Fraud prevention through segregation of duties: authorization model in SAP GRC Access Control

Fraud is becoming more prevalent in companies with weak internal control policies and security vulnerabilities. On one hand, internal fraud is usually carried out by top management or accounting staff, who hold higher privileges and therefore have more capabilities in the system to commit it. On the other hand, external fraud is carried out by hackers who gain access to the internal information system by stealing employee credentials. This project presents a solution for preventing fraud in companies: controlling and managing user authorizations through an access control principle, Segregation of Duties. Following this security philosophy, a role-based architecture is defined, and a detailed Segregation of Duties process is carried out from a risk-based approach. Conflicts among critical tasks lead to significant risks in the system, and those risks form the core of the study. With an emphasis on the risk management lifecycle, every phase carried out to achieve an implementation that complies with Segregation of Duties is described. Based on the proposed design, the methodology of a project is laid out using SAP GRC Access Control, a tool that integrates and streamlines risk, compliance, corporate governance and access control policies. Taking into consideration the security measures defined, the costs of implementing them were calculated and compared with the large losses caused by fraud and data breaches. The results show that the amount invested in security is almost imperceptible, ranging from 0.002% to 0.7% of the economic losses that fraud involves. Finally, from the results presented and the project methodology, conclusions and recommendations are offered so that enterprises can avoid fraud through its detection and control.
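As an added illustration, not part of the thesis or of SAP GRC Access Control, the following Python sketch models the role-based architecture and the risk-based Segregation of Duties analysis described above. The business functions, the rule set of conflicting functions, the roles and the user assignments are constructed sample data; the transaction codes are used only as familiar labels for the actions a role grants.

```python
"""Segregation of Duties risk analysis over a role-based model (constructed sample data)."""

# Business functions, each defined as the set of actions (transaction codes) that perform it.
FUNCTIONS = {
    "VENDOR_MAINT": {"FK01", "FK02"},   # create or change a vendor master record
    "PO_CREATE": {"ME21N"},             # create a purchase order
    "INVOICE_VERIFY": {"MIRO"},         # post a vendor invoice
    "PAYMENT_RUN": {"F110"},            # execute the payment program
}

# SoD rule set: each risk names two functions that one user must not hold together.
RISKS = {
    "P001": ("VENDOR_MAINT", "PAYMENT_RUN"),    # create a fictitious vendor and pay it
    "P002": ("PO_CREATE", "INVOICE_VERIFY"),    # order goods and post the matching invoice
    "P003": ("INVOICE_VERIFY", "PAYMENT_RUN"),  # post an invoice and release its payment
}

# Role-based architecture: roles grant actions, users are assigned roles (all constructed).
ROLES = {
    "Z_AP_CLERK": {"FK01", "FK02", "MIRO"},
    "Z_AP_PAYER": {"F110"},
    "Z_AP_ALL": {"MIRO", "F110"},   # a role that embeds a conflict on its own
    "Z_BUYER": {"ME21N"},
}
USERS = {
    "alice": {"Z_AP_CLERK", "Z_AP_PAYER"},  # accumulates conflicting roles over time
    "bob": {"Z_BUYER"},
}

def functions_held(actions):
    """Map a set of actions to the business functions it enables."""
    return {f for f, tcodes in FUNCTIONS.items() if actions & tcodes}

def risks_in(actions):
    """Return the sorted risk ids violated by a given set of actions."""
    held = functions_held(actions)
    return sorted(r for r, (a, b) in RISKS.items() if a in held and b in held)

def analyze_user(user):
    """User-level analysis: union of every role's grants, then rule-set lookup."""
    return risks_in(set().union(*(ROLES[r] for r in USERS[user])))

def analyze_roles():
    """Role-level analysis: roles that violate a risk by themselves."""
    return {r: risks_in(t) for r, t in ROLES.items() if risks_in(t)}

def remediate(user, role_to_remove):
    """Simulate removing one role from a user and report the residual risks."""
    remaining = USERS[user] - {role_to_remove}
    return risks_in(set().union(*(ROLES[r] for r in remaining)))
```

Running the user-level analysis on "alice" reports P001 and P003, while the role-level analysis flags Z_AP_ALL as a role that should never be granted as built.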
Keywords: Business informatics, SAP R/3 (application program), Fraud