Virsa Systems: Control Yourself
Suppose some rogue in your company found a way to both create and approve invoices in the financial systemand was secretly cutting himself fat checks. You spotted the scam and fixed the loophole. But could you prove the company had improved systems and processes so the fraud couldn't happen again?
Under the Sarbanes-Oxley Act, publicly traded companies in the U.S. are required to. Last year, the first year the law went into effect, many businesses spent months of grunt work to document that all the I's were dotted and T's crossed.
Jasvir Gill, chief executive officer and co-founder of Virsa Systems, is betting corporations won't be able to do it any faster this yearunless they use something like his company's software. "Companies pay millions of dollars to consultants when they're trying to get in compliance," he says. "Then they realize they need to automate the process."
Virsa's Compliance Calibrator analyzes roles of employees who use an SAP enterprise resource planning system and figures out, based on thousands of customizable rules, whether there are potential conflicts in the access rights they've been granted. For example, it would red-flag that employee who could generate and approve invoicesa classic "segregation of duties" violation that's an open invitation to fraud.
Gill started Virsa in 1996 as a consulting firm to help companies identify fraud in their financial systems. But he switched gears four years ago to focus on software to automate fraud prevention and comply with regulations.
Lately, Sarbanes-Oxley has been rocket fuel for Virsa, which claims to have won more than 200 customers for its software. The U.S. federal law was passed in 2002 in response to several high-profile corporate accounting scandals. It requires public companies to document, in detail, who has access to their financial information systems and to demonstrate they have processes in place, such as system security measures, to prevent fraud.
Once Sarbanes-Oxley hit the fan, hundreds of companies suddenly became interested in the previously unsexy subject of financial-audit software. "Any company would like to believe they have proper accounting practices in place," says Bob Schwartz, chief information officer of consumer electronics maker Panasonic, which is deploying Virsa's software to identify potential segregation-of-duties conflicts in its SAP system. "But as far as documenting that, 'like to have' or 'nice to have' was how things were happening before."
Now it's a "have to have," and Virsa is fully milking the Sarbanes-Oxley cow, as are other startups such as Approva and Oversight Systems. Privately held Virsa doesn't disclose revenues, but Gill says its typical deals run between $300,000 and $500,000, depending on the size of the project. With 200 customers, it could have booked at least $60 million in sales since releasing its software in 2002.
This March, Virsa scored a coup that could really pump up its top line: a three-year deal with SAP, which will exclusively resell the SAP version of Compliance Calibrator. Under the terms of the deal, Virsa doesn't itself sell the product anymore but offers related software, like Firefighter, which gives "emergency" access to authorized individuals and logs exceptions to provide an audit trail.
SAP is also an investor in Virsa, but Gill insists SAP and Virsa aren't joined at the hip. In September, he says, Virsa plans to release compliance-monitoring software for Oracle's enterprise resource planning software, and also has versions planned for Microsoft and PeopleSoft applications. "If a company creates vendor profiles in SAP and pays them with Oracle," Gill says, "we have to be able to enforce the business policies across both of them."
Of course, SAP and other financial systems vendors provide security checks within their own softwarebut the controls aren't automated. Gill explains it this way: A car has a speedometer and brakes, but those won't stop you from hurtling dangerously down the autobahn. Similarly, SAP provides some controls, such as passwords; on top of that, Virsa's software acts as an automatic brake to stop a transaction at a red lightif, say, an employee creates a fake payee with an address matching his own home address.
Such anomalies can (and ideally should) be caught by humans. But in a typical corporation, no single person can remember every rule that specifies potential conflicts, says Margaret Sokolov, SAP security and controls lead for Canadian Pacific Railway. "A businessperson doesn't know all 60,000 transactions in SAP," she says.
The railroad uses Virsa's software to check user accounts created in SAP for segregation-of-duties conflicts, based on 18,000 rules. Now, managers who approve access rights "don't have to worry they might have missed something," Sokolov says. "The rules are the same every time."
Funding: $15M venture capital, July 2004
Investors: Kleiner, Perkins, Caufield & Byers; Lightspeed Venture Partners; SAP
Revenue split: 90% software; 10% services
Operating results: Claims to be profitable and cash-flow positive
Customers: More than 200
Fremont, Calif. (headquarters); Bracknell, U.K.; Chandigarh, India
1996: Founded as antifraud consulting company
2001: Shifts focus to fraud-detection software
2002: Lands six initial software customers
2004: Receives $15M in funding
2005: Signs three-year deal with SAP to resell Virsa's compliance software for SAP systems
Sources: Company reports, Baseline research