, you must add a note, afterwards you can submit your decision.

When an approver rejects an approval request, the investigator of the alert item is notified.

Forward Requests

You can forward a request to a delegate.

Claim and Release Requests

Approval requests may require several approvers. The group of approvers is determined by the system, using the relevant groups that have been created with the Manage User Groups app.

With the Claim function one of the approvers can reserve an approval request.

NoteWhen one of the approvers claims a request, the request disappears in the inbox of all other approvers, so that no one else can work on it at the same time.

When the approver releases a request, the request is available for all other approvers of the group to process it.

Open Tasks

You can display the alert item that needs to be approved.

Share Requests

You can share an approval request with a colleague by sending a link to the task in the approval list via e-mail.

More Information


6.4.5 Handling Errors in the Approval Request Process

Errors may occur if, for example,the alert is locked when the system tries to update the alert.


Alert Locked

When the approver approves or rejects a decision, the system will update the alert. A temporary error may occur if the alert is already locked. The system will try to update the alert three times. (The Repeat Counter that is used in report RSWWERIN is fixed.)

If the alert cannot be updated, the workflow is erroneous and can be displayed in transaction SWI2_DIAG (Diagnosis of Workflows with Errors).

Workflow administrators will also be informed about erroneous workflows, as set up in the Automatic Workflow Customizing (transaction SWU3) in step Schedule Background Job for Work Items with Errors (the corresponding transaction is SWWD - Configure and Schedule Work Item Error Monitoring).

NoteThe report RSWWERIN (transaction SWWD - Configure and Schedule Work Item Error Monitoring) is executed during the Automatic Workflow Customizing in the Customizing for SAP NetWeaver under Maintain Standard Settings.

You can find the workflow-related transactions in the menu under Tools Workflow .

Display Application Log

In case of an error further messages are available in the application log.

You can display the application log in transaction SLG1. You can analyze the logs and their messages for workflow-specific errors by using object FRA_WORKFLOW.

Workflow Items Without Approvers

You can use the work item analysis (transaction SWI2_ADM1 - Work Items Without Agents) to find work items without approvers. You can limit the work items to be analyzed by time, type, and task.

Deleting Workflows

It may be required that the workflow administrator deletes a workflow in transaction SWI1. In the Approval Request Log on the Decision section of the alert item, the Status is Logically Deleted.

More Information



Investigation

7 Reporting

The application provides different ways to monitor the volume and the effectiveness of the work being done in SAP Business Integrity Screening.

● Executive DashboardYou can use the Executive Dashboard to display a range of key performance indicators on alerts and alert processing. For more information, see Executive Dashboard [page 205].

● SAP Fiori AppsThere are SAP Fiori apps that provide management KPIs for alerts. For more information, see Key Performance Indicator Apps for Alerts [page 208].

● External ToolsYou can also use external tools for monitoring and reporting. For more information, see Alert Reporting and Analysis [page 208].

● Start Ad Hoc RequestYou can use Start Ad Hoc Request to display the audit trail for auditing business partner screening or verifying due diligence. For more information, see Using the Audit Trail [page 130].

7.1 Executive Dashboard

This Executive Dashboard is only available if you have the correct authorization. That is, this screen is only displayed for users who have been assigned the role SAP_FRA_CHIEF_RISK_OFFICER. The Executive Dashboard can be accessed from the home screen by clicking on the Alert Distribution, Top 10 Countries by Numbers of Alerts, or Top 10 Countries by Risk Value tiles.

The Executive Dashboard provides the following:

● A map that displays all currently open alerts for which the location information is available in the alert BO● A set of key performance indicators (KPIs) of the alert processing● A set of charts with statistics on the alert processing

The control area in the upper right corner of the screen allows you to adjust the screen. Press the buttons KPIs, Charts, and Map individually or in unison to switch the information on and off. The button Filters opens a menu in which you can select the criteria by which to filter the data (that is, in all subsections: the map, the KPIs, and the charts).

