Virsa Systems: Control Yourself

Suppose some rogue in your company found a way to both create and approve invoices in the financial system—and was secretly cutting himself fat checks. You spotted the scam and fixed the loophole. But could you prove the company had improved systems and processes so the fraud couldn’t happen again?

Under the Sarbanes-Oxley Act, publicly traded companies in the U.S. are required to. Last year, the first year the law went into effect, many businesses spent months of grunt work to document that all the I’s were dotted and T’s crossed.

Jasvir Gill, chief executive officer and co-founder of Virsa Systems, is betting corporations won’t be able to do it any faster this year—unless they use something like his company’s software. “Companies pay millions of dollars to consultants when they’re trying to get in compliance,” he says. “Then they realize they need to automate the process.”

Virsa’s Compliance Calibrator analyzes roles of employees who use an SAP enterprise resource planning system and figures out, based on thousands of customizable rules, whether there are potential conflicts in the access rights they’ve been granted. For example, it would red-flag that employee who could generate and approve invoices—a classic “segregation of duties” violation that’s an open invitation to fraud.

Gill started Virsa in 1996 as a consulting firm to help companies identify fraud in their financial systems. But he switched gears four years ago to focus on software to automate fraud prevention and comply with regulations.

Lately, Sarbanes-Oxley has been rocket fuel for Virsa, which claims to have won more than 200 customers for its software. The U.S. federal law was passed in 2002 in response to several high-profile corporate accounting scandals. It requires public companies to document, in detail, who has access to their financial information systems and to demonstrate they have processes in place, such as system security measures, to prevent fraud.

Once Sarbanes-Oxley hit the fan, hundreds of companies suddenly became interested in the previously unsexy subject of financial-audit software. “Any company would like to believe they have proper accounting practices in place,” says Bob Schwartz, chief information officer of consumer electronics maker Panasonic, which is deploying Virsa’s software to identify potential segregation-of-duties conflicts in its SAP system. “But as far as documenting that, ‘like to have’ or ‘nice to have’ was how things were happening before.”

Now it’s a “have to have,” and Virsa is fully milking the Sarbanes-Oxley cow, as are other startups such as Approva and Oversight Systems. Privately held Virsa doesn’t disclose revenues, but Gill says its typical deals run between $300,000 and $500,000, depending on the size of the project. With 200 customers, it could have booked at least $60 million in sales since releasing its software in 2002.

This March, Virsa scored a coup that could really pump up its top line: a three-year deal with SAP, which will exclusively resell the SAP version of Compliance Calibrator. Under the terms of the deal, Virsa doesn’t itself sell the product anymore but offers related software, like Firefighter, which gives “emergency” access to authorized individuals and logs exceptions to provide an audit trail.

SAP is also an investor in Virsa, but Gill insists SAP and Virsa aren’t joined at the hip. In September, he says, Virsa plans to release compliance-monitoring software for Oracle’s enterprise resource planning software, and also has versions planned for Microsoft and PeopleSoft applications. “If a company creates vendor profiles in SAP and pays them with Oracle,” Gill says, “we have to be able to enforce the business policies across both of them.”

Of course, SAP and other financial systems vendors provide security checks within their own software—but the controls aren’t automated. Gill explains it this way: A car has a speedometer and brakes, but those won’t stop you from hurtling dangerously down the autobahn. Similarly, SAP provides some controls, such as passwords; on top of that, Virsa’s software acts as an automatic brake to stop a transaction at a red light—if, say, an employee creates a fake payee with an address matching his own home address.

Such anomalies can (and ideally should) be caught by humans. But in a typical corporation, no single person can remember every rule that specifies potential conflicts, says Margaret Sokolov, SAP security and controls lead for Canadian Pacific Railway. “A businessperson doesn’t know all 60,000 transactions in SAP,” she says.

The railroad uses Virsa’s software to check user accounts created in SAP for segregation-of-duties conflicts, based on 18,000 rules. Now, managers who approve access rights “don’t have to worry they might have missed something,” Sokolov says. “The rules are the same every time.”
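
The segregation-of-duties check described in this article, sketched as an added example (not Virsa's code or rule set): role names, action names and users are constructed for illustration. It flags users whose combined roles trip a rule, and tests a proposed role grant before a manager approves it.

```python
# Constructed sample data: roles, actions and users are hypothetical,
# not SAP transaction codes or Virsa rule content.
ROLES = {
    "AP_CLERK": {"invoice.create", "vendor.display"},
    "AP_SUPERVISOR": {"invoice.approve", "payment.release"},
    "VENDOR_ADMIN": {"vendor.create", "vendor.change"},
}
# Each rule names two actions that one person must not hold together.
RULES = [
    ("SOD-001", "invoice.create", "invoice.approve"),
    ("SOD-002", "vendor.create", "payment.release"),
]
USERS = {
    "asmith": ["AP_CLERK"],
    "bjones": ["AP_CLERK", "AP_SUPERVISOR"],
    "cwu": ["VENDOR_ADMIN"],
}

def effective_actions(role_names):
    """Map each action to the set of roles that grant it."""
    granted = {}
    for role in role_names:
        for action in ROLES[role]:
            granted.setdefault(action, set()).add(role)
    return granted

def conflicts(role_names):
    """Return (rule_id, roles granting side A, roles granting side B)."""
    granted = effective_actions(role_names)
    return [(rid, sorted(granted[a]), sorted(granted[b]))
            for rid, a, b in RULES if a in granted and b in granted]

def audit(users):
    """Detective check: every user whose combined roles break a rule."""
    report = {user: conflicts(roles) for user, roles in users.items()}
    return {user: found for user, found in report.items() if found}

def check_grant(users, user, new_role):
    """Preventive check: rules the grant would newly violate (empty = allow)."""
    current = users.get(user, [])
    before = {c[0] for c in conflicts(current)}
    return [c for c in conflicts(current + [new_role]) if c[0] not in before]

if __name__ == "__main__":
    print(audit(USERS))
    print(check_grant(USERS, "cwu", "AP_SUPERVISOR"))
```

No single role in the sample data violates a rule; the conflicts only appear when roles are combined on one account, which is why the check works on effective permissions rather than role by role.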

The Company

HEADQUARTERS: 47257 Fremont Blvd., Fremont, CA 94538
PHONE: (510) 651-5990
TICKER: Privately held
URL: www.virsa.com
EMPLOYEES: 160
FOUNDED: 1996
EXECUTIVES: Jasvir Gill, chief executive officer and chief technology officer; Kaval Kaur, chief financial officer; Mark L. Feldman, senior vice president of strategy
BUSINESS: Provides software that monitors and controls access to financial systems to comply with government regulations and prevent fraud.
PRODUCTS: Continuous Compliance Suite includes SAP Compliance Calibrator, which analyzes the access privileges of people using an SAP system and enforces security policies.
MARKET SIZE: $1.7B for technology related to Sarbanes-Oxley compliance, 2005 (AMR Research).
COMPETITORS: ACL Services, Applimation, Approva, Logical Apps, Oversight Systems

The Technology

Virsa’s set up for an inside job. Unlike products from its key competitors, Compliance Calibrator sits on the same servers that run an SAP system. That means it’s accessing the most current data coursing through a company and, Virsa claims, allows it to block fraudulent activity, since it monitors (and can stop) changes to access privileges from within SAP based on thousands of rules.

“Our concept is that if you’ve detected fraud, it’s already too late,” says CEO Jasvir Gill. “We prevent it from happening.”

But the approach also means Virsa’s software can drag down the performance of SAP systems. “You can’t run complex analytics on a production database because it will grind to a halt,” says Patrick Taylor, CEO of Oversight Systems.

It’s true Virsa can cause a “performance hit,” but only if it’s analyzing every transaction entered into SAP over an extended period of time to ensure none has violated a compliance-related policy, says John Gradowski, director of information-technology applications for power company Pepco Holdings.

Gradowski notes it would take “hours, not minutes” for Virsa to review several thousand transactions. But that’s acceptable for Pepco because the company doesn’t expect to do such major analyses more than once per quarter. “We’d schedule that for the weekends,” he says, “not in prime time.” —T.S.

Reference Checks

Panasonic
Bob Schwartz
CIO
Project: Consumer electronics subsidiary of Japan-based Matsushita expects to have Virsa software deployed to check for Sarbanes-Oxley compliance by 2007.

Kimberly-Clark
Jayne Gibbon
Team Leader, Security Support
Project: Paper products manufacturer based in Stamford, Conn., installed Virsa’s software in July 2002 to analyze financial transactions in SAP for potential fraud.

Solutia
Lori Kirk
Mgr., Information Security
Project: Maker of chemical-based products bought software from PricewaterhouseCoopers last year to analyze access controls; Virsa later acquired the product.

Pepco Holdings
John Gradowski
Dir., I.T. Applications
Project: Energy company with 2,000 SAP users deployed Virsa’s tool this year to automate the process of checking for potential segregation-of-duties conflicts.

Canadian Pacific Railway
Margaret Sokolov
SAP Security and Controls Lead
Project: Freight railroad uses Virsa software to check for conflicts in roles assigned to SAP users, based on 18,000 rules.

Guidant
Trevor Wolf
SAP Security Administrator
Project: Cardiac-health device maker, which has 1,400 employees using SAP, analyzes financial transactions for fraud every night with Virsa’s software.

FINANCIALS

Funding: $15M venture capital, July 2004

Investors: Kleiner, Perkins, Caufield & Byers; Lightspeed Venture Partners; SAP

Revenue split: 90% software; 10% services

Operating results: Claims to be profitable and cash-flow positive

Customers: More than 200

Main Offices

Fremont, Calif. (headquarters); Bracknell, U.K.; Chandigarh, India

MILESTONES

1996: Founded as antifraud consulting company

2001: Shifts focus to fraud-detection software

2002: Lands six initial software customers

2004: Receives $15M in funding

2005: Signs three-year deal with SAP to resell Virsa’s compliance software for SAP systems

Sources: Company reports, Baseline research