KPIs

The KPIs provide an overview of the alert workload, and include:

● Open Alerts: All alerts with status Not Started or In Process● Total Value: Sum of risk values of all alerts with status Not Started or In Process

SAP Business Integrity ScreeningReporting PUBLIC 205

● Efficiency: A KPI for closed alerts; this is the number of alerts with completion status Confirmed from the total number of completed alerts (percentage)

● Average Processing Time: A KPI for closed alerts; the average time, in days, between the alert creation and the alert close date

Charts

The charts are displayed in a sort of carousel control. (Much like that of a mobile application). The chart that is selected is highlighted and displayed in big at the top of the screen. Underneath it, all the other charts are shown as a smaller image. Since only three charts can been displayed at a time; choose the arrow buttons on the right and left to scroll through the list. Clicking a chart selects it.

The charts display real data from the back end. The data is loaded once when the screen is entered, and only refreshed when the user refreshes the browser page.

Top 10 Countries by Risk Value

The total risk value of all closed alerts matching the filter criteria, listed per country.

Top 10 Countries by Number of Alerts

The number of completed alerts matching the filter criteria, listed per country. The bars’ stacks represent the findings of the alerts: green for Confirmed, red for False Alarm, and blue for Closed Without Investigation.

Top 10 Countries by Risk Value with Num. of Alerts

This chart combines the charts Top 10 Countries by Risk Value and Top 10 Countries by Number of Alerts in one chart. The top 10 are determined by risk value.

Top 10 Countries by Num. of Alerts with Risk Value

Same as the chart before, but the top 10 are determined by number of alerts.

Cumulative Fraud Loss

The fraud loss, cumulated over the past 12 months. Total Loss (red) is the sum of Actual Loss (yellow) and Opportunity Cost (violet). Actual loss is caused by the fraud itself (such as the value of stolen goods), and the opportunity cost by the investigation (such as the reports of experts).

Cumulative Fraud Loss Comparison

Compares the cumulated Actual Loss (yellow) and cumulated Opportunity Cost (violet) of the current period (that is, the current year) to the cumulated Actual Loss (red) and cumulated Opportunity Cost (green) of the past period (that is, the previous year).

Efficiency Trend

Displays the efficiency of the fraud investigations over the past 12 months. Efficiency represents the percentage of completed alerts with finding Confirmed from the total number of investigated alerts. The more confirmed alert items there are, the more efficient the investigation is; whereas, the more false positives there are, the less efficient the investigation is.


Reporting

Map

The map provides an overview of the geographical distribution of the open alerts per assigned location. Like all standard maps, you can zoom in and out and rotate it using the mouse or the corresponding control at the side of the map.

Locations having at least one open alert are shown as red circles. The location circle provides a tooltip with the name of the location and the number of open alerts. If you click on a location circle you will navigate to an alert list showing all open alerts for this location. Choosing the Back button on your browser will bring you back to the map.

NoteIn order to use the map, ensure you have made the settings in Customizing activity Geocode Services and Map Provider.

SAP Visual Business 2.0 must also be installed on the front-end computer you are working on in order to display the map.

Filter

You can filter alerts based on filter groups for Board Area, Region, Subject, and Information Source. Each filter group contains checkboxes with selection options. By default, all options are deselected and the filter is not applied. You can select checkboxes to show only alerts having the selected parameters. Filter change will be immediately applied to alerts KPIs and alert locations shown at the map.

Customizing

To use the Executive Dashboard, maintain the following Customizing activities:

● Maintain the name, description, and URL of the map provider in activity Maintain Map Provider.● Maintain the geocoding service, map product, map layer stacks, and applications in activity Maintain

Geocode Services.● To determine the geolocation data for the alerts of an investigation object, set the flag Location in the

Investigation Object Fields in activity Maintain Detection and Investigation Data Model.● For the fields marked as Location, you need to define the information model that is used to determine the

alert address. Do this in activity Maintain Address View for Investigation Object Type.


7.2 Key Performance Indicator Apps for Alerts

If you have one of the roles shown below, then you can use a set of SAP Fiori apps for alert reporting. The apps provide key performance indicators on alerts for managers. The apps are part of both the Executive Dashboard for the chief risk officer, and are also available to manager roles.

The SAP standard roles that entitle to these KPI apps are as follows:

● SAP_FRA_CHIEF_RISK_OFFICER SAP Business Integrity Screening: Chief Risk Officer● SAP_FRA_FRAUD_MANAGER SAP Business Integrity Screening: Manager

The apps for key performance indicators are shown in the table below.

App/Tile Use

Efficiency A KPI for closed alerts. The KPI on the tile is the number of alerts with completion status Confirmed from the total number of completed alerts (percentage)

Avg. Proc. Time A KPI for closed alerts. The tile shows the average time, in days, between the alert creation and the alert close date

Risk Rating ≥ 4 A filter for selecting all alerts with status In Process in Manage Alerts that have a risk rating of 4 out of 5 or higher. The tile shows the number of such alerts.

At Risk A filter for selecting all alerts with status In Process in Manage Alerts. The tile shows the total amount at risk in these alerts.

False Alarm A filter for selecting alerts with Finding False Alarm in Manage Alerts. The tile shows the number of such alerts in the current calendar year.

Confirmed A filter for selecting alerts with Finding Confirmed in Manage Alerts. The tile shows the loss (aggregated risk values) of such alerts in the current calendar year.

Closed Without Investigation A filter for selecting alerts with Finding Closed Without Investigation in Manage Alerts. The tile shows the number of such alerts in the current calendar year.

7.3 Alert Reporting and Analysis

You can use any external program that can connect to SAP HANA to do analysis and reporting on alerts and alert items.


Reporting

SAP Business Integrity Screening provides the analytic view AN_ALERT_VIEW for use with these external programs. The view is located in package sap.hana-app.fra.generic.ana and gives you access to all of the information available on alerts and alert items.


8 Integration Scenarios for SAP Business Integrity Screening

SAP offers end-to-end scenarios that integrate SAP Business Integrity Screening with other SAP products. You can enable these scenarios with minimal Customizing. SAP also offers application programming interfaces for do-it-yourself integration of SAP Business Integrity Screening with your business processes, whether they are running in SAP products or in other products.

The following sections list these integration scenarios.

End-to-End Integration ScenariosThis end-to-end integration scenario can be activated with little effort.

● Integration with SAP Process Control (GRC-SPC)SAP Business Integrity Screening creates a corresponding ad-hoc issue in SAP Process Control when an alert is closed with the finding Confirmed.See Integration with SAP Process Control [page 213].

Application Programming Interfaces (APIs) for IntegrationWith these APIs, you can integrate SAP Business Integrity Screening into your business processes on your own.

● Alert status notificationIn alert status notification, the alert information is sent to the source system of the replicated data (where the replicated data comes from), when an alert has been created, closed, or reopened.

● Online detectionIn online detection, an external application calls SAP Business Integrity Screening via a Web service and evaluates detection objects for possible fraud.

● Integration with an external case management systemYou can set up an integration of SAP Business Integrity Screening with an external case management system for transferring alerts as well as updating alerts based on decisions made in case management.

The table below provides more information.

Scenario Requires the following... Further documentation...

Alert status notification Enterprise service AlertStatusChangeNotification_Out

Alert-Related Services


Integration Scenarios for SAP Business Integrity Screening

https://help.sap.com/viewer/2ebc3a3b3403484dadfc10fed8186067/1.3.0.2/en-US/22fbe1e28418485ba9bb169977b6dd7c.html

Scenario Requires the following... Further documentation...

Online detection Enterprise service FraudDetection_GenericTable_Request_Sync_In

OR

Enterprise service FraudDetectionRequest_In

Enterprise service FraudDetectionConfirmation_Out

Online Detection-Related Services

Integration with an external case management system

Business Add-In FRA_BADI_AL_ACT_TRANSFER

Enterprise service AlertDecisionRequest_In

Enterprise service AlertDecisionConfirmation_Out

Enterprise service AlertRevokeTransferRequest_In

Enterprise service AlertRevokeTransferConfirmation_Out

Integration with an External Case Management System [page 214]

More Information

Alert Status Notification [page 211]


Integration with SAP Process Control [page 213]

Integration with an External Case Management System [page 214]

For detailed information about all the Enterprise Services, see Enterprise Services in SAP Business Integrity Screening.

8.1 Alert Status Notification

In alert status notification, the alert information is sent to the source system of the replicated data (where the replicated data comes from), when an alert has been created, closed, or reopened.

For each investigation object type you can define if this information is sent. To do this, define the Status Port in the customizing activity Define Investigation Settings in the Enterprise Services section.

SAP Business Integrity ScreeningIntegration Scenarios for SAP Business Integrity Screening PUBLIC 211

https://help.sap.com/viewer/2ebc3a3b3403484dadfc10fed8186067/1.3.0.2/en-US/04731954b192024be10000000a44176d.html



The following service is used for alert status notification:

● AlertStatusChangeNotification_OutThis service is used to communicate the status change and further alert information. The notification contains information about the investigation object, detection objects, and the status information.

NoteYou can use a Business Add-In (BAdI) to change the content of any field in the alert header or alert item before a notification is sent to an external system, following a change in the alert item lifecycle status. The BAdI is called Changed Lifecycle Status Items and Alerts (FRA_BADI_CHANGED_ITEMS) and is available in the Customizing under Business Add-Ins for Investigation.

More Information


8.2 Online Detection

In online detection, an external application calls SAP Business Integrity Screening via a Web service.

This means that you have integrated a call to SAP Business Integrity Screening for online detection into a business process in the external application.

SAP Business Integrity Screening uses the Web service FraudDetection_GenericTable_Request_Sync_Infor online detection. This Web service performs synchronous online detection using generic input tables.

Customizing

The Business Add-In BAdI: Online Detection with Generic Table Input Service Enhancement (FRA_BADI_SE_ONL_DET_GEN_TABLE) is available for this operation in the Customizing.

Related Information

Online Detection [page 108]Online Detection-Related Services




https://help.sap.com/viewer/2ebc3a3b3403484dadfc10fed8186067/1.3.0.2/en-US/04731954b192024be10000000a44176d.html

8.3 Integration with SAP Process Control

SAP Business Integrity Screening creates a corresponding ad-hoc issue in SAP Process Control when an alert is closed with the finding Confirmed.

This integration is done using RFC to establish a system connection (using the function module GRFN_ISSUE_CREATE).

Customizing Settings

To do this, you have to make the following settings in Customizing:

1. Define RFC DestinationDefine an RFC destination to SAP Process Control in Customizing under Basic Settings Maintain Alert RFC Destinations .The RFC destination you select will be used for establishing the system connection to SAP Process Control.

2. Call SAP Process ControlIn Customizing under Investigation Define Investigation Settings , choose the Investigation Settings and select Call SAP Process Control for the relevant Investigation Object Type.

Mapping

The following data is transferred:

SAP Process Control Issue Description

Name This is a concatenation of the three investigation object IDs (separated by a space) and the item number

Description This is the detection summary

Priority This depends on the risk rating of the alert:

● If the risk rating is 4 or higher, the priority is 1● If the risk rating is 2 or 3, the priority is 2● If the risk rating is less than 2, the priority is 3

Source This has the fixed value Fraud

Due Date This is the due date of the alert


8.4 Integration with an External Case Management System

You can set up an integration of SAP Business Integrity Screening with an external case management system for transferring alerts as well as updating alerts based on decisions made in case management.

Transfer Alert to a Case Management System

Before you start, you have to do the following in the Customizing for SAP Business Integrity Screening:

● Implement the Business Add-In BAdI: Transfer Alert Action (FRA_BADI_AL_ACT_TRANSFER)This BAdI is located in Customizing under Investigation Business Add-Ins for Investigation .The implementation must include the following:○ Reading of the alert data using the alert ID○ Conversion of the alert data in a suitable format○ Transfer of the alert data to the external case management system

For more information, see the sample implementation, available via the Customizing activity.● In Customizing, identify the BAdI implementation that is to be called by the Action function in the alert

details display in the Manage Alerts appThe BAdI implementation reads the alert, converts it if necessary, and transfers it to the external case management system.In the Customizing under Investigation Define Investigation Settings , choose Investigation Settings. Mark each investigation object type whose alerts should be transferred. Then double click Action and create a new Action entry.Provide the following information in the new entry:○ Enter a name and description for the action. These are used in the Action menu in the Manage Alerts

app.○ Choose Transfer in the ActionType field.

An activity defined as Transfer indicates that the alert can be transferred to an external system.○ Enter a filter value in the Action BAdI Filter field.

This value determines which BAdI implementation is used when the BAdI is called.○ Enter a number in the Sort Order field.

The Sort Order numbers determine the order in which actions are listed in the Action menu in Manage Alerts.

○ To display the new action in the Action menu, mark the Active checkbox.

Once you have implemented the BAdI BAdI: Transfer Alert Action and defined the activity for sending alerts, you can transfer alerts.

NoteAn alert that is transferred cannot be changed in the SAP Business Integrity Screening system.

Revoke Transfer for an Alert

When an alert has been transferred by mistake, you can undo the transfer. This must be triggered from the case management system.

In this case, the following enterprise services are used:

● AlertRevokeTransferRequest_InThis service changes the transfer status value of one or more alerts from Transferred to Not Transferred.



As a consequence, this alert can be modified in the SAP Business Integrity Screening system. The request contains the IDs of the alerts for which the status transfer is requested.

● AlertRevokeTransferConfirmation_OutThis service sends the confirmation of the change of the transfer status of one or more alerts from Transferred to Not Transferred. The confirmation contains the IDs of the alerts for which the status transfer was updated.

NoteFor each investigation object type you can define if this information is sent. To do this, define the Revoke Port in the Customizing under Investigation Define Investigation Settings in the Enterprise Services section.

Accept Decision From Case Management System

The decision made in a case management system can also be transferred to SAP Business Integrity Screening.

This process is as follows:

1. A case is decided in the case management system.2. The decision is transferred from the case management system to SAP Business Integrity Screening.3. The alert is updated accordingly in SAP Business Integrity Screening.4. The alert status notification has to be send from SAP Business Integrity Screening to the source system

using the serviceAlertStatusChangeNotification_Out.

The following enterprise services are used for this scenario:

● AlertDecisionRequest_In● AlertDecisionConfirmation_Out

NoteFor each investigation object type you can define if this information is sent. To do this, define the Decision Port in the Customizing under Investigation Define Investigation Settings in the Enterprise Services section.

More Information




9 Data Protection

The following functions support you in handling personal data as well as archiving and deleting data.

● Display Personal Data● Logging Changes to Personal Data● Remove User Names (transaction ACS_DP_ANONYMIZATION)

Removes user names for data that is not going to be archived.● Garbage Collector (transaction ACS_DP_GCO)

Deletes unwanted data.● Display Data Protection Logs (transaction ACS_DP_LOG)

Displays the application log for data protection activities.● Archive Administration (transaction SARA)

Archives data based on the Archive Development Kit (ADK).● Data Destruction (transaction ILM_DESTRUCTION)

SAP Information Lifecycle Management (ILM) can be used to delete the archived data based on retention rules on a defined point in time.

● Read Access Logging Manager (transaction SRALMANAGER)Read Access Logging is used to monitor and log read access to sensitive data. This data may be categorized as sensitive by law, by external company policy, or by internal company policy.

NoteFor more information, see the Security Guide.

Related Information

Removing User Names [page 216]Garbage Collector [page 217]Displaying the Data Protection Logs [page 224]Data Archiving in SAP Business Integrity Screening [page 218]

9.1 Removing User Names

You can use this function to remove the user names from the system once the residence period has been reached.

To remove the user names from business objects, call transaction Remove User Names (ACS_DP_ANONYMIZATION) in the back-end system.

You can also run this function in test mode.


Data Protection

Prerequisites

You have defined the residence period for each business object in Customizing activity Define Residence Period.

Example

Depending on the structure of the business object, you can use this function to remove the Created By user names, Last Changed By user names, or Executed By user names.

NoteFor more information, see the detailed documentation in the back-end system.

9.2 Garbage Collector

You can use this function to delete unwanted data.

To delete objects that are no longer referenced or no longer needed, call transaction Garbage Collector (ACS_DP_GCO) in the back-end system

You can also run this function in test mode.

Prerequisites

You have defined the residence period for the simulated alert input data in Customizing activity Define Residence Period.

Results

This function deletes the following data:

● Alert input data for mass detection● Simulated alert input data

○ Mass detection simulation results○ Results of the calibration○ Intermediate results of the delta address screening

● Assignments to user groups● Personal settings

SAP Business Integrity ScreeningData Protection PUBLIC 217

NoteFor more information, see the detailed documentation in the back-end system.

Application Log

You can display the application log for the Garbage Collector using transaction Display Data Protection Logs (ACS_DP_LOG).

Choose the log object ACS_DATAPROTECTION and the subobject DELETION.

Related Information

Displaying the Data Protection Logs [page 224]

9.3 Data Archiving in SAP Business Integrity Screening

Data archiving is used to remove mass data from the database that is no longer required in the system but must be kept in a format that can be analyzed.

The following table shows the available archiving objects and their ILM objects:

Object Archiving Object ILM Object

Alerts FRA_ALERT FRA_ALERT

Audit Trail FRA_AUDTR FRA_AUDTR

Address Screening List Entities

FRA_SCRL_E FRA_SCRL_E

Entity Relations FRA_SCRL_R FRA_SCRL_R

Worklists FRA_WLIST FRA_WLIST

Dependencies

Before archiving, the system checks if the preconditions for archiving data are met. Then, the write program writes the data in an archive file. The delete program deletes the archived data from the database. It is still possible to display this data in the archive file.


Data Protection

The SAP data archiving concept is based on the Archive Development Kit (ADK) using the Archive Administration function (transaction SARA).

For more information, see the Data Archiving documentation on the SAP Help Portal at http://help.sap.com/nw.

For more information, see the SAP Information Lifecycle Management (ILM) documentation on the SAP Help Portal at http://help.sap.com.

9.3.1 Archiving Alerts with FRA_ALERT

You can use the archiving object FRA_ALERT for archiving alerts.

Defining Variants for the Archiving Run

When you schedule the archiving run (Preprocessing, Write, Delete), you need to enter an existing variant or create a new one.

The variant contains the processing options for the archiving run.

You have the following options:

● Test mode or production mode● Detail log:

○ No detail log○ Without success messages○ Complete

● Log output:○ List○ Application log○ List and application log

Preprocessing Archiving Object FRA_ALERT

In the preprocessing step, the system checks that:

● The last changed date has reached the residence period.● The lifecycle status is Completed.

ILM-Based Information for the Archiving Object

You can use this archiving object with the FRA_ALERT ILM object.


http://help.sap.com/nw

http://help.sap.com/nw

http://help.sap.com

The following fields for FRA_ALERT are defined:

● Available Time Bases○ Created On (CREATION_DATE)

○ END_OF_MONTH (End of Month)○ END_OF_QUARTER (End of Quarter)○ END_OF_YEAR (End of Year)

○ Last Changed On (LAST_CHANGE_DATE)○ END_OF_MONTH (End of Month)○ END_OF_QUARTER (End of Quarter)○ END_OF_YEAR (End of Year)

● Available Policy Categories○ RTP (Retention Rules)

9.3.2 Archiving Audit Trails with FRA_AUDTR

You can use the archiving object FRA_AUDTR for archiving of the table for audit trails FRA_D_AUD_TRAIL.


When you schedule the archiving run (Write, Delete), you need to enter an existing variant or create a new one.

The variant contains the processing options for the archiving run.





Prerequisites

Before the audit trail can be archived, ensure the creation date is older than defined residence period.


Data Protection


You can use this archiving object with the FRA_AUDTR ILM object.

The following fields for FRA_AUDTR are defined:




9.3.3 Archiving Address Screening List Entities with FRA_SCRL_E

You can use the archiving object FRA_SCRL_E for archiving entities of address screening lists.

As entities may be referenced in alerts, alerts should be archived before the referenced entities are archived. Therefore, you should define the residence periods of address screening list entities and alerts appropriately.

Prerequisites

Before an address screening list entity can be archived, the following prerequisites must be fulfilled:

● Ensure it is not current version you are archiving● Ensure the residence period has been met


When you schedule the archiving run (Write, Delete), you must enter an existing variant or create a new one.

The variant contains the processing options for the archiving run. You have the following options in both archiving programs write and delete:

● Test mode or production mode

In the write program, you have the additional following options:

● Detail log:○ No detail log○ Without success messages


○ Complete● Log output:

○ List○ Application log○ List and application log


You can use this archiving object with the FRA_SCRL_E ILM object.

The following fields for FRA_SCRL_E are defined:

● Available Time Base○ Created On (CREATION_DATE)



● Available Policy Category○ RTP (Retention Rules)

9.3.4 Archiving Entity Relations with FRA_SCRL_R

You can use the archiving object FRA_SCRL_R for archiving BOPF node ENTITY-RELATION from the BO: FRA_ADDRESS_SCREENING_LIST.

Prerequisites

Before an entity relation can be archived, the following prerequisites must be fulfilled:

● Ensure it is not current version you are archiving● Ensure the residence period has been met (check against the last change date of the parent node

IMPORT_LOG)


Data Protection


When you schedule the archiving run (Write, Delete), you must enter an existing variant or create a new one.

The variant contains the processing options for the archiving run. You have the following options:





You can use this archiving object with the FRA_SCRL_R ILM object.

The following fields for FRA_SCRL_R are defined:

● Available Time Base○ Last Changed On (LAST_CHANGE_DATE)


● Available Policy Category○ RTP (Retention Rules)

9.3.5 Archiving Worklists with FRA_WLIST

You can use the archiving object FRA_WLIST to archive worklists.


When you schedule the archiving run (Preprocessing, Write, Delete), you must enter an existing variant or create a new one. The variant contains the processing options for the archiving run.






Preprocessing Archiving Object FRA_WLIST

In the preprocessing step, the system checks that:

● The overall run status is Completed.● The dependent data of the worklist is no longer relevant.● The last changed date has reached the residence period.

○ For the business object Worklist, the system checks that the last change date of the ROOT and ITEM nodes exceed the residence period.


You can use this archiving object with the ILM object FRA_WLIST.

The following fields for FRA_WLIST are defined:





9.4 Displaying the Data Protection Logs

You can use this function to display the data protection logs.

To display the application log, call transaction Display Data Protection Logs (ACS_DP_LOG) in the back-end system.


Data Protection


You can filter the logs, for example, by the following criteria:

● Object and subobjectThe object ACS_DATAPROTECTION (Log for Data Protection) is already set as the default.The subobjects could be the following:○ ANONYMOUS for user names that have been removed from system administration data○ ARCHIVING for archiving preparation

NoteTo display the log for data archiving, choose the object ARCHIVING.

○ DELETION for data that has been deleted with the garbage collector● External ID

This ID was assigned by the application program. (It is a combination of the report name, time stamp, and user name.)

● ProgramEnter the name of the program that caused the logged event: ACS_DP_GARBAGE_COLLECTOR (Garbage Collector), ACS_BO_ANONYMOUS(Remove User Names), BPCM_BO_ORG_END_BUS_REL (End of Business Relation for Organization), BPCM_BO_PERSON_END_BUS_REL (End of Business Relation: Person)

● Time restriction, user, or log class

Results

Examples for log messages that have been created for the subobject DELETION are:

● Processing simulation results<120> records deleted

● Processing invalid user assignments<10> user assignments deleted from groups


Important Disclaimers and Legal Information

HyperlinksSome links are classified by an icon and/or a mouseover text. These links provide additional information.About the icons:

● Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your agreements with SAP) to this:

● The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.● SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any

damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.

● Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering a SAP-hosted Web site. By using such links, you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this information.

Videos Hosted on External PlatformsSome videos may point to third-party video hosting platforms. SAP cannot guarantee the future availability of videos stored on these platforms. Furthermore, any advertisements or other content hosted on these platforms (for example, suggested videos or by navigating to other videos hosted on the same site), are not within the control or responsibility of SAP.

Beta and Other Experimental FeaturesExperimental features are not part of the officially delivered scope that SAP guarantees for future releases. This means that experimental features may be changed by SAP at any time for any reason without notice. Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use the experimental features in a live operating environment or with data that has not been sufficiently backed up.The purpose of experimental features is to get feedback early on, allowing customers and partners to influence the future product accordingly. By providing your feedback (e.g. in the SAP Community), you accept that intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP.

Example CodeAny software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax and phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of example code unless damages have been caused by SAP's gross negligence or willful misconduct.

Gender-Related LanguageWe try not to use gender-specific word forms and formulations. As appropriate for context and readability, SAP may use masculine word forms to refer to all genders.


Important Disclaimers and Legal Information

SAP Business Integrity ScreeningImportant Disclaimers and Legal Information PUBLIC 227

www.sap.com/contactsap

© 2020 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.

Please see https://www.sap.com/about/legal/trademark.html for additional trademark information and notices.

THE BEST RUN

https://www.sap.com/about/legal/trademark.html